On Fri, Jul 07 2023, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2023/07/07 11:17, Marc Espie wrote:
>> On Thu, Jul 06, 2023 at 05:49:04PM +0200, Jeremie Courreges-Anglas wrote:
>> > On Thu, Jul 06 2023, Stuart Henderson <s...@spacehopper.org> wrote:
>> > > On 2023/07/05 21:21, Jeremie Courreges-Anglas wrote:
>> > >> On Wed, Jul 05 2023, Alexander Bluhm <alexander.bl...@gmx.net> wrote:
>> > >> > On Wed, Jul 05, 2023 at 05:35:01PM +0200, Jeremie Courreges-Anglas
>> > >> > wrote:
>> > >> >> On Tue, Jul 04 2023, Alexander Bluhm <alexander.bl...@gmx.net> wrote:
>> > >> >> > Hi,
>> > >> >> >
>> > >> >> > ok to import splicebench-1.02 ?
>> > >> >>
>> > >> >> At first I got puzzled by SUPDISTFILES but gofor it if you find it
>> > >> >> useful.
>> > >> >
>> > >> > If upstream provides a gpg signature, I download it and check it.
>> > >> > Although it is not perfect to prevent backdoors, I would feel very
>> > >> > bad, if I would commit a tampered port that could be detected by a
>> > >> > signature.
>> > >> >
>> > >> > Downloading the detached signature as SUPDISTFILES makes it easy
>> > >> > to verify manually.
>> > >> >
>> > >> > Any better idea to prevent supply chain attacks?
>> > >>
>> > >> I'm not objecting to the rationale, I also check signatures whenever
>> > >> I can. This reminds me of a proposal from Stuart which I liked a lot
>> > >> but I haven't pushed for... until now:
>> > >>
>> > >> https://marc.info/?l=openbsd-ports&m=157687699320320&w=2
>> > >
>> > > I lost interest when it turned into a load mkre complication and a new
>> > > tool to verify pgp signatures that would only run on certain archs
>> > > and reverted to my previous method, "stick a shell script in the port
>> > > directory that will download and check the signature when run by hand".
>> >
>> > Your original approach looked good to me. Was the additional
>> > complexity warranted by security or usability concerns?
>> >
>> > You mention a "new tool", I would prefer if we kept using security/gnupg
>> > instead of some go/rust program, precisely for portability reasons.
>> >
>> > --
>> > jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
>> >
>> >
>> Looking at sthen's patch. How verbose is gnu-gpg ?
>> Specifically, is the "signature failed message" enough to identify
>> which file failed.
pbuild2 /usr/ports/x11/ratpoison$ LC_ALL=C.UTF-8 make checksum CHECK_PGPSIG=Yes
===> Checking files for ratpoison-1.4.9p1
`/usr/ports/distfiles/ratpoison-1.4.9.tar.gz' is up to date.
`/usr/ports/distfiles/ratpoison-1.4.9.tar.gz.sig' is up to date.
>> (SHA256) ratpoison-1.4.9.tar.gz: OK
>> (SHA256) ratpoison-1.4.9.tar.gz.sig: OK
gpg: assuming signed data in 'ratpoison-1.4.9.tar.gz'
gpg: Signature made Mon Apr 3 17:31:45 2017 CEST
gpg: using RSA key 0DFA74AE1524E7EE
gpg: BAD signature from "Jérémie Courrèges-Anglas <j...@wxcvbn.org>" [unknown]
PGP signature invalid.
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2563
'_internal-checksum': @cd /usr/ports/distfiles; OK=true; for file in ratpoi...)
*** Error 2 in /usr/ports/x11/ratpoison
(/usr/ports/infrastructure/mk/bsd.port.mk:2627 'checksum':
@lock=ratpoison-1.4.9p1; export _LOCKS_H...)
(with a mangled .tar.gz distfile and distinfo edited)
vs
pbuild2 /usr/ports/x11/ratpoison$ LC_ALL=C.UTF-8 make checksum CHECK_PGPSIG=Yes
===> Checking files for ratpoison-1.4.9p1
`/usr/ports/distfiles/ratpoison-1.4.9.tar.gz' is up to date.
`/usr/ports/distfiles/ratpoison-1.4.9.tar.gz.sig' is up to date.
>> (SHA256) ratpoison-1.4.9.tar.gz: OK
>> (SHA256) ratpoison-1.4.9.tar.gz.sig: OK
gpg: assuming signed data in 'ratpoison-1.4.9.tar.gz'
gpg: Signature made Mon Apr 3 17:31:45 2017 CEST
gpg: using RSA key 0DFA74AE1524E7EE
gpg: Good signature from "Jérémie Courrèges-Anglas <j...@wxcvbn.org>" [unknown]
gpg: aka "Jérémie Courrèges-Anglas <j...@autogeree.net>"
[unknown]
gpg: aka "Jérémie Courrèges-Anglas <j...@openbsd.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
pbuild2 /usr/ports/x11/ratpoison$
>> I'm not too sure about the BUILD_DEPENDS: gnupg has got a lot of
>> dependencies.
>>
>> I see the distinct possibility of build loops if CHECK_PGPSIG was set
>> indiscriminately in mk.conf.
>
> hmm - perhaps it would be better in a different make target (or not
> handling verification from make at all; just provide a way to list/fetch
> ignature files so they can be handled externally, say via a script that
> uses "make show=SIGFILES").
I have at least one port (net/samba) which would not cope easily with
verification done as in your proposal, since they sign the uncompressed
archive (weird choice but hey...). A generic make target would work
if it can be overriden locally, say with do-check-pgp-sigs.
> I wasn't intending for this to be used indiscriminately - in particular
> I didn't want to have this extend into key management, just use what
> your normal user account has specifically added and trusted - so given
> that, it's unlikely that it would even be able to verify files for
> ports other than ones that you're particularly interested in.
>> Is there any kind of minimal build of gnupg that could be useful without
>> the gazillion dependencies ?
There's gpgv but it appears broken both in gnupg-2.2.41 and gnupg-2.4.3.
It doesn't really cut down the deps list anyway. There's
security/netpgp that depends only on bzip2, but the project doesn't seem
actively maintained upstream. Anyway I'd rather zap BUILD_DEPENDS.
Below is an updated version that I'm tinkering with. Changes: no more
CHECK_PGPSIG setting, provide a specific make target (that can be
overriden), don't append to BUILD_DEPENDS but complain if gpg isn't
installed. I can imagine people willing to use another program but I'd
rather keep it simple for now.
I'm not completely sold on zapping CHECK_PGPSIG, and using a specific
make target, instead of handling this in make checksum. Using the
checksum target would be more strict I guess.
Thoughts?
Index: bsd.port.mk
===================================================================
RCS file: /cvs/ports/infrastructure/mk/bsd.port.mk,v
retrieving revision 1.1594
diff -u -p -r1.1594 bsd.port.mk
--- bsd.port.mk 20 Jun 2023 06:19:32 -0000 1.1594
+++ bsd.port.mk 7 Jul 2023 13:56:32 -0000
@@ -118,7 +118,7 @@ _ALL_VARIABLES_PER_ARCH =
# consumers of (dump-vars) include sqlports generation and dpb
# dpb doesn't need everything, those are speed optimizations
.if ${DPB:L:Mfetch} || ${DPB:L:Mall}
-_ALL_VARIABLES += DISTFILES PATCHFILES SUPDISTFILES DIST_SUBDIR MASTER_SITES \
+_ALL_VARIABLES += DISTFILES PATCHFILES SUPDISTFILES SIGFILES DIST_SUBDIR
MASTER_SITES \
MASTER_SITES0 MASTER_SITES1 MASTER_SITES2 MASTER_SITES3 MASTER_SITES4 \
MASTER_SITES5 MASTER_SITES6 MASTER_SITES7 MASTER_SITES8 MASTER_SITES9 \
CHECKSUM_FILE FETCH_MANUALLY MISSING_FILES PERMIT_DISTFILES
@@ -1308,6 +1308,7 @@ DISTFILES ?= ${DISTNAME}${EXTRACT_SUFX}
PATCHFILES ?=
SUPDISTFILES ?=
+SIGFILES ?=
# the following loop "parses" DISTFILES-style files
# _PATH_x contains filenames with SUBDIR prepended when necessary
@@ -1319,10 +1320,10 @@ SUPDISTFILES ?=
#
# _FILES is used to de-duplicates names
# the order matters: DISTFILES PATCHFILES SUPDISTFILES
-# - we never have the same names in DISTFILES and PATCHFILES
+# - we never have the same names in DISTFILES and PATCHFILES or SIGFILES
# - SUPDISTFILES has to happen later
_FILES=
-.for v in DISTFILES PATCHFILES SUPDISTFILES
+.for v in DISTFILES PATCHFILES SIGFILES SUPDISTFILES
. if !empty($v)
. for e in ${$v}
. for f m u in ${e:C/:[0-9]$//:C/^(.*)\{.*\}(.*)$/\1\2/}
MASTER_SITES${e:M*\:[0-9]:C/^.*:([0-9])$/\1/}
${e:C/:[0-9]$//:C/^.*\{(.*)\}(.*)$/\1\2/}
@@ -1346,7 +1347,7 @@ _LIST_$v =
.endfor
_FULL_FETCH_LIST ?=
-CHECKSUMFILES = ${_PATH_DISTFILES} ${_PATH_PATCHFILES}
+CHECKSUMFILES = ${_PATH_DISTFILES} ${_PATH_PATCHFILES} ${_PATH_SIGFILES}
MAKESUMFILES = ${CHECKSUMFILES} ${_PATH_SUPDISTFILES}
# This is what is actually going to be extracted, and is overridable
@@ -2547,6 +2548,29 @@ _internal-checksum: _internal-fetch
fi
. endif
. endif
+
+check-pgp-sigs:
+.if !empty(SIGFILES)
+. if target(do-check-pgp-sigs)
+ @${MAKE} do-check-pgp-sigs
+. else
+. if !exists(${LOCALBASE}/bin/gpg)
+ @echo ">> gpg program not installed" >&2
+ @exit 1
+. endif
+ @cd ${FULLDISTDIR}; OK=true; \
+ for file in ${SIGFILES}; do \
+ ${LOCALBASE}/bin/gpg --verify $$file || OK=false; \
+ done; \
+ if ! $$OK; then \
+ echo ">> PGP signature invalid." >&2; \
+ exit 1; \
+ fi
+. endif
+.else
+ @echo ">> No PGP signature file." >&2
+ @exit 1
+.endif
# The cookie's recipe hold the real rule for each of those targets.
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
