touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #02390
[Bug 1330770] Re: click packages rely upon tls for integrity and authenticity
A correction to comment #8, after the latest changes in the spec:
The code doing app updates in system settings will also need to do the same steps as the click scope:
- fetch the sha-512 hash from the package details webservice
- pass it to download manager so it can verify the download of the package with the store signature appended.
There's no longer a need for the updater nor the click scope to download
signatures nor to pass them to packagekit.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to click in Ubuntu.
https://bugs.launchpad.net/bugs/1330770
Title:
click packages rely upon tls for integrity and authenticity
Status in Click Package metadata search service:
New
Status in Online service used by software center:
New
Status in Click Packages Scope for Unity:
New
Status in “click” package in Ubuntu:
In Progress
Status in “ubuntu-system-settings” package in Ubuntu:
Triaged
Status in “unity-scope-click” package in Ubuntu:
New
Bug description:
Hello, I just completed a quick review of the click source and the
unity-scope-click source and behaviours, and found some opportunities
for improvement.
Debian, and Ubuntu, rely upon signed repository files with
cryptographic hashes of packages to provide both integrity and
authenticity checks for the packages hosted on that repository.
The click framework and the unity-scope-click discovery and
installation tool do not use signed repository files, nor do they have
signatures of any sort on downloaded packages. The only integrity and
authenticity checks are provided by the use of HTTPS. The click
verify command will check files within the archive against MD5sums
stored inside the archive but the click verify command is not used
during package installation. (This is suitable for validating
integrity against accidental changes only.)
While it appears that unity-scope-click properly uses HTTPS to
download package metadata and packages, HTTPS alone is insufficient
for our needs:
- Someone in a position to create new certificates at any of several
hundred certificate authorities could create certificates purporting
to be our update servers. This actual problem has been discovered in
the wild with several certificate authorities issuing wild-card
certificates or even certificates with signing authority.
- X.509 is extremely complicated; TLS is extremely complicated. Flaws
in both are inevitable.
- HTTPS prevents the use of caching.
- HTTPS only 'works' for data-in-motion; it is useless for data-at-
rest integrity and authenticity checks.
I have not yet reviewed the tools that application authors will use to
upload their packages to our distribution servers but note in passing
that most of these issues are also issues for adding packages to our
update servers -- packages in flight within our network can be
corrupted for many reasons, packages on disk can be corrupted for many
reasons. A signature mechanism can protect against internal network
faults, storage faults, and provide assurance months or years later
that an uploaded package was uploaded by someone in control of a
corresponding private key.
Thanks
To manage notifications about this bug go to:
https://bugs.launchpad.net/click-package-index/+bug/1330770/+subscriptions