-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
old keyring in BUILDINFO breaks reproducibillity when requiring sha1-sigs #127
Comments
These approaches are not mutually exclusive, shipping a "trust-resolved" keyring file can be done without changing any other code or how pacman verifies packages. Having this file available in the archlinux-keyring package would allow more software to better integrate with Arch Linux package signatures (e.g. This approach has been suggested previously because it also makes it easier to reason about which keys you trust, because the sha256 of a file is much easier to compare than the state machine inside of If "resolving the trust graph" is done inside of the archlinux-keyring
How the resolved file is generated could be iterated over in the future, but having the file available for use by future us seems like something we should start doing sooner than later.
FWIW since December 2022 there's a public bypass for disabling the web-of-trust using a single signature from any trusted packager. Configuring trust through simple files that are easy to reason about would make this kind of backdoor harder to hide from e.g. archlinux-userland-fs-cmp however. |
Currently we cannot reproduce packages that require old
archlinux-keyring
that were still depending on sha1 signatures. The reason is, that modern gnupg versions reject and ignore signatures that were done using a sha1 algo for security reasons. This leads to dropping Arch Linux main key signature on packagers keys, which ultimately means the web-of-trust schema using the ownertrust model in gpg drops down to marginal trust instead of full trust. This happens, when the threshold falls below 3 signatures.The current code responsible is as follows:
archlinux-repro/repro.in
Lines 430 to 432 in 75dfdc6
The root trust comes from the currently used bootstrap image:
archlinux-repro/repro.in
Lines 18 to 19 in 75dfdc6
This extracts the old keyring package like
archlinux-keyring-20220224-1-any
and pacstrap's it into the keyring cache. This subsequently resolves the dependencies, installing a new gnupg 2.4. Afterwards the hooks consume the old keyring with the new gnupg, leading to the drop of legacy signatures.Example:
libmnl-1.0.5-1-x86_64.pkg.tar.zst
is one of the affected packages, which installsarchlinux-keyring-20220224-1-any
. This results inerror: 'cache/findutils-4.9.0-1-x86_64.pkg.tar.zst': invalid or corrupted package (PGP signature)
.Solutions:
.BUILDINFO
of the keyring will lead to similar issues, depending on a package inside the.BUILDINFO
which isn't trusted anymore with the parent boostrap image. This means we either need to break the chain of trust by ignoring signatures once between latest bootstrap image and the keyring required for reproduction or we need to use individual bootstrap images taking back to the same time as the required keyring was built.The text was updated successfully, but these errors were encountered: