Verification of packages in a local mirror
1. Packages for several BSD and Linux operating systems / distributions are downloaded over a potentially insecure connection or are later on replaced with a malicious version on the local disk.
2. The whole mirror is malicious and serves you tampered files and signatures/metapackages.
Is there some OS independent way to check if the file has been changed?
I think for the major Linux distros based on Fedora, Debian, Suse the package manager should take care of 1 considering it works correctly and itself has not been tampered with. I'm not sure about the BSDs though.
But if I want to verify not through the package manager?
I can only think of something like: get the meta packages from a trusted source, compare them to the local ones, use the checksums in the meta packages to verify integrity of the local packages. Any easier way, or any ideas if this way would be insecure, maybe any ready made tools which do this? There is debsums but it works only for debs and I don't know if it verifies the whole package or just the files within.
linux package-management freebsd openbsd verification
Out of interest is this a practical problem you've encountered or a theoretical issue that should be addressed?
– roaima
Mar 13 at 12:20
A related question is unix.stackexchange.com/q/332362/5132 .
– JdeBP
Mar 13 at 12:38
1
@roaima It's a practical problem and I definitely need to address it somehow. Sounds odd maybe, but I expect the local mirror to be compromised at some point in time and I try to reduce the impact. Something similar for cloned git repos would also be nice. If there is no other way than the one I already lined out then I'll need to write some sort of script. If I trust the package manager itself enough then I could just verify the metapackages through some other channel and then let the package manager do its job. But since there have been security issues with package managers themselves ...
– user6756
Mar 13 at 13:46
One problem with verification of the metapackages is that the mirrors need to be synchronized. Otherwise verification will fail. So it depends on when the mirrors pull packages from the master. I'm not sure if there is some way (beyond sha checksums) to check if the file is the correct one. Like some trusted master key which I can use to check the package from another system.
– user6756
Mar 13 at 13:51
asked Mar 13 at 11:59
user6756
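The approach sketched in the question (take checksums from package metadata obtained over a trusted channel, then check the mirror's files against them), as an added example that is not part of the original thread. It assumes a Debian-style `Packages` index with `Filename`, `Size` and `SHA256` fields whose own authenticity has already been established elsewhere; the function names and the sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_packages_index(text):
    """Map Filename -> (size, sha256) from a Debian-style Packages index."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t"):  # continuation line of a multi-line field
                continue
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if {"Filename", "Size", "SHA256"} <= fields.keys():
            entries[fields["Filename"]] = (int(fields["Size"]), fields["SHA256"].lower())
    return entries

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_mirror(mirror_root, trusted_index_text):
    """Return {relative path: "ok" | "mismatch" | "missing" | "unlisted"}."""
    report = {}
    for rel, (size, digest) in parse_packages_index(trusted_index_text).items():
        path = os.path.join(mirror_root, *rel.split("/"))
        if not os.path.isfile(path):
            report[rel] = "missing"  # mirror not yet synced, or file removed
        elif os.path.getsize(path) != size or sha256_file(path) != digest:
            report[rel] = "mismatch"  # content differs from what the index vouches for
        else:
            report[rel] = "ok"
    for dirpath, _dirs, files in os.walk(mirror_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, mirror_root).replace(os.sep, "/")
            if name.endswith(".deb") and rel not in report:
                report[rel] = "unlisted"  # on disk but absent from the trusted index
    return report

def demo():
    """Constructed mirror: one intact, one altered, one absent and one extra file."""
    trusted = {"a": b"constructed package A", "b": b"constructed package B",
               "c": b"constructed package C"}
    index = "\n\n".join(
        f"Package: {n}\nFilename: pool/{n}.deb\nSize: {len(d)}\n"
        f"SHA256: {hashlib.sha256(d).hexdigest()}" for n, d in trusted.items())
    on_disk = {"a": trusted["a"], "b": b"constructed package X", "d": b"extra"}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "pool"))
        for n, d in on_disk.items():
            with open(os.path.join(root, "pool", n + ".deb"), "wb") as handle:
                handle.write(d)
        return verify_mirror(root, index)

if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:9} {rel}")
```

The altered file in the sample has the same size as the original, so only the hash comparison catches it; `missing` and `unlisted` are reported separately from `mismatch` because a mirror that lags behind the master produces them without any tampering.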
1 Answer
In BSD there are simple solutions to avoid the attacks (1, 2) you described.
Basic. Use PKG
The latest supported FreeBSD releases with security updates already include /etc/pkg/FreeBSD.conf and known public keys.
Advanced (should be preferred in production). Use Ports Collection, build your own mirror with Poudriere and configure PKG_REPO_SIGNING_KEY.
```
# Path to the RSA key to sign the PKG repo with. See pkg-repo(8)
PKG_REPO_SIGNING_KEY=/etc/ssl/keys/repo.key
```
A complete overview of BSD packages/ports security is out of scope here. The short message is that the port system is separated from the base system and each BSD administrator should be able to maintain her own build system and mirrors. To learn the details, review Absolute FreeBSD and the following chapters in particular.
- Chapter 16: Customizing Software with Ports
- Chapter 17: Advanced Software Management
- Chapter 18: Upgrading FreeBSD
- Chapter 19: Advanced Security Features
answered Mar 13 at 18:26
Vladimir Botka