Verification of packages in a local mirror

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








1















  1. Packages for several BSD and Linux operating systems / distributions are downloaded over a potentially insecure connecting or are later on replaced with a malicious version on the local disk.

  2. The whole mirror is malicious and serves you tampered files and signatures/metapackages.
    Is there some OS independent way to check if the file has been changed?

I think for the major Linux distros based on Fedora, Debian, Suse the package manager should take care of 1 considering it works correctly and itself has not been tampered with. I'm not sure about the BSDs though.
But if I want to verify not through the package manager?
I can only think of something like: get the meta packages from a trusted source, compare them to the local ones, use the checksums in the meta packages to verify integrity of the local packages. Any easier way, or any ideas if this way would be insecure, maybe any ready made tools which do this? There is debsums but it works only for debs and I don't know if it verifies the whole package or just the files within.






linux package-management freebsd openbsd verification







share|improve this question






















  • Out of interest is this a practical problem you've encountered or a theoretical issue that should be addressed?

    – roaima
    Mar 13 at 12:20











  • A related question is unix.stackexchange.com/q/332362/5132 .

    – JdeBP
    Mar 13 at 12:38






  • 1





    @roaima It's a practical problem and I definitely need to address it somehow. Sounds odd maybe, but I expect the local mirror to be compromised at some point in time and I try to reduce the impact. Something similar for cloned git repos would also be nice. If there is no other way than the one I already lined out then I'll need to write some sort of script. If I trust the package manager itself enough then I could just verify the metapackages through some other channel and then let the package manager do its job. But since there have been security issues with package managers themselves ...

    – user6756
    Mar 13 at 13:46











  • One problem with verification of the metapackages is that the mirrors need to be synchronized. Otherwise verification will fail. So it depends on when the mirrors pull packages from the master. I'm not sure if there is some way (beyond sha checksums) to check if the file is the correct one. Like some trusted master key which I can use to check the package from another system.

    – user6756
    Mar 13 at 13:51


















1















  1. Packages for several BSD and Linux operating systems / distributions are downloaded over a potentially insecure connecting or are later on replaced with a malicious version on the local disk.

  2. The whole mirror is malicious and serves you tampered files and signatures/metapackages.
    Is there some OS independent way to check if the file has been changed?

I think for the major Linux distros based on Fedora, Debian, Suse the package manager should take care of 1 considering it works correctly and itself has not been tampered with. I'm not sure about the BSDs though.
But if I want to verify not through the package manager?
I can only think of something like: get the meta packages from a trusted source, compare them to the local ones, use the checksums in the meta packages to verify integrity of the local packages. Any easier way, or any ideas if this way would be insecure, maybe any ready made tools which do this? There is debsums but it works only for debs and I don't know if it verifies the whole package or just the files within.






linux package-management freebsd openbsd verification







share|improve this question






















  • Out of interest is this a practical problem you've encountered or a theoretical issue that should be addressed?

    – roaima
    Mar 13 at 12:20











  • A related question is unix.stackexchange.com/q/332362/5132 .

    – JdeBP
    Mar 13 at 12:38






  • 1





    @roaima It's a practical problem and I definitely need to address it somehow. Sounds odd maybe, but I expect the local mirror to be compromised at some point in time and I try to reduce the impact. Something similar for cloned git repos would also be nice. If there is no other way than the one I already lined out then I'll need to write some sort of script. If I trust the package manager itself enough then I could just verify the metapackages through some other channel and then let the package manager do its job. But since there have been security issues with package managers themselves ...

    – user6756
    Mar 13 at 13:46











  • One problem with verification of the metapackages is that the mirrors need to be synchronized. Otherwise verification will fail. So it depends on when the mirrors pull packages from the master. I'm not sure if there is some way (beyond sha checksums) to check if the file is the correct one. Like some trusted master key which I can use to check the package from another system.

    – user6756
    Mar 13 at 13:51














1












1








1








  1. Packages for several BSD and Linux operating systems / distributions are downloaded over a potentially insecure connecting or are later on replaced with a malicious version on the local disk.

  2. The whole mirror is malicious and serves you tampered files and signatures/metapackages.
    Is there some OS independent way to check if the file has been changed?

I think for the major Linux distros based on Fedora, Debian, Suse the package manager should take care of 1 considering it works correctly and itself has not been tampered with. I'm not sure about the BSDs though.
But if I want to verify not through the package manager?
I can only think of something like: get the meta packages from a trusted source, compare them to the local ones, use the checksums in the meta packages to verify integrity of the local packages. Any easier way, or any ideas if this way would be insecure, maybe any ready made tools which do this? There is debsums but it works only for debs and I don't know if it verifies the whole package or just the files within.






linux package-management freebsd openbsd verification







share|improve this question














  1. Packages for several BSD and Linux operating systems / distributions are downloaded over a potentially insecure connecting or are later on replaced with a malicious version on the local disk.

  2. The whole mirror is malicious and serves you tampered files and signatures/metapackages.
    Is there some OS independent way to check if the file has been changed?

I think for the major Linux distros based on Fedora, Debian, Suse the package manager should take care of 1 considering it works correctly and itself has not been tampered with. I'm not sure about the BSDs though.
But if I want to verify not through the package manager?
I can only think of something like: get the meta packages from a trusted source, compare them to the local ones, use the checksums in the meta packages to verify integrity of the local packages. Any easier way, or any ideas if this way would be insecure, maybe any ready made tools which do this? There is debsums but it works only for debs and I don't know if it verifies the whole package or just the files within.






linux package-management freebsd openbsd verification




linux package-management freebsd openbsd verification






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Mar 13 at 11:59









user6756user6756

61




61












  • Out of interest is this a practical problem you've encountered or a theoretical issue that should be addressed?

    – roaima
    Mar 13 at 12:20











  • A related question is unix.stackexchange.com/q/332362/5132 .

    – JdeBP
    Mar 13 at 12:38






  • 1





    @roaima It's a practical problem and I definitely need to address it somehow. Sounds odd maybe, but I expect the local mirror to be compromised at some point in time and I try to reduce the impact. Something similar for cloned git repos would also be nice. If there is no other way than the one I already lined out then I'll need to write some sort of script. If I trust the package manager itself enough then I could just verify the metapackages through some other channel and then let the package manager do its job. But since there have been security issues with package managers themselves ...

    – user6756
    Mar 13 at 13:46











  • One problem with verification of the metapackages is that the mirrors need to be synchronized. Otherwise verification will fail. So it depends on when the mirrors pull packages from the master. I'm not sure if there is some way (beyond sha checksums) to check if the file is the correct one. Like some trusted master key which I can use to check the package from another system.

    – user6756
    Mar 13 at 13:51


















  • Out of interest is this a practical problem you've encountered or a theoretical issue that should be addressed?

    – roaima
    Mar 13 at 12:20











  • A related question is unix.stackexchange.com/q/332362/5132 .

    – JdeBP
    Mar 13 at 12:38






  • 1





    @roaima It's a practical problem and I definitely need to address it somehow. Sounds odd maybe, but I expect the local mirror to be compromised at some point in time and I try to reduce the impact. Something similar for cloned git repos would also be nice. If there is no other way than the one I already lined out then I'll need to write some sort of script. If I trust the package manager itself enough then I could just verify the metapackages through some other channel and then let the package manager do its job. But since there have been security issues with package managers themselves ...

    – user6756
    Mar 13 at 13:46











  • One problem with verification of the metapackages is that the mirrors need to be synchronized. Otherwise verification will fail. So it depends on when the mirrors pull packages from the master. I'm not sure if there is some way (beyond sha checksums) to check if the file is the correct one. Like some trusted master key which I can use to check the package from another system.

    – user6756
    Mar 13 at 13:51

















Out of interest is this a practical problem you've encountered or a theoretical issue that should be addressed?

– roaima
Mar 13 at 12:20





Out of interest is this a practical problem you've encountered or a theoretical issue that should be addressed?

– roaima
Mar 13 at 12:20













A related question is unix.stackexchange.com/q/332362/5132 .

– JdeBP
Mar 13 at 12:38





A related question is unix.stackexchange.com/q/332362/5132 .

– JdeBP
Mar 13 at 12:38




1




1





@roaima It's a practical problem and I definitely need to address it somehow. Sounds odd maybe, but I expect the local mirror to be compromised at some point in time and I try to reduce the impact. Something similar for cloned git repos would also be nice. If there is no other way than the one I already lined out then I'll need to write some sort of script. If I trust the package manager itself enough then I could just verify the metapackages through some other channel and then let the package manager do its job. But since there have been security issues with package managers themselves ...

– user6756
Mar 13 at 13:46





@roaima It's a practical problem and I definitely need to address it somehow. Sounds odd maybe, but I expect the local mirror to be compromised at some point in time and I try to reduce the impact. Something similar for cloned git repos would also be nice. If there is no other way than the one I already lined out then I'll need to write some sort of script. If I trust the package manager itself enough then I could just verify the metapackages through some other channel and then let the package manager do its job. But since there have been security issues with package managers themselves ...

– user6756
Mar 13 at 13:46













One problem with verification of the metapackages is that the mirrors need to be synchronized. Otherwise verification will fail. So it depends on when the mirrors pull packages from the master. I'm not sure if there is some way (beyond sha checksums) to check if the file is the correct one. Like some trusted master key which I can use to check the package from another system.

– user6756
Mar 13 at 13:51






One problem with verification of the metapackages is that the mirrors need to be synchronized. Otherwise verification will fail. So it depends on when the mirrors pull packages from the master. I'm not sure if there is some way (beyond sha checksums) to check if the file is the correct one. Like some trusted master key which I can use to check the package from another system.

– user6756
Mar 13 at 13:51











1 Answer
1






active

oldest

votes


















0














In BSD there are simple solutions how to avoid attacks (1,2) you described.




  • Basic. Use PKG




    The latest supported FreeBSD releases with security updates already includes /etc/pkg/FreeBSD.conf and known public keys.





  • Advanced (should be preffered in production). Use Ports Collection, build your own mirror with Poudriere and configure PKG_REPO_SIGNING_KEY.




    Path to the RSA key to sign the PKG repo with. See pkg-repo(8)
    PKG_REPO_SIGNING_KEY=/etc/ssl/keys/repo.key




Complete overview of BSD packages/ports security is out of scope here. Short message is that the port system is separated from the base system and each BSD administrator should be able to maintain her own build system and mirrors. To learn details review Absolute FreeBSD and following chapters in particular.



  • Chapter 16: Customizing Software with Ports

  • Chapter 17: Advanced Software Management

  • Chapter 18: Upgrading FreeBSD

  • Chapter 19: Advanced Security Features





share|improve this answer























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f506077%2fverification-of-packages-in-a-local-mirror%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    In BSD there are simple solutions how to avoid attacks (1,2) you described.




    • Basic. Use PKG




      The latest supported FreeBSD releases with security updates already includes /etc/pkg/FreeBSD.conf and known public keys.





    • Advanced (should be preffered in production). Use Ports Collection, build your own mirror with Poudriere and configure PKG_REPO_SIGNING_KEY.




      Path to the RSA key to sign the PKG repo with. See pkg-repo(8)
      PKG_REPO_SIGNING_KEY=/etc/ssl/keys/repo.key




    Complete overview of BSD packages/ports security is out of scope here. Short message is that the port system is separated from the base system and each BSD administrator should be able to maintain her own build system and mirrors. To learn details review Absolute FreeBSD and following chapters in particular.



    • Chapter 16: Customizing Software with Ports

    • Chapter 17: Advanced Software Management

    • Chapter 18: Upgrading FreeBSD

    • Chapter 19: Advanced Security Features





    share|improve this answer



























      0














      In BSD there are simple solutions how to avoid attacks (1,2) you described.




      • Basic. Use PKG




        The latest supported FreeBSD releases with security updates already includes /etc/pkg/FreeBSD.conf and known public keys.





      • Advanced (should be preffered in production). Use Ports Collection, build your own mirror with Poudriere and configure PKG_REPO_SIGNING_KEY.




        Path to the RSA key to sign the PKG repo with. See pkg-repo(8)
        PKG_REPO_SIGNING_KEY=/etc/ssl/keys/repo.key




      Complete overview of BSD packages/ports security is out of scope here. Short message is that the port system is separated from the base system and each BSD administrator should be able to maintain her own build system and mirrors. To learn details review Absolute FreeBSD and following chapters in particular.



      • Chapter 16: Customizing Software with Ports

      • Chapter 17: Advanced Software Management

      • Chapter 18: Upgrading FreeBSD

      • Chapter 19: Advanced Security Features





      share|improve this answer

























        0












        0








        0







        In BSD there are simple solutions how to avoid attacks (1,2) you described.




        • Basic. Use PKG




          The latest supported FreeBSD releases with security updates already includes /etc/pkg/FreeBSD.conf and known public keys.





        • Advanced (should be preffered in production). Use Ports Collection, build your own mirror with Poudriere and configure PKG_REPO_SIGNING_KEY.




          Path to the RSA key to sign the PKG repo with. See pkg-repo(8)
          PKG_REPO_SIGNING_KEY=/etc/ssl/keys/repo.key




        Complete overview of BSD packages/ports security is out of scope here. Short message is that the port system is separated from the base system and each BSD administrator should be able to maintain her own build system and mirrors. To learn details review Absolute FreeBSD and following chapters in particular.



        • Chapter 16: Customizing Software with Ports

        • Chapter 17: Advanced Software Management

        • Chapter 18: Upgrading FreeBSD

        • Chapter 19: Advanced Security Features





        share|improve this answer













        In BSD there are simple solutions how to avoid attacks (1,2) you described.




        • Basic. Use PKG




          The latest supported FreeBSD releases with security updates already includes /etc/pkg/FreeBSD.conf and known public keys.





        • Advanced (should be preffered in production). Use Ports Collection, build your own mirror with Poudriere and configure PKG_REPO_SIGNING_KEY.




          Path to the RSA key to sign the PKG repo with. See pkg-repo(8)
          PKG_REPO_SIGNING_KEY=/etc/ssl/keys/repo.key




        Complete overview of BSD packages/ports security is out of scope here. Short message is that the port system is separated from the base system and each BSD administrator should be able to maintain her own build system and mirrors. To learn details review Absolute FreeBSD and following chapters in particular.



        • Chapter 16: Customizing Software with Ports

        • Chapter 17: Advanced Software Management

        • Chapter 18: Upgrading FreeBSD

        • Chapter 19: Advanced Security Features






        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Mar 13 at 18:26









        Vladimir BotkaVladimir Botka

        28819




        28819



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f506077%2fverification-of-packages-in-a-local-mirror%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            -

            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Image
            Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Sep 26 at 0:12 ToanLuong 49 9 add a comment  |  up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Se
            Read more

            Bahrain

            Image
            For other uses, see Bahrain (disambiguation). Sovereign island state in the Persian Gulf Kingdom of Bahrain مملكة البحرين   (Arabic) Mamlakat al-Baḥrayn Flag Coat of arms Anthem:  نشيد البحرين الوطني Bahrainona Our Bahrain Location of   Bahrain    (circled in red) Capital and largest city Manama 26°13′N 50°35′E  /  26.217°N 50.583°E  / 26.217; 50.583 Official languages Arabic Ethnic groups (2010 [1] ) 50.7% Arab (46% Bahrani, 4.7% other Arabs) 45.5% Asian 1% European 1.2% Others Religion Islam Demonym(s) Bahraini Government Unitary constitutional monarchy • King Hamad bin Isa Al Khalifa • Crown Prince Salman bin Hamad bin Isa Al Khalifa • Prime Minister Khalifa bin Salman Al Khalifa Legislature National Assembly • Upper house Consultative Council • Lower house Council of Representatives Independence • Declared Independence [2] 14 August 1971 • from United Kingdom [1] 15 August 1971 • Admitted to the United Nations 21 September 1971 • Kingdom of Bahrain 14 February 2002
            Read more

            Postfix configuration issue with fips on centos 7; mailgun relay

            Image
            Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite I am trying to setup postfix to relay all mail generated on the local machine via SMTP to a mailgun relay. I have used the mailgun relay before with success on an ubuntu server, but I am migrating to a Centos 7 server which I will be running in FIPS mode. There error log is below, slightly sanitized. I have a small enough network that I choose to have each machine reach out to mailgun individually (this the loopback-only, 127.0.0.0/8 restrictions) and no firewall open port allowing smtp in to the machine. I assume the FIPS mode (and with it disabling of MD5) is causing problems, but I don't know how to overcome it or if it is even possible for tls_fprint to use some supported hash such as sha256 or sha512. However, the relay=none is slightly concerning since I have relayhost set, but perhaps that is because the smtp process is failing? Any help would be appreciated! postconf -n: alias_database = hash:/etc/alia
            Read more