Verification of packages in a local mirror

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








1















  1. Packages for several BSD and Linux operating systems / distributions are downloaded over a potentially insecure connecting or are later on replaced with a malicious version on the local disk.

  2. The whole mirror is malicious and serves you tampered files and signatures/metapackages.
    Is there some OS independent way to check if the file has been changed?

I think for the major Linux distros based on Fedora, Debian, Suse the package manager should take care of 1 considering it works correctly and itself has not been tampered with. I'm not sure about the BSDs though.
But if I want to verify not through the package manager?
I can only think of something like: get the meta packages from a trusted source, compare them to the local ones, use the checksums in the meta packages to verify integrity of the local packages. Any easier way, or any ideas if this way would be insecure, maybe any ready made tools which do this? There is debsums but it works only for debs and I don't know if it verifies the whole package or just the files within.










share|improve this question






















  • Out of interest is this a practical problem you've encountered or a theoretical issue that should be addressed?

    – roaima
    Mar 13 at 12:20











  • A related question is unix.stackexchange.com/q/332362/5132 .

    – JdeBP
    Mar 13 at 12:38






  • 1





    @roaima It's a practical problem and I definitely need to address it somehow. Sounds odd maybe, but I expect the local mirror to be compromised at some point in time and I try to reduce the impact. Something similar for cloned git repos would also be nice. If there is no other way than the one I already lined out then I'll need to write some sort of script. If I trust the package manager itself enough then I could just verify the metapackages through some other channel and then let the package manager do its job. But since there have been security issues with package managers themselves ...

    – user6756
    Mar 13 at 13:46











  • One problem with verification of the metapackages is that the mirrors need to be synchronized. Otherwise verification will fail. So it depends on when the mirrors pull packages from the master. I'm not sure if there is some way (beyond sha checksums) to check if the file is the correct one. Like some trusted master key which I can use to check the package from another system.

    – user6756
    Mar 13 at 13:51


















1















  1. Packages for several BSD and Linux operating systems / distributions are downloaded over a potentially insecure connecting or are later on replaced with a malicious version on the local disk.

  2. The whole mirror is malicious and serves you tampered files and signatures/metapackages.
    Is there some OS independent way to check if the file has been changed?

I think for the major Linux distros based on Fedora, Debian, Suse the package manager should take care of 1 considering it works correctly and itself has not been tampered with. I'm not sure about the BSDs though.
But if I want to verify not through the package manager?
I can only think of something like: get the meta packages from a trusted source, compare them to the local ones, use the checksums in the meta packages to verify integrity of the local packages. Any easier way, or any ideas if this way would be insecure, maybe any ready made tools which do this? There is debsums but it works only for debs and I don't know if it verifies the whole package or just the files within.










share|improve this question






















  • Out of interest is this a practical problem you've encountered or a theoretical issue that should be addressed?

    – roaima
    Mar 13 at 12:20











  • A related question is unix.stackexchange.com/q/332362/5132 .

    – JdeBP
    Mar 13 at 12:38






  • 1





    @roaima It's a practical problem and I definitely need to address it somehow. Sounds odd maybe, but I expect the local mirror to be compromised at some point in time and I try to reduce the impact. Something similar for cloned git repos would also be nice. If there is no other way than the one I already lined out then I'll need to write some sort of script. If I trust the package manager itself enough then I could just verify the metapackages through some other channel and then let the package manager do its job. But since there have been security issues with package managers themselves ...

    – user6756
    Mar 13 at 13:46











  • One problem with verification of the metapackages is that the mirrors need to be synchronized. Otherwise verification will fail. So it depends on when the mirrors pull packages from the master. I'm not sure if there is some way (beyond sha checksums) to check if the file is the correct one. Like some trusted master key which I can use to check the package from another system.

    – user6756
    Mar 13 at 13:51














1












1








1








  1. Packages for several BSD and Linux operating systems / distributions are downloaded over a potentially insecure connecting or are later on replaced with a malicious version on the local disk.

  2. The whole mirror is malicious and serves you tampered files and signatures/metapackages.
    Is there some OS independent way to check if the file has been changed?

I think for the major Linux distros based on Fedora, Debian, Suse the package manager should take care of 1 considering it works correctly and itself has not been tampered with. I'm not sure about the BSDs though.
But if I want to verify not through the package manager?
I can only think of something like: get the meta packages from a trusted source, compare them to the local ones, use the checksums in the meta packages to verify integrity of the local packages. Any easier way, or any ideas if this way would be insecure, maybe any ready made tools which do this? There is debsums but it works only for debs and I don't know if it verifies the whole package or just the files within.










share|improve this question














  1. Packages for several BSD and Linux operating systems / distributions are downloaded over a potentially insecure connecting or are later on replaced with a malicious version on the local disk.

  2. The whole mirror is malicious and serves you tampered files and signatures/metapackages.
    Is there some OS independent way to check if the file has been changed?

I think for the major Linux distros based on Fedora, Debian, Suse the package manager should take care of 1 considering it works correctly and itself has not been tampered with. I'm not sure about the BSDs though.
But if I want to verify not through the package manager?
I can only think of something like: get the meta packages from a trusted source, compare them to the local ones, use the checksums in the meta packages to verify integrity of the local packages. Any easier way, or any ideas if this way would be insecure, maybe any ready made tools which do this? There is debsums but it works only for debs and I don't know if it verifies the whole package or just the files within.







linux package-management freebsd openbsd verification






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Mar 13 at 11:59









user6756user6756

61




61












  • Out of interest is this a practical problem you've encountered or a theoretical issue that should be addressed?

    – roaima
    Mar 13 at 12:20











  • A related question is unix.stackexchange.com/q/332362/5132 .

    – JdeBP
    Mar 13 at 12:38






  • 1





    @roaima It's a practical problem and I definitely need to address it somehow. Sounds odd maybe, but I expect the local mirror to be compromised at some point in time and I try to reduce the impact. Something similar for cloned git repos would also be nice. If there is no other way than the one I already lined out then I'll need to write some sort of script. If I trust the package manager itself enough then I could just verify the metapackages through some other channel and then let the package manager do its job. But since there have been security issues with package managers themselves ...

    – user6756
    Mar 13 at 13:46











  • One problem with verification of the metapackages is that the mirrors need to be synchronized. Otherwise verification will fail. So it depends on when the mirrors pull packages from the master. I'm not sure if there is some way (beyond sha checksums) to check if the file is the correct one. Like some trusted master key which I can use to check the package from another system.

    – user6756
    Mar 13 at 13:51


















  • Out of interest is this a practical problem you've encountered or a theoretical issue that should be addressed?

    – roaima
    Mar 13 at 12:20











  • A related question is unix.stackexchange.com/q/332362/5132 .

    – JdeBP
    Mar 13 at 12:38






  • 1





    @roaima It's a practical problem and I definitely need to address it somehow. Sounds odd maybe, but I expect the local mirror to be compromised at some point in time and I try to reduce the impact. Something similar for cloned git repos would also be nice. If there is no other way than the one I already lined out then I'll need to write some sort of script. If I trust the package manager itself enough then I could just verify the metapackages through some other channel and then let the package manager do its job. But since there have been security issues with package managers themselves ...

    – user6756
    Mar 13 at 13:46











  • One problem with verification of the metapackages is that the mirrors need to be synchronized. Otherwise verification will fail. So it depends on when the mirrors pull packages from the master. I'm not sure if there is some way (beyond sha checksums) to check if the file is the correct one. Like some trusted master key which I can use to check the package from another system.

    – user6756
    Mar 13 at 13:51

















Out of interest is this a practical problem you've encountered or a theoretical issue that should be addressed?

– roaima
Mar 13 at 12:20





Out of interest is this a practical problem you've encountered or a theoretical issue that should be addressed?

– roaima
Mar 13 at 12:20













A related question is unix.stackexchange.com/q/332362/5132 .

– JdeBP
Mar 13 at 12:38





A related question is unix.stackexchange.com/q/332362/5132 .

– JdeBP
Mar 13 at 12:38




1




1





@roaima It's a practical problem and I definitely need to address it somehow. Sounds odd maybe, but I expect the local mirror to be compromised at some point in time and I try to reduce the impact. Something similar for cloned git repos would also be nice. If there is no other way than the one I already lined out then I'll need to write some sort of script. If I trust the package manager itself enough then I could just verify the metapackages through some other channel and then let the package manager do its job. But since there have been security issues with package managers themselves ...

– user6756
Mar 13 at 13:46





@roaima It's a practical problem and I definitely need to address it somehow. Sounds odd maybe, but I expect the local mirror to be compromised at some point in time and I try to reduce the impact. Something similar for cloned git repos would also be nice. If there is no other way than the one I already lined out then I'll need to write some sort of script. If I trust the package manager itself enough then I could just verify the metapackages through some other channel and then let the package manager do its job. But since there have been security issues with package managers themselves ...

– user6756
Mar 13 at 13:46













One problem with verification of the metapackages is that the mirrors need to be synchronized. Otherwise verification will fail. So it depends on when the mirrors pull packages from the master. I'm not sure if there is some way (beyond sha checksums) to check if the file is the correct one. Like some trusted master key which I can use to check the package from another system.

– user6756
Mar 13 at 13:51






One problem with verification of the metapackages is that the mirrors need to be synchronized. Otherwise verification will fail. So it depends on when the mirrors pull packages from the master. I'm not sure if there is some way (beyond sha checksums) to check if the file is the correct one. Like some trusted master key which I can use to check the package from another system.

– user6756
Mar 13 at 13:51











1 Answer
1






active

oldest

votes


















0














In BSD there are simple solutions how to avoid attacks (1,2) you described.




  • Basic. Use PKG




    The latest supported FreeBSD releases with security updates already includes /etc/pkg/FreeBSD.conf and known public keys.





  • Advanced (should be preffered in production). Use Ports Collection, build your own mirror with Poudriere and configure PKG_REPO_SIGNING_KEY.




    Path to the RSA key to sign the PKG repo with. See pkg-repo(8)
    PKG_REPO_SIGNING_KEY=/etc/ssl/keys/repo.key




Complete overview of BSD packages/ports security is out of scope here. Short message is that the port system is separated from the base system and each BSD administrator should be able to maintain her own build system and mirrors. To learn details review Absolute FreeBSD and following chapters in particular.



  • Chapter 16: Customizing Software with Ports

  • Chapter 17: Advanced Software Management

  • Chapter 18: Upgrading FreeBSD

  • Chapter 19: Advanced Security Features





share|improve this answer























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f506077%2fverification-of-packages-in-a-local-mirror%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    In BSD there are simple solutions how to avoid attacks (1,2) you described.




    • Basic. Use PKG




      The latest supported FreeBSD releases with security updates already includes /etc/pkg/FreeBSD.conf and known public keys.





    • Advanced (should be preffered in production). Use Ports Collection, build your own mirror with Poudriere and configure PKG_REPO_SIGNING_KEY.




      Path to the RSA key to sign the PKG repo with. See pkg-repo(8)
      PKG_REPO_SIGNING_KEY=/etc/ssl/keys/repo.key




    Complete overview of BSD packages/ports security is out of scope here. Short message is that the port system is separated from the base system and each BSD administrator should be able to maintain her own build system and mirrors. To learn details review Absolute FreeBSD and following chapters in particular.



    • Chapter 16: Customizing Software with Ports

    • Chapter 17: Advanced Software Management

    • Chapter 18: Upgrading FreeBSD

    • Chapter 19: Advanced Security Features





    share|improve this answer



























      0














      In BSD there are simple solutions how to avoid attacks (1,2) you described.




      • Basic. Use PKG




        The latest supported FreeBSD releases with security updates already includes /etc/pkg/FreeBSD.conf and known public keys.





      • Advanced (should be preffered in production). Use Ports Collection, build your own mirror with Poudriere and configure PKG_REPO_SIGNING_KEY.




        Path to the RSA key to sign the PKG repo with. See pkg-repo(8)
        PKG_REPO_SIGNING_KEY=/etc/ssl/keys/repo.key




      Complete overview of BSD packages/ports security is out of scope here. Short message is that the port system is separated from the base system and each BSD administrator should be able to maintain her own build system and mirrors. To learn details review Absolute FreeBSD and following chapters in particular.



      • Chapter 16: Customizing Software with Ports

      • Chapter 17: Advanced Software Management

      • Chapter 18: Upgrading FreeBSD

      • Chapter 19: Advanced Security Features





      share|improve this answer

























        0












        0








        0







        In BSD there are simple solutions how to avoid attacks (1,2) you described.




        • Basic. Use PKG




          The latest supported FreeBSD releases with security updates already includes /etc/pkg/FreeBSD.conf and known public keys.





        • Advanced (should be preffered in production). Use Ports Collection, build your own mirror with Poudriere and configure PKG_REPO_SIGNING_KEY.




          Path to the RSA key to sign the PKG repo with. See pkg-repo(8)
          PKG_REPO_SIGNING_KEY=/etc/ssl/keys/repo.key




        Complete overview of BSD packages/ports security is out of scope here. Short message is that the port system is separated from the base system and each BSD administrator should be able to maintain her own build system and mirrors. To learn details review Absolute FreeBSD and following chapters in particular.



        • Chapter 16: Customizing Software with Ports

        • Chapter 17: Advanced Software Management

        • Chapter 18: Upgrading FreeBSD

        • Chapter 19: Advanced Security Features





        share|improve this answer













        In BSD there are simple solutions how to avoid attacks (1,2) you described.




        • Basic. Use PKG




          The latest supported FreeBSD releases with security updates already includes /etc/pkg/FreeBSD.conf and known public keys.





        • Advanced (should be preffered in production). Use Ports Collection, build your own mirror with Poudriere and configure PKG_REPO_SIGNING_KEY.




          Path to the RSA key to sign the PKG repo with. See pkg-repo(8)
          PKG_REPO_SIGNING_KEY=/etc/ssl/keys/repo.key




        Complete overview of BSD packages/ports security is out of scope here. Short message is that the port system is separated from the base system and each BSD administrator should be able to maintain her own build system and mirrors. To learn details review Absolute FreeBSD and following chapters in particular.



        • Chapter 16: Customizing Software with Ports

        • Chapter 17: Advanced Software Management

        • Chapter 18: Upgrading FreeBSD

        • Chapter 19: Advanced Security Features






        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Mar 13 at 18:26









        Vladimir BotkaVladimir Botka

        28819




        28819



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f506077%2fverification-of-packages-in-a-local-mirror%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?