Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)
I would expect migration to happen this way: * a dnf repo has only rpms with only one old signature * dnf and rpm and distribution-repo-keys package or dns repo metadata for offering new keys are updated to support the new signature format and include the new key * a release cycle happens so people can still update to this old repo (rolling distries wait time and make a snapshot) * the next release of the repo is rebuilt to have all rpms only have new signature type with the new key; dnf knows old and new key, but the old repo only uses the old one and the new repo only used the new key; so the switch of a repo to a new key can happen atomically as long as dnf knows both keys * after some time or a release cycle an update to distribution-repo-keys or dnf repo metadata with remove-key instructions removes the old key Supporting two keys at the same time would be to hedge against one being compromised and migration would work the same as above. I currently don't see how a more complicated migration would give you any advantages except more chance for errors. If you really want to make it more complicated you could make a migration with phases of unsupported signature formats and/or optional keys by recording in the dnf repo meta data the list of keys of signatures to expect and marking some of these keys optional and/or skip-if-unsupported and passing that list to rpm. So you can have both flexibility and strict by default. Does any of that work for your use cases? If you have a use case that needs a more complicated migration, can you explain what leads to that need or what the advantages are? -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2460478976 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Sanitize signing operation output (PR #3424)
@pmatilai pushed 2 commits. 7df36ba7ba370f72f93554c1863d855a0ed5856d Run all signing tests with runroot since we now can 1d53115a6310a9cfb4b5a58fd71c5e0c1487e96c Sanitize rpmsign --addsign/--delsign output -- View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3424/files/d00afdbf115de10911586d8f6bd3cf1c9e408cce..1d53115a6310a9cfb4b5a58fd71c5e0c1487e96c You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)
@JanZerebecki This work is meant to create the conditions to move to new signatures over time while retaining backwards compatibility. A draconian policy that does not contemplate the possibility of getting an RPM with unknown signatures would make any transition impossible. I am sure it should be an optional policy you can set on your system if you want to be strict, but we are talking about reasonable defaults here. Of course if rpm does not recognize *any* signature it should fail, but as long as it can verify all known ones it is fine. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2460359947 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Sanitize signing operation output (PR #3424)
@dmnks approved this pull request. Looks good, I've made a little fixup commit, see the message for details. There's a conflict in one test on master now so please resolve and then feel free to merge this one. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/3424#pullrequestreview-2418072842 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)
Another related change is that we'll call header+payload signatures and digests "Legacy" from here on. Rpm v4 header signatures will be called legacy too but maybe not just yet. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2459774496 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Fix build regression with -Wformat-security (PR #3427)
Merged #3427 into master. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/3427#event-15148681747 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Sanitize signing operation output (PR #3424)
Merged #3424 into master. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/3424#event-15149992339 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Sanitize signing operation output (PR #3424)
@pmatilai pushed 2 commits. be716979449003f17fc71d523bd2a2b654eef774 Run all signing tests with runroot since we now can 9d6dd4609e86efdb58d6d610e9b859e5debf0347 Sanitize rpmsign --addsign/--delsign output -- View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3424/files/1d53115a6310a9cfb4b5a58fd71c5e0c1487e96c..9d6dd4609e86efdb58d6d610e9b859e5debf0347 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Fix rpmsign --key-id regression (PR #3423)
Merged #3423 into master. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/3423#event-15145540716 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Sanitize signing operation output (PR #3424)
@dmnks commented on this pull request.
>
-cp ${ORIG} "${RPMTEST}"/tmp/
-run rpmsign --key-id 4344591E1964C5FC --addsign ${NEW} > /dev/null
-cmp -s ${ORIG} ${NEW}; echo $?
-run rpmsign --delsign ${NEW} > /dev/null
-cmp -s ${ORIG} ${NEW}; echo $?
+runroot_other cp ${ORIG} /tmp/
+runroot rpmsign --key-id 4344591E1964C5FC --addsign
/tmp/hello-2.0-1.x86_64.rpm > /dev/null
Argh, we forgot about this one too :laughing:
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3424#pullrequestreview-2418164166
You are receiving this because you are subscribed to this thread.
Message ID: ___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] fix rpmdump output (PR #3428)
Merged #3428 into master. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/3428#event-15145843673 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RPM 4.20.0 building problem (Discussion #3430)
All the distros build it as a dynamic library. It should also be available on Ubuntu, so you don't need to roll your own. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/discussions/3430#discussioncomment-11164063 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Sanitize signing operation output (PR #3424)
> Hmm, I found one leftover /dev/null redirect in my local tree but not the one you mentioned, I wonder if this is GH playing tricks... anyway, fixed the one I found 😅 Yeah, I realized I had commented on an outdated commit so deleted the comment right away :sweat_smile: Juggling too many branches/PRs, indeed... -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/3424#issuecomment-2459693148 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Query database from my Go source code (Discussion #3308)
ok, sorry if i get it like it was too high. I'm not english native and maybe your answer was not so haughty as i feel it was. So there is nothing to explain how we are supposed it to work and nothing will be done in this way. Ok, thank you and have a good rest. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/discussions/3308#discussioncomment-11165446 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] fix rpmdump output (PR #3428)
Doh :sweat_smile: Thanks for the patch. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/3428#issuecomment-2459244331 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RPM 4.20.0 building problem (Discussion #3430)
> We don't generally endorse or support static linkage because it's nothing but > a headache. But I read the docs of lua.org, there's no guide about compile lua to a dynamic library. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/discussions/3430#discussioncomment-11163986 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RPM db does not upgrades when upgrading from `4.11.3` to `4.18.2` (Issue #3420)
@ffesti converted this issue into discussion #3431. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3420#event-15143634325 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
[Rpm-maint] [rpm-software-management/rpm] Another signature verification verbose message update (PR #3432)
This adds the following to verbose mode signature verification: - OpenPGP string to all signatures (these are not raw DSA/RSA/etc but OpenPGP) - Header+payload signatures and digests are now prefixed Legacy to make it clear what they are Both needed to pave way for the multiple signature stuff. You can view, comment on, or merge this pull request online at: https://github.com/rpm-software-management/rpm/pull/3432 -- Commit Summary -- * Add "OpenPGP" to all signature verification related messages * Call header+payload signatures and digests legacy -- File Changes -- M lib/rpmvs.cc (14) M tests/rpmi.at (20) M tests/rpmpython.at (4) M tests/rpmquery.at (2) M tests/rpmsigdig.at (222) M tests/rpmvfylevel.at (38) -- Patch Links -- https://github.com/rpm-software-management/rpm/pull/3432.patch https://github.com/rpm-software-management/rpm/pull/3432.diff -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/3432 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)
@pmatilai How do we decide when a package "fails" verification with multiple signatures? Would we have a policy tunable? Some kind of indicator as a "primary" signature? Or something else? -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2460291327 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)
@Conan-Kudo the simplest policy is that signatures must all verify (why would you put multiple of them otherwise?). The tricky part is how to handle signatures you do not understand, and I think the simplest policy, again, is to ignore those. Note, I am not saying you should ignore signatures for which you do not have a public key, only signatures you do not have code for. For sig where you do not have a key you need to get a key, just like for the one-sig case. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2460302647 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Sanitize signing operation output (PR #3424)
Hmm, I found one leftover /dev/null redirect in my local tree but not the one you mentioned, I wonder if this is GH playing tricks... anyway, fixed the one I found :sweat_smile: -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/3424#issuecomment-2459682098 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)
> @pmatilai How do we decide when a package "fails" verification with multiple signatures? Would we have a policy tunable? Some kind of indicator as a "primary" signature? Or something else? Hmm, I thought it was in the description as it's been discussed elsewhere but apparently not - will fix. The initial implementation will indeed simply require all signatures to pass. I expect us to have various extra controls later. Rpm currently has disablers like RPMVSF_NORSAHEADER that operate on the tag level because that's how the signatures are spread out per algorithm, I think we'd extend this to simply operate on algorithm level instead, which means you can explicitly disable eg an algorithm considered compromised and if that's the only thing there was, you fail to get a positive verification. As for unknown signatures, I hadn't really gotten there yet. But there is indeed only one possible default: to ignore anything unknown, because that's the only way to deal with forward compatibility - like @simo5 said. If in doubt, think about this: we add this new RPMTAG_OPENPGP signature tag into rpm now. Older rpm versions simply do not know about this tag, so they will not look there, much less try to verify anything in there. And that's exactly what allows forward compatibility to exist: older rpm versions can still verify the packages to the best of their abilities, we cannot expect them to do anything more. And that's exactly what we must do with the new signatures too - just ignore if not known. If there are no known signatures at all then you fail to get a positive verification, and that's again how it should be. Note all the talk about positive verification: as a reminder, rpm 6.0 will ship with enforcing signature checking on by default. So you need to make that assumption when talking about this stuff now, otherwise none of it makes any sense. Just like rpm 4.x default signature behavior makes no sense whatsoever. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2461534152 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)
Also note that dnf (or otherwise) repositories are way out of scope and topic here, this is strictly an rpm level matter. How multiple signatures are dealt with on repo level is a repo tooling headache to be discussed elsewhere. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2461543123 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)
> But, if we can't be trusted to decode base64 then how are we expected to read the rest of the rpm? That's like being too afraid to leave the house because something bad might happen. The point was not about the correctness of our implementation of base64, but that the format should have only one canonical encoding any alternate encodings being rejected. It also makes the format more reproducible. When incorporating existing formats, it is suggested to use a format whose normal spec is strict in that regard. The reason is so that other implementations do not accidentally pick a common lax implementation, which cause different rpm implementations to accept and reject different rpms. Good formats have test suits to ensure alternative implementations reject anything besides the specified canonical encoding. The same can happen with hex: 0xabcd 0xABCD encode the same. JSON is another example that does not specify a canonical encoding and this causes security bugs regularly. One other of the advantages of only one canonical encoding is to prevent a MITM during transport of the rpm being able to modify it while the signature check would still not fail after the modification. While that may not directly pose a problem, this is a normal security precaution to be able to predict precisely what data exits on a system so that we can more easily verify it to be secure. Security bugs that are easier to exploit when arbitrary payloads are available are a regular occurrence on distributions using rpm. There are additional ways we want the rpm format to only have one encoding: forbid more than one signature with the same key; reject if signatures do not appear in a canonical sort order (e.g. sorted by key fingerprint); each dnf/zypper/etc repo should come with a list of the exact keys whose signatures all need to be verified by rpm to be present (maybe keyed on packager and vendor?); etc. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2460265966 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)
> @Conan-Kudo the simplest policy is that signatures must all verify (why would you put multiple of them otherwise?). > Multiple signatures aren't necessarily for users installing to process, so it would make sense to ignore them in that case. For example, the signatures may be used to indicate something passed through certain stages. You may have a policy to validate them all, but it may not actually be a required policy. Some signatures may only be for some systems to validate but not others. I can think of a variety of reasons for it. But regardless, I think it does make sense to have some way to indicate a primary/key signature to validate. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2460508781 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)
One important point of my suggestion is that the list of keys that are associated with a repo is signed and verifiable with the same list, but is distinct from the keys that are trusted to sign repos. Trusted keys are a superset of keys used in a repo. This makes verifying parts of a repo more deterministic. If your config verified the repo, the uncompromised rpms will always verify. You do not suddenly get one rpm that has only a new signature that you always skipped on the other rpms because they had also an old one. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2460524389 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Another signature verification verbose message update (PR #3432)
@pmatilai pushed 2 commits. 1a88fff24c9e21e860e3a0e3d58bb282dbefaad8 Add "OpenPGP" to all signature verification related messages 106a0140b5fa166a7a24c87248239d79a6072053 Call header+payload signatures and digests legacy -- View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3432/files/44e35ca0738df34d772b1563caccdd3d562d38f1..106a0140b5fa166a7a24c87248239d79a6072053 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Sanitize signing operation output (PR #3424)
@dmnks pushed 1 commit. 4f29655480dbfdf6746a477901a717da764d6e15 fixup! Run all signing tests with runroot since we now can -- View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3424/files/a3224a4ac684192ede1783224897f60b92fb2bab..4f29655480dbfdf6746a477901a717da764d6e15 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)
I disagree as explained above. If there is a sig you do not understand it should fail the rpm. If you do not have a key for one it should fail. Sigs for all specified keys need to always be present and to be in the correct order otherwise fail. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2460314115 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)
(This implies different dnf repos with different key sets can coexist on the same system. So you could also add a new repo to an installation, stop updating the old repo, and at some point remove the old repo from this installation.) -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2460490158 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
