Re: Package integrity check?

From: Wes Peters (wes@softweyr.com)
Date: 02/06/01


Date: Mon, 05 Feb 2001 23:33:26 -0700
From: Wes Peters <wes@softweyr.com>
To: Markus Holmberg <markush@acc.umu.se>

Markus Holmberg wrote:
>
> Hello.
>
> Is there any way to perform an integrity check on packages that are fetched
> with "pkg_add -r <packagename>"?
>
> (Similarly to building a package manually with a trusted /usr/ports and
> checksumming downloaded files)
>
> I assume there is no way to do integrity checking on packages, which
> leads me to the question if the general opinion among the security
> conscious is that packages (from untrusted parties, like any ftp site on
> the mirror list) should not be used at all?

I have package signing tools, integrated into the pkg_ commands, sitting
on Freefall waiting to be committed. They let you sign a package with
an MD5 checksum (this mechanism is a little weird, inherited from the
OpenBSD code), a PGP signature (this code is also inherited from OpenBSD,
uses PGP 2.xx command line tools, and kinda sucks in my opinion) and
X.509 signatures. If you need it, I'll go ahead and commit what I have.

I opened a discussion about this on the -ports mailing list a while ago,
which immediately veered off into outer space. I haven't committed these
bits since then, but am willing to do so now. We could discuss some of the
sensible things people asked for and add them after the fact. For instance,
somebody mentioned that pkg_info should report if the package is signed or
not; pkg_add should (perhaps optionally) refuse to install a signed package
whose signature does not match. What is not clear is whether it is OK
to force pkg_add and pkg_info to link against the crypto libraries, or if
they should call the pkg_check executable (if it is installed) to do the
work.

-- 
            "Where am I, and what am I doing in this handbasket?"
Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
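
The check asked about in this thread, as an added example (not code from the pkg_ tools or from either poster): a fetched package file is compared against a digest list obtained from a source trusted independently of the mirror, and installation is refused on a mismatch. It uses SHA-256 in place of the MD5 mentioned above and a plain digest list in place of PGP or X.509 signatures; the function names, the file names and the "unlisted" policy flag are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash the file in chunks so a large package is never read in at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse BSD-style 'SHA256 (name) = hex' lines into {name: hex}."""
    digests = {}
    for line in text.splitlines():
        if line.startswith("SHA256 (") and ") = " in line:
            name, hexval = line[len("SHA256 ("):].split(") = ", 1)
            digests[name] = hexval.strip().lower()
    return digests

def check_package(path, digests):
    """Return 'unlisted', 'ok' or 'mismatch' for a fetched package file."""
    expected = digests.get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # nothing trusted to compare against
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"

def may_install(status, require_listed=True):
    """A mismatch is always refused; refusing unlisted packages is optional."""
    if status == "mismatch":
        return False
    return status == "ok" or not require_listed

def demo():
    """Constructed sample: two package files, the second altered afterwards."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("foo-1.0.tgz", "bar-2.0.tgz")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"constructed package bytes")
        manifest = "".join(
            "SHA256 (%s) = %s\n" % (os.path.basename(p), sha256_file(p)) for p in paths)
        with open(paths[1], "ab") as f:  # change made after the manifest was built
            f.write(b" plus a change")
        digests = parse_manifest(manifest)
        return [check_package(p, digests) for p in paths]
```

A digest list fetched from the same mirror as the package detects only transfer corruption, not a modified package.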

