[Dev] Bug #567 has significant security impact on binaries

Luke g4jc at openmailbox.org
Sat Jun 27 15:44:49 GMT 2015

Hello All,
Just yesterday I was learning libretools and how the packaging works on
Parabola GNU/Linux-libre.
I am used to compiling some things for Arch and was surprised at one of
the key differences - one that I think can be classified as a "major"
security flaw in the build process.

When making packages normally, one needs only edit /etc/makepkg.conf,
and add GPG="keyid". Then to make a package from the PKGBUILD, simply
run: makepkg
The package will be compiled, and immediately signed with the packager's
key during compile process.

However, libremakepkg disables this feature. The compiled binary package
is left unsigned. This means that up until the packager manually signs
the package with his/her key and/or it is done at the librerelease
stage, the binary is unprotected. Example compile: http://termbin.com/9p3o
Note this part particularly:

 |  ==> Signing package...
 |  ==> WARNING: Failed to sign package file.

This allows two security risks.
1) Someone or something could modify the package while it's sitting
around waiting to be uploaded on the packager's computer.
2) If librerelease is signing binaries only, what is to prevent someone
from taking a random modified binary and pushing it to the main repo
with their key?

Lukeshu caught this important bug 12 months ago:

Hence, I agree with lukeshu. The packages must, at the very least, be
signed closer to the source.

In Summary: Librerelease shouldn't be signing packages, it should be gpg
--verifying them before uploading; and libremakepkg needs to be able to
sign packages during compile as upstream does.
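A pre-upload verification gate of the kind the summary asks for, as an added example that is not part of libretools or librerelease: it refuses to release any package that lacks a detached signature or whose signature does not verify against the packagers' keyring. The keyring path and the flat package-directory layout are assumptions.

```shell
#!/bin/sh
# Added example (not libretools code). Gate a release directory so that only
# packages signed at build time (makepkg with GPGKEY set) can be uploaded.
# Assumed: packages sit as DIR/*.pkg.tar.* with detached DIR/*.pkg.tar.*.sig,
# and the trusted packager keys live in $KEYRING (path is an assumption).
KEYRING="${KEYRING:-/etc/pacman.d/gnupg/pubring.gpg}"

# verify_pkg FILE
#   returns 0 if FILE.sig exists and verifies against $KEYRING,
#           1 if the detached signature is missing (package was never signed),
#           2 if a signature is present but does not verify.
verify_pkg() {
    pkg=$1
    sig="$pkg.sig"
    if [ ! -f "$sig" ]; then
        echo "REJECT: $pkg has no detached signature (built without GPGKEY?)" >&2
        return 1
    fi
    # Verify against the trusted keyring only, never the user's default one.
    if ! gpg --no-default-keyring --keyring "$KEYRING" \
             --verify "$sig" "$pkg" >/dev/null 2>&1; then
        echo "REJECT: signature on $pkg does not verify against $KEYRING" >&2
        return 2
    fi
    echo "OK: $pkg"
    return 0
}

# gate_release DIR
#   returns 0 only if every package in DIR passes verify_pkg; otherwise 1.
gate_release() {
    rc=0
    for pkg in "$1"/*.pkg.tar.*; do
        [ -e "$pkg" ] || continue            # no packages: nothing to reject
        case "$pkg" in *.sig) continue ;; esac
        verify_pkg "$pkg" || rc=1
    done
    return $rc
}
```

Run `gate_release "$PKGDEST" || exit 1` as the first step of the release script; a non-zero exit stops the upload before any unsigned or tampered binary leaves the packager's machine.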
