[tor-bugs] #12871 [RPM packaging]: RPM repo data is not signed and documentation misses repo_gpgcheck
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Oct 24 23:11:40 UTC 2014
#12871: RPM repo data is not signed and documentation misses repo_gpgcheck
-------------------------------+----------------------
Reporter: cypherpunks | Owner: hiviah
Type: defect | Status: assigned
Priority: normal | Milestone:
Component: RPM packaging | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
-------------------------------+----------------------
Comment (by cypherpunks):
Replying to [comment:9 hiviah]:
> Citing from https://lists.torproject.org/pipermail/tor-dev/2014-October/007661.html :
>
> > It is my opinion that even in the case of HTTPS GPG signatures provide a
> > security improvement since (I hope) the private GPG key used to sign the
> > repo is less exposed than the wildcard certificate for *.tpo.
>
> The RPM packages are already GPG-signed, the signatures repomd.xml.asc
> are already there and can be used.
Yes, *can* be used, but documentation at
https://www.torproject.org/docs/rpms.html.en
does not enable it - hence most won't use it.
(I will file a bug against yum in EL6 not showing GPG fingerprints.)
> On top of it the repomd.xml* files are transmitted over TLS. If an
> attacker just wanted DOS by denying update, all he has to do is TCP RST
> (why bother with forging TLS?).
I guess yum saying "Error: Unable to connect!" is less of a silent attack
than yum saying "No packages marked for update".
To summarize:
I believe HTTPS (with CA pinning) + repo_gpgcheck=1 is the best we can do
to protect against manipulation and should be the goal.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12871#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
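As an added example (not from the ticket, the tor-dev thread, or the Tor project's rpms.html.en page), here is the gap the comment points at, made checkable: a shell audit that flags every section of a yum .repo file where packages are verified (gpgcheck=1) but the repository metadata is not (repo_gpgcheck missing or not 1), next to a function that emits the hardened form with repo_gpgcheck=1 in every section. With repo_gpgcheck=1, yum fetches repomd.xml.asc alongside repomd.xml and verifies it against the keys listed in gpgkey, which turns the signature that already exists on the server into an enforced check. The .repo content, section names, URLs and key paths below are constructed placeholders, not the values from the Tor documentation.

```shell
#!/bin/sh
# Added example, not the Tor project's documentation or code. Audits a yum
# .repo file for sections that verify packages (gpgcheck=1) but not the
# repository metadata (repo_gpgcheck missing or != 1), and shows the
# hardened form. All repo names, URLs and key paths are constructed
# placeholders (.invalid TLD), not the values from rpms.html.en.

# audit_repo_file FILE
#   Prints "<section> repo_gpgcheck=<value|missing>" for every [section]
#   whose repo_gpgcheck is not exactly 1. Returns 1 if any such section
#   exists, 0 if every section enforces repo metadata signatures.
audit_repo_file() {
    awk '
        BEGIN { bad = 0 }
        function report(n, s) {
            if (s != "1") { print n " repo_gpgcheck=" s; bad = 1 }
        }
        /^[ \t]*\[/ {
            if (name != "") report(name, seen)
            name = $0
            sub(/^[ \t]*\[/, "", name); sub(/].*$/, "", name)
            seen = "missing"
            next
        }
        /^[ \t]*repo_gpgcheck[ \t]*=/ {
            seen = $0
            sub(/^[^=]*=[ \t]*/, "", seen); sub(/[ \t]+$/, "", seen)
        }
        END { if (name != "") report(name, seen); exit bad }
    ' "$1"
}

# harden_repo_file FILE
#   Writes FILE to stdout with repo_gpgcheck=1 inserted directly under every
#   [section] header; any pre-existing repo_gpgcheck line is dropped so the
#   value cannot be overridden further down the section.
harden_repo_file() {
    awk '
        /^[ \t]*\[/ { print; print "repo_gpgcheck=1"; next }
        /^[ \t]*repo_gpgcheck[ \t]*=/ { next }
        { print }
    ' "$1"
}

# Constructed sample .repo file: the first section has the weak setting
# explicitly, the second omits it (yum's default is repo_gpgcheck=0, so
# both accept unsigned repomd.xml).
SAMPLE_REPO=$(mktemp)
cat > "$SAMPLE_REPO" <<'EOF'
[example-tor]
name=Example Tor packages (placeholder)
baseurl=https://rpm.example.invalid/el/6/$basearch/
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://rpm.example.invalid/RPM-GPG-KEY-example

[example-tor-source]
name=Example Tor source packages (placeholder)
baseurl=https://rpm.example.invalid/el/6/SRPMS/
enabled=0
gpgcheck=1
gpgkey=https://rpm.example.invalid/RPM-GPG-KEY-example
EOF

# Usage: audit the sample; on failure show what the hardened file looks like.
if audit_repo_file "$SAMPLE_REPO"; then
    echo "every section sets repo_gpgcheck=1"
else
    echo "sections above accept unsigned repomd.xml; hardened file:"
    harden_repo_file "$SAMPLE_REPO"
fi
```

Running the audit over /etc/yum.repos.d/*.repo on an EL6 host set up from the documentation would list the Tor repository sections for the same reason the sample's second section is listed: nothing in the file mentions repo_gpgcheck, so the default of 0 applies and repomd.xml.asc is never consulted.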