search

QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/
533 stars 46 forks source link

Provide ways to manually authenticate package signing keys #7274

Open Keisial opened 2 years ago

Keisial commented 2 years ago

(This is mostly a continuation of #4212)

Qubes OS 4 uses several Packages Signing Keys for their package repositories, namely:

These keys were hard to find (issue #4212), which was fixed by publishing them on https://keys.qubes-os.org/keys/ This allows fetching the cryptographic material.

However, such keys might not be the real ones. Per Qubes OS threat model the infrastructure must be distrusted since keys.qubes-os.org might be compromised.

It is possible to verify these keys by extracting them from the templates inside the official image, but that's a needlessly convoluted process:

# Qubes OS Release 4 Signing Key (5817A43B283DE5A9181A522E1848792F9E2795E9) is signed by the Qubes Master Signing Key (427F11FD0FAA4B080123F01CDDFA1A3E36879494)
$ gpg --list-sigs 5817A43B283DE5A9181A522E1848792F9E2795E9
pub   rsa4096 2017-03-06 [SC]
      5817A43B283DE5A9181A522E1848792F9E2795E9
uid           [  full  ] Qubes OS Release 4 Signing Key
sig 3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
sig          DDFA1A3E36879494 2021-11-29  Qubes Master Signing Key
sig          DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key

# from which Qubes-R4.1.0-rc2-x86_64.iso can be verified
$ gpg --verify Qubes-R4.1.0-rc2-x86_64.iso.asc Qubes-R4.1.0-rc2-x86_64.iso
gpg: Signature made Mon 15 Nov 2021 06:29:07 CET
gpg:                using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: Good signature from "Qubes OS Release 4 Signing Key" [full]

# and the above keys extracted
$ sudo mount -o ro,loop Qubes-R4.1.0-rc2-x86_64.iso /mnt/
$ cd "$(mktemp -d)"
$ rpm2cpio - < /mnt/Packages/qubes-template-debian-11-4.0.6-202110081812.noarch.rpm | cpio -d -i

$ cat var/lib/qubes/vm-templates/debian-11/root.img.part.* | tar -x -C /tmp
$ loop="$(sudo losetup --show -o $((415744 * 512)) -f /tmp/root.img)"
$ sudo mount "$loop" /media
$ gpg --no-default-keyring --keyring /media/etc/apt/trusted.gpg --list-keys
/media/etc/apt/trusted.gpg
--------------------------
pub   rsa4096 2017-03-07 [SC]
      A55DC100FFD712ADB92B5B1043B760F197CA1BF5
uid           [ unknown] Qubes OS 4 Debian Packages Signing Key

$ sudo umount /media
$ sudo losetup -d "$loop"
$ rm -r "$PWD"
$ rm /tmp/root.img

$ cd "$(mktemp -d)"
$ rpm2cpio - < /mnt/Packages/qubes-template-fedora-34-4.0.6-202110081812.noarch.rpm | cpio -d -i
$ cat var/lib/qubes/vm-templates/fedora-34/root.img.part.* | tar -x -C /tmp
$ loop="$(sudo losetup --show -o $((415744 * 512)) -f /tmp/root.img)"
$ sudo mount "$loop" /media
$ gpg --import /media/etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4.1-primary 
gpg: key 1848792F9E2795E9: "Qubes OS Release 4 Signing Key" not changed
$ gpg --import /media/etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4-primary 
gpg: key 1848792F9E2795E9: "Qubes OS Release 4 Signing Key" not changed
$ gpg --list-keys 1848792F9E2795E9
pub   rsa4096 2017-03-06 [SC]
      5817A43B283DE5A9181A522E1848792F9E2795E9
uid           [  full  ] Qubes OS Release 4 Signing Key

$ gpg --import /media/etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4-centos 
gpg: key 19205A11FDE3D0AA: public key "Qubes OS 4 CentOS Packages Signing Key" imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --list-keys 19205A11FDE3D0AA
pub   rsa4096 2017-09-29 [SC]
      EE88DA5FB2B7082919C8826D19205A11FDE3D0AA
uid           [ unknown] Qubes OS 4 CentOS Packages Signing Key

$ gpg --import /media/etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4-unstable 
gpg: key 7AF9C6537BB6DE87: public key "Qubes OS Release 4 Unstable Signing Key" imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --list-keys 7AF9C6537BB6DE87
pub   rsa4096 2017-06-12 [SC]
      51629CD41240D51DDAA773397AF9C6537BB6DE87
uid           [ unknown] Qubes OS Release 4 Unstable Signing Key

$ sudo umount /media
$ sudo losetup -d "$loop"
$ rm -r "$PWD"
$ rm /tmp/root.img
$ cd -
$ sudo umount /tmp

Expected:

Include the package signing keys in the qubes-secpack (probably in a new keys/packages-signing-keys folder) and/or sign them by the Release 4 Signing Key or the QMSK.

andrewdavidwong commented 2 years ago

Excuse my ignorance, but why is it necessary to manually authenticate the package signing keys? Doesn't Qubes OS do this for the user automatically? (Of course, this assumes that the the Qubes installation was installed from an authentic ISO, but we've already worked out a way for users to authenticate their ISOs.)

andrewdavidwong commented 2 years ago

(Attempted to make issue title more descriptive. Let me know if I've misinterpreted anything.)

DemiMarie commented 2 years ago

Excuse my ignorance, but why is it necessary to manually authenticate the package signing keys? Doesn't Qubes OS do this for the user automatically? (Of course, this assumes that the the Qubes installation was installed from an authentic ISO, but we've already worked out a way for users to authenticate their ISOs.)

@Keisial what is your use-case?

Keisial commented 2 years ago

You would already have the signing keys if you are using the provided templates. Are you creating your own template? You would need to import those signing keys from somewhere. You want to test a package from a release into another? You might need the corresponding key. Maybe just to verify that nobody tampered with the repositories configured on your template?