TheSin- / rpi-img-builder

Scripts to create custom images for RaspberryPi
MIT License

Early verification of packages and use of TLS-secured connection #7

Closed Turakar closed 7 years ago

Turakar commented 7 years ago

This is a possible enhancement:

Currently the packages are downloaded using HTTP without TLS and their signature is not verified. This is a potential security issue, which would be fixed by using HTTPS and PGP keys imported from the base system. I do not know however, how difficult this is in a new system, but I would appreciate it, if it is possible to change this.

This would make this tool a secure alternative to the pre-compiled images from the Raspberry Pi Foundation. (If you are one of these guys who do not trust anything.)

TheSin- commented 7 years ago

The keys are installed; they just aren't available during multistrap as they aren't installed yet. You'd need to install them on the building system before running multistrap for that, and in the middle there would still be a lapse during plug if packages install. Once the system is up and running you should no longer see that issue though.

On Jan 31, 2017, at 2:58 PM, Turakar notifications@github.com wrote:

> This is a possible enhancement:
>
> Currently the packages are downloaded using HTTP without TLS and their signature is not verified. This is a potential security issue, which would be fixed by using HTTPS and PGP keys imported from the base system. I do not know however, how difficult this is in a new system, but I would appreciate it, if it is possible to change this.

TheSin- commented 7 years ago

I've been searching to see if there is a way to make multistrap install the keyrings before starting, since the repos are likely not locally installed, and I have not found a way yet. But I'm still looking. As for using HTTPS, that only works if the repo supports it, and so far I haven't found one that does; plus there is no real point in encrypting the transfer since it's public data anyhow. I would add the key verification if I could, but I'm not sure there will be a sane way of doing this, sadly.

TheSin- commented 7 years ago

Looks like I was wrong, multistrap does install it locally first. I'm still testing it as I'm having issues with Raspbian as usual; if you get a chance to test this change please let me know.

TheSin- commented 7 years ago

So this option is not really available, sadly. This is from the multistrap man page:

> Unfortunately, keyring packages cannot be downloaded from the repositories specified in the multistrap configuration - this is because "apt" needs the keyring to be updated before being able to use repositories not previously known.

So sadly I need to turn this option off. If the system you are building on already has all the keyrings, feel free to modify multistrap.list.in in the main dir and change noauth to false and it will auth for you.
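The trade-off described in this comment can be made explicit on the build host: check whether the archive keyrings apt would need are already present, and only then set `noauth=false` so multistrap lets apt verify the repository `Release` signatures. The script below is an added example, not code from rpi-img-builder or its `multistrap.list.in`; the keyring file names, the `/usr/share/keyrings` location, and the repository URL and suite in the generated config are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not part of rpi-img-builder): choose multistrap's
# `noauth` setting from whether the build host already has the archive
# keyrings, so signature verification is enabled whenever it can be.

# keyrings_present DIR KEYRING...
# Returns 0 only if every named keyring exists and is non-empty in DIR.
keyrings_present() {
    dir="$1"; shift
    for k in "$@"; do
        [ -s "$dir/$k" ] || return 1
    done
    return 0
}

# multistrap_noauth DIR KEYRING...
# Prints "false" when all keyrings are present (apt verifies Release
# signatures) and "true" otherwise (verification disabled, as the
# project's default config does during bootstrap).
multistrap_noauth() {
    if keyrings_present "$@"; then
        echo false
    else
        echo true
    fi
}

# write_multistrap_conf OUT NOAUTH
# Writes a minimal multistrap config with the chosen noauth value.
# The section layout, repository URL and suite are a constructed
# illustration, not the project's multistrap.list.in.
write_multistrap_conf() {
    out="$1"; noauth="$2"
    cat > "$out" <<EOF
[General]
arch=armhf
directory=rootfs
cleanup=true
noauth=$noauth
bootstrap=Raspbian
aptsources=Raspbian

[Raspbian]
packages=apt
source=http://archive.raspbian.org/raspbian
suite=jessie
EOF
}

# main: report the decision and write multistrap.conf in the current dir.
main() {
    noauth=$(multistrap_noauth /usr/share/keyrings \
        debian-archive-keyring.gpg raspbian-archive-keyring.gpg)
    echo "noauth=$noauth"
    write_multistrap_conf multistrap.conf "$noauth"
}
```

Run `main` after sourcing the script; if it prints `noauth=true`, install the missing keyring packages on the build host first rather than shipping an image whose bootstrap packages were never authenticated.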

Turakar commented 7 years ago

Too bad. But thanks for your research!

TheSin- commented 7 years ago

I think I have found something in the Foundation repo. That key doesn't have a package, so I hand-install it during the postinst script. I'm working on moving it partially to preinst and then installing it before apt runs. I'm still working it out, but at least it should help.

It won't solve untrusted during bootstrapping, but everything afterwards should be able to use the keys at least, so it's a partial fix.

TheSin- commented 7 years ago

Okay, I think I finally got it. I just made a commit for it; that being said, I'm re-testing it right now to make sure. Let me know if it looks better. It won't be 100%, but it should be better at least.

TheSin- commented 7 years ago

Okay, a BIG change/issue was found thanks to you reporting this. Turns out multistrap would use the native system to build a list of required packages. This could cause images to differ based on the system that was building them, and even worse, it would bloat the image in many ways. I've taken the first steps to fix this, but MUCH more testing is required. Please open a new report if you hit any missing deps during the build process.