aforensics / HiddenVM

HiddenVM — Use any desktop OS without leaving a trace.
GNU General Public License v3.0

Package Verification Needed. #7

Open OAKO-UCONN opened 4 years ago

OAKO-UCONN commented 4 years ago

This software relies on packages online, which can be tampered with during transit. A verification system is highly recommended as soon as possible. Could start with SHA-512, then use GPG. Also, when downloading from GitHub it would be great for security to be able to verify HiddenVM via GPG, as this tool is included in Linux Tails.
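As an added illustration of the two-step scheme this comment proposes (a SHA-512 checksum list first, a GPG signature over that list next), the following POSIX shell script is not part of HiddenVM's release tooling. It constructs a sample artifact and its `SHA512SUMS` file in a temporary directory, verifies the artifact, shows that a modified copy fails, and includes a signature check that only runs when `gpg`, a `SHA512SUMS.sig` file and the maintainers' imported public key are present. The file names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not HiddenVM's own release tooling: verify a downloaded
# release artifact against a published SHA512SUMS file, and (when gpg and the
# maintainers' public key are available) the detached signature on that sums
# file. All file names here are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a release archive a user would download from GitHub.
ARTIFACT=HiddenVM-sample.tar
printf 'constructed release payload\n' > "$WORK/$ARTIFACT"

# Publisher side: the sums file shipped alongside the release.
( cd "$WORK" && sha512sum "$ARTIFACT" > SHA512SUMS )

# verify_sha512 DIR ARTIFACT: returns 0 if ARTIFACT matches its line in
# DIR/SHA512SUMS, non-zero if it is absent from the list or its digest differs.
verify_sha512() {
    ( cd "$1" && grep -- " $2\$" SHA512SUMS | sha512sum -c --status )
}

# verify_signature DIR: check SHA512SUMS.sig over SHA512SUMS with the maintainers'
# key, which must already be imported into the user's keyring. A bare checksum
# only shows the download matches the list; the signature ties the list to the
# publisher. Returns 2 when the check cannot be performed.
verify_signature() {
    command -v gpg >/dev/null 2>&1 || return 2
    [ -f "$1/SHA512SUMS.sig" ] || return 2
    gpg --verify "$1/SHA512SUMS.sig" "$1/SHA512SUMS"
}

# Demonstration: the untouched file passes, a modified copy fails.
if verify_sha512 "$WORK" "$ARTIFACT"; then echo "checksum OK: $ARTIFACT"; fi
printf 'simulated in-transit modification\n' >> "$WORK/$ARTIFACT"
if ! verify_sha512 "$WORK" "$ARTIFACT"; then echo "checksum MISMATCH: $ARTIFACT"; fi
case $(verify_signature "$WORK" >/dev/null 2>&1; echo $?) in
    0) echo "signature OK" ;;
    2) echo "signature not checked (gpg, .sig or key unavailable)" ;;
    *) echo "signature BAD" ;;
esac
```

The checksum step catches corruption or substitution of the archive relative to the list, but an attacker who can replace the archive on the download path can usually replace the sums file too; that is why the list itself needs a signature by a key the user obtained out of band.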

animik commented 4 years ago

I'll let the boss reply and process, but sounds like a great suggestion!

aforensics commented 4 years ago

We can look at adding GPG verification for our releases.

About package verification, do you have any suggestions on how to do that with apt-get?

OAKO-UCONN commented 4 years ago

Yeah, package verification is tricky, but after looking at some web pages debsign and SecureApt could be the way to go.

https://www.google.com/search?q=gpg+package+verification+apt-get
https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/
https://wiki.debian.org/SecureApt

aforensics commented 4 years ago

I think repo metadata is automatically verified by apt-get. One exception is our virtualbox source, which we seem to have explicitly marked as "trusted" (probably out of convenience). At some point we should set up verification for the virtualbox source - they have clear instructions on how to do that: https://www.virtualbox.org/wiki/Linux_Downloads

As for individual package verification, I'm not entirely sure that's possible, because apparently many (or most) package files aren't signed. But if we end up creating an offline bundle, we could potentially sign and verify all packages we distribute. But that doesn't guarantee the packages we signed are good, if they weren't initially verified when we fetched them.

Anyway, I think the low-hanging fruit here is to enable/set up source verification for virtualbox so we can remove [trusted=yes] from it.
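The change proposed in this thread, as an added example rather than code from the HiddenVM project: a POSIX shell script that audits an apt sources file for the `[trusted=yes]` option (which makes apt accept the repository's Release file without a valid signature) and rewrites the VirtualBox entry to a keyring-pinned `signed-by=` form. The keyring path and key URL follow the VirtualBox Linux download instructions linked above; the distribution codename and the sources file are constructed for this example, and the key-download function is shown but not run because it needs network access and root.

```shell
#!/bin/sh
# Added example, not part of HiddenVM: find apt source lines that disable
# signature checks via [trusted=yes] and replace the VirtualBox one with a
# signed-by pin so apt verifies that repository against Oracle's key only.
set -eu

# Keyring path and key URL follow Oracle's published instructions; the
# distribution codename is an assumption for this example.
VBOX_KEYRING=/usr/share/keyrings/oracle-virtualbox-2016.gpg
VBOX_KEY_URL=https://www.virtualbox.org/download/oracle_vbox_2016.asc
CODENAME=bookworm

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SOURCES="$WORK/virtualbox.list"

# Constructed sources file: one entry that skips verification, one normal entry.
cat > "$SOURCES" <<EOF
deb [trusted=yes] https://download.virtualbox.org/virtualbox/debian $CODENAME contrib
deb http://deb.debian.org/debian $CODENAME main
EOF

# count_untrusted FILE: number of active deb lines carrying trusted=yes.
count_untrusted() {
    grep -c '^deb.*\[.*trusted=yes.*\]' "$1" || true
}

# harden_sources FILE: on the VirtualBox line, replace [trusted=yes] with a
# signed-by option naming the keyring that holds Oracle's signing key.
harden_sources() {
    sed -i "s|^deb \[trusted=yes\] \(https://download.virtualbox.org/\)|deb [signed-by=$VBOX_KEYRING] \1|" "$1"
}

# install_vbox_keyring: fetch Oracle's ASCII-armored key and store it in binary
# form where apt expects it. Not executed here (needs network and root).
install_vbox_keyring() {
    wget -qO- "$VBOX_KEY_URL" | gpg --dearmor --yes --output "$VBOX_KEYRING"
}

# Demonstration on the constructed file.
echo "entries with trusted=yes before: $(count_untrusted "$SOURCES")"
harden_sources "$SOURCES"
echo "entries with trusted=yes after:  $(count_untrusted "$SOURCES")"
cat "$SOURCES"
```

After the real change, `apt-get update` fails closed if the VirtualBox Release file is unsigned or signed by a key other than the one in the pinned keyring, which is the behaviour `[trusted=yes]` was bypassing.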