andk / cpanpm

CPAN.pm
87 stars 79 forks

"Promote" Module::Signature from Bundle::CPANxxl to Bundle::CPAN #137

Open dweekly opened 4 years ago

dweekly commented 4 years ago

Module::Signature is critical for validating signatures for downloaded CPAN modules; lacking enforced signatures or HTTPS support in CPAN, Perl installs don't know the provenance of the source code they are downloading and installing on their systems. This is a small patch to "promote" Module::Signature from the XXL bundle to the regular one as a step towards checking signatures systematically.

This PR is part of a larger effort to "Secure Perl" - comments welcome at https://docs.google.com/document/d/1DRkiCJhJu4RDI0u_JppBpFa0djouskxEyNHax912U_w/edit#

briandfoy commented 12 months ago

As noted in your Google Doc, Module::Signature doesn't offer any security. It checks that a signature file matches some text in another file, and neither file is secured. Checking two unsecured values against each other gives people the false hope that they are somehow protected. We should not be part of that charade.

There are other ways that we might handle this, some of which you noted in the link. However, this isn't one of the things we should pursue.
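As an added illustration that is not part of this thread, of CPAN.pm, or of Module::Signature, the Go program below sketches what a signature check would have to look like to avoid the weaknesses discussed here: a pinned trust root rather than the user's keyring, a signed statement that names author, distribution and version, and verification of the raw archive bytes before anything is unpacked. The Ed25519 key, the `TrustRoot` map, the `ReleaseStatement` layout and every archive byte are constructed for the demo and are assumptions, not anything the project implements.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ReleaseStatement is the object that gets signed. Unlike a SIGNATURE file
// that only lists per-file digests, it names the author, distribution and
// version and commits to the digest of the archive *as downloaded*, so a
// signature cannot be replayed for another dist or version and the archive
// is checked before tar or zlib ever see it. (Assumed layout, demo only.)
type ReleaseStatement struct {
	Author  string   // author id, e.g. "ALICE" (constructed)
	Dist    string   // distribution name, e.g. "Foo-Bar" (constructed)
	Version string   // e.g. "1.00"
	Archive [32]byte // SHA-256 of the unextracted tarball bytes
}

// canonical serialises the statement unambiguously: every string field is
// length-prefixed so ("ab","c") and ("a","bc") cannot produce the same bytes.
func (s ReleaseStatement) canonical() []byte {
	var buf bytes.Buffer
	for _, f := range []string{s.Author, s.Dist, s.Version} {
		n := uint32(len(f))
		buf.Write([]byte{byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)})
		buf.WriteString(f)
	}
	buf.Write(s.Archive[:])
	return buf.Bytes()
}

// TrustRoot pins exactly one verification key per author. The installer
// ships it (or fetches it once over an authenticated channel) instead of
// consulting whatever the user's GnuPG keyring and trust settings contain.
type TrustRoot map[string]ed25519.PublicKey

// Sign is the release-tool side: the author signs the statement for one
// specific archive.
func Sign(priv ed25519.PrivateKey, s ReleaseStatement) []byte {
	return ed25519.Sign(priv, s.canonical())
}

// Verify is the installer side. It rebuilds the statement from what the
// client asked for (author, dist, version) and what it received (the raw
// archive bytes), so any mismatch between claim and bytes fails closed.
func Verify(root TrustRoot, author, dist, version string, archive, sig []byte) error {
	pub, ok := root[author]
	if !ok {
		return fmt.Errorf("no pinned key for author %q", author)
	}
	st := ReleaseStatement{Author: author, Dist: dist, Version: version,
		Archive: sha256.Sum256(archive)}
	if !ed25519.Verify(pub, st.canonical(), sig) {
		return errors.New("signature does not cover this author/dist/version/archive")
	}
	return nil
}

// Outcome collects the result of one genuine install and four attacks.
type Outcome struct {
	Genuine, ReplayVersion, ReplayDist, Tampered, UnknownAuthor error
}

// Scenario builds a constructed author key, one genuine release and the
// attack cases, and returns each Verify result.
func Scenario() Outcome {
	// Constructed, deterministic key so the demo is reproducible.
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	root := TrustRoot{"ALICE": priv.Public().(ed25519.PublicKey)}

	// Constructed stand-in for the bytes of Foo-Bar-1.00.tar.gz.
	archive := []byte("constructed tarball bytes for Foo-Bar-1.00")
	sig := Sign(priv, ReleaseStatement{Author: "ALICE", Dist: "Foo-Bar",
		Version: "1.00", Archive: sha256.Sum256(archive)})

	tampered := append([]byte(nil), archive...)
	tampered[0] ^= 0x01

	return Outcome{
		Genuine:       Verify(root, "ALICE", "Foo-Bar", "1.00", archive, sig),
		ReplayVersion: Verify(root, "ALICE", "Foo-Bar", "2.00", archive, sig),   // old release served as new
		ReplayDist:    Verify(root, "ALICE", "Foo-Baz", "1.00", archive, sig),   // same bytes, other dist
		Tampered:      Verify(root, "ALICE", "Foo-Bar", "1.00", tampered, sig),  // modified bytes
		UnknownAuthor: Verify(root, "MALLORY", "Foo-Bar", "1.00", archive, sig), // not in trust root
	}
}

func main() {
	o := Scenario()
	fmt.Println("genuine:       ", o.Genuine)
	fmt.Println("replay version:", o.ReplayVersion)
	fmt.Println("replay dist:   ", o.ReplayDist)
	fmt.Println("tampered:      ", o.Tampered)
	fmt.Println("unknown author:", o.UnknownAuthor)
}
```

The point of the demo is which inputs `Verify` takes: the identity the client requested and the archive as a single opaque blob, with the key looked up in a root the installer controls. Anything short of that (a keyring-dependent key, a signature that does not name the dist and version, or a signature read from inside the archive) leaves one of the discussed gaps open.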

stigtsp commented 12 months ago

I agree that Module::Signature should not be used, at least not non-interactively, for the following reasons:

  1. No trust root is checked to ensure you're getting the correct pubkey for the author, instead relying on the user's gnupg trust settings.
  2. SIGNATURE data does not contain a reference to the distribution name, author and version, allowing for replay attacks.
  3. The SIGNATURE file is contained inside the distribution package, requiring it to be unpacked before checking signatures, allowing for attacks on e.g. zlib or tar.

Some work being done: