[feature request] Support for GPG-based signature files for ISOs

[shibumi]

Hello, It would be nice to have GPG based checks for the builders-section. I thought about something like this: (iso_signature)

...
"http_directory": "http",
"iso_checksum": "91a195bf1395694151fc3f7f766e9d1233e2aed9",
"iso_checksum_type": "sha1",
"iso_signature": "https://www.archlinux.org/iso/2017.05.01/archlinux-2017.05.01-x86_64.iso.sig",
"iso_url": "https://downloads.archlinux.de/iso/2017.05.01/archlinux-2017.05.01-x86_64.iso",
"ssh_username": "vagrant",
"ssh_password": "vagrant",
"ssh_port": 22,
...

[mwhooker]

Can you point to some information about how this might be useful? The common pattern I've seen is to have a checksum file and then to gpg sign the checksum file. Checksums are generally assumed to be resistant to collision attacks (maybe not sha1 and md5, but we support sha256 and sha512), so if you've got a checksum that you've verified the signature of, adding a gpg check doesn't seem like it would buy you anything.

for example http://releases.ubuntu.com/16.04/SHA1SUMS.gpg http://releases.ubuntu.com/16.04/SHA1SUMS

how we do it with packer: https://releases.hashicorp.com/packer/1.0.0/packer_1.0.0_SHA256SUMS https://releases.hashicorp.com/packer/1.0.0/packer_1.0.0_SHA256SUMS.sig https://hashicorp.com/security.html

[shibumi]

Not all Distributions do this and for me signing a checksum file with checksums for a binary is just another attack vector. Arch Linux for example only provides MD5 and SHA1 hashes because they think for checking it's integrity they are enough, they advise the users to use their signature.

EDIT: And even when I have checksum files with a signature, I want to verify the checksum file with packer.

[anthraxx]

It would be neat to see packer internal GPG support. :smile_cat: Its about chain of trust, checking the hashsums file via a signature just once and outside of the pulling environment doesn't solve anything. You have successful verified that in the particular moment where you checked the hashsum file it was indeed properly authenticated, however its whole purpose is to guarantee this authenticity every time the data is pulled. When the box is later built (f.e. by automated builds or whatever) it may indeed pull a altered/backoored/MITMed version and the hashsums file could be altered accordingly too. Therefor you only guarantee authenticity of the iso if you check the chain every time you pull the data. For this to work you will of cause need to pin the fingerprints of the accepted keys for the signature with an array like valid_gpg_keys=["fingerprint1", "fingerprint2"] cheers

[shibumi]

Any update on this feature?

[mwhooker]

happy to review PRs for it, but this is not a priority for us

[Wenzel]

Hi,

I'm building old releases of Ubuntu, and both the iso and the checksum file are downloaded from an unsecure HTTP-only website: http://old-releases.ubuntu.com/

I have no way of ensuring that my builds are not corrupted by a third party at the moment. That's a strong argument for supporting GPG signatures in Packer.

[rickard-von-essen]

@Wenzel you can just download the and verify the gpg signature before hand.

[Wenzel]

@rickard-von-essen that's true, but it's kind of tedius when you have a dozen of packer templates to maintain for example (my case)

[Wenzel]

Also, if you are using iso_checksum_url in all of your templates, even if you verify the checksum file once, it will still be downloaded over an unsecure link in the future, so the problem remains.

[rickard-von-essen]

I meant download the iso's and checksum files and verify them and then reference the local URL. You can either do this manually or a small wrapper script that does it automatically. But yes it would be more convenient if Packer would handle this.