search

namecoin / namecoin-legacy

Legacy client. New version here: https://github.com/namecoin/namecoin-core Note the release branch! - Official website:
https://namecoin.org
MIT License
449 stars 177 forks source link

Linux packages don't download via HTTPS #231

Open JeremyRand opened 9 years ago

JeremyRand commented 9 years ago

The Linux packages on OBS don't download via HTTPS; nor do the associated keys. This means that a passive attacker can easily see who is downloading Namecoin, and an active attacker can easily inject malware into downloads.

I know this is a temporary issue since Namecoin Core will use reproducible builds... but it's still a problem for now.

JeremyRand commented 9 years ago

@pmconrad

pmconrad commented 9 years ago

Posted an issue at openSUSE: https://github.com/openSUSE/software-o-o/issues/45

JeremyRand commented 9 years ago

@pmconrad I'm not referring to the iframe web page; I'm talking about the package files. E.g. it asks me to run:

wget http://download.opensuse.org/repositories/home:p_conrad:coins/Fedora_21/home:p_conrad:coins.repo

Which means I'm totally vulnerable to a MITM attack when downloading that .repo file, which could be used to inject malware.

pmconrad commented 9 years ago

I can sign the repo's GPG key with my own if that's any help. (But I can't upload to signed key to OBS, so we'd have to publish it elsewhere.) That would prevent the MITM, but wouldn't solve the privacy issue.

JeremyRand commented 9 years ago

@pmconrad If you could upload a signed copy of the .repo files (and whatever equivalent exists for non-Fedora distros) to namecoin.org, that would probably work okay (and would be reasonably user-friendly for end users). @phelixbtc could probably help facilitate uploading them.

I would love to solve the privacy issue too, but it's less critical (particularly since privacy-conscious users are probably using Tor, which partially solves this issue).

JeremyRand commented 9 years ago

Hello @pmconrad and @phelix , is there any progress on this?

pmconrad commented 9 years ago

Sorry, this dropped off my radar. Thanks for the bump. Here's the repo key signed by me: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2

mQGiBEzT5vQRBAChC66Ww4PMVR/EQ/z6h1R4ChmMO+1B6GNJRP5AaoCO1rERilP4 eRLZPosh1xK6InmC9s0WKTTZoQK4BtRn/OLI81i4RGOMQ6gu/Deo/snbgO+tGXaD qWPklbhysZcvjfitGV52ZZZch7nYLo1PWGQcdE3MiIO/6lPD2MGVTk9W3wCgqTAh hBOmpSzT20kvbbgFeAZPKYED/3fW1+fcdXMvh90JP5cqdGzPTlRwU38/UltHHEte mn14fJ8wOT1T8N903qZaePPiZDzWPR8SoGRHNvT0Hjlx2OC/ZlpKK6HlYzf9b8c5 LwkD6jicJZot5EXtdPwJ9wg/YBaKvNQPm3YMKyCbbqWGbHw9oJBYhSOAL3wbfov8 xEtTBACduLJEOcPkt3eDlvOLOaScYZP60xRdowPtjYJ7/uf5qHh3CeK2Q8bV4UKY ieOWeclRUQobPmumvgisQRdk48NdSKMaLXCDuzgMDPWQVW6B9XF9cHWykIJFPylm 1rqK5hGbdkREoDX3o4Uh8QmNJK8E0k57pRGXrGNSpSQKRy9227Q8aG9tZTpwX2Nv bnJhZCBPQlMgUHJvamVjdCA8aG9tZTpwX2NvbnJhZEBidWlsZC5vcGVuc3VzZS5v cmc+iGYEExECACYFAlD1HMoCGwMFCQg/5dYGCwkIBwMCBBUCCAMEFgIDAQIeAQIX gAAKCRAp2MjaxER88/nqAKCNa7rEXRGJ9dmezjwZ1mVprqpZGACgjJ8pofoBDzqj JFZzsgjtnxexHPeIRgQTEQIABgUCTNPm9AAKCRA7MBG3a51lIxZXAJ9LCIEuqGSC vqWHSDWfOyUVJDs79QCgjie73b4Aqqh6/L5gNNnyOKfijQGIZgQTEQIAJgUCVRVA KgIbAwUJDGAJNgYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJECnYyNrERHzzaMgA oKS3rphzC+bldqyVYAoYScPkuOfoAJ9zTBjr6NyGerUadVJXdxouuwuH74hGBBAR AgAGBQJVqgtUAAoJEJjqcbfL1n6bycYAn1hv8fsI7J5s6SnmE0GTZ7fpLDuIAJ9n 6zmk6cIOz4/lwrKmsIToN/CL3Q== =sAAQ -----END PGP PUBLIC KEY BLOCK-----

On RPM-based systems, the key should be imported with rpm --import <keyfile> before adding the repo, on APT-based systems with apt-key add <keyfile>.