comp500
commented
1 year ago Git already has PGP signing for repositories - that could be integrated once Git support is implemented, and would allow signing the entire contents of the repo. Of course, this wouldn't be able to verify the PGP signatures of files packwiz-installer itself downloads, but you could implement signature verification when you create the pack and have everyone trust that you verified those files, without any extensions to the actual packwiz format (as the hashes ensure that the files you verified haven't been tampered with).
Reducing points of compromise is beneficial to security though, so verifying signatures in packwiz-installer seems like a good idea particularly if you want to link the trust to the original authors/builders of JARs. The following are my main concerns:
- How large would a PGP library be - would it add significant bulk to the install size of packwiz-installer?
- Would a different signing mechanism be better for a lightweight install, assuming the PKI/trust infrastructure that is used works with it?
- How would the signatures themselves be transmitted - a detached signature file? part of the
.pw.toml? retrieved from an external server? - Should the packwiz CLI obtain these signatures, and if so how?
- Who keeps track of which keys/certificates are valid, and who should be allowed to sign JARs? (i.e. key servers)
- This looks like a problem the MMPA is trying to solve...
- (possibly out of scope for this issue since such a filter could be useful without PGP) If an external authority provides certification to validate that executable files are "safe", how does packwiz-installer determine which files are "possibly dangerous" and require a signature from the authority?
- For the most part this would be solved with a
.jarfilter, but some mods might use native code or unsandboxed scripting that could be modified by a malicious modpack
- For the most part this would be solved with a
3TUSK
We migrated from our home-brewed mod-updater to packwiz-installer for our new iteration of online convention event this year.
Everything works as expected, except one feature missing: mandatory PGP signature verification.
As some background information: ever since 2020 when we started our convention event, we requires all submitted mods to be built on our own. Since 2021, we streamlined this process by leveraging GitHub Actions, and added a signing step after build, so that everyone with correct tooling can verify that those jars are from us. To make the verification easier, as well as to make mod updates faster, I rolled out the said home-brewed mod-updater. From a high-level point of view, this home-brewed updater:
This home-brewed updater has many flaws, however; I will not list them here to make this ticket less wordy. To address these flaws, we decided to drop our own tooling entirely in favor or packwiz, which, according to our initial testing earlier this year, is satisfactory.
... except the absence of PGP signature verification. Whilst in the last two years, we did not suffer from incidents akin to the Fractureiser, the Fractureiser incident itself is nonetheless a reminder that we need some kind of defense.
Therefore, I am writing this ticket to request such a feature. There are at least two ways to approach this, however:
I anticipate that both approaches involve changes to the existing packwiz format. Also, it is also worth noting that, the signature does not have to be PGP. We chose PGP because it was probably the most obvious choice when we were thinking about authenticity check.
Signature verification should be optional - that is, if a pack creator does not want to use it, the workflow is the same as what we have now; however, if a pack creator enables signature verification, the pack update should fail when signature verification fails.
Further, if a file does not have its accompanying detached signature, either the installer should skip verification for that file, or give some sort of warning about the absence of signature.