rpm-software-management / deltarpm


Document if delta RPMs are signed #9

Open DemiMarie opened 3 years ago

DemiMarie commented 3 years ago

Are delta RPMs signed?

mlschroe commented 3 years ago

They are normal rpms with just a different payload, so they can be signed as well. I don't know about Fedora, but SUSE signs the generated delta rpms.

As they completely live outside of rpm I don't see why the rpm project should document something about them.

DemiMarie commented 3 years ago

The bigger question is whether DNF verifies these signatures.

marmarek commented 3 years ago

I've taken some random drpm from Fedora repo: https://ftp-stud.hs-esslingen.de/pub/fedora/linux/updates/33/Everything/x86_64/drpms/firefox-x11-85.0-5.fc33_85.0-8.fc33.x86_64.drpm It is not only not signed, but also package digest doesn't match:

$ rpm -K firefox-x11-85.0-5.fc33_85.0-8.fc33.x86_64.drpm
firefox-x11-85.0-5.fc33_85.0-8.fc33.x86_64.drpm: DIGESTS NOT OK

It looks like the header is from the new package (which matches the vague description in https://github.com/rpm-software-management/deltarpm/blob/master/README). If that's really the case, the signature in the header can't possibly match the deltarpm payload, because it is a different payload than the target rpm package. I think what @DemiMarie asked is whether the format permits a signature check before processing the actual payload. My understanding is: it does not.

DemiMarie commented 3 years ago

Indeed that is what I am asking. If @marmarek is correct, then this is a serious security weakness in the delta RPM format, and delta RPMs should be disabled by default. The same reasoning for RPM Copy on Write applies here.

mlschroe commented 3 years ago

The signatures of a delta rpm are in its signature header, that's why they match the deltarpm payload and not the original rpm payload.

The exception is the new RPMTAG_PAYLOADDIGEST/RPMTAG_PAYLOADDIGESTALGO tags that have been added a couple of months ago. Maybe that's what rpm -K complains about... (maybe add the -v option to get more output?) We'd need to tweak them like we do with the payloadcompressor to make them match.
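
To make the layout this comment describes concrete, here is an added example (not code from the deltarpm project or from anyone in this thread) that walks the lead, the signature header and the main header of an rpm/drpm file without touching the payload. It reports which OpenPGP signature tags the signature header carries (RPMSIGTAG_DSA/RSA/PGP/GPG) and what the main header's RPMTAG_PAYLOADDIGEST says; for a drpm the latter still describes the target rpm's payload, which is what `rpm -K` flags. The tag numbers are rpm's; `build_header` exists only to construct test input.

```python
import struct

LEAD_MAGIC, LEAD_SIZE = b"\xed\xab\xee\xdb", 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"
# Signature-header tags carrying an OpenPGP signature over header+payload.
SIG_TAGS = {267: "DSA", 268: "RSA", 1002: "PGP", 1005: "GPG"}
# Main-header tags from newer rpm; in a drpm they describe the *target* payload.
PAYLOADDIGEST, PAYLOADDIGESTALGO = 5092, 5093
STRING_TYPES = (6, 8, 9)  # STRING, STRING_ARRAY, I18NSTRING: NUL-terminated
INT_WIDTH = {2: 1, 3: 2, 4: 4, 5: 8}  # CHAR, INT8/16/32/64 element widths

def build_header(entries):
    """Serialise [(tag, type, bytes)] into a header structure (constructed test input)."""
    index, data = b"", b""
    for tag, typ, val in entries:
        count = len(val) if typ == 7 else 1  # BIN counts bytes, others elements
        index += struct.pack(">IIII", tag, typ, len(data), count)
        data += val + (b"\0" if typ in STRING_TYPES else b"")
    return HEADER_MAGIC + struct.pack(">II", len(entries), len(data)) + index + data

def read_header(buf, pos):
    """Parse the header structure at pos; return ({tag: (type, value)}, end offset)."""
    if buf[pos:pos + 8] != HEADER_MAGIC:
        raise ValueError("no RPM header structure at offset %d" % pos)
    nindex, hsize = struct.unpack(">II", buf[pos + 8:pos + 16])
    idx, data = pos + 16, pos + 16 + nindex * 16
    tags = {}
    for i in range(nindex):
        tag, typ, off, cnt = struct.unpack(">IIII", buf[idx + 16 * i:idx + 16 * i + 16])
        if typ in STRING_TYPES:
            tags[tag] = (typ, buf[data + off:buf.index(b"\0", data + off)])
        else:  # BIN (7) is cnt bytes; integer arrays are cnt * element width
            tags[tag] = (typ, buf[data + off:data + off + cnt * INT_WIDTH.get(typ, 1)])
    return tags, data + hsize

def inspect_rpm(buf):
    """Describe signature header and main header before any payload is processed."""
    if buf[:4] != LEAD_MAGIC:
        raise ValueError("not an rpm/drpm lead")
    sig, end = read_header(buf, LEAD_SIZE)
    end += (-end) % 8  # the signature header is padded to an 8-byte boundary
    hdr, payload_start = read_header(buf, end)
    return {
        "signatures": sorted(SIG_TAGS[t] for t in sig if t in SIG_TAGS),
        "payload_digest": hdr.get(PAYLOADDIGEST, (None, None))[1],
        "payload_start": payload_start,
    }
```

An empty `signatures` list means the file carries no signature at all, regardless of what the repodata checksum says; a non-empty one still has to be verified with `rpm -K` against a trusted key.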

marmarek commented 3 years ago

Yes, it seems so:

firefox-x11-85.0-5.fc33_85.0-8.fc33.x86_64.drpm:
    Payload SHA256 ALT digest: BAD (Expected df190725901ecc553c9002649c70c95adb9a12bd934f7bf1d9e2fb5458b45fb8 != d9c8f0e9dc1f4f1351fce180f8757b646d0a4d8724960a6e02a9e4b9bfc56d70)
    Payload SHA256 digest: BAD (Expected 42d6bbdfcdbbd4deb4211b1bcc565454ccc751648f051933ed25e26bcf3a56c9 != d9c8f0e9dc1f4f1351fce180f8757b646d0a4d8724960a6e02a9e4b9bfc56d70)
    MD5 digest: OK

DemiMarie commented 3 years ago

@mlschroe can we add signature verification functionality to the deltarpm tool, and turn it on by default? I can’t think of many legit use cases for unsigned delta RPMs.

mlschroe commented 3 years ago

You're supposed to use rpm to check the signature of the delta rpm.

(Also note that the repodata usually contains a checksum for the delta rpm, so it's more like how much you trust the metadata.)