sensu / sensu-chef

Sensu Chef cookbook.
https://supermarket.chef.io/cookbooks/sensu
Apache License 2.0
222 stars, 280 forks

Package Installation Vulnerable to MITM by Default #578

Closed mike-stewart closed 6 years ago

mike-stewart commented 6 years ago

This cookbook downloads the GPG key for the repository using HTTP by default for Debian/Ubuntu, leaving it vulnerable to MITM attacks.

It also appears to not use a GPG key at all for installation on RHEL w/ yum.

Similar issue for Windows: HTTPS is not used for downloading the MSI.

Related issues (now resolved): https://github.com/sensu/sensu/issues/1099 https://github.com/sensu/sensu-docs/issues/159

Expected Behavior

I'd expect that any packages should either be downloaded over HTTPS and/or verified using a trusted key. If the key was downloaded insecurely, it can't be trusted.

Current Behavior

The GPG key is downloaded over HTTP for Debian/Ubuntu: https://github.com/sensu/sensu-chef/blob/2834183376a124e8d634aa4dc406e5c493d85059/attributes/default.rb#L34 https://github.com/sensu/sensu-chef/blob/2834183376a124e8d634aa4dc406e5c493d85059/recipes/_linux.rb#L28

GPG is disabled for RHEL/fedora/amazon/suse: https://github.com/sensu/sensu-chef/blob/2834183376a124e8d634aa4dc406e5c493d85059/recipes/_linux.rb#L76

Possible Solution

Either change the default repo URLs to use HTTPS (this seems to have worked for me), or add an additional attribute to the cookbook to specify the GPG key URL. Presumably defaulting to https://sensu.global.ssl.fastly.net/apt/pubkey.gpg?
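As an added illustration (not the cookbook's code; the attribute names and URLs are placeholders I chose), a small Ruby check that flags the defaults the issue reports: a signing key fetched over plain HTTP, a repository with gpgcheck disabled, and an MSI fetched over HTTP. The hardened hash shows the corrected settings side by side.

```ruby
require 'uri'

# Constructed stand-in for the cookbook's default attributes
# (keys are assumptions, not the real attribute names).
WEAK_DEFAULTS = {
  'apt' => { 'repo_url' => 'http://repo.example.invalid/apt',
             'key_url'  => 'http://repo.example.invalid/apt/pubkey.gpg' },
  'yum' => { 'repo_url' => 'http://repo.example.invalid/yum',
             'gpgcheck' => false, 'gpgkey' => nil },
  'windows' => { 'msi_url' => 'http://repo.example.invalid/sensu.msi' }
}.freeze

# Same layout with the settings corrected: TLS everywhere, gpgcheck on.
HARDENED_DEFAULTS = {
  'apt' => { 'repo_url' => 'https://repo.example.invalid/apt',
             'key_url'  => 'https://repo.example.invalid/apt/pubkey.gpg' },
  'yum' => { 'repo_url' => 'https://repo.example.invalid/yum',
             'gpgcheck' => true,
             'gpgkey'   => 'https://repo.example.invalid/yum/pubkey.gpg' },
  'windows' => { 'msi_url' => 'https://repo.example.invalid/sensu.msi' }
}.freeze

# True only for a parseable URL whose scheme is https.
def https?(url)
  return false if url.nil? || url.empty?
  URI.parse(url).scheme == 'https'
rescue URI::InvalidURIError
  false
end

# Returns a list of findings; an empty list means none of the
# conditions described in the issue are present.
def repo_findings(attrs)
  findings = []
  apt = attrs.fetch('apt')
  findings << 'apt: signing key fetched over plain HTTP' unless https?(apt['key_url'])
  findings << 'apt: repository fetched over plain HTTP' unless https?(apt['repo_url'])
  yum = attrs.fetch('yum')
  if !yum['gpgcheck']
    findings << 'yum: gpgcheck disabled, packages not signature-verified'
  elsif !https?(yum['gpgkey'])
    findings << 'yum: gpgkey missing or fetched over plain HTTP'
  end
  findings << 'yum: repository fetched over plain HTTP' unless https?(yum['repo_url'])
  win = attrs.fetch('windows')
  findings << 'windows: MSI fetched over plain HTTP' unless https?(win['msi_url'])
  findings
end
```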

majormoses commented 6 years ago

For now I would suggest we ensure that the PGP key is downloaded over HTTPS even if the repo is not. With this we at least mitigate them changing packages in transit.

majormoses commented 6 years ago

From my testing, I think we should switch to using https://repositories.sensuapp.org/apt as the repo URL.