auto importing rpm gpg public keys from keyserver

Andrea Arcangeli andrea at suse.de
Thu Jun 15 10:09:27 PDT 2006


On Thu, Jun 15, 2006 at 06:55:03AM -0400, Jeff Johnson wrote:
> Um, ick. Let's kill this code today please. ;-)

;)

> The keyid can be extracted using a --queryformat modifier.
> 
> The relevant queryformat syntax is
>     "%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|"
> 
> The --queryformat extraction is bound through hdr.sprintf() in python.

works well:

>>> h.sprintf("%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|")
'DSA/SHA1, Sun Apr 23 02:36:59 2006, Key ID a84edae89c800aca'
>>> 

Thanks for the tip, it would have taken me ages of digging through the
source to make up the above queryformat ;)

However we still have to mangle (i.e. split) the string to get to the
key number right?

> You can find example usage in yum if not in smart already.
> 
> This is a series of nested tests for existence of 4 possible signatures.
> 
> There are two types of plaintext: header-only and header+payload.
> 
> There were different tags used for pgp (essentially RSA) and gpg  
> (essentially DSA) historically.

It seems it worked if I got the above result.

> No GUI expertise here either.

Let's leave it for later then...

> The flags to disable signature checking are per-transaction, the  
> method is ts.setVSFlags.

Yes, I noticed.

> All the flags are disablers, so
>     ts.setVSFlags(-1)
> disables all signature and digests checking by rpm.

To avoid executing rpm with popen, we need to only temporarily disable
the signature checking; that's easy, the problem is that I couldn't find how
to re-enable it. However, creating a new temporary rpm.ts() worked around
it. With a new temporary rpm.ts() I can disable signature checking so I
can read the header, and now using your sprintf() I can get to the key.

> Note carefully the chicken <-> egg problem of reading the header in
> order to identify the pubkey you wish to import.

Creating a new ts seems to work; however, if I could just re-enable
signature checking after reading the header, I could avoid creating a
new ts.

> Some security problems, like a buffer overflow reading a package
> header leading to a setuid shell, will occur before you are able to
> import the pubkey. In those cases, your scheme using gpg to import
> pubkeys is no security at all.

And how would disabling signature checking help to make things more
secure? If the signature check is off and the package is malicious, they
won't even need to hope the NX bit is disabled in the pte to get instant
root.

Also note, if you think this is a serious concern, it's very possible to
do all signature checking and gpg key fetching as user nobody, so it's
totally fixable even if you think the signature checking is so flaky
and nearly unfixable in reasonable time (in fact, with my way of forking
off a new rpm I could simply do su - nobody -c 'rpm ...' and catch the
output; it would be a two-liner to make 100% secure as long as the
kernel isn't buggy too, and the point is that it wouldn't give you
instant root).
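
An added example, not code from this thread nor from smart or rpm, of the two steps discussed in the message above: splitting the pgpsig string that hdr.sprintf() returns for the quoted queryformat into its key ID, and reading a header through a throw-away rpm.ts() with checks disabled so the caller's verifying ts stays untouched. The pgpsig layout regex and the gpg-pubkey-<short id> naming are assumptions about rpm's usual output; only the parsing functions run without the rpm module.

```python
# Added example (not from the thread or from smart/rpm): parse rpm's pgpsig
# string to a key id, and read a header via a temporary ts with verification
# disabled, as the message describes. The regex and gpg-pubkey naming are
# assumptions about rpm's output format.
import re

# Same nested queryformat quoted in the thread: tries the four signature tags in turn.
PGPSIG_QUERYFORMAT = (
    "%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:"
    "{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|"
)

# rpm formats the tag as "<algo>/<hash>, <date>, Key ID <16 hex digits>" (assumed layout).
_PGPSIG_RE = re.compile(
    r"^(?P<algo>[^,]+), (?P<date>[^,]+), Key ID (?P<keyid>[0-9a-fA-F]{16})$"
)


def parse_pgpsig(sig):
    """Split the pgpsig string into (algorithm, date, lower-case 16-hex key id).
    Returns None for an unsigned package ("(none)") or an unexpected layout."""
    m = _PGPSIG_RE.match(sig.strip())
    if not m:
        return None
    return m.group("algo"), m.group("date"), m.group("keyid").lower()


def pubkey_package_name(keyid):
    """rpm records an imported key as a pseudo-package gpg-pubkey-<short id>-<time>;
    the short id is the low 32 bits (last 8 hex digits) of the key id, so this
    prefix is what to look for before fetching the key from a keyserver."""
    return "gpg-pubkey-" + keyid[-8:].lower()


def signer_keyid(pkg_path):
    """Read a header with all checks disabled on a temporary ts (so the caller's
    verifying ts is untouched), then extract the signer's key id. Needs rpm."""
    import rpm  # imported here so the parsing helpers above work without it

    ts = rpm.ts()
    ts.setVSFlags(-1)  # all flags are disablers: skip signature and digest checks
    with open(pkg_path, "rb") as fd:
        hdr = ts.hdrFromFdno(fd.fileno())
    parsed = parse_pgpsig(hdr.sprintf(PGPSIG_QUERYFORMAT))
    return parsed[2] if parsed else None


if __name__ == "__main__":
    sample = "DSA/SHA1, Sun Apr 23 02:36:59 2006, Key ID a84edae89c800aca"  # from the thread
    print(parse_pgpsig(sample), pubkey_package_name(parse_pgpsig(sample)[2]))
```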
