Linux packages don't download via HTTPS #231

Open
JeremyRand opened this issue May 29, 2015 · 7 comments
Comments

@JeremyRand (Member)

The Linux packages on OBS don't download via HTTPS; nor do the associated keys. This means that a passive attacker can easily see who is downloading Namecoin, and an active attacker can easily inject malware into downloads.

I know this is a temporary issue since Namecoin Core will use reproducible builds... but it's still a problem for now.

@JeremyRand (Member Author)

@pmconrad

@pmconrad commented Jun 8, 2015

Posted an issue at openSUSE: openSUSE/software-o-o#45

@JeremyRand (Member Author)

@pmconrad I'm not referring to the iframe web page; I'm talking about the package files. E.g. it asks me to run:

wget http://download.opensuse.org/repositories/home:p_conrad:coins/Fedora_21/home:p_conrad:coins.repo

Which means I'm totally vulnerable to a MITM attack when downloading that .repo file, which could be used to inject malware.

@pmconrad commented Jun 9, 2015

I can sign the repo's GPG key with my own if that's any help. (But I can't upload the signed key to OBS, so we'd have to publish it elsewhere.)
That would prevent the MITM, but wouldn't solve the privacy issue.

@JeremyRand (Member Author)

@pmconrad If you could upload a signed copy of the .repo files (and whatever equivalent exists for non-Fedora distros) to namecoin.org, that would probably work okay (and would be reasonably user-friendly for end users). @phelixbtc could probably help facilitate uploading them.

I would love to solve the privacy issue too, but it's less critical (particularly since privacy-conscious users are probably using Tor, which partially solves this issue).

@JeremyRand (Member Author)

Hello @pmconrad and @phelix , is there any progress on this?

@pmconrad

Sorry, this dropped off my radar. Thanks for the bump.
Here's the repo key signed by me:

On RPM-based systems, the key should be imported with rpm --import <keyfile> before adding the repo, on APT-based systems with apt-key add <keyfile>.
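As an added example (not from this issue thread or from the Namecoin/OBS projects), a POSIX shell lint for a dnf/yum .repo file that flags the two problems discussed above: repository and key URLs fetched over plain HTTP, and gpgcheck not enabled. The sample .repo contents, the hardening step and the temp file paths are constructed to resemble the OBS-generated file referenced in the thread, not copied from it.

```shell
#!/bin/sh
# Added lint for a yum/dnf .repo file, checking for the two weaknesses raised in
# this issue: baseurl/metalink/gpgkey values fetched over plain HTTP (open to
# MITM) and gpgcheck not enabled. Prints one finding per line; returns 0 when
# the file is clean and 1 otherwise.
check_repo_file() {
    file="$1"
    bad=0
    while IFS= read -r line; do
        case "$line" in
            baseurl=http://*|metalink=http://*|gpgkey=http://*)
                echo "FINDING: plain-HTTP URL in $file: $line"
                bad=1 ;;
        esac
    done < "$file"
    # Without gpgcheck=1 the package manager installs unverified packages even
    # if the transport were protected.
    if ! grep -q '^gpgcheck=1' "$file"; then
        echo "FINDING: gpgcheck not enabled in $file"
        bad=1
    fi
    return "$bad"
}

# Constructed sample in the shape of the OBS-generated .repo file discussed
# above (hypothetical contents, not the real file).
write_sample_repo() {
    cat > "$1" <<'EOF'
[home_p_conrad_coins]
name=Namecoin (Fedora_21)
type=rpm-md
baseurl=http://download.opensuse.org/repositories/home:/p_conrad:/coins/Fedora_21/
gpgcheck=1
gpgkey=http://download.opensuse.org/repositories/home:/p_conrad:/coins/Fedora_21/repodata/repomd.xml.key
enabled=1
EOF
}

# Rewrite every key=http:// value to https:// so the same lint passes.
harden_repo_file() {
    sed 's#^\([a-z]*\)=http://#\1=https://#' "$1" > "$2"
}

sample="${TMPDIR:-/tmp}/coins-sample.repo"
write_sample_repo "$sample"
check_repo_file "$sample" || echo "-> $sample needs fixing"
harden_repo_file "$sample" "$sample.fixed"
check_repo_file "$sample.fixed" && echo "-> $sample.fixed is clean"
```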
