[Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)
notifications at github.com
Tue Feb 21 09:57:07 UTC 2017
There should be a way to verify the payload before trying to uncompress, and more importantly, unpack it:
- We have digests on the contents of individual files, but detecting corruption in middle of installation, after all sorts of scripts might have already run, is no good at all
- Compresssion libraries have vulnerabilities of their own
- The RPMv3 digest covering the payload is the obsolete MD5, and furthermore it covers the header and the payload, but we want a digest on the payload only. This way it can be included in the main header which in turn can be signed, so the digest is protected.
The main obstacle is that the payload comes after the header during build, so it's necessary to calculate a placeholder header and rewrite with the actual digest value after writing down the payload, much like is done with signature header currently. The digest algorithm should be configurable, but default to something relatively strong, SHA256 perhaps.
It has also been suggested that this should be implemented as multiple intermediate digest "snapshots" to avoid having to check everything at once and to allow early exit on corrupted content. It would no doubt be beneficial, the challenge is finding a rasonable tradeoff between header size and the snapshot frequency, considering the payload can be anything from a few kilobytes to tens of gigabytes.
Verification of the data is another story with its own set of problems, but lets not go there yet.
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Rpm-maint