[Rpm-maint] [rpm-software-management/rpm] RFE: read sources checksums from the SPEC file and verify them (#463)
Georg Sauthoff
notifications at github.com
Fri Jul 13 16:51:38 UTC 2018
In SPEC files there is the Source0/SourceX directive to specify the sources. Example:
Source0: http://releases.nixos.org/patchelf/patchelf-%{version}//%{name}-%{version}.tar.bz2
cf. https://github.com/gsauthof/copr-epel/blob/master/patchelf/patchelf.spec#L9
Other software then uses those keys to download the referenced files. For example, one can tell rpmbuild to auto-download all sources, Copr auto-downloads the sources (by default) or the user evaluates the SPEC file with `rpmspec -P` and copy'n'pastes into a curl/wget command line.
Either way, as-is, there is no way to specify a cryptographic checksum inside the SPEC file for the sources specified there. For example like this:
Source0-sha256: a0f65c1ba148890e9f2f7823f4bedf7ecad5417772f64f994004f59a39014f83
With such syntax available it would be great if rpm would verify each source against the specified checksum and fail if there is a mismatch.
cf. https://bugzilla.redhat.com/show_bug.cgi?id=1536846#c7 for an example where this came up
As-is, it seems, one has to maintain checksums outside the .spec file, be cautious to manually check checksums or just ignore the problem - which is all tedious and error-prone or dangerous.
For example, because of this I had to roll my own verification logic for my Copr packages (as described in https://bugzilla.redhat.com/show_bug.cgi?id=1536846#c7).
Thus, adding this capability directly to rpm would reliably protect against man-in-the-middle (MITM) attacks.
Note that restricting auto-downloads to secure protocols like https isn't a substitute for this feature as a) not all sources are available via https and b) the infrastructure behind the https endpoint can have security issues (e.g. a temporary intrusion where files are getting replaced).
See also the discussion around https://pagure.io/copr/copr/pull-request/211#comment-43965 how Copr disabled insecure protocols for auto-downloads.
Other package formats support specifying checksums for the referenced source files (e.g. Arch/Gentoo/Homebrew source packages).
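The following is an added example, not code from rpm or from the issue author: a small checker that parses the `SourceN:` tags of a spec file together with the `SourceN-sha256:` tag proposed above (rpm itself does not understand that tag), expands `%{name}`/`%{version}` from the preamble as a minimal stand-in for `rpmspec -P`, and compares each downloaded file against its checksum. The spec text, the version `0.9` and the file contents are constructed for the demonstration.

```python
"""Verify downloaded sources against proposed SourceN-sha256 tags in a spec file.

Added example (not rpm's code). The `SourceN-sha256:` tag is the syntax
proposed in issue #463 and is not implemented by rpm itself.
"""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# "Tag: value" preamble lines; tags may contain digits and dashes (Source0-sha256).
TAG_RE = re.compile(r'^(?P<tag>[A-Za-z0-9_-]+)\s*:\s*(?P<value>\S.*?)\s*$')
# %{name}-style macros; only preamble tags are expanded here.
MACRO_RE = re.compile(r'%\{(?P<name>[A-Za-z_][A-Za-z0-9_]*)\}')
# First section header ends the preamble.
SECTION_RE = re.compile(r'^%(prep|build|install|check|files|changelog|description|package)\b')


def parse_spec(text):
    """Return (tags, sources, checksums) gathered from the spec preamble."""
    tags, sources, checksums = {}, {}, {}
    for line in text.splitlines():
        if SECTION_RE.match(line):
            break
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, value = m.group('tag').lower(), m.group('value')
        src = re.fullmatch(r'source(\d*)', tag)        # "Source:" means Source0
        sum_ = re.fullmatch(r'source(\d*)-sha256', tag)  # proposed tag
        if src:
            sources[int(src.group(1) or 0)] = value
        elif sum_:
            checksums[int(sum_.group(1) or 0)] = value.lower()
        else:
            tags[tag] = value
    return tags, sources, checksums


def expand_macros(value, tags):
    """Expand %{tag} references from preamble tags (minimal rpmspec -P stand-in)."""
    def sub(m):
        name = m.group('name').lower()
        if name not in tags:
            raise KeyError('undefined macro %%{%s}' % name)
        return tags[name]
    prev = None
    while prev != value:  # repeat so macros nested in tag values also expand
        prev, value = value, MACRO_RE.sub(sub, value)
    return value


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 20), b''):
            h.update(chunk)
    return h.hexdigest()


def verify_sources(spec_text, sourcedir):
    """Return [(index, filename, status)] with status in
    'ok', 'mismatch', 'missing-file', 'no-checksum'."""
    tags, sources, checksums = parse_spec(spec_text)
    results = []
    for idx in sorted(sources):
        url = expand_macros(sources[idx], tags)
        fname = os.path.basename(urlparse(url).path)  # rpm keeps only the basename
        path = os.path.join(sourcedir, fname)
        expected = checksums.get(idx)
        if expected is None:
            status = 'no-checksum'
        elif not os.path.isfile(path):
            status = 'missing-file'
        elif sha256_of(path) == expected:
            status = 'ok'
        else:
            status = 'mismatch'
        results.append((idx, fname, status))
    return results


# Constructed spec: version 0.9 and the checksum (SHA-256 of b"hello\n") are sample values.
SPEC = """\
Name:    patchelf
Version: 0.9
Source0: http://releases.nixos.org/patchelf/patchelf-%{version}//%{name}-%{version}.tar.bz2
Source0-sha256: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
Source1: fix-build.patch
"""


def demo(tamper=False):
    """Create a throwaway SOURCES dir, optionally with a replaced tarball, and check it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, 'patchelf-0.9.tar.bz2'), 'wb') as f:
            f.write(b'evil\n' if tamper else b'hello\n')  # stands in for the tarball
        return verify_sources(SPEC, d)


if __name__ == '__main__':
    for idx, fname, status in demo():
        print('Source%d %s: %s' % (idx, fname, status))
    for idx, fname, status in demo(tamper=True):
        print('Source%d %s (replaced): %s' % (idx, fname, status))
```

Any status other than `ok` would make the build fail in the scheme the issue proposes; `no-checksum` is reported separately so a packager notices sources that were never pinned rather than silently skipping them.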
https://github.com/rpm-software-management/rpm/issues/463