IgnorantGuru's Blog

Linux software, news, and tips

Signatures Added

All downloads on this site now include a “verify” link in the Download Links section at the top of each page. This provides brief instructions on verifying the authenticity of your download, which is as simple as pasting a few lines into your terminal (you can even paste all the lines at once).

I have created a PGP key and signed all the current versions of the files available for download. The reason I took the time to do this is to improve your security. I recommend verifying downloads.

Arch Linux Users: The AUR currently provides no way to verify signatures. For now I recommend following the ‘verify’ instructions prior to using the AUR to install software.

If you ever encounter a bad signature, please don’t ignore it, and let me know about it so I can check the server.
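As an added example that is not part of this post or its “verify” instructions, the shell functions below exercise the whole check in a throwaway keyring: they generate a key, sign a constructed file, verify it, and then show two outcomes worth recognising: a signature that plain `gpg --verify` accepts because it was made by some other key in your keyring (the fingerprint-pinned check rejects it), and the BAD signature that a modified file produces. It assumes GnuPG 2.1 or later is on PATH; the user IDs, file names and fingerprints are all generated here and are not this site’s key. In real use you would pin the full 40-hex fingerprint the download page publishes, because an exit status of 0 from `gpg --verify` only proves that some key in your keyring made the signature.

```shell
#!/bin/sh
# Added example, not the blog's own "verify" instructions: a signer-pinned
# signature check plus a tamper test, run in a throwaway keyring.
# Assumes GnuPG 2.1+ on PATH; key, file and signature are generated here,
# not downloaded, and the user IDs below are constructed placeholders.

# verify_pinned FILE SIGFILE FINGERPRINT -> 0 if FILE carries a valid
# signature made by exactly the key with that fingerprint, else 1.
# "gpg --verify" exits 0 for a good signature from ANY key in the keyring,
# so the machine-readable VALIDSIG status line is compared against the
# fingerprint the download page publishes (spaces and "0x" are tolerated).
verify_pinned() {
    expected=$(printf '%s' "$3" | tr -d ' '); expected=${expected#0x}
    expected=$(printf '%s' "$expected" | tr 'abcdef' 'ABCDEF')
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected "
}

# gen_key USERID: passphrase-less key in the current GNUPGHOME (demo only).
gen_key() {
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" default default never >/dev/null 2>&1
}

# fpr_of USERID: full fingerprint of the matching primary key.
fpr_of() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '/^fpr:/ { print $10; exit }'
}

# sign_file FPR FILE OUT: detached ASCII-armoured signature of FILE by FPR.
sign_file() {
    gpg --batch --yes --local-user "$1" --detach-sign --armor \
        -o "$3" "$2" 2>/dev/null
}

# pgp_roundtrip_demo: prints "ok" when all three checks behave as expected,
# "skip" when gpg is not installed, otherwise the name of the failing check.
pgp_roundtrip_demo() {
    command -v gpg >/dev/null 2>&1 || { echo skip; return 0; }
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    outcome=ok
    if gen_key 'Demo Signer <signer@example.invalid>' &&
       gen_key 'Unrelated Key <other@example.invalid>'; then
        signer=$(fpr_of signer@example.invalid)
        other=$(fpr_of other@example.invalid)
        printf 'constructed download payload\n' > "$work/pkg.tar"
        if sign_file "$signer" "$work/pkg.tar" "$work/pkg.tar.sig" &&
           sign_file "$other"  "$work/pkg.tar" "$work/pkg.tar.other.sig"; then
            # 1. genuine file, genuine signature: accepted
            if ! verify_pinned "$work/pkg.tar" "$work/pkg.tar.sig" "$signer"; then
                outcome=genuine-rejected
            fi
            # 2. valid signature by another key in the keyring: plain
            #    --verify says yes (exit 0), the pinned check must say no
            if ! gpg --batch --verify "$work/pkg.tar.other.sig" "$work/pkg.tar" 2>/dev/null; then
                outcome=unpinned-verify-unexpectedly-failed
            elif verify_pinned "$work/pkg.tar" "$work/pkg.tar.other.sig" "$signer"; then
                outcome=wrong-signer-accepted
            fi
            # 3. one appended byte: gpg reports BADSIG, the check must fail
            printf 'x' >> "$work/pkg.tar"
            if verify_pinned "$work/pkg.tar" "$work/pkg.tar.sig" "$signer"; then
                outcome=tampered-accepted
            fi
        else
            outcome=signing-failed
        fi
    else
        outcome=keygen-failed
    fi
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "$outcome"
}

pgp_roundtrip_demo
```

Running the script prints `ok` when all three checks behave as described. The point of `verify_pinned` is the third argument: once a key has been fetched from a keyserver it sits in your keyring like any other, so a check that stops at “Good signature” would also accept a signature from an unrelated key that happens to be there.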

March 13, 2011 - Posted by | Mods, Scripts, Tips

6 Comments

  1. What do you think of the security of the downloading of the X.org release sources ?

    I may be wrong but I could not see any signature of the sources from the primary download sites, or from the mirrors :
    see http://xorg.freedesktop.org/wiki/Mirrors

    If it is confirmed that no signature (nor md5 or sha256 sums for that matter) is available for the X.org sources, will you have the same opinion about the X.org developers as you express about the Arch devs ?

    All the distros should get the X.org sources from X.org primary download sites, or from a mirror, to build their (maybe signed) packages.

    May not the sources be modified also by an evil hacker on one or several mirrors ?

    What do you think about that ?

    I think that observation may apply to many package sources also.

    I don’t mean to say that no action should be taken to better the security (I use your paccheck script).
    But don’t you think that insecurity is everywhere and we should not get too paranoiac about that ?

    Comment by Bernard Baeyens (berbae) | March 14, 2011

    • > If it is confirmed that no signature (nor md5 or sha256 sums for that matter) is available for the X.org sources, will you have the same opinion about the X.org developers as you express about the Arch devs ?

      Absolutely. It looks like Xorg is way behind in this area. There are a few signatures on the mirrors (compiz, etc), but most of it appears to be unsigned. How they’ve managed to keep the code from being compromised (if they have), is hard to say. They have relatively few mirrors, so maybe developers serious about security use one of the two primary mirrors. They may also rely on mechanisms in git. But it looks very loose, as they themselves state in the release notes for X11R7.6-RC1:

      “Note about module security

      The X server runs with root privileges, i.e., the X server loadable modules also run with these privileges. For this reason we recommend that all users be careful to only use loadable modules from reliable sources, otherwise the introduction of viruses and contaminated code can occur and wreak havoc on your system. We hope to have a mechanism for signing/verifying the modules that we provide available in a future release.”

      link

      I think they’ve gotten away with this by sheer luck, and they’re not being very responsible. And to compound it they say:

      There are many Mirrors from which you can download source code to the X Window System. If you would like to be a mirror, feel free to do so and add yourself to the Mirrors page.

      Xorg has horrible security in general:
      Linux X.org Critical Security Flaw Silently Patched
      The High-Profile X.Org / Linux Kernel Security Bug
      Linux Xorg Is Riddled With Security Bugs. It’s a Hacker’s Dream!

      Ironically, they sign (some of?) their announcements, so someone there knows how to use PGP.

      > I don’t mean to say that no action should be taken to better the security (I use your paccheck script).
      But don’t you think that insecurity is everywhere and we should not get too paranoiac about that ?

      I think it’s important to do your best, and keep doing it – eternal vigilance. Security is a continuous process, not something you do and are done with. Systems that have poor security are eventually compromised in a public way, then there is a rush to fix the problem. Many devs need to learn this the hard way unfortunately.

      Same for maintaining your personal systems – you do the best you can. It’s also important to honestly assess the security of your systems, and part of these discussions isn’t just about getting devs to fix the problems, but letting users know that the problems exist. That way users can make qualified assessments of their system for a particular purpose, and also have a better idea where the vulnerabilities are.

      A distro’s package signing is an important component in Xorg’s security, as is Xorg’s handling of their own mirrors and source code for developers. The more vulnerabilities you address the less likely a compromised system becomes.

      Thanks for pointing this out about Xorg. It does seem like Linux security is often overstated, but it is certainly better than some alternatives (e.g. Microsoft). I think it is important to stay informed and aware of current issues, and do what we can to keep improving it. I don’t think paranoia is helpful – just keep your eyes open and put some reasonable effort into using good security.

      Comment by igurublog | March 14, 2011

      • In fact I wanted to run the Xorg server as non root user when I read that it should be possible with Kernel mode setting. See https://bbs.archlinux.org/viewtopic.php?id=96224
        But unfortunately it is not yet the case, as the kernel and the xorg-server packages have to be patched for that to be realized.
        I chose to use the Nouveau driver for that reason but was disappointed when I saw the X process still running with root privileges.
        So after a regression bug was introduced in the Nouveau driver, I came back to the proprietary Nvidia driver.
        I read in your second link :
        “The proprietary NVIDIA driver doesn’t implement KMS support, but it can allow the X Server to not run as root assuming the /dev/nvidiaX files have appropriate permissions”. So I have some hope I will be able to do that, for better security in the GUI.
        Concerning the building of the ArchLinux xorg-server package, I can see an “easy” action to better the security :
        The announcement in http://lists.freedesktop.org/archives/xorg/2011-March/052647.html is gpg signed and contains the MD5 and SHA1 sum of the sources.
        So Jan de Groot, the maintainer of the package, could use the mail announcement, verify its signature, and could use both the MD5 and SHA1 sum from the mail announcement in the PKGBUILD, to be sure the downloaded tarball was not modified.
        That could be done for the other Xorg packages, even for those with an unsigned mail announcement.
        But I am afraid, not sure though, that it will be viewed as a paranoiac attitude about hypothetical hacking of the X.org sources.
        I hesitate to propose that to Jan de Groot.
        It would be for the “better to do something now than nothing” attitude…

        Comment by Bernard Baeyens (berbae) | March 15, 2011

        • I think bringing your ideas to Jan de Groot and the Arch packagers is valuable. The more they hear about these issues the better, even if they don’t appear to respond immediately. “The squeaky wheel gets the grease,” as the saying goes.

          Feel free to post any additional info here – I don’t mind and appreciate the info. I may drop an email to Xorg mailing list to inquire about the best way to validate their sources.

          Comment by igurublog | March 15, 2011

  2. When I try to import your gpg public key with the command :

    gpg --keyserver keys.gnupg.net --recv-keys 0x8835279A1936270694BE8B7C0EAEC485107165A1

    I get :

    gpg: requête de la clé 107165A1 du serveur hkp keys.gnupg.net
    gpgkeys: key 8835279A1936270694BE8B7C0EAEC485107165A1 not found on keyserver
    gpg: aucune donnée OpenPGP valide n’a été trouvée.
    gpg: Quantité totale traitée: 0

    But it works with the command :

    gpg --keyserver keys.gnupg.net --recv-keys 107165A1

    Then I get :

    gpg: requête de la clé 107165A1 du serveur hkp keys.gnupg.net
    gpg: clé 107165A1: clé publique « IgnorantGuru (igurublog.wordpress.com) » importée
    gpg: Quantité totale traitée: 1
    gpg: importée: 1

    You may want to modify the howto of the “verify” link.

    I tried to verify the signature of the two last mails from Jeremy Huddleston of X.org, after having imported his public key of course.
    Here are my results.

    For http://lists.freedesktop.org/archives/xorg-announce/2011-March/001619.html I get :

    gpg: Signature faite le sam. 05 mars 2011 01:40:10 CET avec la clé DSA ID 37F53663
    gpg: Bonne signature de « Jeremy Huddleston »
    gpg: alias « Jeremy Huddleston »
    gpg: alias « Jeremy Huddleston »
    gpg: alias « Jeremy Huddleston »
    gpg: alias « Jeremy Huddleston »
    gpg: alias « Jeremy Huddleston »
    gpg: alias « Jeremy Huddleston »
    gpg: alias « Jeremy Huddleston »
    gpg: alias « Jeremy Huddleston »
    gpg: ATTENTION: Cette clé n’est pas certifiée avec une signature de confiance !
    gpg: Rien ne dit que la signature appartient à son propriétaire.
    Empreinte de clé principale: 04AD 8079 48F1 035E 1649 B885 8C2D 409E 37F5 3663

    i.e. GOOD signature for libXt 1.1.0
    nice!

    But for http://lists.freedesktop.org/archives/xorg-announce/2011-March/001620.html the one for the last release of xorg-server 1.9.4.901 I get :

    gpg: Signature faite le sam. 05 mars 2011 00:37:49 CET avec la clé DSA ID 37F53663
    gpg: MAUVAISE signature de « Jeremy Huddleston »

    i.e. “BAD signature”.

    This is not very reassuring for the very important package xorg-server 1.9.4.901 and its integrity.
    What can I do now ?

    Before posting to the Arch devs, I prefer to make some tests on what to propose to them.

    Comment by Bernard Baeyens (berbae) | March 16, 2011

    • > gpgkeys: key 8835279A1936270694BE8B7C0EAEC485107165A1 not found on keyserver

      That looks like a transient error. Does it report that every time if you run it again? I don’t think there is any functional difference. The fingerprint helps avoid collisions. But if it’s consistent I can add the other keyid as a backup method. Thanks for the feedback.

      I have gotten that error at other times, and running it again with the same keyid didn’t return an error. That’s why I think it may be a transient or network error you encountered.

      > What can I do now ?

      I would ask Jeremy Huddleston about why his signature is reported bad.

      Comment by igurublog | March 16, 2011


