Kicksecure / security-misc

Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc

Home Page: https://www.kicksecure.com/wiki/Impressum

`flatpak remote-add` TOFU and TLS security issue / use stronger authentication than TLS

adrelanos opened this issue · comments

Issue

The command flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo for adding the Flathub repository has a security concern. That command downloads a Flatpak repository file. That file contains an OpenPGP (gpg) signing key under the GPGKey= keyword, but this key is not authenticated beyond the security provided by TLS.

The command relies on Trust on First Use (TOFU), which is a less secure approach compared to verification of signing keys. In essence, TOFU means trusting the initial connection and the credentials received without additional verification.

When a repository is added using the flatpak remote-add command, the Flatpak repository definition file is downloaded over TLS (Transport Layer Security). While TLS provides basic security, the TLS CA system is not very secure and has been hacked multiple times. TLS alone does not provide strong verification of the authenticity of the software’s origin.

It would be more secure to verify the key fingerprint through the OpenPGP web of trust or other means of key fingerprint verification.

The reliance on TLS for verification lowers the overall security level. Ideally, software verification should be done through established and strong cryptographic signatures, ensuring that the software comes from a trusted source and has not been tampered with.

To enhance security, users could manually add the Flathub repository configuration. This can be done by placing a configuration snippet directly in the /etc/flatpak/remotes.d directory. A file like /etc/flatpak/remotes.d/flathub.flatpakrepo can be created for this purpose. The content of this file, especially the GPGKey= keyword, should be sourced from a more secure, authenticated method than TLS. This ensures that the repository’s signing key is verified and trusted beyond the initial TLS connection.

In other words, the flatpak remote-add command currently fails against a MitM capable of breaking TLS. This is sad because, by comparison, other package managers such as Debian's APT survive that (assuming there is no vulnerability in that gpg verification code). Once the user has installed the Linux distribution, the signing key is installed and used. The package manager can use TLS for an additional security layer but is also secure in case TLS is compromised.


Solution 1: Use properly formatted OpenPGP keys in flathub.flatpakrepo.

Add support for properly formatted OpenPGP keys in flathub.flatpakrepo files. At the end:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFlD2sABEADsiUZUOYBg1UdDaWkEdJYkTSZD68214m8Q1fbrP5AptaUfCl8K
-----END PGP PUBLIC KEY BLOCK-----

Because currently GPGKey= is hard to convert into a format that gpg understands. I tried to extract the key from GPGKey=, add BEGIN and END, but that won't work. Error: gpg: invalid radix64 character 2D skipped
Probably because the lines are too long.

I tried formatting the lines.

awk '/-----BEGIN PGP PUBLIC KEY BLOCK-----/,/-----END PGP PUBLIC KEY BLOCK-----/ { if (!/-----BEGIN PGP PUBLIC KEY BLOCK-----/ && !/-----END PGP PUBLIC KEY BLOCK-----/) {print | "fold -w 64"} else print }' flathub-key-long.asc > flathub-key.as

Still the same error. So that seems complicated and an uphill battle. Even if someone wanted to do this, it currently does not seem possible.

I don't think after downloading flathub.flatpakrepo there is any way to verify the key fingerprint?


Solution 2: Provide a detached gpg signature.

  • repofile: https://flathub.org/repo/flathub.flatpakrepo
  • signature: https://flathub.org/repo/flathub.flatpakrepo.asc

Solution 3: Allow specification of the long gpg fingerprint on the command line.

Something like this:

flatpak remote-add --fingerprint 0000000000000000000000000000000000000000 --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

Then flatpak could use a setting in /etc/flatpak which makes --fingerprint mandatory.


Solution 4: Hardcode the gpg key fingerprint or TLS certificate fingerprint.

At least for Flathub it would be good if the gpg fingerprint and/or TLS certificate fingerprint for flathub.org were hardcoded so that certificate authorities cannot mess with it.
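
A client-side version of Solution 3, added here as an example that is not part of the issue, of Flatpak, or of Flathub: it parses a .flatpakrepo file, computes the RFC 4880 v4 fingerprint of the key carried in GPGKey= and compares it with a fingerprint pinned out of band, so a key that arrived over a compromised TLS connection is rejected before the remote is added. The repo file and the key below are constructed for the example (the key is syntactically valid but not a real key); `repo.example.invalid` is a placeholder URL.

```python
"""Pin a Flatpak repository's OpenPGP key fingerprint before trusting it."""
import base64
import configparser
import hashlib
import hmac

def public_key_packet_body(key: bytes) -> bytes:
    """Return the body of the first packet, which must be a v4 public key (tag 6).
    Only old-format headers (0x99 ...) are handled; that is what gpg --export emits."""
    first = key[0]
    if (first & 0xC0) != 0x80:
        raise ValueError("expected an old-format OpenPGP packet header")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # tag in bits 2-5, length type in bits 0-1
    if tag != 6 or ltype == 3:
        raise ValueError("first packet is not a public key with a definite length")
    size = (1, 2, 4)[ltype]
    length = int.from_bytes(key[1:1 + size], "big")
    body = key[1 + size:1 + size + length]
    if len(body) != length or body[0] != 4:
        raise ValueError("truncated packet or non-v4 key")
    return body

def v4_fingerprint(key: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, the 2-byte body length and the body."""
    body = public_key_packet_body(key)
    prefix = b"\x99" + len(body).to_bytes(2, "big")
    return hashlib.sha1(prefix + body).hexdigest().upper()

def repo_key_matches(repofile_text: str, pinned_fpr: str) -> bool:
    """Parse a .flatpakrepo file and compare its GPGKey= fingerprint with the pinned one."""
    cfg = configparser.ConfigParser()
    cfg.read_string(repofile_text)
    key = base64.b64decode(cfg["Flatpak Repo"]["GPGKey"])
    pinned = pinned_fpr.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(key), pinned)

# Constructed sample (not a real key): a well-formed v4 RSA public-key packet with toy
# MPIs, old-format header 0x99 with a 2-byte length, the same shape as a real GPGKey= value.
SAMPLE_BODY = (b"\x04" + b"\x59\x43\xda\xc0" + b"\x01"          # version, creation time, RSA
               + b"\x00\x10\xc3\x5b" + b"\x00\x11\x01\x00\x01")  # MPI n (16 bits), MPI e (17 bits)
SAMPLE_KEY = b"\x99" + len(SAMPLE_BODY).to_bytes(2, "big") + SAMPLE_BODY
SAMPLE_REPOFILE = ("[Flatpak Repo]\nTitle=Example\nUrl=https://repo.example.invalid/repo/\n"
                   "GPGKey=" + base64.b64encode(SAMPLE_KEY).decode() + "\n")
```

Only if `repo_key_matches` returns True for the fingerprint obtained from an authenticated source would the file be copied into /etc/flatpak/remotes.d or passed to flatpak remote-add.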

Wrong repository. Will post at flatpak.