namecoin / namecoin-legacy

Legacy client. New version here: https://github.com/namecoin/namecoin-core (note the release branch!)

Official website / Home Page: https://namecoin.org


Linux packages don't download via HTTPS

JeremyRand opened this issue

The Linux packages on OBS don't download via HTTPS; nor do the associated keys. This means that a passive attacker can easily see who is downloading Namecoin, and an active attacker can easily inject malware into downloads.

I know this is a temporary issue since Namecoin Core will use reproducible builds... but it's still a problem for now.

Posted an issue at openSUSE: openSUSE/software-o-o#45

@pmconrad I'm not referring to the iframe web page; I'm talking about the package files. E.g. it asks me to run:

wget http://download.opensuse.org/repositories/home:p_conrad:coins/Fedora_21/home:p_conrad:coins.repo

Which means I'm totally vulnerable to a MITM attack when downloading that .repo file, which could be used to inject malware.
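The .repo file discussed above is the thing an on-path attacker would alter. The following audit script is an added example, not code from the issue thread or the Namecoin project: it parses a yum/dnf style .repo file and flags stanzas whose baseurl, mirrorlist, metalink or gpgkey use plain http:// or whose gpgcheck is off. The sample .repo content is constructed to resemble the OBS layout the issue quotes; its hostnames and paths are placeholders, not the real repository definition.

```python
"""Audit a yum/dnf .repo file for transport and signature weaknesses.

Added example (not from the Namecoin issue thread). A repo definition
fetched over plaintext HTTP can be rewritten in transit, so the checks
below flag every URL that is not https:// or file://, plus any stanza
that disables package signature checking.
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: same shape as an OBS-generated .repo file, with
# placeholder hosts. The first stanza mirrors the weakness in the issue.
SAMPLE_REPO = """\
[home_p_conrad_coins]
name=Cryptocurrency clients (Fedora_21)
type=rpm-md
baseurl=http://download.example.invalid/repositories/home:/p_conrad:/coins/Fedora_21/
gpgcheck=1
gpgkey=http://download.example.invalid/repositories/home:/p_conrad:/coins/Fedora_21/repodata/repomd.xml.key
enabled=1

[safe_repo]
name=Hardened example
baseurl=https://mirror.example.invalid/repo/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
enabled=1

[unsigned_repo]
name=No signature checking
baseurl=https://mirror.example.invalid/other/
gpgcheck=0
enabled=1
"""

# Keys whose values are URLs in yum/dnf repo files.
URL_KEYS = ("baseurl", "mirrorlist", "metalink", "gpgkey")


@dataclass
class Finding:
    section: str
    key: str
    problem: str


def audit_repo_text(text: str) -> list[Finding]:
    """Return one Finding per weakness found in the .repo text."""
    # interpolation=None so '%' in URLs is taken literally.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings: list[Finding] = []
    for section in cp.sections():
        opts = cp[section]
        # gpgcheck is off when absent; anything other than "1" is treated as off.
        if opts.get("gpgcheck", "0").strip() != "1":
            findings.append(Finding(section, "gpgcheck", "package signature checking disabled"))
        for key in URL_KEYS:
            if key not in opts:
                continue
            # yum/dnf accept several whitespace-separated URLs per key.
            for url in opts[key].split():
                scheme = urlsplit(url).scheme.lower()
                if scheme == "http":
                    findings.append(Finding(section, key, f"plaintext http URL: {url}"))
                elif scheme not in ("https", "file"):
                    findings.append(Finding(section, key, f"unexpected scheme {scheme!r}: {url}"))
    return findings


def problem_sections(text: str) -> list[str]:
    """Names of the stanzas that produced at least one finding, sorted."""
    return sorted({f.section for f in audit_repo_text(text)})


if __name__ == "__main__":
    for f in audit_repo_text(SAMPLE_REPO):
        print(f"[{f.section}] {f.key}: {f.problem}")
```

Run against a real file with `audit_repo_text(open(path).read())`; a clean file yields an empty list. Note that a plaintext gpgkey URL matters even with gpgcheck=1: if the key itself can be swapped in transit, signature checking only proves the package matches the attacker's key.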

I can sign the repo's GPG key with my own if that's any help. (But I can't upload the signed key to OBS, so we'd have to publish it elsewhere.)
That would prevent the MITM, but wouldn't solve the privacy issue.

@pmconrad If you could upload a signed copy of the .repo files (and whatever equivalent exists for non-Fedora distros) to namecoin.org, that would probably work okay (and would be reasonably user-friendly for end users). @phelixbtc could probably help facilitate uploading them.

I would love to solve the privacy issue too, but it's less critical (particularly since privacy-conscious users are probably using Tor, which partially solves this issue).

Hello @pmconrad and @phelix , is there any progress on this?

Sorry, this dropped off my radar. Thanks for the bump.
Here's the repo key signed by me:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

mQGiBEzT5vQRBAChC66Ww4PMVR/EQ/z6h1R4ChmMO+1B6GNJRP5AaoCO1rERilP4
eRLZPosh1xK6InmC9s0WKTTZoQK4BtRn/OLI81i4RGOMQ6gu/Deo/snbgO+tGXaD
qWPklbhysZcvjfitGV52ZZZch7nYLo1PWGQcdE3MiIO/6lPD2MGVTk9W3wCgqTAh
hBOmpSzT20kvbbgFeAZPKYED/3fW1+fcdXMvh90JP5cqdGzPTlRwU38/UltHHEte
mn14fJ8wOT1T8N903qZaePPiZDzWPR8SoGRHNvT0Hjlx2OC/ZlpKK6HlYzf9b8c5
LwkD6jicJZot5EXtdPwJ9wg/YBaKvNQPm3YMKyCbbqWGbHw9oJBYhSOAL3wbfov8
xEtTBACduLJEOcPkt3eDlvOLOaScYZP60xRdowPtjYJ7/uf5qHh3CeK2Q8bV4UKY
ieOWeclRUQobPmumvgisQRdk48NdSKMaLXCDuzgMDPWQVW6B9XF9cHWykIJFPylm
1rqK5hGbdkREoDX3o4Uh8QmNJK8E0k57pRGXrGNSpSQKRy9227Q8aG9tZTpwX2Nv
bnJhZCBPQlMgUHJvamVjdCA8aG9tZTpwX2NvbnJhZEBidWlsZC5vcGVuc3VzZS5v
cmc+iGYEExECACYFAlD1HMoCGwMFCQg/5dYGCwkIBwMCBBUCCAMEFgIDAQIeAQIX
gAAKCRAp2MjaxER88/nqAKCNa7rEXRGJ9dmezjwZ1mVprqpZGACgjJ8pofoBDzqj
JFZzsgjtnxexHPeIRgQTEQIABgUCTNPm9AAKCRA7MBG3a51lIxZXAJ9LCIEuqGSC
vqWHSDWfOyUVJDs79QCgjie73b4Aqqh6/L5gNNnyOKfijQGIZgQTEQIAJgUCVRVA
KgIbAwUJDGAJNgYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJECnYyNrERHzzaMgA
oKS3rphzC+bldqyVYAoYScPkuOfoAJ9zTBjr6NyGerUadVJXdxouuwuH74hGBBAR
AgAGBQJVqgtUAAoJEJjqcbfL1n6bycYAn1hv8fsI7J5s6SnmE0GTZ7fpLDuIAJ9n
6zmk6cIOz4/lwrKmsIToN/CL3Q==
=sAAQ
-----END PGP PUBLIC KEY BLOCK-----

On RPM-based systems, the key should be imported with rpm --import <keyfile> before adding the repo, on APT-based systems with apt-key add <keyfile>.