On 07/03/2017 12:07 AM, Morten Linderud wrote:
> On Sun, Jul 02, 2017 at 11:55:35PM +0200, NicoHood wrote:
>> Yes the GPG signature of the tag commit is checked. However you can
>> attack the git metadata and set a tag to a different commit. If this
>> commit is signed, but at an older stage which is vulnerable, we have an
>> issue. Just one example. So we should always also secure the transport
>> layer.
>> https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias
>>
>
> The sign includes the hash. You would essentially have to trick Lennart into replacing the tag to a different commit,
> and sign the tag. Creating a vulnerable but verified source for the PKGBUILD. At this point I think we have bigger
> problems than whatever the PKGBUILD is doing...
>

That is exactly what I mean. If I understood right you can modify the git
metadata in a way that you can pull tag 1.2 but get 1.0. And tag 1.0 is
GPG signed and all valid. This seems to work for me.

I've added sangy to this email, he is the author of this presentation and
should know best.

sangy, can you please give us some more detailed information if an attack
could still compromise the systemd package with a modified git source but
still GPG signed commits?

~Nico
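As an added example (not code from this thread or from the systemd PKGBUILD), one way a packaging script can catch the swap Nico describes: a signed tag object embeds its own name in its `tag` header, which the signature covers, so a ref `refs/tags/v1.2` that resolves to a tag object naming `v1.0` is a repointed ref even though `git verify-tag` succeeds. The sample tag object text and its hash are constructed; `verify_release_tag` assumes a local checkout with `git` on PATH.

```python
import subprocess

# Constructed sample of `git cat-file -p refs/tags/v1.2` output for a ref that
# has been repointed at the (validly signed) v1.0 tag object. Placeholder hash.
SAMPLE_TAG_OBJECT = """object 3f786850e387550fdab836ed7e6dc881de23001b
type commit
tag v1.0
tagger Alice Maintainer <alice@example.invalid> 1499000000 +0200

Release v1.0
-----BEGIN PGP SIGNATURE-----
(signature body omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""


def parse_tag_headers(tag_object: str) -> dict:
    """Parse the header block of a git tag object (everything before the first blank line)."""
    headers = {}
    for line in tag_object.splitlines():
        if not line:
            break
        key, _, value = line.partition(" ")
        headers[key] = value
    return headers


def tag_name_matches_ref(tag_object: str, requested_tag: str) -> bool:
    """True only if this is an annotated tag of a commit whose embedded name is the tag we asked for.

    A lightweight tag ref resolves to a commit object, which has no 'tag' header and
    therefore fails here too (it also carries no signature of its own)."""
    headers = parse_tag_headers(tag_object)
    return headers.get("type") == "commit" and headers.get("tag") == requested_tag


def verify_release_tag(repo: str, requested_tag: str) -> bool:
    """Against a real checkout: check the GPG signature, then the name consistency."""
    ref = f"refs/tags/{requested_tag}"
    sig_ok = subprocess.run(["git", "-C", repo, "verify-tag", ref],
                            capture_output=True).returncode == 0
    tag_obj = subprocess.run(["git", "-C", repo, "cat-file", "-p", ref],
                             capture_output=True, text=True, check=True).stdout
    return sig_ok and tag_name_matches_ref(tag_obj, requested_tag)


if __name__ == "__main__":
    print(tag_name_matches_ref(SAMPLE_TAG_OBJECT, "v1.2"))  # False: ref was repointed
    print(tag_name_matches_ref(SAMPLE_TAG_OBJECT, "v1.0"))  # True: name and ref agree
```

The name check is the part the signature alone does not give you; pinning the expected commit hash in the PKGBUILD (as Morten notes the signature covers the hash) is the stronger complement where the maintainer can update it per release.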