On June 16, 2019 5:57:34 PM GMT+02:00, Eli Schwartz via arch-general <arch-general@xxxxxxxxxxxxx> wrote:
>That being said, if you have signed the repository db then as you
>mentioned the sha256 checksums for the package file are securely signed,
>so you are guaranteed that use of pacman -S pkgname will securely verify
>that it is installing the package the repo-add user expected to provide
>when running repo-add.
>
>What is your threat model? These things will not be protected against:
>
>- people installing the package file directly, as such:
>  pacman -U https://example.com/foopkg-1-1-x86_64.pkg.tar.xz
>- An attacker with local filesystem access on the signing/hosting server
>  can retroactively replace *all* packages built at any date, and trick
>  you into signing a new repo DB referencing them.
>- In shared packaging situations, like when a team of dozens of people
>  all upload packages, you want to be able to verify who signed each
>  package, as opposed to only verifying that the last person to update
>  the repository asserted that all other packages are good and backed by
>  his/her good name -- this does not concern you.

An important side note: This will only really help if users of the repo
have set the repository SigLevel to Required (which is not the default).
When using the default of Optional a MitM attacker can just drop
signatures for that database, which obviously is much much much easier
to achieve for non-https mirrors.

Cheers,
Levente
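The SigLevel point in the reply above, shown as a pacman.conf fragment. This is an added example, not part of the thread and not taken from the pacman project; the repository name `customrepo` and the mirror URL are placeholders. It contrasts the shipped default (database signature optional) with a per-repository setting that makes a missing or invalid `.db.sig` a hard failure, so a mirror that strips the signature cannot be silently accepted.

```ini
# Added example (not from the thread); repo name and URL are placeholders.
# /etc/pacman.conf excerpt

[options]
# pacman's shipped default: package signatures must be present and valid,
# but a repository database without a .sig is still accepted.
SigLevel = Required DatabaseOptional

# Weak per-repo setting (what the reply warns about): "Optional" means
# a database served without its signature is used without complaint.
#[customrepo]
#SigLevel = Optional TrustedOnly
#Server = https://example.com/customrepo/$arch

# Hardened per-repo setting: a bare "Required" applies to both packages
# and the database; "DatabaseRequired" spells the database half out.
# TrustedOnly additionally rejects signatures from keys that are not
# fully trusted in pacman's keyring.
[customrepo]
SigLevel = Required DatabaseRequired TrustedOnly
Server = https://example.com/customrepo/$arch
```

With the hardened section in place, `pacman -Sy` refuses to use `customrepo.db` unless `customrepo.db.sig` is present and verifies against a trusted key, which is the property the reply says the default does not give you.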