Comment by vbezhenar

7 years ago

deb/rpm is better because it's usually signed by maintainer with GPG keys. I think that it's harder to steal keys from maintainer than to infiltrate web server.

26 comments

vbezhenar

api 7 years ago

We came up with a way to do gpg verified curl | bash for ZeroTier. It still works without gpg too. Scroll down to Linux.

https://zerotier.com/download.shtml

e12e 7 years ago
Quote(trying to fit it to narrow widt, for others on mobile):
curl -s \ 'https://pgp.mit.edu/pks/lookup?op=get&search=0x1657198823E52A61' | gpg --import \ && if z=$(curl -s 'https://install.zerotier.com/' | gpg); then echo "$z" | sudo bash; fi
It's interesting - it tries to import a given gpg key from keyserver, then grabs a gpg armored text file with a bash header - with the gpg header wrapped in a here-document:
#!/bin/bash <<ENDOFSIGSTART= -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ENDOFSIGSTART=
I'm unsure, but I think you could just stick your malicious code before the signature?
#!/bin/bash sudo much_evil <<ENDOFSIGSTART= -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ENDOFSIGSTART=
So it really isn't any better, as far as I can tell. There's also a trade-off between scripts that can be typed (curl https://i.com.com) and need copy-pasting - as copy-pasting also isn't safe - even if that's a somewhat different attack vector (compromising the web site, altering js depending on visitor).
- api 7 years ago
  
  Putting malicious code before the signature doesn't work because gpg chops it out. It only outputs the verified part.
  It is definitely a kludge though.
  
  3 replies →

geocar 7 years ago

They could be. dpkg and rpm will still install unsigned packages by default. That's one problem.

Another problem is that people are being trained to get software [directly] from software developers.

cjbprime 7 years ago

For the most part you receive the GPG keys over the same TLS connection, though.

sigjuice 7 years ago
Not sure what you mean. I don’t think apt-get install foo involves transferring GPG keys.
- cjbprime 7 years ago
  
  We're comparing the security properties of
  `curl https://somesite.com/foo.sh | bash`
  with
  `curl https://somesite.com/foo.deb`
  and
  `curl https://somesite.com/apt.key | sudo apt-key add - && sudo apt-get update && sudo apt-get install some-software`
  I don't think there are very meaningful differences in the security properties -- I don't think it's more difficult to become compromised by one than by one of the others.
  
  5 replies →
dredmorbius 7 years ago

GPG's trust model is outside the transport layer, via signatures.
Not foolproof, but it answers your objection.
fulafel 7 years ago
That's an antipattern, should use keyservers.
- geocar 7 years ago
  
  Where do you get the keyserver ID? From the website? You're back to square one, because anyone can upload anything to a keyserver. If they can modify the website (change files, etc) they can also change the keyserver ID they're telling people to use.
  The "antipattern" is letting/expecting software developers also be software publishers.
  
  2 replies →
- deathanatos 7 years ago
  
  Aren't keyserver lookups usually keyed off a 32-bit key ID though? (Whose space isn't big enough to avoid someone brute-force generating a key with a certain key ID s.t. you think you got the right key.) You're supposed to check the fingerprint, but you need to get the fingerprint, and for that you need a secure channel, and you're right back to square one.
  For that matter, where did you get the key ID.
- dredmorbius 7 years ago
  
  Still not safe.
  Verify key signatures.
  And I really wish GPG had a negative trust signature.
  
  4 replies →