Opened 5 years ago

Closed 5 years ago

#59763 closed defect (fixed)

MacPorts gpg signatures are meaningless without access to the public key

Reported by: cohunter Owned by: cohunter <35784270+cohunter@…>
Priority: Normal Milestone:
Component: website Version:
Keywords: Cc: jmroot (Joshua Root), cohunter
Port:

Description

BLUF:


Hello,

In 2014 this issue was brought up (#50429), but closed as the key was said to be posted on jmr's profile page and a key server.

That seems to no longer be the case:

  • Opening the linked wiki page of jmr and searching for "gpg" and "key" return no matches.
  • The linked key server now returns an error page.

Even beyond those issues, finding the issue #50429 itself takes significant effort. Why are there zero references to the key on the main website and guide?

This is a critical security issue (though I've selected Normal priority in the interest of respecting maintainer's time) because new users should be able to verify the downloads. To be usable, the public key must be as readily accessible as the signed downloads.

Simply writing that it is on a public key server does not provide verification. Anyone can sign a file with a different key and put it on public key servers -- nowhere on the main MacPorts site or installation guides is it written that the key used is jmr's. (Also note that anyone can make a key claiming to represent any name/email address; only WKD.)

If you don't take my word for this issue, please at least consider that gpg itself warns about this:

$ gpg2 --verify ~/Downloads/MacPorts-2.6.2-10.15-Catalina.pkg.asc ~/Downloads/MacPorts-2.6.2-10.15-Catalina.pkg
gpg: Signature made Sun Oct 20 15:00:30 2019 PDT
gpg:                using DSA key C403793657236DCF2E580C0201FF673FB4AAE6CD
gpg: Good signature from "Joshua Root <jmr@macports.org>" [unknown]
gpg:                 aka "Joshua Root <josh+pgp@root.id.au>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

For additional reasons that this should be changed, please also refer to recent developments such as noted here: https://medium.com/faun/gpg-has-been-running-with-a-well-known-security-flaw-for-a-decade-never-got-around-to-fixing-the-5d2ddb66ff6

From the article:

Recently, an attack took place that resulted in the indefinite, possibly permanent, corruption of the GPG public network.

Due to the attack on its infrastructure, the integrity of all keyserver stored public keys is now called into question as any certificate may be poisoned.

GPG is unable to facilitate public key discovery for users who do not know each other.

There is no time frame for when a 100% fix will be available and the best mitigation at present is to stop using the SKS keyserver network.

By searching DuckDuckGo for the text contents of the key, I was able to find it hosted here: https://trac.macports.org/raw-attachment/wiki/jmr/jmr_at_macports_org-2013.pubkey

But I wasn't able to find any links to it at all, except by using a search engine and already having the key (downloaded from another public key server without verification).

Please fix this critical security issue and enable new users to verify download signatures by adding a link to the public signing key alongside the link to the file checksums in the install guide at the following URL: https://www.macports.org/install.php

Please also consider adding a link to the checksums and/or the signing key in the install guide at the following URL: https://guide.macports.org/chunked/installing.macports.html

It may also be prudent to consider alternative distribution methods like WKD, but for the purposes of this issue, simply adding a link to the key on the website and/or guide would enable users to verify the downloads.

It is incredibly important to instruct users to verify downloaded packages. Consider attacks such as the [recent Monero website compromise](https://arstechnica.com/information-technology/2019/11/official-monero-website-is-hacked-to-deliver-currency-stealing-malware/) -- if users had been expected to simply download and run packages without any verification (at least checksums, ideally signatures), as the guide.macports.org currently instructs for MacPorts, such compromises would possibly remain undiscovered for long periods of time.

Thank you,

Corey Hunter

Change History (3)

comment:1 Changed 5 years ago by cohunter

Cc: cohunter added

comment:2 Changed 5 years ago by jmroot (Joshua Root)

The file is definitely still attached to the wiki page, which is mentioned in all the release announcements, along with the key's fingerprint. And TBH it's fine for most users to rely on the Developer ID signatures embedded in the .pkg installers.

That said, I have no objection to adding more pointers to the GPG key (and indeed the detached signatures). If you have specific changes in mind, please feel free to propose them (preferably as pull requests on the macports-guide and/or macports-www repos.)

comment:3 Changed 5 years ago by cohunter <35784270+cohunter@…>

Owner: set to cohunter <35784270+cohunter@…>
Resolution: fixed
Status: newclosed

In cf58eaff8ad64098675bf9bbd0967eb03f35a5be/macports-www (master):

Add link to public signing key

Closes: #59763

Note: See TracTickets for help on using tickets.