Package Verification Needed. #7

Open
OAKO-UCONN opened this issue Jul 7, 2020 · 4 comments

Comments

@OAKO-UCONN
Contributor

OAKO-UCONN commented Jul 7, 2020

This software relies on packages online, which can be tampered with during transit. A verification system is highly recommended as soon as possible. Could start with SHA-512 then use GPG. Also, when downloading from GitHub, it would be great for security to be able to verify HiddenVM via GPG, as this tool is included in Linux Tails.

@animik
Collaborator

animik commented Jul 8, 2020

I'll let the boss reply and process, but sounds like a great suggestion!

@aforensics
Owner

We can look at adding GPG verification for our releases.

About package verification, do you have any suggestions on how to do that with apt-get?

@OAKO-UCONN
Contributor Author

Yeah, package verification is tricky, but after looking at some web pages, debsign and SecureApt could be the way to go.
https://www.google.com/search?q=gpg+package+verification+apt-get
https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/
https://wiki.debian.org/SecureApt

@aforensics
Owner

aforensics commented Jul 11, 2020

I think repo metadata is automatically verified by apt-get. One exception is our virtualbox source, which we seem to have explicitly marked as "trusted" (probably out of convenience). At some point we should set up verification for the virtualbox source - they have clear instructions on how to do that: https://www.virtualbox.org/wiki/Linux_Downloads

As for individual package verification, I'm not entirely sure that's possible, because apparently many (or most) package files aren't signed. But if we end up creating an offline bundle, we could potentially sign and verify all packages we distribute. But that doesn't guarantee the packages we signed are good, if they weren't initially verified when we fetched them.

Anyway, I think the low-hanging fruit here is to enable/set up source verification for virtualbox so we can remove [trusted=yes] from it.
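
An added example, not part of the thread or of HiddenVM's code: a shell audit for the point raised in the last comment, flagging APT source entries that carry `trusted=yes` (or `allow-insecure=yes`) and noting entries that have no `signed-by` key. The sample entries, host names and keyring path are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not HiddenVM code): flag APT source entries that skip or
# weaken repository signature verification. One-line "deb ..." format only.

# Constructed sample; host names and the keyring path are placeholders.
sample_sources() {
    cat <<'EOF'
# constructed sample entries
deb [arch=amd64 trusted=yes] https://repo.example.invalid/virtualbox/debian buster contrib
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive.gpg] https://repo.example.invalid/virtualbox/debian buster contrib
deb https://deb.example.invalid/debian buster main
EOF
}

# Usage: audit_apt_sources FILE...
# Prints one finding per entry; returns 1 if any entry is a FAIL.
audit_apt_sources() {
    awk '
    $1 != "deb" && $1 != "deb-src" { next }   # skip comments and blank lines
    {
        opts = ""
        # Options are a single [ ... ] group directly after the entry type.
        if (match($0, /^[ \t]*deb(-src)?[ \t]+\[[^]]*\]/)) {
            opts = substr($0, RSTART, RLENGTH)
            opts = substr(opts, index(opts, "[") + 1)
            opts = substr(opts, 1, length(opts) - 1)
        }
        n = split(opts, kv, /[ \t]+/)
        trusted = insecure = pinned = 0
        for (i = 1; i <= n; i++) {
            if (kv[i] == "trusted=yes") trusted = 1
            if (kv[i] == "allow-insecure=yes") insecure = 1
            if (kv[i] ~ /^signed-by=/) pinned = 1
        }
        where = FILENAME ":" FNR ": "
        if (trusted) { print where "FAIL trusted=yes (authentication failures ignored)"; bad = 1 }
        else if (insecure) { print where "FAIL allow-insecure=yes (unsigned repo accepted)"; bad = 1 }
        else if (!pinned) print where "WARN no signed-by (any key in the global keyring is accepted)"
        else print where "OK signed-by pins the repository key"
    }
    END { exit bad + 0 }' "$@"
}

# Stand-alone run: audit the files given, or the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_apt_sources "$@"
else
    sample_sources | audit_apt_sources - || true
fi
```

On a real system the arguments would be `/etc/apt/sources.list` and the `*.list` files under `/etc/apt/sources.list.d/`; the non-zero return on a FAIL lets the check gate an install script.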
