Release signing keys may be poisoned #29531

Closed
canterberry opened this issue Sep 12, 2019 · 5 comments
Labels
release Issues and PRs related to Node.js releases.

Comments

@canterberry

canterberry commented Sep 12, 2019

💡 Initially reported in this comment, but I felt it warranted an issue of its own given the age of the issue on which it is attached.

This is not an issue with Node.js itself, but rather with the manner in which the release team's keys are currently distributed.

Impact

Automated installations of Node.js binaries which depend upon the documented method of verifying release signatures are no longer functional. No suitable alternatives currently exist for obtaining public keys of the Node.js release team.

Any tools which continue to rely on the SKS keyserver network may be rendered unusable by certificates poisoned via CVE-2019-13050.

Bottom Line

The SKS keyserver network is no longer a viable option for distributing release keys.

Details

With the recent and unmitigated death of the SKS keyserver network (in CVE-2019-13050), the documented method of obtaining the PGP public keys of the release team is no longer viable, and in fact may have dire consequences to an OpenPGP installation. A different method of distributing release keys, or even of signing and verifying the release package itself, is necessary.

Proposed Solution

For minimal impact, my recommendation would be to place the public keys of authorized releasers within this repo, under a /keys directory, in a manner similar to that of signed RubyGems (except instead of X.509 certificates in a certs/ directory, we'd be talking about ASCII-armored PGP certificates in a keys/ directory), and update the README with instructions on how to import those keys into the OpenPGP keychain from the repo instead of from the SKS keyserver network.

Alternatively, or in addition to the above, publishing these keys to nodejs.org may also provide a second factor to build assurance of the keys' integrity.

💡 Especially paranoid users may want to seek additional verification from unaffiliated yet equally trusted sources by fetching and comparing keys from those sources as well.
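The import-from-repo flow the proposal above describes, as an added example that is not code from this issue, from the Node.js project or from the nodejs/release-keys repo. It assumes a `keys/` directory of ASCII-armored public keys (`*.asc`) and a download directory holding `SHASUMS256.txt`, its detached `SHASUMS256.txt.sig` and the tarball; it uses a throw-away keyring so that no keyserver is contacted and a keychain already poisoned by an earlier keyserver import cannot affect the result.

```shell
#!/bin/sh
# Added example, not from the issue or from Node.js tooling: verify a release
# with keys imported from a local keys/ directory (the proposed replacement for
# the SKS keyserver network) so no keyserver is contacted at all.
# Assumed layout: KEYS_DIR/*.asc are ASCII-armored public keys; RELEASE_DIR
# holds SHASUMS256.txt, its detached SHASUMS256.txt.sig, and the tarball.
# Requires gpg (2.1+) and GNU sha256sum (on macOS use: shasum -a 256 -c).
set -eu

# verify_release KEYS_DIR RELEASE_DIR TARBALL_NAME
# Exit status 0 only if SHASUMS256.txt carries a good signature from one of
# the imported keys AND the tarball's SHA-256 matches the signed manifest.
verify_release() {
  keys_dir=$1; rel_dir=$2; tarball=$3; rc=0
  # Throw-away keyring: the user's own keychain, which may already hold a
  # poisoned certificate from a keyserver import, plays no part in the check.
  tmp_home=$(mktemp -d)
  chmod 700 "$tmp_home"
  for k in "$keys_dir"/*.asc; do
    [ -e "$k" ] || continue                     # empty directory: no keys
    gpg --homedir "$tmp_home" --batch --quiet --import "$k" || rc=1
  done
  # A good signature by an unknown key is a failure: gpg exits non-zero when
  # the signing key is not present in this keyring.
  gpg --homedir "$tmp_home" --batch --quiet --verify \
      "$rel_dir/SHASUMS256.txt.sig" "$rel_dir/SHASUMS256.txt" || rc=1
  if [ "$rc" -eq 0 ]; then
    # Check only the manifest line for our tarball against the file on disk.
    (cd "$rel_dir" && grep " $tarball\$" SHASUMS256.txt | sha256sum -c --status) || rc=1
  fi
  rm -rf "$tmp_home"
  return "$rc"
}

# Usage (paths and file name are placeholders):
#   verify_release ./release-keys/keys ./download node-vX.Y.Z-linux-x64.tar.gz
```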

@canterberry
Author

☝️ I volunteer to implement the proposed solution above, but will need copies of the release team's public keys in order to do so.

@canterberry
Author

Discussion on this issue continues in nodejs/build#1913 -- keeping this issue around for reference, since this repo's README.md will need an update and it would be helpful to have an issue for the PR to reference.

@avivkeller
Member

Hi! This issue hasn't seen any activity in a while, and it looks like the issue was resolved, is it okay to close this issue?

@canterberry
Author

The "bottom line" of this issue has been resolved -- SKS keyservers are no longer part of the release verification documentation.

However, the class of vulnerability intended to be mitigated by the nodejs/release-keys repo remains -- the documented flow for release verification depends on a third-party service (i.e. a service not maintained or influenced by the Node.js release team).

The nodejs/release-keys repo is not cross-referenced in https://github.com/nodejs/node?tab=readme-ov-file#verifying-binaries -- instead, references to SKS keyservers have simply been replaced with keys.openpgp.org.

Thus, while the nodejs/release-keys repo does exist and is actively maintained, since it is not mentioned in the Node.js README for release verification, most users will likely not find it.

@avivkeller
Member

Got it. Feel free to open a PR to add the missing docs!
