OpenBSD Journal

Signed Installs, Upgrades, and Packages

Contributed by tbert on from the puffy's-signature-is-$10-a-pop dept.

Marc Espie (espie@) lets the cat out of the bag:
It's probably time to talk about it.

Yes, we are now distributing signed packages.  A lot of people have probably
noticed because there was a key mismatch on at least one batch of signed
packages.

Obviously, we haven't finished testing yet.

Don't read too much into that.  "Signed packages" just mean you can use
an insecure medium, such as ftp, to download packages: if the key matches,
it means the package hasn't been tampered with since it was signed.

The cryptographic framework used to sign packages is called signify(1),
mostly written by Ted Unangst, with a lot of feedback from (mostly) Theo
and I.

The signing framework in pkg_add/pkg_create is much older than that, if
was written for x509 a few years ago, but signify(1) will probably be more
robust and ways simpler.  In particular, there's no "chain-of-trust", so
you keep complete control on the sources YOU trust.

Signatures should be transparent in use: the package is opened, the 
packing-list signature is checked, and then files are checksummed while
extracted against the packing-list embedded checksums (there are provisions
to ensure any dangerous meta-data is also encoded in the packing-list as
@mode/@user/@group annotations.

So, barring problems, you shouldn't even notice signatures.

And Theo de Raadt (deraadt@) talks about signed base sets for installations and upgrades:

I suspect only a few have noticed, so it probably should be mentioned
that install/upgrades are also signed now.

The documentation isn't written yet because change is ongoing.  Here
is a rough primer, for one or two usage cases.  More install methods
will work, but some are not perfect yet.

As detailed in the new signify(1) manual page, if you download bsd.rd
you can:

     Verify a bsd.rd before an upgrade:
           $ signify -V -e -p /etc/signify/55base.pub -x SHA256.sig -m - | \
                   sha256 -C - bsd.rd

The same can be done with cd55.iso or install55.iso, of course.

If this is OK, you can boot that bsd.rd (OK, you are trusting your
pre-existing bootblocks, though you could verify new ones).

When you install or upgrade from the net, it will use the SHA256.sig
file first, verify it using signify, then collect the base sets and
compare them against the SHA256 hashes.  They are all downloaded to a
spare place on the disk, and then extracted.  This change also makes
upgrades more "atomic".

There are a few raw edges still, but we would appreciate if this is
tried by a few people.. please give us feedback.

This mechanism was designed by Ted Unangst; a few pieces here and
there by Todd Fries and myself; the bulk of the install script changes
by Alexander Hall and Robert Peichaer.

For those of you who wanted signed releases, you finally get your wish. As always, ensuring the continued quality of OpenBSD software entails you, the user, making use of and reporting problems.

(Comments are closed)


Comments
  1. By Anonymous Coward (24.113.147.35) on

    Please make sure to start signing the kernel source. In the past, it hasn't had checksums like the installation packages do.

  2. By Jason Crawford (X-rayS) jason AT purebsd DOT net on

    Are they planning on bringing back progress meters during upgrades? Or does checking signatures make that much more difficult to do in the installation media?

    Comments
    1. By Aaron Bieber (qbit) on http://www.bolddaemon.com

      > Are they planning on bringing back progress meters during upgrades? Or does checking signatures make that much more difficult to do in the installation media?

      Package upgrades show progress meters and sets will have progress meters if you upgrade via bsd.rd. Which meters are you talking about?

      Comments
      1. By Edward F Ahlsen-Girard (72.213.209.212) girarde@alum.rpi.edu on

        > > Are they planning on bringing back progress meters during upgrades? Or does checking signatures make that much more difficult to do in the installation media?
        >
        > Package upgrades show progress meters and sets will have progress meters if you upgrade via bsd.rd. Which meters are you talking about?

        I always upgrade with bsd.rd, and I have not seen meters in a couple of weeks.

        Comments
        1. By Aaron Bieber (qbit) on http://www.bolddaemon.com

          > > > Are they planning on bringing back progress meters during upgrades? Or does checking signatures make that much more difficult to do in the installation media?
          > >
          > > Package upgrades show progress meters and sets will have progress meters if you upgrade via bsd.rd. Which meters are you talking about?
          >
          > I always upgrade with bsd.rd, and I have not seen meters in a couple of weeks.


          Ah, you are right! Check this out tho! (http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ftp/extern.h)

          "Add -D shorttitle support, so that the progress meter can show some sort
          of reason why it is processing a certain file. This will be used by the
          installer for that purpose.
          ok krw rpe"

      2. By Jason Crawford (X-rayS) on

        > > Are they planning on bringing back progress meters during upgrades? Or does checking signatures make that much more difficult to do in the installation media?
        >
        > Package upgrades show progress meters and sets will have progress meters if you upgrade via bsd.rd. Which meters are you talking about?

        I was talking about upgrading via bsd.rd, not packages. And I have not seen progress meters since the install media started verifying the files, it just says 'Installing sets.' but doesn't list each one with % complete. Maybe because I upgrade via hard disk (I download ahead of time on the running system) so it does not have to download the sets. But even doing that it would show progress meters before the signature verification.

    2. By Stefan (188.194.125.13) on

      > Are they planning on bringing back progress meters during upgrades? Or does checking signatures make that much more difficult to do in the installation media?

      As of January 24th, 2014, the progress-meter is back (at least I can say so for i386). Thank you, devs!

  3. By Marc Espie (espie) espie@nerim.net on

    pkg_sign(1) just became its own command. It's still possible to sign-while-building with pkg_create(1), but signing existing packages makes ways more sense as a separate command, what between option description and actual code being almost completely independent.

    There is another cool surprise currently being tested. If things work out alright, signing should end up being almost as fast as copying packages around, with no visible change to tar and pkg_add.

    Comments
    1. By Marc Espie (espie) on

      > There is another cool surprise currently being tested. If things work out alright, signing should end up being almost as fast as copying packages around, with no visible change to tar and pkg_add.

      The cool surprise is in: pkg_create and pkg_sign now handle "split-gzip" archives, where the packing-list is actually stored as a separate gzip stream in front of the rest of the file. That allows the signing process to just extract/sign/repack the packing-list without having to decompress/recompress the rest of the file, which makes a big difference in cpu usage for signing.

      This is 100% transparent for other tools: tar sees a single tarball, the multiple streams are a completely standard part of the gzip format, specifically designed to make that kind of stunt easy (separately compress several parts of the same file).

  4. By Anonymous Coward (81.83.83.198) on

    does this embed signatures in the package tarballs, à la gzsig?

    Comments
    1. By Marc Espie (espie) on

      > does this embed signatures in the package tarballs, à la gzsig?

      Not quite. If you look closely at the CVS attic, you'll see I did a very old draft of signatures using pgp, a few years before Dug Song reused that exact same idea to write gzsig.

      What's going on here is different in several aspects:
      - it's not header info inside gzip... those will make quite a few tools whine, including gnu gzip.
      - it only signs the package "manifest", e.g., the packing-list -> that one contains sha256 for all files in the package.

      The first aspect is a conscious decision: the signature is plainly visible in the end PLIST, so you can check for yourself exactly what is going on.

      The second aspect gives you "in-time" extraction. gzsig is a good idea... until you realize you CAN'T verify stuff until you have the whole file, which is an interesting can of worm when you're pressed for file system space (also, it doubles time for installation, unless you go to funny tricks like installing one package while checking the next one... which is a bit more parallel than sane...)

      Comments
      1. By Anonymous Coward (81.83.83.198) on

        thank you!

  5. By Anonymous Coward (121.45.219.214) on

    Time to throw a Party and Donate to the OpenBSD project!!!

  6. By Marc Espie (espie) espie@nerim.net on

    Just turned on the code that enforces signed packages by default...
    Not sure it's going to stay for the release, but right now, if you try to manually call pkg_add without -Dunsigned, it will at least ask about unsigned packages, and refuse if you're not running interactive...

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]