[pacman-dev] Enable sha256/md5 hash verification if detached signatures are used

Message ID 20200730164932.1739-1-anatol.pomozov@gmail.com
State New
Headers show
Series
  • [pacman-dev] Enable sha256/md5 hash verification if detached signatures are used
Related show

Commit Message

Anatol Pomozov July 30, 2020, 4:49 p.m. UTC
Pacman has multiple ways to verify package content integrity:
 - gpg signature
 - sha256
 - md5

These verification mechanisms overlap each other. gpg signatures already contain
hash value of the package content. So if a package signature is present then
pacman ignored the other 2 hash values. This worked well with signtures
embedded into pacman database.

Recently pacman got an ability to handle detached signatures (*.sig files
located next to the package files). If pacman verifies detached signature only
then one can replace pkg+sig files with some other content and pacman still
processes it as a valid package. It open doors for security attacks
e.g. 'rollback attack'.

To prevent it we need to verify database<->package integrity using hash
values stored in the database.

This commit fixes FS#67232

The new debug output is:
  checking package integrity...
  debug: found cached pkg: /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
  debug: sha256sum: 77baf61c62c5570b3a37cf0c3b16c5d9a97dde6fedd1a3528bf0cc5f96dd5e52
  debug: checking sha256sum for /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
  debug: sig data: <from .sig>
  debug: checking signature for /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
  debug: 1 signatures returned
  debug: fingerprint: B5971F2C5C10A9A08C60030F786C63F330D7CB92

Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
---
 lib/libalpm/be_package.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/lib/libalpm/be_package.c b/lib/libalpm/be_package.c
index f98832f4..4dde7167 100644
--- a/lib/libalpm/be_package.c
+++ b/lib/libalpm/be_package.c
@@ -311,7 +311,7 @@  int _alpm_pkg_validate_internal(alpm_handle_t *handle,
 		}
 	}
 
-	if(syncpkg && !has_sig) {
+	if(syncpkg && (!has_sig || !syncpkg->base64_sig)) {
 		if(syncpkg->md5sum && !syncpkg->sha256sum) {
 			_alpm_log(handle, ALPM_LOG_DEBUG, "md5sum: %s\n", syncpkg->md5sum);
 			_alpm_log(handle, ALPM_LOG_DEBUG, "checking md5sum for %s\n", pkgfile);