From 7e6201fc0304bc1122bdef5884b741c42d097998 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 27 Sep 2011 09:41:18 +0200 Subject: fix apt-key net-update by erroring out if there are any duplicated keys in master-keyring and add-keyring (see lp #857472) and add regression test --- cmdline/apt-key | 11 +++++ .../integration/exploid-keyring-with-dupe-keys.pub | Bin 0 -> 3986 bytes test/integration/test-apt-key-net-update | 47 +++++++++++++++++++++ 3 files changed, 58 insertions(+) create mode 100644 test/integration/exploid-keyring-with-dupe-keys.pub create mode 100755 test/integration/test-apt-key-net-update diff --git a/cmdline/apt-key b/cmdline/apt-key index 4d2b7c49f..8a3f5ba54 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -50,6 +50,17 @@ add_keys_with_verify_against_master_keyring() { # from a key in the $distro-master-keyring add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` + # verify to ensure that there are no key id duplications that may be + # used to attack the system, see LP: #857472 + for add_key in $add_keys; do + for master_key in $master_keys; do + if [ "$add_key" = "$master_key" ]; then + echo >&2 "Keyid collision for '$add_key' detected, operation aborted" + return 1 + fi + done + done + # add all keys signed with any of the master key(s) for add_key in $add_keys; do ADDED=0 for master_key in $master_keys; do diff --git a/test/integration/exploid-keyring-with-dupe-keys.pub b/test/integration/exploid-keyring-with-dupe-keys.pub new file mode 100644 index 000000000..642952a40 Binary files /dev/null and b/test/integration/exploid-keyring-with-dupe-keys.pub differ diff --git a/test/integration/test-apt-key-net-update b/test/integration/test-apt-key-net-update new file mode 100755 index 000000000..66aafbbc4 --- /dev/null +++ b/test/integration/test-apt-key-net-update @@ -0,0 +1,47 @@ +#!/bin/sh +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture "i386" + +# mock +requires_root() { + return 0 +} + +# extract net_update() and import it +func=$( sed -n -e '/^add_keys_with_verify_against_master_keyring/,/^}/p' ${BUILDDIRECTORY}/apt-key ) +eval "$func" + +mkdir -p ./etc/apt +TRUSTEDFILE=./etc/apt/trusted.gpg +GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring" +GPG="$GPG_CMD --keyring $TRUSTEDFILE" +MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg + +msgtest "add_keys_with_verify_against_master_keyring" +if [ ! -e $MASTER_KEYRING ]; then + echo -n "No $MASTER_KEYRING found" + msgskip + exit 0 +fi + +# test bad keyring and ensure its not added (LP: #857472) +ADD_KEYRING=./keys/exploid-keyring-with-dupe-keys.pub +if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then + msgfail +else + msgpass +fi + +# test good keyring and ensure we get no errors +ADD_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg +if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then + msgpass +else + msgfail +fi + -- cgit v1.2.3 From 00b19b328c738954169c165aa6f734ade6962fa5 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 4 Oct 2011 09:22:43 +0200 Subject: cmdline/apt-key: use --verify-sigs instead of --list-sigs --- cmdline/apt-key | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdline/apt-key b/cmdline/apt-key index 8a3f5ba54..104ca656b 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -64,7 +64,7 @@ add_keys_with_verify_against_master_keyring() { for add_key in $add_keys; do ADDED=0 for master_key in $master_keys; do - if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then + if $GPG_CMD --keyring $ADD_KEYRING --verify-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import ADDED=1 fi -- cgit v1.2.3 From f20750cb30baaf00ca1b87f2ae55e6a0eb900f2b Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 4 Oct 2011 18:01:41 +0200 Subject: export/import keys one-by-one --- cmdline/apt-key | 27 +++++++++++++++------------ test/integration/test-apt-key-net-update | 3 +++ 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/cmdline/apt-key b/cmdline/apt-key index 104ca656b..617fed4f8 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -22,7 +22,7 @@ MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg ARCHIVE_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg REMOVED_KEYS=/usr/share/keyrings/ubuntu-archive-removed-keys.gpg ARCHIVE_KEYRING_URI=http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg - +TMP_KEYRING=/var/lib/apt/keyrings/maybe-import-keyring.gpg requires_root() { if [ "$(id -u)" -ne 0 ]; then @@ -34,7 +34,7 @@ requires_root() { add_keys_with_verify_against_master_keyring() { ADD_KEYRING=$1 MASTER=$2 - + if [ ! -f "$ADD_KEYRING" ]; then echo "ERROR: '$ADD_KEYRING' not found" return @@ -50,22 +50,26 @@ add_keys_with_verify_against_master_keyring() { # from a key in the $distro-master-keyring add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` - # verify to ensure that there are no key id duplications that may be - # used to attack the system, see LP: #857472 + + ADDED=0 for add_key in $add_keys; do + + # ensure there are no colisions LP: #857472 for master_key in $master_keys; do if [ "$add_key" = "$master_key" ]; then echo >&2 "Keyid collision for '$add_key' detected, operation aborted" return 1 fi done - done - # add all keys signed with any of the master key(s) - for add_key in $add_keys; do - ADDED=0 + + # export the add keyring one-by-one + rm -f $TMP_KEYRING + $GPG_CMD --keyring $ADD_KEYRING --export $add_key | $GPG_CMD --keyring $TMP_KEYRING --import --trust-model direct + + # check if signed with the master key and only add in this case for master_key in $master_keys; do - if $GPG_CMD --keyring $ADD_KEYRING --verify-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then - $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import + if $GPG_CMD --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then + $GPG --import $TMP_KEYRING ADDED=1 fi done @@ -73,14 +77,13 @@ add_keys_with_verify_against_master_keyring() { echo >&2 "Key '$add_key' not added. It is not signed with a master key" fi done + rm -f $TMP_KEYRING } # update the current archive signing keyring from a network URI # the archive-keyring keys needs to be signed with the master key # (otherwise it does not make sense from a security POV) net_update() { - # Disabled for now as code is insecure - exit 1 if [ -z "$ARCHIVE_KEYRING_URI" ]; then echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" diff --git a/test/integration/test-apt-key-net-update b/test/integration/test-apt-key-net-update index 66aafbbc4..710c02f61 100755 --- a/test/integration/test-apt-key-net-update +++ b/test/integration/test-apt-key-net-update @@ -18,10 +18,13 @@ eval "$func" mkdir -p ./etc/apt TRUSTEDFILE=./etc/apt/trusted.gpg +mkdir -p ./var/lib/apt/keyrings +TMP_KEYRING=./var/lib/apt/keyrings/maybe-import-keyring.gpg GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring" GPG="$GPG_CMD --keyring $TRUSTEDFILE" MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg + msgtest "add_keys_with_verify_against_master_keyring" if [ ! -e $MASTER_KEYRING ]; then echo -n "No $MASTER_KEYRING found" -- cgit v1.2.3 From d787fe83b74f68dd033e74ce9aeb0120806a17be Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 4 Oct 2011 23:03:08 +0200 Subject: test/integration/test-apt-key-net-update: improve test to test for empty keyring/correct keys --- test/integration/test-apt-key-net-update | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/test/integration/test-apt-key-net-update b/test/integration/test-apt-key-net-update index 710c02f61..bc4e6029f 100755 --- a/test/integration/test-apt-key-net-update +++ b/test/integration/test-apt-key-net-update @@ -40,6 +40,15 @@ else msgpass fi +# ensure the keyring is still empty +gpg_out=$($GPG --list-keys) +msgtest "Test if keyring is empty" +if [ -n "" ]; then + msgfail +else + msgpass +fi + # test good keyring and ensure we get no errors ADD_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then @@ -48,3 +57,12 @@ else msgfail fi +testequal './etc/apt/trusted.gpg +--------------------- +pub 1024D/437D05B5 2004-09-12 +uid Ubuntu Archive Automatic Signing Key +sub 2048g/79164387 2004-09-12 + +pub 1024D/FBB75451 2004-12-30 +uid Ubuntu CD Image Automatic Signing Key +' $GPG --list-keys -- cgit v1.2.3 From a57ced3e09b68fa3afda71605a51f87304ca7f5d Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 5 Oct 2011 18:33:44 +0200 Subject: cmdline/apt-key: move ADDED into the right place, thanks to Marc Deslauriers --- cmdline/apt-key | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdline/apt-key b/cmdline/apt-key index 617fed4f8..cd7824df1 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -51,7 +51,6 @@ add_keys_with_verify_against_master_keyring() { add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` - ADDED=0 for add_key in $add_keys; do # ensure there are no colisions LP: #857472 @@ -67,6 +66,7 @@ add_keys_with_verify_against_master_keyring() { $GPG_CMD --keyring $ADD_KEYRING --export $add_key | $GPG_CMD --keyring $TMP_KEYRING --import --trust-model direct # check if signed with the master key and only add in this case + ADDED=0 for master_key in $master_keys; do if $GPG_CMD --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then $GPG --import $TMP_KEYRING -- cgit v1.2.3 From 27c251b98640130c7d9a3dae6fd66a8a4a22b6d5 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 5 Oct 2011 20:52:42 +0200 Subject: cmdline/apt-key: use --output instead of the the pipe and import, thanks to mdeslaur and infinity for the code review --- cmdline/apt-key | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdline/apt-key b/cmdline/apt-key index cd7824df1..c522d54fe 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -63,7 +63,7 @@ add_keys_with_verify_against_master_keyring() { # export the add keyring one-by-one rm -f $TMP_KEYRING - $GPG_CMD --keyring $ADD_KEYRING --export $add_key | $GPG_CMD --keyring $TMP_KEYRING --import --trust-model direct + $GPG_CMD --keyring $ADD_KEYRING --export $add_key --output $TMP_KEYRING # check if signed with the master key and only add in this case ADDED=0 -- cgit v1.2.3 From f180f39e94c189799b0a0668de801519a5a6108d Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 5 Oct 2011 21:42:34 +0200 Subject: cmdline/apt-key: fix --check-sigs to ensure that the signature can verify and also add master keyring to ensure that we can actually verify the signature --- cmdline/apt-key | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/cmdline/apt-key b/cmdline/apt-key index c522d54fe..9c7804d5b 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -63,12 +63,11 @@ add_keys_with_verify_against_master_keyring() { # export the add keyring one-by-one rm -f $TMP_KEYRING - $GPG_CMD --keyring $ADD_KEYRING --export $add_key --output $TMP_KEYRING - + $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key # check if signed with the master key and only add in this case ADDED=0 for master_key in $master_keys; do - if $GPG_CMD --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then + if $GPG_CMD --keyring $MASTER_KEYRING --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then $GPG --import $TMP_KEYRING ADDED=1 fi -- cgit v1.2.3 From 04a8d1205d87c085ff6349d7e7824c5571282dba Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 5 Oct 2011 21:51:07 +0200 Subject: cmdline/apt-key: use MASTER instead of MASTER_KEYRING as the former is the argument of the function --- cmdline/apt-key | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdline/apt-key b/cmdline/apt-key index 9c7804d5b..7bfe47fca 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -67,7 +67,7 @@ add_keys_with_verify_against_master_keyring() { # check if signed with the master key and only add in this case ADDED=0 for master_key in $master_keys; do - if $GPG_CMD --keyring $MASTER_KEYRING --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then + if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then $GPG --import $TMP_KEYRING ADDED=1 fi -- cgit v1.2.3