public inbox for elfutils@sourceware.org
 help / color / mirror / Atom feed
From: "mark at klomp dot org" <sourceware-bugzilla@sourceware.org>
To: elfutils-devel@sourceware.org
Subject: [Bug debuginfod/28204] extend webapi / verification with forthcoming signed-contents archives
Date: Fri, 25 Aug 2023 15:00:13 +0000	[thread overview]
Message-ID: <bug-28204-10460-9yHUSjdOZS@http.sourceware.org/bugzilla/> (raw)
In-Reply-To: <bug-28204-10460@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=28204

--- Comment #22 from Mark Wielaard <mark at klomp dot org> ---
(In reply to Ryan Goldberg from comment #21)
> (In reply to Mark Wielaard from comment #20)
> > But isn't the idea of checking the IMA signatures that you don't have to
> > trust the server providing the debuginfo files as the distro intended them?
> But this will allow for the case of a trusted server which only has some of
> it's RPMs per-file signed. Take for instance a server which has the RPMs for
> f36,37,38. The f36 files don't have signatures so using enforcing here is
> too strict since we are ok just letting a client know that these ones are
> unverifiable, but we still want to be able to reject any of the invalid ones
> for f38

This still feels odd. Since you cannot distinguish between non-sig f36 package
(okish?) and non-sig f38 packages (bad?). I think you have to either trust or
reject all non-sig packages from such a server.

> > So both are bad in some way. Which imho means that if we support some kind
> > of permissive mode, then it should explicitly warn for both kind of baddness.
> In the permissive mode you'll get:
> * "the signature is valid" for valid sigs
> * "ALERT: this download is being rejected since the IMA signature could not
> be verified" for invalid sigs
> * "the signature could not be verified" otherwise

I'll look at the code to see if I understand what this means in practice. Are
those the messages presented to the user (in verbose mode? always?). And does
this mean all three cases warn (or only the second and third)? And is it just a
message or does it also mean actual rejection in some cases?

> So we do warn for both kinds of bad, we just don't reject the 'unknown' bad

But how is 'unknown' bad different from invalid signature bad?
I think you should assume that if there is no signature, then the signature is
by definition invalid (assume it has a signature of
00000000000000000000000000000000).

-- 
You are receiving this mail because:
You are on the CC list for the bug.

  parent reply	other threads:[~2023-08-25 15:00 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-06 21:11 [Bug debuginfod/28204] New: " fche at redhat dot com
2021-08-12 18:13 ` [Bug debuginfod/28204] " fche at redhat dot com
2021-08-26 20:53 ` mark at klomp dot org
2021-09-08 11:26 ` fche at redhat dot com
2022-06-10 17:19 ` fche at redhat dot com
2022-07-13 19:44 ` rgoldber at redhat dot com
2022-07-14 16:32 ` fche at redhat dot com
2022-07-27 14:52 ` mark at klomp dot org
2022-08-04 19:45 ` rgoldber at redhat dot com
2022-10-20 21:10 ` mark at klomp dot org
2022-10-20 23:11 ` mark at klomp dot org
2023-07-06 19:49 ` rgoldber at redhat dot com
2023-07-23 21:05 ` mark at klomp dot org
2023-07-23 21:07 ` mark at klomp dot org
2023-07-23 21:08 ` mark at klomp dot org
2023-07-23 21:57 ` mark at klomp dot org
2023-07-23 22:23 ` mark at klomp dot org
2023-07-31 14:27 ` rgoldber at redhat dot com
2023-08-02 16:37 ` mark at klomp dot org
2023-08-07 17:04 ` fche at redhat dot com
2023-08-09 18:17 ` rgoldber at redhat dot com
2023-08-17 15:39 ` mark at klomp dot org
2023-08-17 16:25 ` rgoldber at redhat dot com
2023-08-25 15:00 ` mark at klomp dot org [this message]
2023-08-25 15:21 ` rgoldber at redhat dot com
2023-08-25 15:24 ` mark at klomp dot org
2023-08-25 16:43 ` mark at klomp dot org
2023-08-26 22:25 ` mark at klomp dot org
2023-08-28 14:40 ` rgoldber at redhat dot com
2023-08-29 13:09 ` mark at klomp dot org
2024-06-03 15:28 ` fche at redhat dot com

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-28204-10460-9yHUSjdOZS@http.sourceware.org/bugzilla/ \
    --to=sourceware-bugzilla@sourceware.org \
    --cc=elfutils-devel@sourceware.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).