From 5863fcf4b54fa51acebd0c2abe5092dd99e71a1a Mon Sep 17 00:00:00 2001 From: Björn Persson Date: Jul 11 2019 16:36:21 +0000 Subject: [PATCH 1/5] Added the section Source File Verification. --- diff --git a/guidelines/modules/ROOT/pages/index.adoc b/guidelines/modules/ROOT/pages/index.adoc index 428fd9b..7d18a13 100644 --- a/guidelines/modules/ROOT/pages/index.adoc +++ b/guidelines/modules/ROOT/pages/index.adoc 
@@ -119,6 +119,105 @@ Similarly, filenames that contain non-ASCII characters must be encoded as UTF-8. Fedora's git repository is the canonical location for Fedora spec files. Maintainers MUST expect that other maintainers and automated tooling will make changes to their packages, potentially without communicating prior to doing so (though communication is always encouraged). If some maintainers are also attempting to keep copies of a spec in an outside repository, they MUST be prepared to merge changes made to the spec in Fedora's repository, and MUST NOT overwrite those changes with a copy from an external repository or using `+fedpkg import+`. +== Source File Verification + +Where the upstream project publishes OpenPGP signatures of their releases, +Fedora packages *MUST* verify that signature as part of the RPM build process. + +Although a checksum in the sources file certifies that a file retreived from the lookaside cache is the one that the packager uploaded, +it is silent on whether the file is what the upstream project released. +A signature by the upstream developers certifies that the source is identical to what they released. +Verifying the signature as part of the build ensures that packagers don't forget to verify it. + +=== Obtaining the Correct Keys + +The verification method requires an OpenPGP keyring file +with one or more public keys from the upstream project. +The keyring shall contain all the keys that are trusted to certify the authenticity of the sources, +and *MUST NOT* contain any other keys. + +Ideally the upstream project publishes such a keyring as a downloadable file. +You shall download that file +and do everything you reasonably can to verify that it is authentic. +Then you shall add it unmodified to the package SCM, +and provide its URL in the spec file +so that others can verify it. +The URL *MUST* use HTTPS or a similarly authenticated protocol if at all possible. 
+ +Even if you are unable to verify the key at the first addition, +it still enhances security in a trust-on-first-use way. +It will ensure that future attacks will be detected if the key is the right one, +or that a current attack will be detected later if future releases are signed by the correct key. + +=== Verifying Signatures + +Signature verification *MUST* be done first in the `%prep` section of the spec file, +before any potentially compromised code is executed. +The verification *MUST* be done with the macro +++gpgverify+++, +which expands into a command +whose parameters shall be the pathnames of the keyring, the signature and the signed file. + +Any detached signature file +(e.g. foo.tar.gz.asc or foo.tar.gz.sig) +must be uploaded to the package lookaside cache alongside the source code, +while the keyring must be committed directly to the package SCM. + +The following format must be used: + +.... +Source0: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz +Source1: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz.asc +Source2: https://www.example.com/gpgkey-0123456789ABCDEF0123456789ABCDEF.gpg +… +%prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' +.... + +The first source is the actual tarball, +the second one is the signature from upstream, +and the third one is the keyring. + +=== Exceptions +If the upstream tarball of a package needs to be modified, +for example because it contains forbidden items, +then the tarball cannot be verified as part of the build process. +In this case the upstream OpenPGP keyring must still be included in the package SCM +and the instructions/script used to build the stripped-down tarball needs to verify the upstream source. 
+ +If the upstream project does not publish a keyring file +(for example if they publish only a fingerprint on their website +and refer to a keyserver network for downloading the key), +then you may need to create a keyring after you have verified the key. +In this case there is no upstream URL to the keyring, +so instead you should document how you created the keyring in a comment in the spec file. +A minimal keyring with the key with the fingerprint `7D33D762FD6C35130481347FDB4B54CBA4826A18` can be created with the following command: + +.... +gpg2 --export --export-options export-minimal 7D33D762FD6C35130481347FDB4B54CBA4826A18 > gpgkey-7D33D762FD6C35130481347FDB4B54CBA4826A18.gpg +.... + +If upstream signed a tarball differently, +for example by signing only the uncompressed tarball but distributing a compressed version, +then the verification step must the adjusted accordingly, for example: + +.... +Source0: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.xz +Source1: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.asc +Source2: https://www.example.com/gpgkey-0123456789ABCDEF0123456789ABCDEF.gpg +… +BuildRequires: xz +… +%prep +xzcat '%{SOURCE0}' | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data=- +.... + +=== Help + +If you need help getting your package compliant to this guideline, +or if you do not know what to do if a build fails on a signature verification, +then you should seek help on the Fedora devel mailing list before circumventing the check, +to make sure that you do not build compromised software. + == Architecture Support All Fedora packages must successfully compile and build into binary rpms on at least one supported primary architecture, except where the package is useful only on a secondary architecture (such as an architecture-specific boot utility, microcode loader, or hardware configuration tool). 
Fedora packagers should make every effort to support all https://fedoraproject.org/wiki/Architectures#Primary_Architectures[primary architectures]. From 7957d123145b4a48e6fdb94f6492f4521d8280e2 Mon Sep 17 00:00:00 2001 From: Björn Persson Date: Jul 11 2019 16:36:21 +0000 Subject: [PATCH 2/5] GnuPG won't be in the buildroot automatically. --- diff --git a/guidelines/modules/ROOT/pages/index.adoc b/guidelines/modules/ROOT/pages/index.adoc index 7d18a13..78e9b7b 100644 --- a/guidelines/modules/ROOT/pages/index.adoc +++ b/guidelines/modules/ROOT/pages/index.adoc @@ -156,6 +156,7 @@ before any potentially compromised code is executed. The verification *MUST* be done with the macro +++gpgverify+++, which expands into a command whose parameters shall be the pathnames of the keyring, the signature and the signed file. +“`BuildRequires: gnupg2`” is necessary for the verification to work. Any detached signature file (e.g. foo.tar.gz.asc or foo.tar.gz.sig) @@ -169,6 +170,8 @@ Source0: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz Source1: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz.asc Source2: https://www.example.com/gpgkey-0123456789ABCDEF0123456789ABCDEF.gpg … +BuildRequires: gnupg2 +… %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' .... @@ -205,12 +208,15 @@ Source0: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.xz Source1: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.asc Source2: https://www.example.com/gpgkey-0123456789ABCDEF0123456789ABCDEF.gpg … -BuildRequires: xz +BuildRequires: gnupg2 xz … %prep xzcat '%{SOURCE0}' | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data=- .... +Packages that are vital during bootstrapping of Fedora +may use a <> to skip the verification before GnuPG has been built. + === Help If you need help getting your package compliant to this guideline, From f1c750e6f482fa69ebb0416e80473759face0ab3 Mon Sep 17 00:00:00 2001 
From: Björn Persson Date: Jul 11 2019 16:36:21 +0000 Subject: [PATCH 3/5] Weakened the requirement to verify signatures. --- diff --git a/guidelines/modules/ROOT/pages/index.adoc b/guidelines/modules/ROOT/pages/index.adoc index 78e9b7b..a816431 100644 --- a/guidelines/modules/ROOT/pages/index.adoc +++ b/guidelines/modules/ROOT/pages/index.adoc @@ -122,7 +122,7 @@ Fedora's git repository is the canonical location for Fedora spec files. Maintai == Source File Verification Where the upstream project publishes OpenPGP signatures of their releases, -Fedora packages *MUST* verify that signature as part of the RPM build process. +Fedora packages *SHOULD* verify that signature as part of the RPM build process. Although a checksum in the sources file certifies that a file retreived from the lookaside cache is the one that the packager uploaded, it is silent on whether the file is what the upstream project released. @@ -151,7 +151,8 @@ or that a current attack will be detected later if future releases are signed by === Verifying Signatures -Signature verification *MUST* be done first in the `%prep` section of the spec file, +When source file verification is done, +it *MUST* be done first in the `%prep` section of the spec file, before any potentially compromised code is executed. The verification *MUST* be done with the macro +++gpgverify+++, which expands into a command From 0c7d937f155a7eab0717711c0c56b94fe257c0ce Mon Sep 17 00:00:00 2001 From: Björn Persson Date: Jul 11 2019 16:36:21 +0000 Subject: [PATCH 4/5] requested grammar changes --- diff --git a/guidelines/modules/ROOT/pages/index.adoc b/guidelines/modules/ROOT/pages/index.adoc index a816431..c8ceb19 100644 --- a/guidelines/modules/ROOT/pages/index.adoc +++ b/guidelines/modules/ROOT/pages/index.adoc 
@@ -154,10 +154,10 @@ or that a current attack will be detected later if future releases are signed by When source file verification is done, it *MUST* be done first in the `%prep` section of the spec file, before any potentially compromised code is executed. -The verification *MUST* be done with the macro +++gpgverify+++, +The verification *MUST* be done with the macro `+%{gpgverify}+`, which expands into a command whose parameters shall be the pathnames of the keyring, the signature and the signed file. -“`BuildRequires: gnupg2`” is necessary for the verification to work. +`BuildRequires: gnupg2` is necessary for the verification to work. Any detached signature file (e.g. foo.tar.gz.asc or foo.tar.gz.sig) From ed142a5acc83249e5fb94e2c50e8cb2e02658ef4 Mon Sep 17 00:00:00 2001 From: Björn Persson Date: Jul 11 2019 16:36:21 +0000 Subject: [PATCH 5/5] spelling --- diff --git a/guidelines/modules/ROOT/pages/index.adoc b/guidelines/modules/ROOT/pages/index.adoc index c8ceb19..08f6224 100644 --- a/guidelines/modules/ROOT/pages/index.adoc +++ b/guidelines/modules/ROOT/pages/index.adoc @@ -202,7 +202,7 @@ gpg2 --export --export-options export-minimal 7D33D762FD6C35130481347FDB4B54CBA4 If upstream signed a tarball differently, for example by signing only the uncompressed tarball but distributing a compressed version, -then the verification step must the adjusted accordingly, for example: +then the verification step must be adjusted accordingly, for example: .... Source0: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.xz
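Review bot: in PATCH 1/5, the sentence "The URL *MUST* use HTTPS or a similarly authenticated protocol if at all possible." pairs a *MUST* with an escape clause, which leaves the requirement unenforceable: either drop "if at all possible" or downgrade to *SHOULD* and state what a packager is expected to do when upstream offers the keyring only over an unauthenticated URL. A smaller style point in the same hunk: "=== Exceptions" is the only section title added here that is not followed by a blank line before its first paragraph, unlike "=== Obtaining the Correct Keys", "=== Verifying Signatures" and "=== Help".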
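Review bot: in PATCH 2/5, first hunk, the new line “`BuildRequires: gnupg2`” is necessary for the verification to work. wraps the monospace literal in typographic quotes, which AsciiDoc renders verbatim around the code; drop the quotes (PATCH 4/5 later does) and say why the dependency is needed, echoing the commit subject, e.g. "`BuildRequires: gnupg2` is necessary because GnuPG is not in the buildroot automatically.", so a packager understands the build failure they would otherwise see.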
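Review bot: in PATCH 2/5, third hunk, the added paragraph "may use a <> to skip the verification before GnuPG has been built." carries an empty cross-reference: nothing stands between the angle brackets, so the reader is not told which bootstrap mechanism or guideline section is meant. Fill in the xref target (or name the conditional in plain words) and check the rendered page, since an empty xref will also surface as a broken link.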
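Review bot: in PATCH 3/5, first hunk, changing the headline requirement from *MUST* to *SHOULD* leaves the rest of the section phrased as unconditional obligations ("must be uploaded to the package lookaside cache", "The following format must be used:", "the upstream OpenPGP keyring must still be included in the package SCM" under Exceptions) and the Help section still speaks of "circumventing the check"; those sentences should be reread so it is clear they bind only packages that do verify. The commit message "Weakened the requirement to verify signatures." records the what but not the why, and the rationale belongs in the history.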
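Review bot: in PATCH 3/5, second hunk, "When source file verification is done, it *MUST* be done first in the `%prep` section of the spec file," uses "done" in two senses (performed at all, versus completed) and can be misread as "after verification has finished"; "When source file verification is performed, it *MUST* be the first step in the `%prep` section of the spec file," says the same thing without the ambiguity.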
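Review bot: in PATCH 5/5, the spelling fix covers "must the adjusted" but leaves "retreived" in "Although a checksum in the sources file certifies that a file retreived from the lookaside cache is the one that the packager uploaded," (introduced in PATCH 1/5 and still visible as context in PATCH 3/5); "retrieved" should be corrected in the same commit.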