From: Joanna Rutkowska
Subject: Xen signing and wget
Date: Tue, 06 Jul 2010 17:12:08 +0200
Message-ID: <4C3347C8.7020603@invisiblethingslab.com>
To: xen-devel@lists.xensource.com

While the Xen sources have recently become digitally signed by xen.org (which is just great), there is still a problem that its various Makefiles download (and subsequently build) various 3rd party software via wget (e.g. ioemu, grub, tboot, etc). Unless I'm missing something, the downloaded 3rd party software is never verified in any way.

From the security point of view, it is equal to say that Xen downloads random code from the web, and unconditionally executes it. So, this not only allows for building potentially compromised Xen packages, but also is a threat to the developer's machine, where the (untrusted) Makefiles of the unverified 3rd party software are run.

Consequently, I have the following suggestions:

1) Push on the vendors of the 3rd party components you use in the build to sign their software, and verify the signatures after download in your Makefile.

2) Until the 3rd party vendors implement signing of their software, add a hardcoded list of hashes for the specific versions of the software you use in the build (e.g. md5sum, and then use md5sum --check in the Makefile for verification that what you downloaded is good).

joanna.
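The second suggestion, a pinned hash checked right after the wget, as an added example that is not part of Joanna's mail or of the Xen build system. It is a POSIX sh helper a Makefile download recipe could call: `verify_download` compares a fetched file against a hash recorded in the tree, and `fetch_verified` wraps wget so a mismatching file is deleted rather than left for the next `make` to unpack. The hash used below is the SHA-256 of the constructed text "hello\n", standing in for a pinned value; it does not correspond to any real Xen component, and SHA-256 is used where the mail mentions md5sum (the mechanism is the same, the algorithm is a choice of this example).

```shell
#!/bin/sh
# Added example (not from the mail or the Xen tree): verify a downloaded
# tarball against a hash hardcoded in the source tree before building it.
# Sample files and hash values are constructed for this demonstration.

# Print the SHA-256 of a file (sha256sum on GNU systems, shasum elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_download FILE EXPECTED_SHA256
# Returns 0 when FILE hashes to EXPECTED_SHA256, 1 otherwise (including a
# missing file). A mismatch means the download must not be unpacked or built.
verify_download() {
    _file=$1
    _expected=$2
    [ -f "$_file" ] || { echo "verify: $_file missing" >&2; return 1; }
    _actual=$(file_sha256 "$_file")
    if [ "$_actual" = "$_expected" ]; then
        echo "verify: $_file OK"
        return 0
    fi
    echo "verify: $_file MISMATCH (expected $_expected, got $_actual)" >&2
    return 1
}

# fetch_verified URL FILE EXPECTED_SHA256
# Downloads with wget only when FILE is absent, then verifies it. On a
# mismatch the file is removed so a later make cannot silently reuse it.
fetch_verified() {
    _url=$1; _file=$2; _expected=$3
    [ -f "$_file" ] || wget -O "$_file" "$_url" || return 1
    if ! verify_download "$_file" "$_expected"; then
        rm -f "$_file"
        return 1
    fi
}

# Offline demonstration with constructed files: the "pinned" hash is the
# SHA-256 of "hello\n"; the second file plays a tampered download and is
# rejected. The tampered copy is also handed to fetch_verified, which skips
# wget because the file already exists and then deletes it on mismatch.
demo() {
    _dir=$(mktemp -d)
    _pinned=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    printf 'hello\n'  > "$_dir/good.tar.gz"
    printf 'hello!\n' > "$_dir/tampered.tar.gz"
    verify_download "$_dir/good.tar.gz" "$_pinned"               # OK
    verify_download "$_dir/tampered.tar.gz" "$_pinned" || true   # MISMATCH
    fetch_verified "http://example.invalid/x" "$_dir/tampered.tar.gz" \
        "$_pinned" || echo "demo: tampered file removed"
    rm -rf "$_dir"
}
```

In a Makefile the recipe for a downloaded tarball becomes `fetch_verified $(URL) $@ $(PINNED_SHA256)` with the hash kept next to the version in the same Makefile, so bumping the version forces a reviewer to update the hash; a signature check, as in the first suggestion, slots into `verify_download` in the same place.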