I've been working on a new way to sign archives, in preparation for a change to pkg tools, with feedback from Theo and Tedu.

The actual problem happened in FreeBSD. They got a hole in their gunzip pipeline a few weeks ago (rather subtle one). So if your workflow is:

1/ fetch data -> 2/ uncompress it -> 3/ check signature -> 4/ process data

you've got TWO steps (1 and 2) that are relatively easy to tamper with, with potentially deadly consequences.

The solution is to move the signature outside of the gzip header. New workflow is:

1/ fetch data -> 2/ check signature -> 3/ uncompress -> 4/ process data

Since step 1/ is privsep, as long as step 2 is airtight, 3/ and 4/ are no longer vulnerable.

Just committed some preliminary code into signify that allows that. Guidelines:

- small, self-contained code to parse simple gzip headers
- signify-style signature in the gzip comment. Contains checksums of 64K blocks of the compressed archive
- don't even think about passing the original gzip header through
- use as a pipeline step: does not need to download full archive to use it, and never ever pass any data to the gunzip part before it's been verified.

Note that afaik we haven't had any hole in our gunzipping process. Well... waiting for an accident to happen is not how we do things. Hopefully, this should prevent future mishaps.

-- Marc
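An added illustration of the pipeline step described above (not the signify code Marc committed, and not signify's real comment format, which the post does not show): parse the RFC 1952 header, pull a per-64K-block digest manifest out of the FCOMMENT field, check the manifest's tag first, and hand each compressed block to the inflater only after its own digest matches. The manifest layout and the HMAC standing in for the signify public-key signature are assumptions of this example.

```python
import hashlib, hmac, io, struct, zlib
BLOCK = 65536
KEY = b"constructed-demo-key"  # assumption: HMAC key standing in for a signify key pair

def sign_gzip(data):  # gzip member whose FCOMMENT holds the manifest; blocks cover body + trailer
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, no gzip framing
    body = c.compress(data) + c.flush() + struct.pack("<II", zlib.crc32(data), len(data) & 0xffffffff)
    lines = b"\n".join(hashlib.sha256(body[i:i + BLOCK]).hexdigest().encode()
                       for i in range(0, len(body), BLOCK))
    manifest = hmac.new(KEY, lines, hashlib.sha256).hexdigest().encode() + b"\n" + lines
    return b"\x1f\x8b\x08\x10\0\0\0\0\0\x03" + manifest + b"\0" + body  # FLG=FCOMMENT, OS=3 (Unix)

def _cstring(stream):  # NUL-terminated header field (FNAME, FCOMMENT)
    out = b""
    while (c := stream.read(1)) != b"\0":
        if not c: raise ValueError("truncated gzip header")
        out += c
    return out

def parse_header(stream):  # minimal RFC 1952 header walk; returns FCOMMENT, forwards nothing else
    fixed = stream.read(10)
    if len(fixed) != 10 or fixed[:3] != b"\x1f\x8b\x08" or fixed[3] & 0xe0:
        raise ValueError("not a plain deflate gzip member")
    flg = fixed[3]
    if flg & 0x04:                                      # FEXTRA: skip XLEN bytes
        stream.read(struct.unpack("<H", stream.read(2))[0])
    if flg & 0x08:                                      # FNAME: skip
        _cstring(stream)
    comment = _cstring(stream) if flg & 0x10 else b""   # FCOMMENT: the manifest lives here
    if flg & 0x02:                                      # FHCRC: skip
        stream.read(2)
    return comment

def verified_blocks(stream):  # yield a block only after the tag and that block's digest checked out
    tag, _, lines = parse_header(stream).partition(b"\n")
    if not hmac.compare_digest(hmac.new(KEY, lines, hashlib.sha256).hexdigest().encode(), tag):
        raise ValueError("manifest signature check failed")
    for i, want in enumerate(lines.split(b"\n")):
        block = stream.read(BLOCK)
        if hashlib.sha256(block).hexdigest().encode() != want:
            raise ValueError(f"block {i} does not match manifest")
        yield block

def verify_and_gunzip(archive):  # consumer: the inflater never receives an unverified byte
    stream = io.BytesIO(archive) if isinstance(archive, bytes) else archive
    d, out = zlib.decompressobj(-15), b""
    for block in verified_blocks(stream):
        out += d.decompress(block)  # fed block by block, as soon as each one is verified
    if struct.unpack("<II", d.unused_data[:8]) != (zlib.crc32(out), len(out) & 0xffffffff):
        raise ValueError("gzip trailer mismatch")
    return out
```

Because the manifest rides in a standard FCOMMENT field, the output of sign_gzip is still an ordinary gzip member for tools that do not know about the manifest.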