Bug 39591 - Verify digital signatures of appcenter files
Verify digital signatures of appcenter files
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - App-Center
UCS 4.1
Other Linux
Importance: P5 normal
: UCS 4.1
Assigned To: Arvid Requate
Stefan Gohmann
: interim-2
Depends on: 39590
Blocks: 39194
Reported: 2015-10-19 17:04 CEST by Arvid Requate
Modified: 2016-09-21 18:10 CEST (History)
What kind of report is it?: Security Issue
Bug group (optional): Security

Description Arvid Requate univentionstaff 2015-10-19 17:04:36 CEST
When downloading files from the app center, the file hashes need to be verified against the signed index.json (Bug #39590).


+++ This bug was initially created as a clone of Bug #39194 +++

The Docker images and all used scripts are cryptographically signed, for example the pre-installation script. The signature is verified during the installation. If the signature is invalid, an error message is shown and the installation is aborted.
Comment 1 Arvid Requate univentionstaff 2015-10-19 18:43:31 CEST
We will also include the SHA256 hash of the image manifest in the signed index.json. To verify that we will need to implement an equivalent of this command in appcenter-docker:

curl -X GET https://ucs:readonly@docker.software-univention.de/v2/ucs-appbox-amd64/manifests/4.1-0 | sha256sum
Comment 2 Arvid Requate univentionstaff 2015-10-22 20:20:07 CEST
* For apps referencing a DockerImage the index.json now contains the sha256 hash of the DockerImage Manifest in the key "DockerImageManifestV2S1". It also lists the URL where this Manifest can be downloaded

* The index.json.gz is now signed

* univention-appcenter checks the signature unless appcenter/index/verify=false

* The index.json.gz + .gpg are now cached locally. Maybe this comes in handy at some later point in the future, where one could just fetch the .gpg and if the signature is still fine, then the index.json.gz doesn't need to be downloaded again.

* When downloading the Docker Image, the Manifest hash is compared against the hash documented in the signed index.json.

* Until now I didn't find out where Docker Registry v2 (aka "Distribution") holds its private crypto key, which it uses to put JWS / JOSE signatures into the Docker Image Manifest. Restarting the registry doesn't change the Manifest, so I currently assume that the Manifest hashes will remain constant.

Changelog adjusted.

Note: Currently the notification traceback is a bit ugly, in case the signature verification fails for the index.json. I asked an expert for advice, so this may still improve.
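The check described in Comments 1 and 2, as an added illustration that is not univention-appcenter's own code: the index.json.gz is accepted only after its detached .gpg signature verifies, and the SHA256 of the manifest fetched from the registry (what `curl ... | sha256sum` prints) is compared against the `DockerImageManifestV2S1` value recorded in that signed index. The key name comes from the bug; the surrounding index layout, the app id `ucs-appbox` and the sample manifest bytes are constructed here, and the signature step assumes a `gpg` binary with the signing key already in its keyring.

```python
import gzip
import hashlib
import hmac
import json
import subprocess

# Constructed stand-in for the body returned by
# GET /v2/ucs-appbox-amd64/manifests/4.1-0 (the page's curl ... | sha256sum).
SAMPLE_MANIFEST = b'{"schemaVersion": 1, "name": "ucs-appbox-amd64", "tag": "4.1-0"}\n'


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_index_gz() -> bytes:
    """Constructed index.json.gz. Only the key DockerImageManifestV2S1 is taken
    from the bug report; the layout around it is an assumption for this demo."""
    index = {
        "ucs-appbox": {
            "DockerImage": "docker.software-univention.de/ucs-appbox-amd64:4.1-0",
            "DockerImageManifestV2S1": sha256_hex(SAMPLE_MANIFEST),
            "DockerImageManifestV2S1URL":
                "https://docker.software-univention.de/v2/ucs-appbox-amd64/manifests/4.1-0",
        }
    }
    return gzip.compress(json.dumps(index).encode("utf-8"))


def verify_index_signature(index_gz_path: str, sig_path: str, gpg: str = "gpg") -> bool:
    """Detached-signature check of index.json.gz against index.json.gz.gpg.
    Shells out to the gpg CLI; the signing key must already be trusted in the
    keyring. A missing gpg binary or a non-zero exit is a failure, never a pass."""
    try:
        result = subprocess.run(
            [gpg, "--batch", "--verify", sig_path, index_gz_path],
            capture_output=True,
        )
    except FileNotFoundError:
        return False
    return result.returncode == 0


def load_index(index_gz: bytes) -> dict:
    """Decompress and parse the index. Call only after the signature verified."""
    return json.loads(gzip.decompress(index_gz).decode("utf-8"))


def verify_manifest(index: dict, app_id: str, manifest: bytes) -> bool:
    """Compare the SHA256 of the downloaded manifest with the hash documented in
    the signed index. Accepts a bare hex digest or a Docker-style 'sha256:<hex>'
    reference; an app without a recorded hash fails closed."""
    app = index.get(app_id)
    if not isinstance(app, dict):
        return False
    expected = app.get("DockerImageManifestV2S1")
    if not isinstance(expected, str) or not expected:
        return False
    expected = expected.lower()
    if expected.startswith("sha256:"):
        expected = expected[len("sha256:"):]
    # Constant-time comparison so the check does not leak how many leading
    # hex characters of a candidate digest matched.
    return hmac.compare_digest(sha256_hex(manifest), expected)


if __name__ == "__main__":
    # Stand-alone demo of the hash step using the constructed index above.
    idx = load_index(build_sample_index_gz())
    print("intact manifest:", verify_manifest(idx, "ucs-appbox", SAMPLE_MANIFEST))
    print("altered manifest:", verify_manifest(idx, "ucs-appbox", SAMPLE_MANIFEST + b"x"))
```

In a real download path the two steps belong in this order: `verify_index_signature()` on the cached index.json.gz and its .gpg first (abort on `False`, which is what `appcenter/index/verify=false` would skip), then `load_index()` and `verify_manifest()` for every Docker image before anything from the registry is used.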
Comment 3 Stefan Gohmann univentionstaff 2015-10-30 15:14:01 CET
OK, it works. Some tests are checked in 80_docker/59_app_center_signature.
Comment 4 Stefan Gohmann univentionstaff 2015-11-17 12:12:38 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".