PSARC/2008/190 - Preinception IPS
Bart Smaalders
bart.smaalders at sun.com
Fri Aug 1 10:10:11 PDT 2008
Garrett D'Amore wrote:
>> Since each action can contain arbitrary attributes, the customer's
>> signature action can contain whatever data he wants; the packaging
>> system happily ignores that which it doesn't know about so he can
>> add new attributes to his signature ad nauseam.
>>
>> This would mean that any actions that are signatures are simply
>> ignored when computing the hash for signing purposes. Each signature
>> can carry whatever extra data (within reason, of course) is deemed
>> necessary by the signer.
>>
>> If the customer is worried about retrieving these packages from a repo
>> run by a hostile which is attempting to edit his meta data, we can
>> always include just the signature being generated (minus the hash value)
>> in the hash.
>>
>> Thus, each signature stands alone, but if present cannot be altered w/o
>> detection.
>
> I think you want the hash value in the signed portion. Otherwise, how
> do you keep someone from reattaching a different signed meta data from a
> "bad" package to a "good" package?
>
> Possibly all you need is just the hash signature.
>
> I still don't really understand whether meta data can alter the behavior
> of the software (either the installed software or the installation
> software itself) -- can it?
>
> - Garrett
The signed portion of the manifest would consist of all the entries in
the manifest (actions) aside from signatures, _plus_ any metadata
included in the signature being generated.
Thus signatures cannot be spoofed or exchanged, but they may be generated
by anyone w/ a key and added to the manifest. They cannot be altered
w/o invalidating that signature. The rest of the manifest cannot be
altered either w/o invalidating all signatures.
For example, suppose the manifest consists of:
set name=fmri value=pkg:/cheeseshop@1.0
dir group=sys mode=0755 owner=root path=/scripts
file b0b7615454f3a3ec0d0d159677618bbb476052e0 group=bin mode=0444 owner=root path=scripts/cheeseshop.txt
signature ....
and you wish to sign it again with the additional meta data of
airspeed_of_unladen_swallow=20
then the complete hashed text would include the manifest text
minus the already present signature but including the
airspeed_of_unladen_swallow=20 in a canonical format.
- Bart
--
Bart Smaalders Solaris Kernel Performance
barts at cyber.eng.sun.com http://blogs.sun.com/barts
"You will contribute more with mercurial than with thunderbird."
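As an added illustration (not code from this thread or from IPS itself), the following Python sketch implements the hashing rule Bart describes: every action except signature actions is covered, plus the new signature's own attributes minus its hash field, all in a canonical form. The manifest is the constructed one from the message, the helper names are assumptions, and a bare SHA-256 digest stands in for what a signer's key would actually sign.

```python
import hashlib

# Constructed sample manifest in IPS action syntax, based on the one in the
# message above; the existing signature's attributes are placeholders.
MANIFEST = """\
set name=fmri value=pkg:/cheeseshop@1.0
dir group=sys mode=0755 owner=root path=/scripts
file b0b7615454f3a3ec0d0d159677618bbb476052e0 group=bin mode=0444 owner=root path=scripts/cheeseshop.txt
signature signer=bob value=PLACEHOLDER_EXISTING_SIGNATURE
"""

def canonical_action(line):
    # Fixed form: action name, positional tokens in original order, then
    # key=value attributes sorted by key (assumes no quoted values with spaces).
    name, *tokens = line.split()
    attrs = sorted(t for t in tokens if "=" in t)
    return " ".join([name, *(t for t in tokens if "=" not in t), *attrs])

def signed_text(manifest, sig_attrs, hash_key="value"):
    # The text a new signature covers, as proposed in the thread: every action
    # except existing signature actions, plus the new signature's own attributes
    # with its hash field left out, all in canonical form.
    kept = [canonical_action(l) for l in manifest.splitlines()
            if l.strip() and l.split()[0] != "signature"]
    own = " ".join(f"{k}={v}" for k, v in sig_attrs.items() if k != hash_key)
    kept.append(canonical_action("signature " + own))
    return "\n".join(kept) + "\n"

def digest_for_signing(manifest, sig_attrs):
    # SHA-256 over the signed text; a real signer would sign this digest with a
    # key rather than store it bare, but the covered text is the same.
    return hashlib.sha256(signed_text(manifest, sig_attrs).encode()).hexdigest()

def attach_signature(manifest, sig_attrs):
    # Append a signature action carrying the signer's metadata plus the digest.
    attrs = dict(sig_attrs, value=digest_for_signing(manifest, sig_attrs))
    line = "signature " + " ".join(f"{k}={v}" for k, v in attrs.items())
    return manifest.rstrip("\n") + "\n" + canonical_action(line) + "\n"

def verify_signatures(manifest):
    # Recheck each signature against the manifest's current content. Returns
    # {signer: ok}; a signature copied from another package, or a manifest
    # edited after signing, shows up as False.
    results = {}
    for line in manifest.splitlines():
        if line.strip() and line.split()[0] == "signature":
            attrs = dict(t.split("=", 1) for t in line.split()[1:])
            results[attrs.get("signer", "?")] = (
                attrs.get("value") == digest_for_signing(manifest, attrs))
    return results
```

Note that editing any non-signature action invalidates every signature, while editing one signature's own metadata invalidates only that signature, which is the property the thread is after.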