PSARC/2008/190 - Preinception IPS
Darren J Moffat
Darren.Moffat at sun.com
Fri Aug 1 11:13:08 PDT 2008
Bart Smaalders wrote:
> Garrett D'Amore wrote:
>>> Since each action can contain arbitrary attributes, the customer's
>>> signature action can contain whatever data he wants; the packaging
>>> system happily ignores that which it doesn't know about so he can
>>> add new attributes to his signature ad nauseam.
>>>
>>> This would mean that any actions that are signatures are simply
>>> ignored when computing the hash for signing purposes. Each signature
>>> can carry whatever extra data (within reason, of course) is deemed
>>> necessary by the signer.
>>>
>>> If the customer is worried about retrieving these packages from a repo
>>> run by a hostile which is attempting to edit his meta data, we can
>>> always include just the signature being generated (minus the hash value)
>>> in the hash.
>>>
>>> Thus, each signature stands alone, but if present cannot be altered w/o
>>> detection.
>> I think you want the hash value in the signed portion. Otherwise, how
>> do you keep someone from reattaching a different signed meta data from a
>> "bad" package to a "good" package?
>>
>> Possibly all you need is just the hash signature.
>>
>> I still don't really understand whether meta data can alter the behavior
>> of the software (either the installed software or the installation
>> software itself) -- can it?
>>
>> - Garrett
>
> The signed portion of the manifest would consist of all the entries in
> the manifest (actions) aside from signatures, _plus_ any metadata
> included in the signature being generated.
>
> Thus signatures cannot be spoofed or exchanged, but they may be generated
> by anyone w/ a key and added to the manifest. They cannot be altered
> w/o invalidating that signature. The rest of the manifest cannot be
> altered either w/o invalidating all signatures.
>
> For example, suppose the manifest consists of:
>
> set name=fmri value=pkg:/cheeseshop@1.0
> dir group=sys mode=0755 owner=root path=/scripts
> file b0b7615454f3a3ec0d0d159677618bbb476052e0 group=bin mode=0444
> owner=root path=scripts/cheeseshop.txt
> signature ....
>
> and you wish to sign it again with the additional meta data of
> airspeed_of_unladen_swallow=20
>
> then the complete hashed text would include the manifest text
> minus the already present signature but including the
> airspeed_of_unladen_swallow=20 in a canonical format.
This makes perfect sense to me.
--
Darren J Moffat
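The scheme Bart describes above (sign every non-signature action plus the signing signature's own attributes, minus the signature value itself) can be exercised with a small model. The following is an added example, not IPS code from the project or anyone in the thread: HMAC-SHA256 with a per-signer secret stands in for a real public-key signature so the script runs with only the standard library, the `signer` and `value` attribute names and the `airspeed_of_unladen_swallow` value are taken from or modelled on the thread rather than any real manifest syntax, and the manifest lines are constructed from the quoted example. The checks cover the properties claimed in the thread plus Garrett's concern about re-attaching a signature from a different package.

```python
"""Toy model of the manifest-signing scheme discussed in the thread.

Added example, not IPS code. HMAC-SHA256 stands in for a real public-key
signature so the script runs with only the standard library; the point is
which text a signature covers, not the signature primitive.
"""
import copy
import hashlib
import hmac

# Constructed sample manifest, modelled on the one quoted in the thread.
MANIFEST_LINES = [
    "set name=fmri value=pkg:/cheeseshop@1.0",
    "dir group=sys mode=0755 owner=root path=/scripts",
    "file b0b7615454f3a3ec0d0d159677618bbb476052e0 group=bin mode=0444 "
    "owner=root path=scripts/cheeseshop.txt",
]


def parse_action(line):
    """Split an action line into (kind, positional tokens, attribute dict)."""
    kind, *tokens = line.split()
    positional = [t for t in tokens if "=" not in t]
    attrs = dict(t.split("=", 1) for t in tokens if "=" in t)
    return kind, positional, attrs


def canonical(kind, positional, attrs):
    """One canonical line: kind, positional payload, then attributes sorted by key."""
    return " ".join([kind, *positional, *(f"{k}={v}" for k, v in sorted(attrs.items()))])


def signed_text(manifest, sig_attrs):
    """Text a signature covers: every non-signature action (sorted) plus the
    signing signature's own attributes, all except the signature value itself."""
    lines = sorted(canonical(*a) for a in manifest if a[0] != "signature")
    own = {k: v for k, v in sig_attrs.items() if k != "value"}
    lines.append(canonical("signature", [], own))
    return "\n".join(lines) + "\n"


def sign(manifest, key, **meta):
    """Produce a signature action carrying `meta` (hypothetical attribute names)."""
    attrs = dict(meta)
    digest = hmac.new(key, signed_text(manifest, attrs).encode(), hashlib.sha256)
    attrs["value"] = digest.hexdigest()
    return ("signature", [], attrs)


def verify(manifest, sig, key):
    """True if `sig` is valid over `manifest` under the signer's key."""
    _, _, attrs = sig
    expected = hmac.new(key, signed_text(manifest, attrs).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, attrs.get("value", ""))


def run_checks():
    """Exercise the properties claimed in the thread; returns name -> bool."""
    alice, bob = b"alice-demo-key", b"bob-demo-key"  # constructed keys
    good = [parse_action(line) for line in MANIFEST_LINES]
    s1 = sign(good, alice, signer="alice")
    good.append(s1)
    # A second signer adds their own metadata without touching the first signature.
    s2 = sign(good, bob, signer="bob", airspeed_of_unladen_swallow="20")
    good.append(s2)

    # Tamper 1: edit the second signature's own metadata.
    t1 = copy.deepcopy(good)
    t1[-1][2]["airspeed_of_unladen_swallow"] = "21"
    # Tamper 2: edit a non-signature action (swap the file's content hash).
    t2 = copy.deepcopy(good)
    t2[2][1][0] = "0" * 40
    # Tamper 3: re-attach alice's signature taken from a different package.
    bad = [parse_action("set name=fmri value=pkg:/evilshop@1.0")]  # constructed
    bad_sig = sign(bad, alice, signer="alice")
    t3 = [a for a in good if a[0] != "signature"] + [bad_sig]

    return {
        "both_valid": verify(good, s1, alice) and verify(good, s2, bob),
        "meta_edit_breaks_only_that_sig": (not verify(t1, t1[-1], bob)) and verify(t1, s1, alice),
        "body_edit_breaks_all": (not verify(t2, s1, alice)) and (not verify(t2, s2, bob)),
        "transplanted_sig_rejected": not verify(t3, bad_sig, alice),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Because signature actions are excluded from the covered text, adding a second signature leaves the first valid, while editing one signature's metadata breaks only that signature. Any change to a non-signature action breaks every signature, and a signature lifted from another package fails because the covered text differs. The canonical form (sorted actions, sorted attributes) matters: a verifier must rebuild exactly the bytes the signer hashed, so ordering and whitespace rules have to be fixed by the format, not left to whatever tool wrote the manifest.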