Page MenuHomePhorge
Create Task
Maniphest T3820

Debian 9.0 does not accept SHA1 signature of OBS repository
Closed, ResolvedPublic
Actions

Description

(In the example below I play around with my own OBS project, but the problem also occurs with Winterfell or any other project.)

The output of apt update itself is not really specific:

Ign:4 http://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ InRelease
(...)
Get:6 http://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release [1058 B]
Get:7 http://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release.gpg [481 B]
Err:7 http://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release.gpg
  The following signatures were invalid: 79D86A05FDE6C9FB4E43A6C5830C2BCF446D5A45
(...)
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release: The following signatures were invalid: 79D86A05FDE6C9FB4E43A6C5830C2BCF446D5A45
W: Failed to fetch http://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0/./Release.gpg
The following signatures were invalid: 79D86A05FDE6C9FB4E43A6C5830C2BCF446D5A45
W: Some index files failed to download. They have been ignored, or old ones used instead.

However, I'm reasonably certain that this error occurs because APT refuses to accept SHA1 signatures for repositories. See https://wiki.debian.org/Teams/Apt/Sha1Removal and the following output:

$ wget http://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0/Release.gpg
--2018-04-02 13:05:16--  http://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0/Release.gpg
Resolving obs.kolabsys.com (obs.kolabsys.com)... 95.128.36.7
Connecting to obs.kolabsys.com (obs.kolabsys.com)|95.128.36.7|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 481 [application/pgp-encrypted]
Saving to: ‘Release.gpg’

Release.gpg         100%[===================>]     481  --.-KB/s    in 0s      

2018-04-02 13:05:16 (24.6 MB/s) - ‘Release.gpg’ saved [481/481]

$ pgpdump Release.gpg
Old: Signature Packet(tag 2)(277 bytes)
        Ver 3 - old
        Hash material(5 bytes):
                Sig type - Signature of a binary document(0x00).
                Creation time - Mon Apr  2 12:09:12 CEST 2018
        Key ID - 0x830C2BCF446D5A45
        Pub alg - RSA Encrypt or Sign(pub 1)
        Hash alg - SHA1(hash 2)
        Hash left 2 bytes - 02 d5 
        RSA m^d mod n(2047 bits) - ...
                -> PKCS-1

So I guess the OBS repositories should be signed with SHA256 (or better) instead of SHA1.

Details

Ticket Type
Task

Related Objects

Event Timeline

sicherha created this task.Apr 2 2018, 1:11 PM
sicherha added a project: Bug Reports.Apr 4 2018, 8:40 AM
sicherha added a comment.Apr 8 2018, 12:31 PM

Temporary workaround:

  1. Mark repository as [trusted=yes]
  2. Follow https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872543#10
  3. Hope you don't get MitM'd
sicherha raised the priority of this task from 40 to High.Apr 17 2018, 9:35 AM

Bumping priority because I'm getting closer to providing packages for Debian Stretch.

sicherha added a project: Engineering & Operations.Apr 17 2018, 11:16 AM

Playing around with a custom-created key (osc signkey --create home:sicherha:Testproject) still yields a repository signed with SHA1 only.

So I think OBS needs to be updated - it's currently at version 2.5.51.git20140622.569483c, which is old as dirt.

vanmeeuwen added a comment.EditedApr 19 2018, 2:03 PM

The weakness in SHA1 is a collision risk, not an active compromise vector.

Perhaps Debian will honor the use of SHA1 signatures of repository files, when the URL used is properly HTTPS?

sicherha added a comment.Apr 20 2018, 10:27 AM

Unfortunately it doesn't. I agree that using HTTPS should mitigate the MitM risk, but I still have to explicitly mark the repository as trusted for APT to accept it.

Without [trusted=yes]:

$ sudo apt update 
Ign:1 http://ftp.uni-erlangen.de/debian stretch InRelease
Hit:2 http://ftp.uni-erlangen.de/debian stretch-updates InRelease
Hit:3 http://ftp.uni-erlangen.de/debian stretch Release                        
Hit:4 http://security.debian.org stretch/updates InRelease                     
Ign:5 https://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ InRelease
Get:6 https://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release [1061 B]
Get:7 https://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release.gpg [481 B]
Ign:7 https://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release.gpg
Reading package lists... Done 
W: GPG error: https://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release: The following signatures were invalid: 79D86A05FDE6C9FB4E43A6C5830C2BCF446D5A45
E: The repository 'https://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

With [trusted=yes]:

$ sudo apt update 
Ign:1 http://ftp.uni-erlangen.de/debian stretch InRelease
Hit:2 http://ftp.uni-erlangen.de/debian stretch-updates InRelease
Hit:3 http://security.debian.org stretch/updates InRelease     
Hit:4 http://ftp.uni-erlangen.de/debian stretch Release        
Ign:5 https://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ InRelease
Get:6 https://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release [1061 B]
Get:7 https://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release.gpg [481 B]
Ign:7 https://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release.gpg
Hit:9 https://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Packages
Fetched 1542 B in 0s (4423 B/s)
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
W: GPG error: https://obs.kolabsys.com/repositories/home:/sicherha:/branches:/Kolab:/16/Debian_9.0 ./ Release: The following signatures were invalid: 79D86A05FDE6C9FB4E43A6C5830C2BCF446D5A45

While I think this is a valid temporary workaround, I would personally prefer a clean solution.

sicherha added a comment.Apr 21 2018, 11:04 PM

By the way, OBS has an unfortunate tendency to get stuck when a lot of build jobs exist - such as right now. Maybe that issue is fixed in a newer OBS version as well?

(Naive me, never having administrated an OBS installation, thinks at first glance that the upgrade path doesn't seem unbearably painful.)

Whvneo subscribed.Jun 3 2018, 3:36 PM
sicherha closed this task as Resolved.Jul 3 2018, 3:50 PM
sicherha claimed this task.
sicherha mentioned this in T5193: Debian Stretch Repo.Mar 21 2019, 11:51 PM