Update dev env logic in case of upstream changes due to signed RPM requirement

[conorsch]

From https://www.qubes-os.org/news/2021/03/19/qsb-067/:

The mitigation forces signature verification in RPM regardless of other options. This means that RPM will refuse to install packages that are unsigned (or signed with an untrusted signature), even when explicitly requested to do so. This breaks use cases such as installing locally-built packages and installing manually-downloaded packages the integrity of which was verified separately (which is often the case for closed-source software).

That'll break the "make dev" behavior we have of installing a local RPM.

[conorsch]

I'm still not encountering any breakage here, which is surprising, given that dom0 reports it's enforcing the signature checks: " Enforcing GPG signature check globally as per active RPM security policy". Will need to perform more testing, because I still expect this behavior to break.

full output from dom0 session

[user@dom0 ~]$ sudo qubes-dom0-update -y
Using sys-firewall as UpdateVM to download updates for Dom0; this may take some time...
Warning: Enforcing GPG signature check globally as per active RPM security policy (see 'gpgcheck' in dnf.conf(5) for how to squelch this message)
Fedora 25 - x86_64 - Updates                    3.7 MB/s |  24 MB     00:06    
Fedora 25 - x86_64                              6.9 MB/s |  50 MB     00:07    
Qubes Dom0 Repository (updates)                 2.0 MB/s | 2.0 MB     00:01    
determining the fastest mirror (14 hosts).. done.--  B/s |   0  B     --:-- ETA
Qubes Templates repository                      1.0 kB/s | 5.9 kB     00:05    
Dependencies resolved.
Nothing to do.
Complete!
No packages downloaded
Qubes OS Repository for Dom0                                                                                                                                   56 MB/s |  98 kB     00:00    
[user@dom0 ~]$ cd securedrop-workstation/
[user@dom0 securedrop-workstation]$ make clone
Building RPM on sd-dev ...
Cloning code from sd-dev:/home/user/securedrop-workstation ...
[user@dom0 securedrop-workstation]$ make prep-dev
Deploying Salt config...
Uninstalling any previous RPM versions...
7 files removed
No match for argument: securedrop-workstation-dom0-config
Error: No packages marked for removal.
Installing RPM at /home/user/securedrop-workstation/rpm-build/RPMS/noarch/securedrop-workstation-dom0-config-0.5.3-1.fc25.noarch.rpm ...
Qubes OS Repository for Dom0                                                                                                                                   96 MB/s |  98 kB     00:00    
Dependencies resolved.
==============================================================================================================================================================================================
 Package                                                        Arch                               Version                                     Repository                                Size
==============================================================================================================================================================================================
Installing:
 securedrop-workstation-dom0-config                             noarch                             0.5.3-1.fc25                                @commandline                             116 k

Transaction Summary
==============================================================================================================================================================================================
Install  1 Package

Total size: 116 k
Installed size: 295 k
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : securedrop-workstation-dom0-config-0.5.3-1.fc25.noarch                                                                                                                    1/1 
  Verifying   : securedrop-workstation-dom0-config-0.5.3-1.fc25.noarch                                                                                                                    1/1 

Installed:
  securedrop-workstation-dom0-config.noarch 0.5.3-1.fc25                                                                                                                                      

Complete!
Copying config secrets into place...
'config.json' -> '/usr/share/securedrop-workstation-dom0-config/config.json'
'config.json' -> '/srv/salt/sd/config.json'
'sd-journalist.sec' -> '/usr/share/securedrop-workstation-dom0-config/sd-journalist.sec'
'sd-journalist.sec' -> '/srv/salt/sd/sd-journalist.sec'
[user@dom0 securedrop-workstation]$ echo $?
0
[user@dom0 securedrop-workstation]$ sdw-admin --help
usage: sdw-admin [-h] [--apply] [--validate] [--uninstall]
                 [--keep-template-rpm] [--force]

optional arguments:
  -h, --help           show this help message and exit
  --apply              Apply workstation configuration with Salt
  --validate           Validate the configuration
  --uninstall          Completely Uninstalls the SecureDrop Workstation
  --keep-template-rpm  During uninstall action, leave TemplateVM RPM package
                       installed in dom0
  --force              During uninstall action, don't prompt for confirmation,
                       proceed immediately
[user@dom0 securedrop-workstation]$ 

[conorsch]

Ah, now it makes sense: the current mitigation only applies to Fedora-based domUs. Testing an manual installation in a F32-based AppVM properly rejected the installation, complaining about lack of signature. Installation in dom0 still works, although a close read of the QSB notes that:

In the near future, we will also deploy an extra tool to perform preliminary validation of all RPM packages in dom0 before handing them over to RPM.

There is some interesting rustlang tooling mentioned in QubesOS/qubes-issues#6485 that may address.

[eloquence]

(Likely no action required during this sprint, but we'll continue to track.)

[eloquence]

Removing off the board for now but keeping open in case of further upstream changes.

[eloquence]

@rocodes is experiencing issues installing dev packages in dom0 and it appears that _pkverify_level was somehow set to all on her system. We're not aware yet of any recent upstream changes that may have caused that configuration difference in dom0 -- on my system it is still set to digest.

[eloquence]

Investigating with @conorsch, we were able to locate a configuration discrepancy: /usr/lib/rpm/macros.d/macros.qubes exists on Ro's system in dom0 but not on ours, with %_pkgverify_level all set there. This causes installation of dev packages to fail since those are not signed.

Our best guess for now is that the domU updateVM Salt state was accidentally applied to dom0. This is the Salt state that applies the mitigation referenced in the advisory by setting the package verification level:

https://github.com/QubesOS/qubes-mgmt-salt-dom0-update/blob/master/update/qubes-vm.sls

[conorsch]

Our best guess for now is that the domU updateVM Salt state was accidentally applied to dom0.

🚨 *warning: untested and potentially destructive command 🚨 For example, when typing a command such as:

sudo qubesctl --skip-dom0 --target fedora-34 state.sls update.qubes-vm

as:

sudo qubesctl --target fedora-34 state.sls update.qubes-vm

I think would result in this particular broken state.

[sssoleileraaa]

(Removed qubes-4.1-support milestone in favor of the #600 tracking issue that is more cross-repo friendly. Cross-repo milestones is on the github longterm roadmap: github/roadmap#276 though!)

[sssoleileraaa]

Added this to the near-term so someone could take time to understand the issue being reported here and try to repro. I believe @eaon has been running make dev without issue, but I could be wrong.

[zenmonkeykstop]

make dev is also working for me on 4.1.

[zenmonkeykstop]

Closing, no longer a problem.