Reject weak keys (SHA-1 signature) in admin gpg-validate script #6928
Conversation
Per #6796 (comment), will keep the behaviour that checks all keys against sq linter, not just the Submission Key. This will likely mean some additional support tickets as users have to update their keys and push them to the server (and to other Admin workstations) - we may even want to create a docs page and link to it in the console error message.
Just skimming right now, will do a more complete review shortly. I missed that there was another copy of the test_journalist_key.pub in the admin/ hierarchy, I fixed that key in 4b5ef49 to not use SHA-1 signatures. I would suggest we copy the fixed key into admin/ (so they're in sync) and then commit your generated bad key as the failure example.
(I'm not asking you to rewrite it, but I don't understand why our Python code is shelling out to a shell script, this logic seems much easier to do in Python IMO...)
I don't personally see the need since we're getting it from Debian/Tails. One note is that the packaged sequoia stuff is using nettle as the crypto library (instead of openssl, which we're using for redwood) but we're not doing any crypto stuff here, just examining the keys, so the difference doesn't matter.
Force-pushed 64c6e79 to f0b0908
…. Include sq linting in validation check to prevent keys using SHA-1-based signatures from validating.
should fail sq-keyring-linter. Key details:

    gpg --fingerprint 40F1C17B7E7826DAB40B14AE7786B000E6D0A76E
    pub   rsa1024 2023-08-21 [SC]
          40F1 C17B 7E78 26DA B40B 14AE 7786 B000 E6D0 A76E
    uid           [ultimate] BADKEY (Should fail sq-keyring-linter) <[email protected]>
    sub   rsa1024 2023-08-21 [E]
Force-pushed f0b0908 to a5b9edf
- visual review makes sense and console error messages in securedrop-admin are clear
- admin-tests are passing
- check out this branch in Tails admin workstation and run ./securedrop-admin setup -- the sq-keyring-linter package should be installed: FAILED when admin/.venv3 already exists
- the validate-gpg.sh script correctly handles various cases:
  - a good GPG pubkey successfully validates, return code 0;
  - a GPG pubkey with mismatched fingerprint does not successfully validate, return code 1 (passes except when key is truncated by 1 char);
  - and a GPG pubkey with correct fingerprint but weak key (SHA-1 signed) does not validate, return code 2.

Also tested via ./securedrop-admin --force sdconfig
- the validation happens and an error is displayed for bad keys, but the site-specific file is still created, so an admin could miss the error and still install.
admin/bootstrap.py (Outdated)
@@ -125,7 +125,8 @@ def install_apt_dependencies(args: argparse.Namespace) -> None: | |||
virtualenv \ | |||
libffi-dev \ | |||
libssl-dev \ | |||
libpython3-dev", | |||
libpython3-dev \ | |||
sq-keyring-linter", |
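Review bot: nothing in this hunk records why `sq-keyring-linter` is in the apt list or what happens without it; since validate-gpg.sh only warns and skips the linting step when the package is absent, a one-line comment above the list (for example `# sq-keyring-linter: used by validate-gpg.sh to reject SHA-1-signed keys; validation degrades to a warning if missing`) would stop the next person who trims dependencies from silently losing the weak-key check.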
This will not be run on systems where there's an existing virtualenv. So the sq-keyring-linter package would not be installed by most GUI updater runs.
@@ -58,7 +69,16 @@ printf "Validating fingerprint and public key key match...\n" | |||
printf "\t Public key: %s\n" "${key_location}" | |||
printf "\t Fingerprint: %s\n" "${fingerprint}" | |||
|
|||
gpg2 --fingerprint "$fingerprint" | |||
gpg2 --fingerprint "$fingerprint" || report_error $KEY_MISMATCH |
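Review bot: the `+` line `gpg2 --fingerprint "$fingerprint" || report_error $KEY_MISMATCH` turns a key listing into a pass/fail check, but the listing's exit status only says whether gpg found some key for the search string, not that the full fingerprint is equal; as the review comment notes, a fingerprint truncated by one character still passes. Compare the whole value instead, e.g. `gpg2 --with-colons --fingerprint | awk -F: '$1 == "fpr" {print $10}' | grep -qx "$fingerprint" || report_error "$KEY_MISMATCH"` after stripping spaces and upper-casing `$fingerprint`, and reject inputs that are not exactly 40 hex digits before calling gpg at all.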
This returns positive for cases where the supplied fingerprint is truncated by 1 char.
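An added example (not SecureDrop's validate-gpg.sh or bootstrap.py) of the exact-match check this comment calls for: it parses gpg's machine-readable `--with-colons` listing and compares the whole 40-hex-digit primary-key fingerprint, so a value truncated by one character is rejected instead of being handed to gpg as a search pattern. The colons sample is constructed around the PR's test-key fingerprint; the key IDs, dates and subkey in it are made up.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint` output.  The primary
# fingerprint is the PR's test key; key IDs, dates and the subkey are made up.
SAMPLE_COLONS = """\
pub:u:1024:1:7786B000E6D0A76E:1692576000:::u:::scESC::::::23::0:
fpr:::::::::40F1C17B7E7826DAB40B14AE7786B000E6D0A76E:
uid:u::::1692576000::0000000000000000000000000000000000000000::BADKEY (Should fail sq-keyring-linter) <bad@example.invalid>::::::::::0:
sub:u:1024:1:0011223344556677:1692576000::::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
"""


def normalize_fpr(value: str) -> str:
    """'40F1 C17B ...' and lowercase hex should compare equal to the bare form."""
    return re.sub(r"\s+", "", value).upper()


def primary_fingerprints(colons_output: str) -> list[str]:
    """Fingerprints of primary keys only (the fpr record right after a pub record).

    Subkey fpr records (after sub) are skipped so a subkey can never satisfy
    a check meant for the primary key.
    """
    found = []
    after_pub = False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "fpr" and after_pub:
            found.append(fields[9])  # field 10 (index 9) holds the fingerprint
            after_pub = False
        elif fields[0] == "sub":
            after_pub = False
    return found


def fingerprint_matches(colons_output: str, expected: str) -> bool:
    """True only if some primary key's full fingerprint equals `expected` exactly.

    Anything that is not exactly 40 hex digits (e.g. truncated by one character)
    is rejected up front rather than treated as a partial match.
    """
    expected = normalize_fpr(expected)
    if not re.fullmatch(r"[0-9A-F]{40}", expected):
        return False
    return expected in primary_fingerprints(colons_output)
```

In the real script the `colons_output` argument would be the captured stdout of `gpg --batch --with-colons --fingerprint`.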
Force-pushed 12aa1fd to 707670a
Improve error codes in validate-gpg-key.sh script.
Force-pushed 707670a to 6875fcb
Thank you for your comments @zenmonkeykstop - I think I've addressed them in 6875fcb. I've also stepped through ./securedrop-admin setup and config on a Tails machine with and without the apt dependencies already installed, to make sure all cases are covered (sorry about that oversight). Re: the truncated fingerprint: Using

(Just mentioning out loud something that was said in standup) However, it was mentioned that this is a pretty flaky part of the workstation and might lead to frustration (the "check network status and try again" issue), which is a good point. In that case, I'd propose to revert that change to the PR (so we'd be back to only checking apt dependencies if there's no venv present). The script already handles cases where the sq-keyring-linter package is not installed by doing the rest of the gpg validation, just skipping the key linting. (And then optionally if we wanted to, to handle the 'existing venv' case, we could print a message to console, eg advising them to run @zenmonkeykstop is that a better approach? I admit that network flakiness wasn't top of mind when I wrote this PR.
""" | ||
# apt-cache -q0 policy $dependency1 $dependency2 $dependency3 | grep "Installed: (none)" | ||
apt_query = f"apt-cache -q0 policy {APT_DEPENDENCIES_STR}".split(" ") | ||
grep_command = ["grep", "Installed: (none)"] |
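Review bot: `grep "Installed: (none)"` over `apt-cache policy` output only detects packages apt knows about but has not installed; a name apt cannot resolve (the `N: unable to locate package` case described in the author's comment below) produces no `Installed:` line at all and therefore counts as present. Treat "no `Installed:` line for a requested package" as missing too, or query `dpkg-query -W -f='${Status}\n' <pkg>` per package and accept only `install ok installed`. Separately, `.split(" ")` on a string assembled from backslash-continued lines will yield empty elements if those lines are indented; `.split()` avoids that.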
@zenmonkeykstop if the admin workstation has all the right dependencies, is_missing_dependency won't prompt for sudo or do any network calls.

If a package name changes (eg sq-keyring-linter gets replaced by sq), this still won't try and install sq-keyring-linter, because the apt-cache policy results won't be "Installed: (none)", they'll be "N: unable to locate package $funnyname".

If you're not a fan, let me know and we can at least move the check into the branch of envsetup where no existing venv is detected.
libssl-dev \ | ||
libpython3-dev \ | ||
sq-keyring-linter" | ||
|
(dependencies refactored from line 120)
LGTM, thanks for the changes!
Status

Ready for review:
- sq-keyring-linter before including it on admin workstations? (discussed: it's in default repos, not happening now and Tails is considering including it stock, so we aren't doing review for now)

Description of Changes

Fixes #6796

Changes proposed in this pull request:
- sq-keyring-linter package to admin bootstrap deps and use it to perform additional validation on pubkeys.

Note: In cases where there is more than one Admin workstation at an organization, any users on a non-updated admin workstation (who have not imported the updated pubkey) will see this validation error. I have tried to address this case in the console error message that the user sees.
Testing

How should the reviewer test this PR?
- ./securedrop-admin --force setup -- the sq-keyring-linter package should be installed
- ./securedrop-admin setup completed): User should be informed that a dependency is missing, then prompted for their passphrase and the sq-keyring-linter package will be downloaded
- validate-gpg.sh script correctly handles various cases: a good GPG pubkey successfully validates, return code 0; a GPG pubkey with mismatched fingerprint does not successfully validate, return code 1; and a GPG pubkey with correct fingerprint but weak key (SHA-1 signed) does not validate, return code 2.
- validate-gpg.sh gracefully handles case where sq-keyring-linter package is missing (prints a warning but continues with validation).

Here is a sample bad key for ease of testing, or you can generate one with gpg --full-generate-key (choose RSA, 1024 bit):

key details:
Deployment
TK
Checklist

If you made changes to the server application code:
- Linting (make lint) and tests (make test) pass in the development container

If you made changes to securedrop-admin:
- Linting and tests (make -C admin test) pass in the admin development container: not yet, tk