
"Promote" Module::Signature from Bundle::CPANxxl to Bundle::CPAN #137

Open · wants to merge 1 commit into base: master

Conversation


@dweekly dweekly commented Jun 24, 2020

Module::Signature is critical for validating signatures for downloaded CPAN modules; lacking enforced signatures or HTTPS support in CPAN, Perl installs don't know the provenance of the source code they are downloading and installing on their systems. This is a small patch to "promote" Module::Signature from the XXL bundle to the regular one as a step towards checking signatures systematically.

This PR is part of a larger effort to "Secure Perl" - comments welcome at https://docs.google.com/document/d/1DRkiCJhJu4RDI0u_JppBpFa0djouskxEyNHax912U_w/edit#

@briandfoy (Contributor) commented Oct 31, 2023

As noted in your Google Doc, Module::Signature doesn't offer any security. It checks that a signature file matches some text in another file, and neither file is secured. Checking two unsecured values against each other gives people the false hope that they are somehow protected. We should not be part of that charade.

There are other ways that we might handle this, some of which you noted in the link. However, this isn't one of the things we should pursue.

@stigtsp (Contributor) commented Nov 1, 2023

I agree that Module::Signature should not be used, at least not non-interactively, for the following reasons:

  1. No trust root is checked to ensure you're getting the correct pubkey for the author; instead it relies on the user's gnupg trust settings.
  2. SIGNATURE data does not contain a reference to the distribution name, author and version, allowing for replay attacks.
  3. The SIGNATURE file is contained inside the distribution package, requiring it to be unpacked before checking signatures, allowing for attacks on, e.g., zlib or tar.

Some work being done:

  • Getting TLS support into Perl core would be very helpful, allowing all CPAN clients to default to secure transport; there is an effort underway here.
  • Work has been started in the CPAN Security WG looking at implementing The Update Framework for CPAN. This spec supports repo signing and author signing.
  • CPAN-Author-Signature is an experimental proof of concept for author signing that I wrote to fix the problems with Module::Signature, using ssh keys instead of pgp keys - but I think The Update Framework is likely a better approach for author signing.
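The replay point (2) above, as an added example that is neither the PR's nor Module::Signature's own code: a manifest signed without distribution name and version verifies just the same when shipped under a different version label, while one that binds those fields is rejected. It assumes a constructed HMAC key in place of the author's PGP key, and the constructed names Foo, 1.01/1.02 and AUTHOR.

```perl
# Added example, not code from this PR or from Module::Signature. A signed
# manifest covering only file digests can be reused under another version
# label; binding Distribution/Version/Author to the signature closes that gap.
# HMAC-SHA256 with a constructed key stands in for the PGP clearsign.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex hmac_sha256_hex);

my $KEY = 'constructed-demo-key';   # placeholder for the author's signing key

# One "SHA256 <digest> <path>" line per file, as a SIGNATURE file lists them.
sub file_lines {
    my ($files) = @_;                # hashref: path => contents
    return join "\n", map { "SHA256 " . sha256_hex($files->{$_}) . " $_" }
                      sort keys %$files;
}

# Unbound form: only the digest list is under the signature.
sub sign_unbound {
    my ($files) = @_;
    my $body = file_lines($files);
    return { body => $body, sig => hmac_sha256_hex($body, $KEY) };
}
sub verify_unbound {
    my ($m, $files) = @_;
    return hmac_sha256_hex($m->{body}, $KEY) eq $m->{sig}
        && $m->{body} eq file_lines($files);
}

# Bound form: identity header is signed and checked against the install target.
sub sign_bound {
    my ($dist, $ver, $author, $files) = @_;
    my $body = "Distribution: $dist\nVersion: $ver\nAuthor: $author\n\n"
             . file_lines($files);
    return { body => $body, sig => hmac_sha256_hex($body, $KEY) };
}
sub verify_bound {
    my ($m, $dist, $ver, $author, $files) = @_;
    return 0 unless hmac_sha256_hex($m->{body}, $KEY) eq $m->{sig};
    my ($hdr, $list) = split /\n\n/, $m->{body}, 2;
    my %h = $hdr =~ /^(\w+): (.*)$/mg;
    return $h{Distribution} eq $dist && $h{Version} eq $ver
        && $h{Author} eq $author && $list eq file_lines($files);
}

# Constructed scenario: the 1.01 files and their SIGNATURE repackaged in a
# tarball named Foo-1.02 (a rollback to a release with a known bug).
my %old = ('lib/Foo.pm' => "package Foo; our \$VERSION = '1.01'; 1;\n");
printf "unbound check: %s\n", verify_unbound(sign_unbound(\%old), \%old) ? 'accepted' : 'rejected';
printf "bound check:   %s\n", verify_bound(sign_bound('Foo', '1.01', 'AUTHOR', \%old), 'Foo', '1.02', 'AUTHOR', \%old) ? 'accepted' : 'rejected';
```

The unbound verifier has no way to notice the version mismatch because nothing in what it signs names the release; the bound verifier rejects it on the Version field before it even compares digests.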
