
Bad signature warnings


aRTee

Quick question: do others using Mdv2006 also see so many Bad signature warnings? I get those a lot (really a lot), and not just on packages from remote ftp servers, also when I install things from the clubmember dvd.

 

Am I the only one or is everyone already conditioned to ignore these?

 

The latter would be really bad..

 

Please speak up!


I usually only get them when I get stuff from cooker and even then not consistently.

When I do get them it is usually for quite a large number at one time. I rarely get them when I get rpms from Main, Contrib or Updates but it does happen for an occasional package.

I generally ignore them and in all the years that I have been using Mandrake/Mandriva have never had a problem as a result, in this regard.

 

As I understand it the signature is mainly to confirm that the rpm has come from its legitimate original source. It is not like the checksum which helps to confirm that the package has not been corrupted during download or transfer or burning.

I think you can safely ignore.

 

Cheers. John.


I get them often, and I don't know where the cooker is! I know that it is something to do with new stuff that is still in development stages, or at least believe that is the case. Anyway, I always ignore them. I guess I'm conditioned that way too.

 

Shane


John, I agree that for now you can safely ignore.

But - a time will come that you can't.

 

Recall the events of the last 12 months: gnome server hacked into, gnu? server hacked into, and recently, a mozilla fansite spread trojans inside mozilla installers.

 

The point being: Linux distributions are way ahead in terms of security.

The signatures are intended to prove the source of the rpm.

 

Now, think how one could get a trojan into a Linux system that's being used according to the rules. In Linuxland people don't just go to any website and download these cool programs, no, they just download from the official repositories.

So setting up some website with lots of cool nice freeware programs - that just happen to be infested with trojans/spyware etc - is not an option.

 

Infecting an ftp server that serves packages would be the way to go, because that's where people get their code that they have executed on their system.

 

Replacing an rpm on that ftp server may have people download these infected programs - but the signature will warn that it's not been packaged properly. So even this - currently non-existent - threat is already dealt with.

If the sig is wrong, it means the source is not trusted. It gets better: even if the ftp server/mirror gets hijacked, and the keys on the server get replaced (ooh, lots of work) to match the keys of the infected packages, this would get noticed in two ways: first, all non infected packages that were signed with the correct key will now give an error, and chances are that the repository was added way before this particular piece of software gets installed at the users request.

So the only ones who will get infected are those who add (update?) the repository, getting the new fake/wrong key and doing an installation of an infected package.

All others will be in the clear.

 

In comes Mandriva, training their users for years that one should just ignore the signature warning, and the whole idea is wide open to abuse.

 

_THIS_ is why I don't like it. Really, in terms of security Linux is ahead of the curve, but if you take the shortcut you risk ending up in the water.

Well, admittedly this is not a problem today, but the system is so well thought out that letting it break like this is really not good...

 

 

 

Anyway, are you and/or others also having issues with packages from mdv06 main, contrib or the dvd?


You are preaching to one who knows all that. That is why I make a personal judgement thing on it each time. If I do believe the particular package is truly from that source then I ignore the message. Note that I said what it is for. So yes I do make a judgement each time. While there is a possibility of the sort of situation you mention, I do not let paranoia colour my judgement. I think there is more than just a smidgeon of paranoia about at the moment. As I said also in my post, I still think it safe to ignore.

 

If troubles started to develop in that area then Mandriva could change the default of the system to NOT permit install of a package if the signatures did not match.......then you would have bellyaching that the user no longer has control over their own computer. At the moment you have control to be able to make that decision for yourself. If you don't like that freedom then don't use the suspect packages. This is becoming just another paranoia version of the working in root versus not working in root. A person I respect very much, BVC, knows this discussion very well.

 

Whenever the question has been put here to MUB, the answer has usually been yes, it is safe to ignore the message and it still is. How this can be construed to be Mandriva irresponsibly training users to ignore the message is beyond me. They have never done anything of the sort.

Only a check sum method will detect if a covert malware change has been made to a package. Signatures won't. Like I said signatures basically only help to confirm the source and would NOT uncover that a server that had been hacked and had a package substituted with a phoney one. From what I have read, a lot of the times it is the programmer of the particular package that does not do the last bit of detail that enables a signature. A criticism ???. Not at all. They do the whole thing at their own expense, time and effort so if we feel strongly enough about it then we are free to ignore their packages. It is really that simple.

 

No I am not having any difficulties with any of the packages I have downloaded for 2006-official. I am presently experiencing difficulty downloading updating of updates of 2006-official, for Main and Contribs, at the moment even though I have tried a couple of my more reliable mirror sites. I have not been trying cooker since I went the full upgrade to 2006-official just these few days ago. I am thinking of trying cooker again some time this coming mid week.

 

Do you know a hint of something that we don't ???. If so then please let us in on it otherwise just hinting feeds paranoia.

 

Cheers. John.


This is about proper behaviour.

 

Just as the root example, bvc can ignore proper behaviour and he'll be fine.

Some others will be in trouble that they can't get out of at some point.

 

Do we want only those people who have inside knowledge about Linux to be using it without issue?

 

Are those on MSWin who have a spambot without knowing it at fault, those who run one-click email trojans (anna_kournikova_naked.jpg.vbs), or could the system possibly be set up in a smarter way that prevents issues?

If the answer to the latter is yes (when would anyone EVER have to execute an attachment received via email? Just make those attachments non-executable and it's done - except that MSWin doesn't allow this due to the way it works), then the system is at fault and the user is not the only one to carry the blame.

Sure, the user should/could be educated about how to use his computer - but that's just not realistic.

 

 

In UNIX, the proper behaviour is not to run as root. Specialists like bvc can ignore that, but that doesn't make it proper behaviour, it just proves that it _is_ doable.

 

 

As for signatures and source, AFAIK the signature is signed on top of the whole package, just as a regular email pgp signature,

 

The signature tells you that the package is from someone who has the other end of the key and confirms package integrity.

If I'm mistaken about this, I take back what I said here. I have done some googling and find that indeed the signature check is pgp based and is the only means that the end user has to verify the origin of the package. The man page also mentions this.

 

 

I agree that at this moment it's not a big issue to ignore the warning, I'm just saying that this is an indication that things aren't working as they should.

And that is just some 'unpolished' behaviour from what I believe to be the best distribution from Mandriva/Mandrake so far, only possibly outdone or met by the most recent releases of other distributions (K-Ubuntu 5.10? SUSE10? Still have to try).

 

Besides, if Mandriva is the first distribution whose users get trojans on their systems (which may not be far away if ignoring / clicking away the warning is the standard way to install any package), it's really bad for Linux in general and Mandriva in particular.

 

So basically, I'm not spreading paranoia, but I see a gaping hole that can easily be closed, with just a bit of effort - that should go with building packages on the developers side, and with responsibility on the users side.

 

Just suppose that all packages are signed properly. As was the case with Mdv05LE for most packages. Imagine an ftp server gets hacked, people who get infected with trojans because of that _are at fault themselves_ !

They chose to ignore the "incorrect signature" warning.

 

Now, if most packages give the "incorrect signature" warning when one installs them, and people get their machines infected with trojans after some ftp server gets 0wn3d, you can't possibly blame them; not ignoring those sig warnings would have left them with an unusable barebone system. So the blame would be on the packagers and ultimately on the distribution maker, in our case Mandriva, because in fact, the mechanism to avoid trojans is already broken.

 

The reason I started this topic is to know if others also see this, because as I just said, mdv05le was very clean in this respect. I'm still not sure if something went wrong in my installations (though it happens on all 3 machines I installed)...

 

I would like to know what others think of this - maybe it's time for a poll...

 

 

In any case, to rebut some of your arguments that I disagree with and to comment further:

 

That is why I make a personal judgement thing on it each time. If I do believe the particular package is truly from that source then I ignore the message. Note that I said what it is for. So yes I do make a judgement each time.

 

So based on _what_ do you actually believe that a package is truly from a certain source?

The only thing that one may assume is that it comes from the ftp server that holds your repository - and even that could be hacked around, purely technically spoken.

Moreover, YOU may be able to judge (I still don't see based on what), but how can a novice judge anything? It will just scare and worry them.

I think you base your belief that it's ok to continue on the fact that there is no publicised case of such a trojan-ftp-hack at this moment. Do you realise that that will only happen AFTER people's machines are infected? Wouldn't it be nice if it DIDN'T happen to Mandriva?

 

I do not let paranoia colour my judgement.

If I did, I wouldn't install those packages. Please don't imply paranoia on my part, I find it personally insulting and misplaced. If you believe it's not, read my message again. I'm not afraid _today_ that this will get people in trouble. I'm just explaining why _tomorrow_ it can.

 

As I said also in my post, I still think it safe to ignore.

From the user point of view, sure, most likely. From the system point of view (how things are supposed to work), things have to change. There's no reason not to go for the proper methods if they are readily available.

 

If troubles started to develop in that area then Mandriva could change the default of the system to NOT permit install of a package if the signatures did not match...

Well, if troubles started this would really be a black moment for Linux. It would be too late for those affected. And, worst of all, it could ALL have been avoided. By using the available mechanisms in the correct way.

 

At the moment you have control to be able to make that decision for yourself. If you don't like that freedom then don't use the suspect packages.

At which point today you won't have fun with your MDV06 system, considering all the packages you wouldn't be able to use. OOo2pre, to name a popular one.

Again, based on what can a novice (who Mandriva really loves to have) make that decision? Remember, not everybody comes here and finds out what is what. Most people don't care, and if things break the system is at fault in their eyes. Which in this case can easily be defended. Oh and for sure those people (novices who feel they get burnt) either run back to where they came from or move to another distribution with the intention never to come back.

 

This is becoming just another paranoia version of the working in root versus not working in root.

I'm not telling anyone not to use packages with this issue, whereas I will advise anyone not to run as root. And I'm not paranoid even if you say/imply so. Please stop the ad hominem.

 

How this can be construed to be Mandriva irresponsibly training users to ignore the message is beyond me. They have never done anything of the sort.

Message on forum: hey I get this warning, so I didn't continue, now I don't have my software installed!

Reply: Just ignore.

Answer: ok, thanks, now it works.

 

This is what I mean, and we have had those threads.

If packages that Mandriva SHIP on the Powerpack dvd would not have this issue, no one would get conditioned to ignore warnings.

 

Only a check sum method will detect if a covert malware change has been made to a package. Signatures won't.

This is incorrect. Read the manpage, search with google. Read my above comments.

Signatures serve EXACTLY the purpose of offering a way to detect trojans and tampering etc outside of the doings of the packager.

 

From what I have read, a lot of the times it is the programmer of the particular package that does not do the last bit of detail that enables a signature. A criticism ???. Not at all.

And I thought that Linux / Free Software was about the highest standard... Anyway, it's just one single command to sign a package. Of course, if no one complains about it, this will be standard behaviour. So I'm doing the complaining, if no one else will.

 

They do the whole thing at their own expense, time and effort so if we feel strongly enough about it then we are free to ignore their packages.

I do the translation for Mdv at my own expense. Firstly, I do get rewarded as do those packagers, with a VIP (~silver) membership. Secondly, if someone sends me a message that my translation is not up to standards, and especially how it can be done better, I will improve it. If people just decide not to use the localised version that I translate for, HOW CAN IT GET BETTER?

 

I think Mandriva is getting very professional, the looks of the new site are great, they are doing better pr, and Mandriva Linux seems to be all that. I just think the i's should be dotted, and see no reason not to.


I agree that at this moment it's not a big issue to ignore the warning, I'm just saying that this is an indication that things aren't working as they should.

...

Besides, if Mandriva is the first distribution whose users get trojans on their systems (which may not be far away if ignoring / clicking away the warning is the standard way to install any package), it's really bad for Linux in general and Mandriva in particular.

I agree with you completely. This is a security thing that shouldn't be taken lightly, even if it was in the past. If you have some critical data on your systems and cannot afford to lose that data or cannot afford a downtime of your system, then package integrity is a must.

For us, who are a bit more experienced, it might not seem very problematic right now but who knows what the future will bring? The more secure Mandriva gets, the more success it will have - no doubt there.

 

PS: If I decide to do the ftp-install with 2006, will I encounter the signature problem, too? Any ideas / experience?


aRTee

 

I am getting the same error. According to the cooker mailing list this is a temp. problem of some/the majority of the mirrors where in the /media_info dir a/all md5sum of the hdlists is/are missing, and urpmi is complaining.

It's weekend in Paris, sun is shining bright, we are having a wonderful autumn - and I believe they will fix it after the weekend.

 

Cheers to Zuerich,

 

--chris, sighing about the mdv mirror mess, same as every year :-)


Thanks arctic.

 

Chris / anna, good to know they will fix it, however, I'm seeing these with the powerpack dvd, not just external ftp/web repositories, so this is not going to be fixed for mdv2006... supposedly this dvd is the same thing that will be the boxed product, hence my 'paranoia'.

 

Any others??

 

 

John, did I stroke your feathers the wrong way? Can't say that it was intentional. Hope you get over it at some point.

 

Hi BVC, I think I just joined your unofficial club.

This has NOTHING to do with working as root.

I don't see why you want to drag bvc into this, firstly how can you be so sure he agrees with you, secondly, are you afraid you need someone on your side because your reasoning is flaky and you ran out of arguments and hope he may have some for you?

 

As for your lack of counter arguments, I take it that you either agree with mine or haven't processed them properly yet.

I got one more for you:

You are preaching to one who knows all that.

...

Only a check sum method will detect if a covert malware change has been made to a package. Signatures won't. Like I said signatures basically only help to confirm the source and would NOT uncover that a server that had been hacked and had a package substituted with a phoney one.

From the manpage of rpm:

The --checksig option checks all the digests and signatures contained in PACKAGE_FILE to ensure the integrity and origin of the package.

From www.seifried.org/lasg/software/:

This signature can be checked to ensure the package has not been tampered with or is a trojaned version.

From this it is clear that the signature is used to check both the integrity and origin of packages.

 

So go ahead, go on believing you know all that. IMO your position is based on belief, not knowledge. Fine with me, freedom of religion and all.

Now be my guest and show us some more sarcasm, who knows, some may find amusement in it.

In case you care to rebut my arguments, I might follow up.

 

 

 

BTW any others who see the warnings when installing stuff from the official Mandriva iso's?

 

 

PS: AVG works like a charm! Maybe now I can sleep at night once more. :lol:
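Added example, not part of any post in this thread: a Python sketch of the checksum-versus-signature disagreement above, covering a replaced package on a hacked mirror, a replaced key on that mirror, and plain download corruption. The toy RSA keys built from Mersenne primes, the dict standing in for a mirror and all names are assumptions made for illustration; rpm itself verifies PGP/GnuPG signatures.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Toy unpadded RSA key pair from primes p and q (illustration only)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, private):
    n, d = private
    return pow(_digest(data, n), d, n)


def signature_ok(data, sig, public):
    n, e = public
    return pow(sig, e, n) == _digest(data, n)


def publish(data, private, public):
    """Everything a mirror serves: package, md5sum, signature, key file."""
    return {"rpm": data, "md5": hashlib.md5(data).hexdigest(),
            "sig": sign(data, private), "pubkey": public}


def client_check(mirror, trusted_key):
    """The checksum comes from the mirror; the key is whatever the client trusts."""
    rpm = mirror["rpm"]
    return {"checksum": hashlib.md5(rpm).hexdigest() == mirror["md5"],
            "signature": signature_ok(rpm, mirror["sig"], trusted_key)}


# Constructed keys: the packager's, and one generated by whoever took over the mirror.
PACKAGER_PUB, PACKAGER_PRIV = make_key(2**127 - 1, 2**89 - 1)
INTRUDER_PUB, INTRUDER_PRIV = make_key(2**107 - 1, 2**61 - 1)


def scenarios():
    honest = publish(b"constructed payload 1.0", PACKAGER_PRIV, PACKAGER_PUB)
    # Hacked mirror: package, md5sum, signature and key file all replaced consistently.
    hacked = publish(b"constructed payload 1.0 + trojan", INTRUDER_PRIV, INTRUDER_PUB)
    # Transfer damage: one byte of the honest package changed on the way down.
    damaged = dict(honest, rpm=honest["rpm"][:-1] + b"X")
    return {
        "honest mirror, key imported earlier": client_check(honest, PACKAGER_PUB),
        "hacked mirror, key imported earlier": client_check(hacked, PACKAGER_PUB),
        "hacked mirror, key fetched from it": client_check(hacked, hacked["pubkey"]),
        "corrupted download": client_check(damaged, PACKAGER_PUB),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:38} {result}")
```

Only the client that already holds the packager's key sees the substitution; the md5sum stored next to the package passes in both hacked-mirror rows.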


Why just 3 hours ago, I successfully downloaded 25 updates for 2006 official and only one lacked a signature. I am using the British mirror that I generally use and earlier in the day could not get downloads so they must have been updating the mirror. Unlike ANNA I haven't tried cooker for the past 4 days and don't plan to until later in the week so I am not sure if I would get the same problem she experiences.

 

 

I didn't talk about 'cooker' but about the cooker 'mailing list' where also bug reports/mirror reports of the Official distribution(s) are discussed.

 

BTW you don't see the error because the 'update' tree on the mirrors does have the md5sum file which matches the hdlist.

Edited by anna

Okay, ftp-install is finished (it was so smooth...), I checked everything but didn't get any signature warnings. Maybe because the ftp-install grabs the latest packages by default? Dunno... Once I get bad signatures, I will inform you. :)


arctic, I think you normally won't get sig warnings at installation, could you try one or some of the following:

imwheel, lirc, setserial, librrdtool2 (dependency of lm_sensors), gqview, openoffice.org-go-ooo-2.0-0.m129, openoffice.org-go-ooo-kde-2.0-0.m129.3mdk, libSTLport4-4.6.2-1mdk (dependency of OOo2pre)

 

This is a list of packages that I got signature warnings with, and they are what I consider useful software, so in case you don't know these programs, give them a try ;)
