Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Common enough to use it.. linux distros frequently distribute updates over http (and ftp). But those are always signed. Something eScan did not do.


Can’t you switch out the signatures inflight, too?


AFAIK, the worst you could do is serve the victim stale (valid) packages, and prevent them from seeing that there are new updates available.

I maintain a (somewhat) popular mirror server at a university, and we actually ran into this issue with one of our mirrors. The Tier 1 we were using as an upstream for a distro closed up shop suddenly, leaving our mirror with stale packages for some time before users told us they never got any updates.


I don't think that would work with most distros, since you're fetching an (also signed) update list and you'd get notified that the update failed due to a stale list, or that the expected updated package was missing on the mirror.


If it’s based on asymmetric encryption, (e.g. RSA, DH etc) and the private key did not leak, then no.


You could, but then the signature check would fail. Usually the public keys of developers or packagers are shipped with a linux distribution.

However, you shouldn't blindly trust in this in "linux" either. The implementation varies between package managers. Eg. DNF in Fedora has signature checks not enabled for local package installations, by default. There is no warning, nothing. If you want to infect new Fedora users, you MITM RPMFusion repo (codecs etc) installation, because that's a package almost everyone installs locally and the official install instructions don't show how to import the relevant keys beforehand. Arch was also very late to the validation party.


How is Arch vulnerable? While I don't have an Arch system handy, I do have a steam deck that I play around with (in an overlay), and I've certainly run into a lot of signature issues due to Valve making a hackish "pin" of the evergreen Arch with signatures in the Valve tree's snapshot being often out of date.

Those signatures are also checked for local installs unless you explicitly disable them.


Pacman has signature checks by default, for over a decade now, I think, but they have been ridiculously late with universal usage of this feature, relatively speaking. They were still barebacking their machines, when everybody trivially knew the internet was serious business and expected signature checks, therefor.


I realize now it was a stupid question, but the excellent refresher and ensueing discussion of edge cases was well worth the downvote someone felt compelled to leave, haha




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: