Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Code signing for Piwik releases, and explain to users how to verify PGP signatures #1757

Closed
robocoder opened this issue Oct 6, 2010 · 22 comments
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
Milestone

Comments

@robocoder
Copy link
Contributor

As an additional security feature (against MITM attack):

  • Distribute public PGP/GPG keys.
  • Sign releases (as part of the build script)
  • Upload both release package and signature to repository.

Client verification via either (or both):

  • pear.php.net/package/Crypt_GPG (LGPL PEAR package, requires GnuPG executable, "gpg")
  • pecl.php.net/package/gnupg (PECL extension, requires gpgme library)
@halfdan
Copy link
Member

halfdan commented Jan 6, 2011

I suggest providing a md5/sha1 hash for every Piwik release which can then be checked against the distributed files. We could store those hashes on a different machine so that compromising a single machine doesn't comprise everything at once.
Adding dependencies to other binaries (gpg) is not an option in my opinion.

@robocoder
Copy link
Contributor Author

GPG is more of an enterprise IT feature. Most users won't have the pear/pecl packages to use this.

We can certainly generate sha1 hashes. (This is needed by the Web App Gallery.) Storing the hashes on a different machine has its benefit, but is difficult to automate.

@anonymous-matomo-user
Copy link

I think it would be a good idea if it was optional in the Settings, e.g. a checkbox to verify signature of updates, requiring some gnupg extension.

@robocoder
Copy link
Contributor Author

Revised proposal:

  • filesize (in bytes) + sha1 + code signing via openssl

I'm going to defer the logistics of distributing the hashes to other machines. We don't have the infrastructure for that yet.

@mattab
Copy link
Member

mattab commented Apr 27, 2014

Also requested in #5036 Insecure installation archives

@robocoder robocoder added this to the Future releases milestone Jul 8, 2014
@mattab mattab removed the P: normal label Aug 3, 2014
@mattab
Copy link
Member

mattab commented Aug 5, 2014

See Signing Project Releases

@jaakristioja
Copy link

Aren't the hashes of the source archives from http://debian.piwik.org/pool/main/p/piwik/ signed in the respective *.dsc files? Can the package repository be used as a temporary workaround by people who want signed releases? If yes, what would be the correct key to verify the signatures against?

@filippog
Copy link

filippog commented Sep 9, 2014

http://debian.piwik.org has a "how to use", it'd be nice however if it also mentioned the key fingerprint to use but yeah I guess that could be a workaround if upstream authors agree the key can be trusted

@jaakristioja
Copy link

Yes, but the https://debian.piwik.org/repository.gpg key (66FED89E) appears to be different from the key used to sign the *.dsc files (D5D93B9B).

@aureq
Copy link

aureq commented Sep 9, 2014

@jaakristioja Just quickly jumping in. Yes the key is different because it's the maintainer's key (mine). My key is used to sign the packet and that signature is verified when the package is uploaded but before it's published.
If the signature is recognized (aka locally installed and trusted), then the package is published to the repository. This allows the piwik team to have multiple maintainers who can create the package (at the moment it's @mattab and @aureq).

I will read the entire correspondence later in the day (I'm at work) and I'll see if there's anything we can do to improve the overall security.

@aureq
Copy link

aureq commented Sep 10, 2014

@filippog @jaakristioja the page https://debian.piwik.org/ has been updated and now contains the key-id/key-fingerprint associated with the repository and the published packages.

As I said earlier, the most important part is the repository key which signs the entire repository.
This key is used to sign https://debian.piwik.org/dists/piwik/Release and the signature file is http://debian.piwik.org/dists/piwik/Release.gpg. But this is all automated by the local package manager.

Please let us know if that's all good for you.

@filippog
Copy link

@aureq @jaakristioja LGTM, thanks! looking forward to have also signed upstream tarballs

@mattab
Copy link
Member

mattab commented Nov 14, 2014

Good news everyone, from now on I am signing all releases with my PGP key. Kuddos @aureq for improving the package script in https://github.com/piwik/piwik-package

You can find the keys as the filenames with .asc in the builds servers: http://builds.piwik.org/?C=N;O=D

For example latest release: https://builds.piwik.org/piwik.zip.asc

You can verify the signature as follows

gpg --search-key 5590A237
# enter 1
gpg --edit-key 5590A237 trust
# enter 5
# enter y
gpg --verify piwik.zip.asc

See also #6673

I'd like to create a FAQ to let people know. Do I miss anything / is it working well?

@mattab mattab closed this as completed Nov 14, 2014
@mattab
Copy link
Member

mattab commented Nov 14, 2014

IMO the next logical security step is to enable the download of the Piwik builds over SSL from https://builds.piwik.org instead of HTTP. see Download Piwik upgrade packages via HTTPS #6441

@filippog
Copy link

looks good, I'd recommend using the full gpg fingerprint instead of short IDs. also it'd be nice to provide a copy of the key to be downloaded from somewhere too (e.g. linked from the FAQ itself)

+1 to downloading over https and verifying with gpg as mentioned in #6441

btw a simpler way to verify the signature on the file in isolation without relying on the user's keyring:

export GNUPGHOME=<some_temp_dir_with_right_perms>
gpg --keyserver pool.sks-keyservers.net --recv-keys 5590A237
gpg --verify latest.tar.gz.asc || echo "verification failed"

HTH,
filippo

@jaakristioja
Copy link

Seems to work, but a key fingerprint would be nice indeed. I recommend to also put the full public key on the webserver in case connecting to the keyserver fails (e.g. for people behind firewalls blocking outgoing connections to HKP port 11371).

PS: Thanks you very much! :)

@aureq
Copy link

aureq commented Nov 15, 2014

So, the correct way to do this should be:

wget https://builds.piwik.org/latest.tar.gz https://builds.piwik.org/latest.tar.gz.asc
gpg --keyserver keys.gnupg.net --recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237
gpg --verify latest.tar.gz.asc

@mattab I agree with @jaakristioja and your public key should be in https://build.piwik.org/signature.asc. you can export it with the following command:

gpg --export --armor  814E346FA01A20DBB04B6807B5DBD5925590A237

@mattab
Copy link
Member

mattab commented Nov 15, 2014

my pgp public key signature is on the builds server now: http://builds.piwik.org/signature.asc

Next is to create an FAQ and maybe a blog post I think, if someone wants to volunteer... 👍

@mattab mattab modified the milestones: Piwik 2.10.0 , Long term Nov 15, 2014
@mattab mattab reopened this Nov 15, 2014
@mattab mattab changed the title Code signing Code signing for Piwik releases, and explain to users how to verify signatures Nov 15, 2014
@mattab mattab changed the title Code signing for Piwik releases, and explain to users how to verify signatures Code signing for Piwik releases, and explain to users how to verify PGP signatures Nov 15, 2014
@mattab
Copy link
Member

mattab commented Nov 19, 2014

@mattab mattab closed this as completed Nov 19, 2014
@thomsh
Copy link

thomsh commented Oct 4, 2016

Hello,
I raise this subject for a little suggestion :
Can you put links "How to verify the cryptographic signature" etc on the download page ?
Have a nice day !

@aureq
Copy link

aureq commented Oct 4, 2016

@mattab I think what @theznx is saying is to add details and instructions on how to verify the signature on this download page: https://piwik.org/download/

what's missing to me is a link to the GPG signature (.asc) and the instruction to check it's all good.

gpg --keyserver keys.gnupg.net --recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237
gpg --verify latest.tar.gz.asc

@mattab
Copy link
Member

mattab commented Oct 5, 2016

@theznx we could add such note in the Download page of Piwik. Would you mind creating a new separate issue, as this one is already closed?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
Projects
None yet
Development

No branches or pull requests

8 participants