[19.03] gnupg: change default keyserver to non-SKS #63964
Conversation
See https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f. The SKS network is vulnerable to certificate poisoning, which can destroy GnuPG installations. keys.openpgp.org is a new non-SKS keyserver that is resistant to this type of attack. With such an attack being possible, it is unsafe to use SKS keyservers for almost anything, and so we should protect our users from a now unsafe default. keys.openpgp.org offers some (but not all) functionality of SKS, and is better than nothing. This default is only present in gnupg22. gnupg20 and gnupg1orig are not affected. (cherry picked from commit c727083)
See discussion at NixOS#63952 (comment). Upstream commit: commit 1c9cc97e9d47d73763810dcb4a36b6cdf31a2254 Author: Daniel Kahn Gillmor <[email protected]> Date: Sun Jun 30 11:54:35 2019 -0400 dirmngr: Only use SKS pool CA for SKS pool * dirmngr/http.c (http_session_new): when checking whether the keyserver is the HKPS pool, check specifically against the pool name, as ./configure might have been used to select a different default keyserver. It makes no sense to apply Kristian's certificate authority to anything other than the literal host hkps.pool.sks-keyservers.net. Signed-off-by: Daniel Kahn Gillmor <[email protected]> GnuPG-Bug-Id: 4593 (cherry picked from commit ba23c14)
alyssais
added
1.severity: security
grahamc
changed the title
|
Some context. Current default keyserver (SKS pool) allows for certificate poisoning attacks which can effectively brick user's GnuPG installation. Attack is based on adding tens of thousands of signatures to the key, at which point, when user ends up importing the key (including unwillingly, via The problem lies with SKS not having any rate limiting and exacerbated by SKS accepting arbitrary OpenPGP packets, including cryptographically invalid packets, including non RFC compliant packets. There are a few similar attacks documented on SKS BitBucket, and there are likely more. SKS is not being maintained at this point, so this is unlikely to get fixed. https://keys.openpgp.org is more resistant to these kinds of attacks, at cost of losing capability to synchronize between servers. It is a Hagrid keyserver instance that is being run by Sequoia, OpenKeychain and Enigmail developers. |
|
Backwards-incompatibilities:
Seriousness of the issue:
Why the issue is making noise now, while it had been more or less ignored in the wider world until now (though this issue is one of those that prompted development of the software keys.openpgp.org runs and it has been discussed lots of time):
Other mitigations:
So, with all of the above facts now known, my opinion is that this issue is not actually that bad. And that, actually, the fix would, for the stable channel, cause more damage (by breaking all scripts that rely on talking to keyservers and/or using the WoT) than the initial issue causes damage. On the other hand, turning on So I think the path we should choose forward should be:
|
agreed. please help make progress on fixing this
What human usage are you concerned about? The current human usage i'm seeing is that people are finding themselves locked out of their e-mail programs because "mail.app crashes" (probably not relevant for nixos) or "thunderbird is unresponsive" or "sending mail takes forever". I've even heard of people deleting their mail stores to try to debug this problem.
trollwot's git repo dates to 2013. the fact that it is not recent does not mean it is not serious. The time to deal with it as a low-urgency fix was 2013, and we as a community failed to do that. Now that it is actively being exploited it is indeed a high-urgency situation.
gpg also fails when you are using other keys, or even when you are just trying to list the set of keys in your keyring. please see upstream performance reports.
There are definitely more than 3 keys currently flooded (i know of 6 currently) and it is trivial for anyone to flood all of them.
As someone whose certificate was flooded, I am indeed emotionally affected. I wrote about the emotional effect. But the people whose keyrings contain the flooded certs are the ones who are directly affected, not just the people to whom those certificates belong. Any keyring that contains the certs become unusable.
If those scripts are currently used in any critical systems, those scripts are subject to breakage by an arbitrary attacker at any time, and once flooded, the attack will be persistent because even deleting the known key from the keyring can take 15 minutes or more on flooded installations. A clean break that avoids permanent ingestion of flooded certificates seems healthier to me, though I can understand seeing it the other way around too.
I agree that enabling import-clean by default is a reasonable step to take. I've suggested it to upstream too. In general, please consider pushing your own recommendations upstream rather than keeping them local to NixOS.
Encouraging people to create custom configuration files that will linger long after they have forgotten about the problem doesn't seem like a great idea. I don't understand NixOS' "attribute names" so i can't comment on that part. |
This quickly became a 404 upstream. Fixes https://github.com/NixOS/nixpkgs/64256. (cherry picked from commit 4cab729)
|
Please do not merge until #64256 is resolved and the fix can also be backported.
Sorted.
|
|
Thank you for your precisions! For import-clean, I took the idea from the ML, and assumed it was being tracked upstream already -- thank you for pointing out that it wasn't and actually starting tracking it. As for NixOS' “attribute names,” it'd be basically equivalent to providing both the current I think that we now have as much information as we could have, and the last thing we need to do is choose, for the last ~4-5 months 19.03 will live, between Scylla and Charybdis. @lheckemann @samueldr Do you have enough information to make a choice here? I think it'll be hard to gather a consensus around the one best option, but hope everyone will agree that both paths are about as bad, with both pros and cons for each. If other people want to give an opinion on the matter without not-yet-mentioned arguments, I suggest using emojis on this comment:
|
|
Agree with all of dkg's points. This is only going to get worse, and
inaction puts our users at risk at some random future time when
somebody tries to attack them. Mitigating the issue will at least give
our users clear steps to take, and we can communicate, rather than
allowing a third party to disrupt them.
"mail.app crashes" (probably not relevant for nixos)
FWIW Nixpkgs also supports macOS, so we should are concerned about this.
I don't understand NixOS' "attribute names" so i can't comment on that part.
Think of it like a package name in other systems. It's how you refer to
a package to install it.
|
|
@Ekleog, one more thing to keep an eye on is |
|
@wiktor-k In my opinion, if we think of doing |
|
@Ekleog, The real drawback of I'm not pushing for it, just wanted to share the option. (For some closed circles and when one controls the domain Web Key Directory is a fine middle-ground, keys are fetched over secure connection and cannot be spammed. Gentoo and Debian already publish developer key's via WKD, is NixOS planning to? :) ). |
|
@wiktor-k Oh, I was thinking it did not import User IDs either. Thank you for the clarification! (as for WKD, NixOS doesn't provide developers with an @nixos.org email address, so AFAIR NixOS can't provide WKD even if it wanted to :)) |
|
(@Ekleog, got it, for now I'll need to rely on the "centralized" [Member] badge) :) |
@dkg: in this context it means creating a separate GnuPG package with this fix.
Can confirm: my key has also been flooded (likely because of my involvement in SKS issues similar to this one). I don't use it for email (I have a separate Autocrypt key for that), but if anyone tries to fetch it, say to check any of my commit signatures in this repo, their GnuPG install will be broken (and recovery time will depend on how much my key has been flooded: I don't know the exact size).
|
|
5 days in, 2 ❤️ and 1 🚀. I'd like to go ahead and merge this as-is on Wednesday unless there are any concerns left over doing so or vote result changes. |
|
@lheckemann @samueldr Could you confirm whether you're OK or not with merging this? It sounds like a complex enough decision to warrant some comment from one of you. All the information needed for deciding should be available in the comment at #63964 (comment) and the post by @dkg just below. |
|
I'm unsure, though that isn't a -1. Do we have some established procedure for announcing necessary breaking changes in stable versions? |
|
For the time being, none that I know of, apart from an announcement on the discourse. (And, similarly, we have no way that I know of to announce a security vulnerability we can't properly patch on our side, apart from an announcement on the discourse.) Aside: I guess a good first step to solve this other issue might be to open a moderated discourse category and add a paragraph in the manual to tell people to subscribe to it, so that we would at least have a way of pushing information to end-users, until we figure out some way to push information at nixos-rebuild time or similar. |
|
Well, I didn't study details of this, but at least I pushed e8e1eec which is claimed to mitigate the problem (and I see no controversiality about that bump). |
|
Just came across https://bugs.archlinux.org/task/63147, to make the kind of backwards-compatibility breakage I'm speaking of more explicit. (Now, at least in nixpkgs we don't rely on the keyservers, so we wouldn't be breaking all NixOS machines -- “just” the scripts that would behave like pacman does) |
|
Ah, I see it's not as straightforward as I originally thought. |
|
The 19.09 is out. Is this still relevant? |
|
It is not. This change is the default in stable NixOS starting from 19.09. |
Motivation for this change
Backport of #63952. I expect this to be controversial since it is a breaking change, and I know @Ekleog disagrees, so I’m opening this for discussion and to allow the release managers to make the call.
Personally, I think this is the right thing to do. keys.openpgp.org may not support all of SKS’s features, but it’s the only solid way to ensure our users are protected against their GnuPG installations becoming unusable. We could set
import-cleanby default, which protects against the attack iff the attacker has not managed to already get their own key into the user’s key ring, but doing that isn’t exactly difficult, especially if they enableauto-key-retrieve.To summarise our options:
import-cleanby default. Mitigates the attack in some cirmcumstances, but not all by far.Things done
sandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)