Log hash of each package going to be installed during template build

[marmarek]

Currently template build process rely on digital signature verification of all downloaded components. This is expected to be done by appropriate package manager. But attacker who control distribution signing key, or found a bug in signature verification code (like CVE-2016-1252) may try to perform targeted attack against specifically template build process. Currently we mitigate this kind of targeted attacks by downloading all the components through tor. This force the attacker to expose infected packages to wider community to have successful attack, but also increase the risk of being caught.
We'd like to extend this process by logging hash of each downloaded package, before it has a chance to compromise logging component itself (so, before being extracted, before executing any script from inside of it). Thanks to #2023 we may have reasonably protected append-only build log of templates.
The missing part is actual logging the hashes. This should be implemented by each builder plugin separately, as it is specific to package manager running there.

[marmarek]

I've implemented this for Debian already:

• QubesOS/qubes-builder-debian@f1e2283
• QubesOS/qubes-builder-debian@a8b7cd1
• QubesOS/qubes-builder-debian@0408d55

Example build log: https://raw.githubusercontent.com/QubesOS/build-logs/master/release/release_2016-12-17_16-33-43

Other distributions (at least Fedora) still pending.

[andrewdavidwong]

This is an excellent idea.

• Could it be extended to apply to packages that users install in templates?

• Could it be paired with a system that uploads the hashes somewhere (if the user opts in), so that everyone's hashes can be compared automatically?

[tasket]

I realize its not the only reason to have a logging function while building templates, but isn't CVE-2016-1252 about a bug in NTP? The fact that OpenSSL was involved seems tangential. It does not refer to verification code contained within a crypto tool and has nothing to do with GPG.

I mention this because Andrew referred to this issue in qubes-devel as inspiration for a hash-based scheme for dom0 updates about which I have reservations.

[marmarek]

but isn't CVE-2016-1252 about a bug in NTP?

No, it's apt bug: https://security-tracker.debian.org/tracker/CVE-2016-1252

[andrewdavidwong]

I realize its not the only reason to have a logging function while building templates, but isn't CVE-2016-1252 about a bug in NTP? The fact that OpenSSL was involved seems tangential. It does not refer to verification code contained within a crypto tool and has nothing to do with GPG.

As Marek said, it's the recent APT bug for which we published QSB 28.

[marmarek]

Done for Fedora too.