Security and Usability Issues of Clear Signed Checksum Files - Part 2

Please read my previous post, Security and Usability Issues of Clear Signed Checksum Files.

A malicious mirror may be able to trick a naive user into believing a malicious Fedora Linux ISO file is authentic.

Clear signed checksum files and ISO files are provided by mirror servers (which may or may not be trustworthy). Assume a malicious mirror is sending tampered checksum files and ISO files.

The tampered checksum file has the following features:

  1. Inserted SHA256 hash outside of the header lines.
  2. The file name Fedora-Workstation-Live-x86_64-40-1-14.iso is a small modification of the file name Fedora-Workstation-Live-x86_64-40-1.14.iso.
  3. The checksum value 80bd...86ab represents the checksum of the tampered ISO file.

SHA256 (Fedora-Workstation-Live-x86_64-40-1-14.iso) = 80bda9b012b90a7147d477d81cc27e656d09f4c1dadfc2352288be3db79586ab

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Fedora-Workstation-Live-osb-40-1.14.x86_64.iso: 2623733760 bytes
SHA256 (Fedora-Workstation-Live-osb-40-1.14.x86_64.iso) = 8d3cb4d99f27eb932064915bc9ad34a7529d5d073a390896152a8a899518573f
# Fedora-Workstation-Live-x86_64-40-1.14.iso: 2295853056 bytes
SHA256 (Fedora-Workstation-Live-x86_64-40-1.14.iso) = dd1faca950d1a8c3d169adf2df4c3644ebb62f8aac04c401f2393e521395d613
-----BEGIN PGP SIGNATURE-----
=HgqN
-----END PGP SIGNATURE-----

The tampered ISO file has the following features:

  1. A file name Fedora-Workstation-Live-x86_64-40-1-14.iso.
  2. A checksum value 80bd...86ab.

Assume the user follows the documented ISO verification process (the user already possesses the tampered checksum and ISO files).

  1. Import Fedora’s GPG key(s).
curl -O https://fedoraproject.org/fedora.gpg
  2. Verify the checksum file is valid. Verification is successful, since the inserted data is outside of the header lines.
gpgv --keyring ./fedora.gpg Fedora-Workstation-40-1.14-x86_64-CHECKSUM
  3. Verify the checksum matches.
sha256sum -c Fedora-Workstation-40-1.14-x86_64-CHECKSUM

The sha256sum program with --check/-c reads a file line by line; it will identify file names and check their respective checksums are consistent. The sha256sum program will read data OUTSIDE of the signed data area of the signed checksum file. In other words, sha256sum will check the file checksum that the malicious mirror arbitrarily inserted outside of the header lines. And since the malicious mirror delivered a tampered ISO file with a DIFFERENT file name, the checksum values inside the signed data area (i.e., the legitimate and authentic checksum values) will never be used.

We get the following result from sha256sum:

Fedora-Workstation-Live-x86_64-40-1-14.iso: OK
Fedora-Workstation-Live-osb-40-1.14.x86_64.iso: FAILED open or read
Fedora-Workstation-Live-x86_64-40-1.14.iso: FAILED open or read
sha256sum: WARNING: 2 listed files could not be read

It is not uncommon for a checksum file to contain multiple checksums for multiple files. Debian and Linux Mint both provide checksum files with multiple lines. A naive user may mistakenly assume that they are simply missing a few ISO files.

Even worse is if sha256sum is used with the --ignore-missing option. Then the output of sha256sum is the following.

Fedora-Workstation-Live-x86_64-40-1-14.iso: OK

The cleartext signature format and errors with Fedora’s file verification documentation could lead to a user accepting a tampered/malicious ISO file. The solution is to use detached signatures, or switch to a modern signing tool like minisign.

Thank you all for reading my post.

Doby Mick
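
A defender-side check for the situation described in the post above, as an added example that is not part of the original post or of Fedora's documentation: `unsigned_lines` reports any data in a clear-signed checksum file that the signature does not cover, and `verify_iso` compares an ISO only against the text `gpgv` reports as signed. Both function names are hypothetical; the sketch assumes GnuPG 2.x `gpgv` (for `--output`) and GNU coreutils, and the sample file is constructed from the listing in the post.

```shell
#!/bin/sh
# Print "LINENO: text" for every non-blank line outside the single
# BEGIN PGP SIGNED MESSAGE ... END PGP SIGNATURE block. Returns 1 if any
# such line exists or the block is incomplete, 0 otherwise.
unsigned_lines() {
    awk '
        { sub(/\r$/, "") }
        state == 0 && $0 == "-----BEGIN PGP SIGNED MESSAGE-----" { state = 1; next }
        state == 1 && $0 == "-----BEGIN PGP SIGNATURE-----"      { state = 2; next }
        state == 2 && $0 == "-----END PGP SIGNATURE-----"        { state = 3; next }
        (state == 0 || state == 3) && $0 !~ /^[ \t]*$/ { print NR ": " $0; bad = 1 }
        END { exit (bad || state != 3) }
    ' "$1"
}

# usage: verify_iso CHECKSUM_FILE ISO_FILE [KEYRING]
# Checks the ISO hash only against the text gpgv emits as signed, never
# against the raw CHECKSUM file. Assumes gpgv 2.x and GNU sha256sum.
verify_iso() {
    signed=$(mktemp) || return 2
    name=$(basename -- "$2")
    rc=1
    if gpgv --keyring "${3:-./fedora.gpg}" --output - "$1" > "$signed"; then
        want=$(grep -F -- "SHA256 ($name) = " "$signed" | awk '{ print $NF }')
        have=$(sha256sum -- "$2" | awk '{ print $1 }')
        [ -n "$want" ] && [ "$want" = "$have" ] && rc=0
    fi
    rm -f "$signed"
    return "$rc"
}

# Constructed sample modelled on the tampered file in the post; the
# signature body is a placeholder, so only unsigned_lines is run on it.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
SHA256 (Fedora-Workstation-Live-x86_64-40-1-14.iso) = 80bda9b012b90a7147d477d81cc27e656d09f4c1dadfc2352288be3db79586ab

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SHA256 (Fedora-Workstation-Live-x86_64-40-1.14.iso) = dd1faca950d1a8c3d169adf2df4c3644ebb62f8aac04c401f2393e521395d613
-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
EOF
unsigned_lines "$sample" || echo "unsigned data present: do not pass this file to sha256sum -c"
```

With `verify_iso`, the renamed ISO from the post fails because its file name has no entry in the signed text, regardless of what was inserted outside the signed area.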

Yeah, it seems weird that we’re asking for users to run an external checksum tool, when the crypto tool (gpg) is already capable of doing that, and authoritatively.

Over in the older thread [1], people object that it’s a hassle for gpg to import the appropriate fedora key and then verify the signature. Could that initial import be automated? Could Fedora offer a preinstalled keyring for gpg users? Or maybe drive the verification from another frontend that already knows/trusts the fedora keys, maybe rpm? Or a “fedora-gpg” wrapper that PGPHOME’s the fedora keyrings?

[1] Fedora verification process - #7 by vekruse


I close this one as it more or less duplicates / overlaps with the ongoing discussion that has already centered in the other topic (I guess that’s already indicated by the topic name). I don’t think it makes sense to split the two. Let’s focus the discussion there: Security and Usability Issues of Clear Signed Checksum Files