Please read my previous post, Security and Usability Issues of Clear Signed Checksum Files.
A malicious mirror may be able to trick a naive user into believing a malicious Fedora Linux ISO file is authenticate.
Clear signed checksum files and ISO files are provided by mirror servers (whom may or may not be trustworthy). Assume a malicious mirror is sending tampered checksum files and ISO files.
The tampered checksum file has the following features:
- Inserted SHA256 hash outside of the header lines.
- The file name
Fedora-Workstation-Live-x86_64-40-1-14.iso
is a small modification of the file nameFedora-Workstation-Live-x86_64-40-1.14.iso
. - The checksum value
80bd...86ab
represents the checksum of the tampered ISO file.
SHA256 (Fedora-Workstation-Live-x86_64-40-1-14.iso) = 80bda9b012b90a7147d477d81cc27e656d09f4c1dadfc2352288be3db79586ab
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
# Fedora-Workstation-Live-osb-40-1.14.x86_64.iso: 2623733760 bytes
SHA256 (Fedora-Workstation-Live-osb-40-1.14.x86_64.iso) = 8d3cb4d99f27eb932064915bc9ad34a7529d5d073a390896152a8a899518573f
# Fedora-Workstation-Live-x86_64-40-1.14.iso: 2295853056 bytes
SHA256 (Fedora-Workstation-Live-x86_64-40-1.14.iso) = dd1faca950d1a8c3d169adf2df4c3644ebb62f8aac04c401f2393e521395d613
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEEV35rvhXhT7oRF0KBydwfqFbecwFAmYisFcACgkQBydwfqFb
ecxHAhAAuyBb34jmvnR7GTfHfkUjh2s+oyn47Ytj7mhhNSwvg63utYdYbqQs2htS
oplomvcO0lt0vBeHjXGLUL4PeGhPWO/4As9hM7QjdqdRGUiZLYdVv44qzmApesWm
QU+tl9b76cf/QzUOcGSlGrhYWKZ+sZ/Ke9G81WQOlThcwUcVHVDwwJtsHShpsa8e
0WefRZiR3+qRxLxuzBtN7K7lXTBXzAqF4rTPZeBHSQ6oiLnKc8dARMxucov20MQx
MDQfmXXz7zNWilKjucurEuQxYGUkzl08kAHEZbeF4sgkaEqnWerovj7hdgyhW4Fx
Riw7t7B2Y2rMpJmRsH9loGATmB2g+4TyLDcOr8uQvLMTj3ytUw1GD+yPsxv4z2ik
Lx9MPllA+GGaMMUKfUThHLlZMvBOXYymbOlKZVHX/78I+G6t5efmn77v6R2SwgW3
V43/QNJld3+J6V68sk3g3KFpGbrvPoEzYYMXOTzy5gHGB3ppuvdDldgzFKwi2Dsy
LIlORoGpBsLSi6SUGPXw3i/UG04lnna3nX5I0sZMWV2kVbTziI9vit8nichcAXQs
qG2yuINwFxVxC7Gf76n0OIjy5dyapaJfCHWerGFy5cFQbuAv5JvfvBocLm3a58hh
Xfc5x/jQjnRPYBg9o2dA1kEwmoA76yR9apSoqNQtACdnVMMhzrA=
=HgqN
-----END PGP SIGNATURE-----
The tampered ISO file has the following features:
- A file name
Fedora-Workstation-Live-x86_64-40-1-14.iso
. - A checksum value
80bd...86ab
.
Assume the user follows the documented ISO verification process (the user already possesses the tamper checksum and ISO files).
- Import Fedora’s GPG key(s).
curl -O https://fedoraproject.org/fedora.gpg
- Verify the checksum file is valid. Verification is successful, since the inserted data is outside of the header lines.
gpgv --keyring ./fedora.gpg Fedora-Workstation-40-1.14-x86_64-CHECKSUM
- Verify the checksum matches.
sha256sum -c Fedora-Workstation-40-1.14-x86_64-CHECKSUM
The sha256sum
program with --check
/-c
reads a file line by line; it will identify file names and check their respective checksums are consistent. The sha256sum
program will read data OUTSIDE of the signed data area of the signed checksum file. In other words, sha256sum
will check the file checksum that the malicious mirror arbitrarily inserted outside of the header lines. And since the malicious mirror delivered a tampered ISO file with a DIFFERENT file name, the checksum values inside the signed data area (i.e., the legitimate and authentic checksum values) will never be used.
We get the following result from sha256sum
:
Fedora-Workstation-Live-x86_64-40-1-14.iso: OK
Fedora-Workstation-Live-osb-40-1.14.x86_64.iso: FAILED open or read
Fedora-Workstation-Live-x86_64-40-1.14.iso: FAILED open or read
sha256sum: WARNING: 2 listed files could not be read
It is not uncommon for a checksum file to contain multiple checksum for multiple files. Debian and Linux Mint both provide checksum files with multiple lines. A naive user may mistakenly assume that they are simply missing a few ISO files.
Even worse is if sha256sum
is used with the --ignore-missing
option. Then the output of sha256sum
is the following.
Fedora-Workstation-Live-x86_64-40-1-14.iso: OK
The cleartext signature format and errors with Fedora’s file verification documentation could lead to a user accepting a tampered/malicious ISO file. The solution is to use detached signatures, or switch to a modern signing tool like minisign
.
Thank you all for reading my post.
Doby Mick