Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Encryption Operating Systems BSD

OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto 232

ConstantineM writes "It's official: 'we are moving towards signed packages,' says Theo de Raadt on the misc@ mailing list. This is shortly after a new utility, signify, was committed into the base tree. The reason a new utility had to be written in the first place is that gnupg is too big to fit on the floppy discs, which are still a supported installation medium for OpenBSD. Signatures are based on the Ed25519 public-key signature system from D. J. Bernstein and co., and his public domain code once again appears in the base tree of OpenBSD, only a few weeks after some other DJB inventions made it into the nearby OpenSSH as well."
This discussion has been archived. No new comments can be posted.

OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto

Comments Filter:
  • by ModernGeek ( 601932 ) on Saturday January 18, 2014 @11:10PM (#46002889)
    I'm surprised that this wasn't implemented a long time ago. Even Windows has had signed code for quiet some time.
    • by Anonymous Coward on Saturday January 18, 2014 @11:11PM (#46002899)
      I'm just bothered that such a decision was made based off of the arbitrary capacity of a floppy diskette. The Floppy-based installer should compensate by having it fit across multiple disks and stored into RAM, or some other solution. What's next? Something won't run on a machine with less than 8MB of RAM, so it will be shoved off?
      • by aliquis ( 678370 )

        But they likely want to keep it being just ONE floppy.

        Not bloat it like NetBSD which require TWO floppies.

        (FreeBSD seem to be even worse! ..)

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      OpenBSD is security by arrogance: nobody cares much to pay any attention to it, and anyone who comes with good intentions gets shouted down.

      Distributing unsigned packages in 2014 shows such a lack of concern for even the most basic risks facing administrators and end users that I can only assume it was intentional.

      • by fisted ( 2295862 ) on Sunday January 19, 2014 @12:02AM (#46003185)

        Wrong. Using binary package is just considered not the right way to do things, in OpenBSD land.
        What you do is, check out the source repository, which does make sure the data you get hasn't been tampered with, then build it from source.
        For mass deployments, you can then create binary packages from the result (secure distribution to other machines is your job, however. although that typically isn't much of a concern since it usually happens on the local network.

        IOW, your comment is pure BS.

        • by Sean ( 422 ) on Sunday January 19, 2014 @01:26AM (#46003449)

          And how exactly do you get the OS and compilers to build the source code with?

          • by fisted ( 2295862 )
            Those "probably" (read: as is the case for any other OS) come with the installation media, which is an entirely different matter.
        • What you do is, check out the source repository, which does make sure the data you get hasn't been tampered with, then build it from source.

          Actually, it doesn't. OpenBSD is still using CVS for revision control. After the FreeBSD cluster compromise a couple of years ago, we found that the CVS repository was the one thing whose integrity we could not verify. The current FreeBSD CVS repository was created by exporting from subversion (which could be verified) and validating it against git (which also can be verified).

          Oh, and OpenBSD does recommend getting the binary packages over using ports (but they don't release security fixes for binary

      • by cold fjord ( 826450 ) on Sunday January 19, 2014 @12:09AM (#46003207)

        So, do you have a timeline for when other *BSD and Linux distributions switched to signed packages? It looks to me that FreeBSD only started that move at the end of October, and doesn't appear to be there yet. I don't think I would call that a "crushing" lead.

        There wouldn't happen to be some trolling going on with your post, is there? Especially the "security by arrogance" bit?

        Thu Oct 31 02:10:33 UTC 2013 [freebsd.org]

        Pkg 1.2 will be released in the coming month which will bring many
        improvements including officially signed packages. FreeBSD 10's pkg
        bootstrap now also supports signed pkg(8) installation.
         

        • by Anonymous Coward on Sunday January 19, 2014 @01:48AM (#46003521)

          Majority of Linux installations use RPM or APT, and those had GPG signing since ~2005.

          • by Cyclops ( 1852 )

            Majority of Linux installations use RPM or APT, and those had GPG signing since ~2005.

            Actually, Red Hat's RPM usage included gpg signing of each of the packages individually since before 2000 :)

        • by Anonymous Coward on Sunday January 19, 2014 @02:03AM (#46003567)

          I'm not as familiary with RedHat or SuSe archives, but I did a little digging over at debian.org.

          The debian-archive-keyring package changelog shows an initial release on 10 January 2006, or eight years ago.

          Digging deeper, the devscripts changelog shows the signchanges program (now called debsign) was added in July 1999. The changelog entry implies that it was to aid an already existing signing system, so Debian has had it for about 15 years, possibly longer.

          Now consider that Debian has a reputation as a late adopter.

          • Debian don't sign the binary packages directly (they do sign source packages but that is more as a conviniance to users who get a source package from somewhere other than the repo). Both the upload and download sides of things are now protected by GPG signatures but the two systems are seperate and one is much newer than the other

            The "upload" (developer--->repo) side of things is secured by a signature on the "changes" file which describes the upload. The changes file in turn contains secure hashes* of t

        • FreeBSD systems traditionally built their own packages from the ports tree. The shipped packages are really just the ones that go on the install media, which are typically out of date by the time you get around to installing it. With the new pkg(7) infrastructure, we are properly supporting binary packages and part of the requirement for this was that we'd sign them and distribute the keys out of band. The signing keys are currently distributed using freebsd-update, which was designed to do binary update

      • Seems the above poster knows almost nothing about openbsd, has formed an ignorant opinion and is arrogantly using that to accuse people of arrogance.
        A lot of people use ports instead of packages. Packages are seen as the convenient alternative that is the inflexible and insecure way to install things.
      • It doesnt have to be secure, nobody uses openbsd outright.
        It exists solely for the purpose of begging for donations while at the same time letting big corporations take its code and include in their products without giving back.

      • by Clsid ( 564627 )

        I don't know, surely de Raadt has a reputation, but those guys have done a great thing in general. Having that attitude is what helps getting stuff done most of the time instead of happy hand holding, we are all good friends kind of attitude. Not signing packages and not wanting to use gnupg is kind of absurd, but I have seen weirdest attitudes in the free software world, like sticking with Vi instead of quick edit and easier tools like nano, or this whole thing about gnu info vs man pages.

        I have been using

      • by Bengie ( 1121981 )
        "Good intentions" may be enough for Linux, but OpenBSD likes to have reasoning behind the ideas. Actually, OpenBSD's target isn't even that of being used, which is why it doesn't support proper multi-threading. Their entire focus is making is secure and doing it correctly the first time. It's a platform that aims more for theoretically correct designs, but it just so happens to be quite decent in many practical applications, like firewalls.
    • Comment removed (Score:5, Interesting)

      by account_deleted ( 4530225 ) on Sunday January 19, 2014 @02:13AM (#46003591)
      Comment removed based on user account deletion
      • by dbIII ( 701233 )
        If they go under that just means no conference and having to beg server space from someone. Volunteer groups go over the edge all the time and comparing them to a business is pointless since the aims are very different.
      • by Kjella ( 173770 ) on Sunday January 19, 2014 @10:45AM (#46005161) Homepage

        Theo is the same that he's been for the last 20 years, on the one hand he's militant about the BSD license which gives away all the code to multi-billion corporations then a giant crybaby when the same corporations take the code and give him nothing but a cold shoulder in return. Oddly enough he's managed to gather a small following which barely keeps OpenBSD alive, usually by threatening to shut down OpenSSH development which is their only true success but this is neither the first nor the last time he's making such ultimatums.

        If Linus is the benevolent dictator for life, Theo is the not-so-benevolent dictator for life. He started OpenBSD so he could run the show and any oppositition is harshly cut down. Don't argue with him about how the project's managed, what costs are necessary, everything is as Theo has decided it should be and he's only complaining that nobody is willing to fund his masterpiece. Your input is not wanted, just your wallet and he treats everyone from the smallest individual contributor to giant corporations the same. He's got balls of steel and an ego the size of a planet, but in the end he'll always be going around with a beggar's cup.

      • Actually, for the comments, one has to go pretty deep, so here it is [marc.info]

        Yeah, I too think that OS won't be around too long, so it will be down to FreeBSD and NetBSD. On the Linux side of things, even distros like Debian have discontinued support for things like HP PA-RISC, which is less ancient than VAX. FreeBSD has dropped support for DEC Alpha. That's what not just companies, but even volunteer organizations do when a platform is no longer in circulation. Yet that rack had a number of ancient boxes like

    • by Bengie ( 1121981 )

      I'm surprised that this wasn't implemented a long time ago. Even Windows has had signed code for quiet some time.

      Having code signed by a central CA seems to be again what OpenBSD and FreeBSD are trying to do. They don't want to play god and gate keeper. They held off as long as they could to see if a new distributed public key system could have came out. Unfortunately, a new public key system has not come out and the security benefit is too grate, even if against their ideology.

  • by macraig ( 621737 ) <mark...a...craig@@@gmail...com> on Saturday January 18, 2014 @11:17PM (#46002923)

    What does openBSD have to do with tattooing your Johnson?

  • Floppy disks? (Score:3, Interesting)

    by thue ( 121682 ) on Saturday January 18, 2014 @11:27PM (#46002977) Homepage

    Being limited by floppy disk support requirement sounds like a bad joke. Is that really relevant for any computer which is not hopelessly antiquated in 2014? For reference, Apple stopped shipping floppy disk drives by default in 1998.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      And when you want to use a hopelessly antiquated computer for something, OpenBSD will be there for you.

      • And if it wasn't hopelessly antiquated already, just install OpenBSD and, like magic ... POOF ... it is antiquated!
    • Well, I haven't followed the discussion, but I do know that one of OpenBSD's major markets is basically semi-embedded systems: Firewalls and routers. It's likely they won't have much in the way of external storage attachment, or much in the way of internal storage at all. Given that, it might make sense. I don't know.

      • Re:Floppy disks? (Score:5, Insightful)

        by gwolf ( 26339 ) <gwolf@g[ ]f.org ['wol' in gap]> on Saturday January 18, 2014 @11:59PM (#46003171) Homepage

        No, it won't make much sense even with that in mind. Even less, in fact.

        Embedded systems are usually factory-installed. In the factory, they don't do the installs via floppies. Most OpenBSD installs today are done off their (very good!) CD-ROM media, or maybe even more, by USB.

        Floppy disks are used for a tiny percentage of installs (yes, even of *their* installs). Alright, they don't want to dump very old architectures that are known to work and have no other acceptable bood medium, but in the end... Basing the entire OS in the least common denominator takes a toll on the general usability of the system in everyday settings.

        • I said semi-embedded for a reason: I'm more thinking of hobiest/custom firewalls and routers. The ones from the factory tend to run a version of Linux or PFSense - But you can get similar devices from manufacturers without an OS that you can install your own OS onto.

          Not that I'm sure I disagree with you. Just trying to think of a rational reason and give them the benefit of the doubt. However hard that is.

          • None of these devices have floppy disks though. Compact Flash cards are a more common requirement, as they're basically IDE devices. I had one a few years ago with a custom firewall distribution that fitted onto a 32MB CF card, but a year later it was hard to buy a CF card smaller than 4GB and so I switched to a full OS install.
        • by TarPitt ( 217247 )

          As far as OpenBSD is concerned, "the general usability of the system in everyday settings" is the bottom priority.

          No, in fact the lack of general usability is a goal OpenBSD strives for.

          Be grateful they aren't still using punched paper tape for installs.

        • I gather that more serious OpenBSD admins simply boot from network and be done with it. (Google PXE, if you haven't got a clue what I'm talking about) I haven't used a USB or CD-Rom for ages to install mainstream Linuxes or OpenBSD.
        • Re:Floppy disks? (Score:5, Informative)

          by Tom ( 822 ) on Sunday January 19, 2014 @05:10AM (#46004099) Homepage Journal

          In a recent interview I can't find right now, Theo gave a perfectly good reason for this insane legacy support: OpenBSD is a volunteer project, and some of the most valuable contributors want this stuff to remain. Dumping the legacy systems would most likely mean losing those contributors. If they are important enough to the project, then the legacy support is the price it pays to keep them around.

          • Another good reason I found on a relevant mailing list thread is that testing on a large variety of architectures often exposes bugs that remain under the radar otherwise (but may still come to bite users as security holes). That large variety is only available by supporting legacy architectures.
    • by dbIII ( 701233 )

      Being limited by floppy disk support requirement sounds like a bad joke

      Why are you making it then? Out of the dozen machines I've put *bsd on there is only one that had a floppy disk drive. I installed via USB on that one just like all the others.

  • Nah, too easy.

    • And asked why so many commercial operating systems still have nothing as advanced as the ZFS on *bsd in 2014.
      It will take than long to get a greatly improved MS system win10, Windows RAP or whatever they want to call it.
      It makes a grown man cry.
  • I cannot find a back reference right now, but didn't DJB switch away from FreeBSD to Ubuntu precisely because of the signed packages?
  • by X0563511 ( 793323 ) on Saturday January 18, 2014 @11:44PM (#46003101) Homepage Journal

    I call bullshit:
    Copied right from /usr/bin:
    "-rwxr-xr-x. 1 person staff 744K Nov 11 2010 gpg"

    Packed with upx --best: (note this runtime unpacks, there is no loader library etc)
    "-rwxr-xr-x. 1 person staff 327K Jan 19 05:40 gpg"

    I should note this is a static binary.

    • $ ls -lh `which gpg`
      -rwxr-xr-x 1 root wheel 892K Jan 19 06:09 /usr/pkg/bin/gpg
      $ file !$
      file `which gpg`
      /usr/pkg/bin/gpg: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for NetBSD 6.1.2, stripped
      $ ldd !$
      ldd `which gpg`
      /usr/pkg/bin/gpg:
      -lintl.1 => /usr/lib/libintl.so.1
      -lgcc_s.1 => /usr/lib/libgcc_s.so.1
      -lc.12 => /usr/lib/libc.so.12
      -lz.1 => /usr/lib/libz.so.1
      -lbz2.1 => /usr/lib/libbz2.so
      • Also important is: which version are you looking at? The 1.4 series (still updated) is intended for smaller/embedded installs, while the 2.x series is intended for mainstream (especially desktop) usage
        • Also important is: which version are you looking at? The 1.4 series (still updated) is intended for smaller/embedded installs, while the 2.x series is intended for mainstream (especially desktop) usage

          It's also important to ask why they are even looking at the main gpg executable and not gpgv?

          gpgv is a stripped-down version of gnupg which is only able to check signatures. It is smaller than the full-blown gnupg and uses a different (and simpler) way to check that the public keys used to make the signature are trustworthy.

      • by fisted ( 2295862 )
        $ gpg --version
        gpg (GnuPG) 1.4.15


        (good call, broken_chaos)
    • Even giving it the benefit of the doubt, what would break the process so horribly if a separately packed floppy disk installer does not check signatures (link gpgv to /bin/true for instance) while the other installers do? Floppy users don't lose or gain anything while the rest get the benefit of an untampered source assurance. Or are they also trying to argue that adding signatures won't let the regular installation packages fit on floppy disks?

  • Overly paranoid (Score:5, Interesting)

    by johnwbyrd ( 251699 ) on Saturday January 18, 2014 @11:47PM (#46003117) Homepage

    I started using OpenBSD in 1998. It was a viable, timely competitor to Linux at the time, especially for building firewalls as such.

    OpenBSD is a great example of what happens when you make life too difficult for end users and administrators in the name of Security. OpenBSD has never embraced the most recent release of anything -- if it's new, by definition it's insecure and it can't be trusted. Ergo, if you have to demonstrate the latest technology in whatever you're doing, you start with a Linux distribution.

    From the article: "We wanted a tool that would fit on installation media, which meant minimizing code size and external dependencies." That's the breakage mode, in a nutshell. NO ONE in the world has been clamoring for an OpenBSD signing tool that runs on a floppy. But the designers are imagining the user requirements based on their own biases. This way lies the death of any commercial or open source software product.

    • by ls671 ( 1122017 )

      How can it be possible to be "overly paranoid" when it comes to machines hooked up to the Internet?

      • When you can't run the software that your job requires on them.

        • by ls671 ( 1122017 )

          You put that "software" on less secure machines behind reverse-proxies, WAP, traffic analysis software, firewalls etc. which run on OSes designed by overly paranoid people.

        • Military IT security motto is: We are not happy until you are not happy.
        • by Burz ( 138833 )

          Run whatever software you need on Qubes. [qubes-os.org] Even then your system is likely to be more secure than OpenBSD.

    • You are not paranoid if they really are out to get you and a large part of the OpenBSD userbase is Government/Military, so that is why.
    • This is utter bullshit. Do you know how easy it is to connect to a WPA2 network with # ifconfig ? Do you know how easy it is to activate a proven secure httpd, named and other unix services including deployments such as access points and firewalls. Do you really believe iptables is easier than pf? Do you really think selinux is easy? Do you jump on every bandwagon like everyone else and now have all your tweets stored on the library of congress and all your information in the hands of facebook mark "th

  • by danpbrowning ( 149453 ) on Sunday January 19, 2014 @12:28AM (#46003275)

    Many members are up in arms over the large new utility: "Programmers these days with their fancy new computers and their gigantic 'five and a quarter' new-age magnetic spinning discs are constantly looking down on us 'old-fashioned' punch-card programmers. Why can't they write a new utility that supports six rows of 8-bit EBCDIC? Laziness. This just proves that OpenBSD don't care about small, home-built systems. Sixty four bytes is big enough for anybody."

    • You know they aren't really writing large programs since they haven't been forced to use 8" floppies [wikipedia.org].

    • OK, you jest, but I am not: Military/Government is a large part of the OpenBSD userbase. They still use a large number of antiquated and extremely, unbelievably expensive equipment. So it makes sense after all.
      • Let's pretend your are right about the Millitary/Government having antiquated expensive equipment using OpenBSD that only has a floppy drive.

        Why do they they need to install the newest version on it?

  • I know dupes are a long time Slashdot tradition, so I'm asking: is this a dupe from 1995 or something? Because it sure feels like it.
    • It's not a dupe, it's just that everyone installs from source on OpenBSD, so signing the binary never made much sense.

      • by Burz ( 138833 )

        It's not a dupe, it's just that everyone installs from source on OpenBSD, so signing the binary never made much sense.

        Yeah, because its realistic for people to be their own code auditors for a whole OS, and for each install and update.

        I'm sorry, but this makes OpenBSD users sound like morons. IMO, they shouldn't try to justify the myopia that has lead to this situation.

        • by thogard ( 43403 )

          If I compile from source, I can ensure that the binary I have is unlike any other in the world. That has protected my machines in the past so I will keep doing it.

        • by petrus4 ( 213815 )
          Yeah, because its realistic for people to be their own code auditors for a whole OS, and for each install and update. It is entirely realistic if you know what you are doing. My default FreeBSD install fits into 65 Mb of RAM. As I have observed before on this site many times; narrow mindedness and aggression have a marked tendency to go together. The more ignorant a person is, the more adamant they usually are about expressing it. Not all of us live according to argumentum ad novitatem [wikipedia.org].
  • by Animats ( 122034 ) on Sunday January 19, 2014 @02:38AM (#46003667) Homepage

    This is probably because they want the signature checker to fit in the CD boot loader. For historical reasons [mit.edu], bootable CDs imitate a floppy during the initial boot process, and contain an image of a 1.44MB floppy with a FAT file system. When you boot an PC-type x86 machine from CD, that simulated floppy (the file "floppy54.fs" for OpenBSD) is read by the BIOS and a file from it is executed.

    This process is so retro that the initial program loaded is executed in 16-bit X86 mode.

    • by buchanmilne ( 258619 ) on Sunday January 19, 2014 @03:39AM (#46003871) Homepage

      But, if you are booting from CDs, and the CD has the rest of the media, why do you need the utility for verifying signatures on the boot media (1.44MB image)? Bootstrap the installation image from the iso9660 part of the CD (or network in the case if a network install)? and have that contain the signature verification utility.

      Hint: RPM-baswd distro have been doing this since rpm 3.x, or about 1999.

      Really, who uses floppies for installation these days? Sure, maybe floppy emulation on a DRAC or iLO or ILOM, but they all
      -support CDROM or DVD emulation
      -PXE boot (with relatively large images possible via TFTP)

      If none of these are options, just write the whole (hybrid) ISO image to a 4GB USB flash disk and be done with it.

      I personally haven't used an actual CD-RW or DVD to install a syatem in about 5 years. Either network install booted via PXE for servers, or USB flash disk for laptops.

    • This is probably because they want the signature checker to fit in the CD boot loader. For historical reasons [mit.edu], bootable CDs imitate a floppy during the initial boot process, and contain an image of a 1.44MB floppy with a FAT file system.

      Bootable CDs can emulate a floppy during boot but that is not the only supported boot method.

      This process is so retro that the initial program loaded is executed in 16-bit X86 mode.

      That's just PC BIOS booting in general though, not really much different from booting off any other media. It does mean your first state bootloader has to be small though

An adequate bootstrap is a contradiction in terms.

Working...