[MacPorts] #59763: MacPorts gpg signatures are meaningless without access to the public key

MacPorts noreply at macports.org
Tue Nov 26 18:53:23 UTC 2019


#59763: MacPorts gpg signatures are meaningless without access to the public key
----------------------+--------------------
 Reporter:  cohunter  |      Owner:  (none)
     Type:  defect    |     Status:  new
 Priority:  Normal    |  Milestone:
Component:  website   |    Version:
 Keywords:            |       Port:
----------------------+--------------------
 BLUF:

 * Please add a link to the checksums to the install guide at the following
 URL: https://guide.macports.org/chunked/installing.macports.html

 * Please also add a link to the public signing key at the above URL and
 the main website: https://www.macports.org/install.php

 ----------


 Hello,

 In 2014 this issue was brought up (#50429), but closed as the key was said
 to be posted on jmr's profile page and a key server.

 That seems to no longer be the case:

 * Opening the linked wiki page of jmr and searching for "gpg" and "key"
 return no matches.

 * The linked key server now returns an error page.

 Even beyond those issues, finding the issue #50429 itself takes
 significant effort. Why are there zero references to the key on the main
 website and guide?

 This is a critical security issue (though I've selected Normal priority in
 the interest of respecting maintainers' time) because new users should be
 able to verify the downloads. To be usable, the public key must be as
 readily accessible as the signed downloads.

 Simply writing that it is on a public key server does not provide
 verification. Anyone can sign a file with a different key and put it on
 public key servers -- nowhere on the main MacPorts site or installation
 guides is it written that the key used is jmr's. (Also note that anyone
 can make a key claiming to represent any name/email address; only WKD.)

 If you don't take my word for this issue, please at least consider that
 gpg itself warns about this:

 {{{
 $ gpg2 --verify ~/Downloads/MacPorts-2.6.2-10.15-Catalina.pkg.asc ~/Downloads/MacPorts-2.6.2-10.15-Catalina.pkg
 gpg: Signature made Sun Oct 20 15:00:30 2019 PDT
 gpg:                using DSA key C403793657236DCF2E580C0201FF673FB4AAE6CD
 gpg: Good signature from "Joshua Root <jmr at macports.org>" [unknown]
 gpg:                 aka "Joshua Root <josh+pgp at root.id.au>" [unknown]
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
 }}}

 For additional reasons that this should be changed, please also refer to
 recent developments such as noted here:
 https://medium.com/faun/gpg-has-been-running-with-a-well-known-security-flaw-for-a-decade-never-got-around-to-fixing-the-5d2ddb66ff6

 From the article:

 >Recently, an attack took place that resulted in the indefinite, possibly
 permanent, corruption of the GPG public network.

 >Due to the attack on its infrastructure, the integrity of all keyserver
 stored public keys is now called into question as any certificate may be
 poisoned.

 >GPG is unable to facilitate public key discovery for users who do not
 know each other.

 >There is no time frame for when a 100% fix will be available and the best
 mitigation at present is to stop using the SKS keyserver network.

 By searching DuckDuckGo for the text contents of the key, I was able to
 find it hosted here:
 https://trac.macports.org/raw-attachment/wiki/jmr/jmr_at_macports_org-2013.pubkey

 But I wasn't able to find any links to it at all, except by using a search
 engine ''and already having the key'' (downloaded from another public key
 server without verification).

 Please fix this critical security issue and enable new users to verify
 download signatures by adding a link to the public signing key alongside
 the link to the file checksums in the install guide at the following URL:
 https://www.macports.org/install.php

 Please also consider adding a link to the checksums and/or the signing key
 in the install guide at the following URL:
 https://guide.macports.org/chunked/installing.macports.html

 It may also be prudent to consider alternative distribution methods like
 WKD, but for the purposes of this issue, simply adding a link to the key
 on the website and/or guide would enable users to verify the downloads.

 It is incredibly important to instruct users to verify downloaded
 packages. Consider attacks such as the [recent Monero website
 compromise](https://arstechnica.com/information-technology/2019/11/official-monero-website-is-hacked-to-deliver-currency-stealing-malware/)
 -- if users had been expected to simply download and run packages without
 any verification (at least checksums, ideally signatures), as the
 guide.macports.org currently instructs for MacPorts, such compromises
 would possibly remain undiscovered for long periods of time.

 Thank you,

 Corey Hunter

-- 
Ticket URL: <https://trac.macports.org/ticket/59763>
MacPorts <https://www.macports.org/>
Ports system for macOS
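The verification flow the ticket asks new users to be able to perform, written out as an added example; this is not code from the MacPorts project or from the ticket author. It pins the signing key's fingerprint out of band (the one gpg printed in the ticket's output above), imports the key file the user fetched from the project site into a throwaway keyring, and then judges the result by gpg's machine-readable `--status-fd` output rather than by its exit status: as the ticket's transcript shows, a "Good signature" from an uncertified key still exits 0, so the only thing that actually binds the signature to the project is the fingerprint on the `VALIDSIG` line. The `verify_download` function, the key file name, and the sample status lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the MacPorts project or the ticket author.
# Verify a downloaded package against its detached .asc signature with the
# signing key fingerprint pinned in advance. The fingerprint below is the one
# gpg printed in the ticket; a user would obtain it from the project site.
# Assumptions: gpg 2.x is on PATH; the third argument to verify_download is
# the public key file fetched from the project site (name is hypothetical).

PINNED_FPR="C403793657236DCF2E580C0201FF673FB4AAE6CD"

# Normalise a fingerprint for comparison: drop spaces, force upper case.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read gpg --status-fd lines on stdin. Return 0 only if a VALIDSIG line
# carries the pinned fingerprint and no line reports a bad, unverifiable,
# revoked or expired-key signature. Trust level (TRUST_UNDEFINED etc.) is
# deliberately ignored: the pinned fingerprint replaces the web of trust.
status_matches_pinned() {
    expected=$(norm_fpr "$1")
    matched=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # First field after the keyword is the signing key fingerprint.
                rest=${line#"[GNUPG:] VALIDSIG "}
                fpr=${rest%% *}
                [ "$(norm_fpr "$fpr")" = "$expected" ] && matched=0
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] EXPKEYSIG "*)
                return 1
                ;;
        esac
    done
    return $matched
}

# Full flow: import the fetched key into a temporary keyring, run the
# verification, and accept only a VALIDSIG from the pinned fingerprint.
verify_download() {
    pkg=$1; sig=$2; keyfile=$3
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    if ! GNUPGHOME="$home" gpg --batch --quiet --import "$keyfile" >/dev/null 2>&1; then
        rm -rf "$home"; return 1
    fi
    # gpg's exit status is deliberately ignored here; the status lines decide.
    status=$(GNUPGHOME="$home" gpg --batch --status-fd 1 --verify "$sig" "$pkg" 2>/dev/null) || true
    printf '%s\n' "$status" | status_matches_pinned "$PINNED_FPR"
    rc=$?
    rm -rf "$home"
    return $rc
}

# Constructed sample of --status-fd output, modelled on the ticket's run (not
# captured from a real verification), so the check can be exercised offline.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 01FF673FB4AAE6CD Joshua Root <jmr@macports.org>
[GNUPG:] VALIDSIG C403793657236DCF2E580C0201FF673FB4AAE6CD 2019-10-20 1571608830 0 4 0 17 8 00 C403793657236DCF2E580C0201FF673FB4AAE6CD
[GNUPG:] TRUST_UNDEFINED 0 pgp'

if printf '%s\n' "$SAMPLE_STATUS" | status_matches_pinned "$PINNED_FPR"; then
    echo "sample: signature is from the pinned key"
else
    echo "sample: REJECTED"
fi

# Real use (hypothetical key file name):
# verify_download MacPorts-2.6.2-10.15-Catalina.pkg MacPorts-2.6.2-10.15-Catalina.pkg.asc macports-signing-key.asc
```

The point of parsing `VALIDSIG` instead of checking the exit code is that it makes the "[unknown]" warning in the ticket irrelevant: the script never asks gpg whether it trusts the key, it asks whether the signature came from the one key the user pinned. That pin is only meaningful if the fingerprint is published somewhere authoritative, which is exactly what the ticket requests.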

