From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Thu, 5 Jul 2018 02:54:52 +0200
Subject: Security pitfalls of .tar.asc
Message-ID:

Hi list,

The upcoming cgit 1.2 release will have support for attaching .asc signatures to tarballs. Adding a .tar.xz.asc is straightforward and works as expected. But there's also display logic for showing .tar.asc signatures next to .tar.xz files. The intent is to do something like this:

$ curl -LO https://git.zx2c4.com/cgit/snapshot/cgit-1.1.tar.xz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 86268    0 86268    0     0   122k      0 --:--:-- --:--:-- --:--:--  123k
$ curl -LO https://git.zx2c4.com/cgit/snapshot/cgit-1.1.tar.asc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   858    0   858    0     0   2150      0 --:--:-- --:--:-- --:--:--  2177
$ unxz cgit-1.1.tar.xz
$ gpg --verify cgit-1.1.tar.asc
gpg: assuming signed data in 'cgit-1.1.tar'
gpg: Signature made Thu 05 Jul 2018 02:34:20 AM CEST
gpg:                using RSA key AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
gpg:                issuer "jason at zx2c4.com"
gpg: Good signature from "Jason A. Donenfeld " [ultimate]

This works fine, but there's something a bit troubling about it: it means that users are instructed to run untrusted tarballs through `unxz`, which is big and complicated and could have nasty vulnerabilities.

My understanding is that this is desired because .tar.xz is not stable -- xz might do different things between versions or compression levels -- whereas git considers its .tar output to be a stable format. So I can see why it'd be desirable to host .tar.asc instead of .tar.xz.asc. But from a security perspective, this might be sub-optimal.

Thoughts?

Regards,
Jason
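An added example, not code from the mail above or from cgit, contrasting the two verification orders the message describes: a .tar.asc is stable across xz versions and presets but forces the decompressor to parse unverified input, while a .tar.xz.asc checks the signature before anything is decompressed. A SHA-256 digest stands in for the gpg detached signature, and the output cap in verify_tar_asc is this example's own defensive guard, not something the page describes.

```python
# Added example, not from the mail or cgit. A SHA-256 digest stands in for
# the gpg detached signature (assumption, to keep this self-contained); the
# output cap in verify_tar_asc is this example's own mitigation.
import hashlib
import io
import lzma
import tarfile


def make_tar(files: dict) -> bytes:
    """Deterministic tar (sorted names, fixed mtime), standing in for the
    stable `git archive` output that a .tar.asc is signed over."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sign(data: bytes) -> str:
    """Stand-in for `gpg --detach-sign`; verifying means recomputing it."""
    return hashlib.sha256(data).hexdigest()


def compress(tar: bytes, preset: int) -> bytes:
    """xz output depends on the preset (dictionary size is in the header)."""
    return lzma.compress(tar, preset=preset)


def verify_tar_asc(xz_data: bytes, signature: str, max_tar_size: int) -> bytes:
    """.tar.asc flow: the untrusted .xz goes through the decompressor before
    the signature can be checked. Capping the output is the one cheap guard
    at this point; the decompressor still parses unverified input."""
    dec = lzma.LZMADecompressor()
    tar = dec.decompress(xz_data, max_length=max_tar_size + 1)
    if len(tar) > max_tar_size or not dec.eof:
        raise ValueError("decompressed .tar exceeds cap or stream is truncated")
    if sign(tar) != signature:
        raise ValueError("bad signature over .tar")
    return tar


def verify_tar_xz_asc(xz_data: bytes, signature: str) -> bytes:
    """.tar.xz.asc flow: signature first, so unxz only sees verified bytes.
    The cost is a signature tied to one compressor version and preset."""
    if sign(xz_data) != signature:
        raise ValueError("bad signature over .tar.xz")
    return lzma.decompress(xz_data)
```

The same .tar signature verifies the archive whichever preset produced the .xz, whereas a .tar.xz signature only matches the exact compressed bytes it was made over.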