Verify FILE_CKSUM (sha256) in pkg_summary(5) on download.#141

Open
riastradh wants to merge 2 commits into NetBSDfr:master from riastradh:riastradh-20260105-hashfile

Conversation


@riastradh riastradh commented Jan 6, 2026

This is important for detecting version rollback attacks -- verifying a signature on the package itself doesn't help, because the old one also has a valid signature.

Relies on patch proposed for pkg_install to make pkg_info -X generate the FILE_CKSUM lines: https://mail-index.NetBSD.org/tech-pkg/2026/01/06/msg031853.html

(Based on #140 to make schema changes easier and more reliable.)

Rather than having to craft a new CHECK_DB_LATEST that fails with all
old schema versions and works with the new schema version every time
we make a schema change, we can just change the user_version number.

This is important for detecting version rollback attacks -- verifying
a signature on the package itself doesn't help, because the old one
also has a valid signature.
riastradh force-pushed the riastradh-20260105-hashfile branch from 263c235 to 204174b on January 17, 2026 21:40
jperkin (Contributor) commented Jan 28, 2026

I have a couple of issues with this.

Firstly it breaks builds outside of pkgsrc:

$ make
/Library/Developer/CommandLineTools/usr/bin/make  all-am
  CC       pkgin-actions.o
actions.c:45:10: fatal error: 'sha2.h' file not found
   45 | #include <sha2.h>
      |          ^~~~~~~~
1 error generated.
make[1]: *** [pkgin-actions.o] Error 1
make: *** [all] Error 2

I've put a reasonable amount of effort into making pkgin build separately from pkgsrc, and would like to retain that. There are some options for pulling in a compat sha2 if the system doesn't provide one but they either use a different API or end up pulling in quite a lot more code. I'd need to investigate this further.

Secondly I'm not keen on sha256 being hardcoded in a bunch of places, and have an aversion to spaces in column names. Given the pkg_summary format allows for arbitrary hashes, I think I'd prefer a separate table where these are stored along with an associated hash per entry for extensibility.

I'm happy to work on this, but just wanted to post something to say that I am looking at this, as I need to cut a new pkgin release now for the pkgtools upgrade issue and this will have to be deferred until later. I have added initial FILE_CKSUM to pkgsrc-rs so have a test-bed for this, and am looking to extend that to support different hash types.
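As an added illustration of the check the PR description and the comment above are discussing (this is not code from pkgin, pkgsrc-rs or the proposed pkg_install patch), the sketch below parses a pkg_summary(5) fragment, reads a FILE_CKSUM entry without hardcoding the algorithm, and compares a downloaded file against it, so a stale package that still carries a valid signature is rejected. The `FILE_CKSUM=<ALGORITHM> <hexdigest>` layout and the package records are assumptions constructed for the example.

```python
import hashlib
import hmac

# Map pkg_summary algorithm names to hashlib names; the spelling of the
# algorithm token in FILE_CKSUM is an assumption, not taken from pkg_install.
SUPPORTED = {"SHA256": "sha256", "SHA512": "sha512"}

def parse_pkg_summary(text):
    """pkg_summary(5): records separated by a blank line, each line VAR=VALUE."""
    pkgs = {}
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if "=" in line:
                key, value = line.split("=", 1)
                rec[key] = value
        if "PKGNAME" in rec:
            pkgs[rec["PKGNAME"]] = rec
    return pkgs

def verify_download(rec, data):
    """Check downloaded bytes against the record's FILE_SIZE and FILE_CKSUM."""
    cksum = rec.get("FILE_CKSUM")
    if cksum is None:
        return False, "no FILE_CKSUM in summary"
    algo, _, expected = cksum.partition(" ")
    name = SUPPORTED.get(algo.upper())
    if name is None:
        return False, f"unsupported FILE_CKSUM algorithm {algo}"
    if "FILE_SIZE" in rec and int(rec["FILE_SIZE"]) != len(data):
        return False, "FILE_SIZE mismatch"
    actual = hashlib.new(name, data).hexdigest()
    if not hmac.compare_digest(actual, expected.lower()):
        return False, "FILE_CKSUM mismatch"
    return True, "ok"

# Constructed data: the repository currently publishes foo-1.1; an attacker
# replays the older foo-1.0 archive, which would still carry a valid signature.
CURRENT_PKG = b"constructed package contents for foo-1.1"
OLD_PKG = b"constructed package contents for foo-1.0"

def make_summary(data):
    """Constructed pkg_summary text; bar-2.0 predates FILE_CKSUM and lacks it."""
    digest = hashlib.sha256(data).hexdigest()
    return ("PKGNAME=foo-1.1\nPKGPATH=misc/foo\n"
            f"FILE_SIZE={len(data)}\nFILE_CKSUM=SHA256 {digest}\n\n"
            "PKGNAME=bar-2.0\nPKGPATH=misc/bar\nFILE_SIZE=3\n")

if __name__ == "__main__":
    pkgs = parse_pkg_summary(make_summary(CURRENT_PKG))
    print(verify_download(pkgs["foo-1.1"], CURRENT_PKG))  # (True, 'ok')
    print(verify_download(pkgs["foo-1.1"], OLD_PKG))      # rollback caught
```

Because foo-1.0 and foo-1.1 are the same size here, FILE_SIZE alone passes and only the checksum rejects the replayed archive.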
