[Whonix-devel] qubes-builder gpg verification security, check for rollback (downgrade) or indefinite freeze attacks
patrick-mailinglists at whonix.org
Thu Apr 2 14:11:03 CEST 2015
Does qubes-builder check for rollback (downgrade) or indefinite freeze
- a user who builds from source code
- building user successfully verified Qubes' source code
- user doesn't manually ensure after build, that version numbers match,
doesn't read the build log [unless it stops and shows errors], and
relies that the verification chain is intact
- git hosting compromised 
- eventually targeting specific builders
gpg --verify --status-fd=1 $temp_name/content.asc 2>/dev/null|grep -q
It does not check freshness? So any older tag/signature would be
accepted, a rollback attack would succeed?
I am very much into file verification, gpg, wrote gpg-bash-lib  where
I'd appreciate feedback and sometimes report gpg usage security issues
in other projects. [non-exhaustive list ]
Having said that, do you have any other gpg verification code in other
files that I could look into?
 "rollback (downgrade) or indefinite freeze attack"
Defined as per TUF: Attacks and Weaknesses:
* In case github gets hacked  again.
* Or in cases similar to:
* SSL CA's such as DigiNotar was hacked or 
* comodo resellers that got hacked. 
More information about the Whonix-devel