[Whonix-devel] qubes-builder gpg verification security, check for rollback (downgrade) or indefinite freeze attacks

Patrick Schleizer patrick-mailinglists at whonix.org
Thu Apr 2 14:11:03 CEST 2015


Hi!

Does qubes-builder check for rollback (downgrade) or indefinite freeze
attacks [1]?

Threat model:
- a user who builds from source code
- building user successfully verified Qubes' source code
- user doesn't manually ensure after the build that version numbers match,
doesn't read the build log [unless it stops and shows errors], and
relies on the verification chain being intact
- git hosting compromised [2]
- eventually targeting specific builders

function:
verify_tag

link:
https://github.com/QubesOS/qubes-builder/blob/7d21e6b7b0a5ab3a68e8acdbc3f540f2221b47c0/scripts/verify-git-tag#L38

code:
gpg --verify --status-fd=1 $temp_name/content.asc 2>/dev/null|grep -q '^\[GNUPG:\] TRUST_\(FULLY\|ULTIMATE\)$'

It does not check freshness? So any older tag/signature would be
accepted, and a rollback attack would succeed?

I am very much into file verification and gpg, wrote gpg-bash-lib [6]
(where I'd appreciate feedback), and sometimes report gpg usage security
issues in other projects [non-exhaustive list [7]].

Having said that, do you have any other gpg verification code in other
files that I could look into?

Cheers,
Patrick

[1] "rollback (downgrade) or indefinite freeze attack"
Defined as per TUF: Attacks and Weaknesses:
- https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md
- http://www.webcitation.org/6F7Io2ncN
[2]
* In case GitHub gets hacked [3] again.
* Or in cases similar to:
 * SSL CAs such as DigiNotar that were hacked [4], or
 * Comodo resellers that got hacked [5].
[3]
http://www.extremetech.com/computing/120981-github-hacked-millions-of-projects-at-risk-of-being-modified-or-deleted
[4] https://en.wikipedia.org/wiki/DigiNotar
[5]
http://www.scmagazine.com/two-more-comodo-resellers-owned-in-ssl-hack/article/199620/
[6] https://github.com/Whonix/gpg-bash-lib
[7] https://phabricator.whonix.org/T245
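Added example, not qubes-builder's or gpg-bash-lib's code, of the freshness check the message asks about: it keeps the trust-level test of verify_tag, takes the signature creation time from gpg's VALIDSIG status line, and rejects a signature that is older than the last one accepted (rollback) or older than a maximum age (indefinite freeze). The status lines, timestamps, fingerprints and the state file are constructed for the example.

```shell
#!/bin/sh
# Constructed gpg --status-fd output for a trusted, valid signature
# (VALIDSIG field 5 is the signature creation timestamp).
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-04-02 1427976663 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Same signer, but a signature made months earlier (constructed).
OLD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-01-01 1420070400 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# sig_timestamp STATUS: print the signature creation time if the key is
# fully/ultimately trusted and a VALIDSIG line is present; fail otherwise.
# No trailing '$' on the TRUST match: newer gpg appends "0 pgp" to the line.
sig_timestamp() {
    printf '%s\n' "$1" | grep -q '^\[GNUPG:\] TRUST_\(FULLY\|ULTIMATE\)' || return 1
    printf '%s\n' "$1" | awk '$2 == "VALIDSIG" { print $5; found = 1 } END { exit !found }'
}

# check_fresh SIG_TS LAST_SEEN_TS NOW MAX_AGE
#   0 = fresh, 2 = older than the last accepted signature (rollback),
#   3 = signature older than MAX_AGE seconds (freeze)
check_fresh() {
    [ "$1" -ge "$2" ] || return 2
    [ $(($3 - $1)) -le "$4" ] || return 3
    return 0
}

# verify_fresh STATUS STATE_FILE NOW MAX_AGE
# Combines both checks and records the accepted timestamp in STATE_FILE,
# so a later replay of this or any older signature is refused.
#   0 = accepted, 1 = untrusted or no valid signature, 2 = rollback, 3 = freeze
verify_fresh() {
    ts=$(sig_timestamp "$1") || return 1
    last_seen=0
    [ -f "$2" ] && last_seen=$(cat "$2")
    check_fresh "$ts" "$last_seen" "$3" "$4" || return $?
    printf '%s\n' "$ts" > "$2"
}
```

In a real build script NOW comes from date(1) and STATE_FILE lives outside the checked-out tree, so that a compromised repository cannot reset it.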

