
Google Chrome Repository Insecurity

From Whonix



Summary

As of 14 March 2021:

  • Google's installation instructions have you install a weak cryptographic key (a 1024-bit DSA key) into the Debian package manager's APT keyring.
  • The APT repository configured by the package is fetched over plain http rather than https, so the transport provides neither encryption nor server authentication (TLS).

Source

Signing Key

As of 14 March 2021, Google's installation instructions tell you to run the following command (archived):

wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

This effectively results in installing a weak cryptographic key (a 1024-bit DSA key) as a Debian package manager APT key.

The command uses the wget command line downloader to fetch an APT signing key file and then Debian's apt-key utility to add the signing key(s) in that file to the system's APT keyring /etc/apt/trusted.gpg. Sidenote: both apt-key and /etc/apt/trusted.gpg are deprecated by Debian [1]. That deprecation does not change the key-strength issue discussed here, though it does matter for scope: a key in /etc/apt/trusted.gpg is trusted for every configured repository, whereas a keyring referenced with the signed-by option of a sources.list entry is trusted only for that repository.

1) Download https://dl.google.com/linux/linux_signing_key.pub

2) View the OpenPGP key information:

gpg --keyid-format long --import --import-options show-only --with-fingerprint linux_signing_key.pub

3) The output shows:

pub   dsa1024/A040830F7FAC5991 2007-03-08 [SC]
      Key fingerprint = 4CCA 1EAF 950C EE4A B839  76DC A040 830F 7FAC 5991
uid                            Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub   elg2048/4F30B6B4C07CB649 2007-03-08 [E]

gpg: key 7721F63BD38B4796: 2 signatures not checked due to missing keys
pub   rsa4096/7721F63BD38B4796 2016-04-12 [SC]
      Key fingerprint = EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
uid                            Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub   rsa4096/78BD65473CB3BD13 2019-07-22 [S] [expires: 2022-07-21]

The first key shows dsa1024, which means a DSA key with only 1024 bits. With a 1024-bit DSA key the subgroup order q is 160 bits, so the signatures it produces offer at most 80 bits of security and the hash they use is effectively limited to 160 bits.

In January 2011 the National Institute of Standards and Technology (NIST) stated in SP 800-131A, regarding digital signature generation with keys of this strength, quote:

Disallowed after 2013

Google seems to agree with this assessment, since the signing key file linux_signing_key.pub already contains a newer rsa4096 key (RSA with 4096 bits). There is however no need whatsoever to still ship the weak dsa1024 key in linux_signing_key.pub: apt-key adds every key in the file to the keyring, so the dsa1024 key stays trusted for package signing regardless of which key Google actually signs with.
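The check in steps 1 to 3 can also be done without gpg by reading the OpenPGP packets directly, which is useful when auditing many keyring files or a host without GnuPG. The following Python is an added example written for this page, not Whonix or Google code: it dearmors a key file, walks the packet headers, and for every key and subkey reports the algorithm, the size of the first MPI (the modulus for RSA, the prime p for DSA and Elgamal) and the v4 fingerprint, flagging finite-field keys below 2048 bits. The three sample keys at the bottom are constructed from made-up numbers so the script runs offline; running audit_keyfile() on the downloaded linux_signing_key.pub reproduces the dsa1024 finding.

```python
"""Added example (not Whonix or Google code): audit an OpenPGP public key file,
binary or ASCII-armored, for weak key algorithms without calling gpg.  Only the
fields needed for the check are parsed: RFC 4880 packet headers, v4 key packets
and the first MPI.  The sample keys at the bottom use made-up numbers."""
import base64
import hashlib
import struct

ALGO_NAMES = {1: "rsa", 2: "rsa", 3: "rsa", 16: "elg", 17: "dsa",
              18: "ecdh", 19: "ecdsa", 22: "eddsa"}
# Finite-field keys below this size are flagged; NIST SP 800-131A disallows
# 1024-bit DSA/RSA signature generation after 2013.
MIN_BITS = {"rsa": 2048, "dsa": 2048, "elg": 2048}
KEY_TAGS = {6: "pub", 14: "sub"}            # public key / public subkey packets


def dearmor(data: bytes) -> bytes:
    """Strip ASCII armor (RFC 4880 section 6) if present; the CRC24 is skipped, not checked."""
    if b"-----BEGIN PGP" not in data:
        return data
    lines = iter(data.decode("ascii", "replace").splitlines())
    for line in lines:                       # skip up to and including the BEGIN line
        if line.startswith("-----BEGIN PGP"):
            break
    for line in lines:                       # skip armor headers up to the blank line
        if line.strip() == "":
            break
    b64 = []
    for line in lines:
        line = line.strip()
        if line.startswith("-----END") or line.startswith("="):   # "=XXXX" is the CRC line
            break
        b64.append(line)
    return base64.b64decode("".join(b64))


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if ctb & 0x40:                       # new-format header
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                length = len(data) - i       # indeterminate length: rest of input
            else:
                width = (1, 2, 4)[ltype]
                length = int.from_bytes(data[i:i + width], "big")
                i += width
        yield tag, data[i:i + length]
        i += length


def describe_key(body: bytes) -> dict:
    """Algorithm, size of the first MPI (n for RSA, p for DSA/Elgamal) and v4 fingerprint."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    algo = ALGO_NAMES.get(body[5], "algo%d" % body[5])
    # ECC keys start with a curve OID rather than an MPI, so no bit length is reported for them
    bits = struct.unpack(">H", body[6:8])[0] if algo in MIN_BITS else None
    # v4 fingerprint = SHA-1 over 0x99, two-byte body length, body (RFC 4880 section 12.2)
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    return {"algo": algo, "bits": bits, "fingerprint": fpr,
            "weak": bits is not None and bits < MIN_BITS[algo]}


def audit_keyfile(data: bytes) -> list:
    """Describe every primary key and subkey in a key file; weak ones carry weak=True."""
    out = []
    for tag, body in iter_packets(dearmor(data)):
        if tag in KEY_TAGS:
            out.append(dict(describe_key(body), kind=KEY_TAGS[tag]))
    return out


# --- constructed sample input: made-up numbers, not real keys -------------------
def _mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def _key_packet(algo: int, *mpis: int, tag: int = 6) -> bytes:
    body = b"\x04" + struct.pack(">I", 1173312000) + bytes([algo]) + b"".join(map(_mpi, mpis))
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body  # old format, 2-byte length


SAMPLE_BINARY = (_key_packet(17, (1 << 1023) | 1, (1 << 159) | 1, 2, 3)   # "dsa1024" primary key
                 + _key_packet(1, (1 << 4095) | 1, 65537)                    # "rsa4096" primary key
                 + _key_packet(1, (1 << 4095) | 3, 65537, tag=14))           # "rsa4096" subkey
SAMPLE_ARMORED = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
                  + base64.encodebytes(SAMPLE_BINARY) + b"=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    for k in audit_keyfile(SAMPLE_ARMORED):
        print(k["kind"], k["algo"], k["bits"], k["fingerprint"], "WEAK" if k["weak"] else "")
```

The declared bit length of the first MPI is exactly what gpg prints as dsa1024 or rsa4096, and the fingerprint is computed the way gpg does it, so both can be compared with the gpg output above. Key expiry, user IDs and certification signatures are not inspected; the script answers only the question of this section, namely which key algorithms and sizes a key file would add to the APT keyring.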

Repository

1) Download https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb (an archived copy of google-chrome-stable_current_amd64.deb is available).

2) Extract or open the google-chrome-stable_current_amd64.deb archive, for example with ark:

ark google-chrome-stable_current_amd64.deb

3) Extract or open control.tar.gz, a file inside the google-chrome-stable_current_amd64.deb archive.

4) Open the file postinst (the Debian package maintainer script shipped by the google-chrome-stable_current_amd64.deb package).

5) Line 137 is:

REPOCONFIG="deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main"

6) Conclusion.

The repository URL uses plain http instead of https (TLS). APT still verifies the signatures on the repository's Release file, so cleartext transport does not by itself let an on-path attacker install arbitrary packages; it does let them observe which packages are being fetched, and it provides no independent protection if a signing key is compromised or, as with the dsa1024 key above, is of a strength that is no longer considered adequate.
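Steps 1 to 5 can be scripted so the audit is repeatable for other vendor packages. The Python below is an added example for this page, not Google's or Whonix's code: it parses the outer ar container of a .deb, reads the maintainer scripts out of control.tar.*, extracts every quoted deb ... source line a script writes, and reports cleartext http transport and a missing signed-by= option. The package it audits is a constructed stand-in containing only a postinst with the REPOCONFIG line quoted in step 5; pointing audit_deb() at the real google-chrome-stable_current_amd64.deb reproduces the finding. The signed-by check goes slightly beyond the page: it flags a repository whose key is not scoped to that repository, which is what the deprecation of apt-key and /etc/apt/trusted.gpg mentioned in the Signing Key section is about.

```python
"""Added example (not Google or Whonix code): pull the maintainer scripts out of a
.deb without installing it and audit the APT source line the package writes.  A .deb
is an 'ar' archive holding debian-binary, control.tar.* and data.tar.*; the
maintainer scripts live in control.tar.*.  The package built at the bottom is a
constructed stand-in."""
import io
import re
import tarfile

AR_MAGIC = b"!<arch>\n"


def ar_members(data: bytes):
    """Yield (name, bytes) for each member of an ar archive (the outer .deb format)."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    i = len(AR_MAGIC)
    while i + 60 <= len(data):
        hdr = data[i:i + 60]                          # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar header")
        name = hdr[0:16].decode().rstrip(" /")        # GNU ar terminates names with '/'
        size = int(hdr[48:58].decode())
        i += 60
        yield name, data[i:i + size]
        i += size + (size & 1)                        # members are padded to even length


def maintainer_scripts(deb: bytes) -> dict:
    """Return {script_name: text} for the maintainer scripts in control.tar.*."""
    for name, body in ar_members(deb):
        if name.startswith("control.tar"):
            scripts = {}
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tar:
                for m in tar.getmembers():
                    base = m.name.lstrip("./")
                    if m.isfile() and base in ("preinst", "postinst", "prerm", "postrm"):
                        scripts[base] = tar.extractfile(m).read().decode()
            return scripts
    raise ValueError("no control.tar.* member")


# deb [options] URI suite components...
SOURCE_LINE = re.compile(r"^deb(?:-src)?\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
                         r"(?P<uri>\S+)\s+(?P<suite>\S+)\s+(?P<comps>.+)$")


def audit_source_line(line: str) -> list:
    """Findings for one sources.list line: cleartext transport and an unscoped key."""
    m = SOURCE_LINE.match(line.strip())
    if not m:
        return ["unparseable source line: %r" % line]
    opts = dict(o.split("=", 1) for o in (m.group("opts") or "").split() if "=" in o)
    findings = []
    if m.group("uri").startswith("http://"):
        findings.append("cleartext transport: %s" % m.group("uri"))
    if "signed-by" not in opts:
        findings.append("no signed-by= option: every key in the APT keyring may sign this repository")
    return findings


def audit_deb(deb: bytes) -> dict:
    """Map each quoted 'deb ...' line found in the maintainer scripts to its findings."""
    out = {}
    for script in maintainer_scripts(deb).values():
        for line in re.findall(r'"(deb\s[^"]*)"', script):
            out[line] = audit_source_line(line)
    return out


# --- constructed sample package (stand-in, not the real Chrome package) -----------
def _ar(members) -> bytes:
    out = bytearray(AR_MAGIC)
    for name, body in members:
        out += ("%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", len(body))).encode()
        out += body + (b"\n" if len(body) & 1 else b"")
    return bytes(out)


def _tar_gz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            info = tarfile.TarInfo("./" + name)
            data = text.encode()
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


POSTINST = '''#!/bin/sh
# constructed stand-in for the package's postinst, carrying the line quoted above
REPOCONFIG="deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main"
echo "$REPOCONFIG" > /etc/apt/sources.list.d/example.list
'''
SAMPLE_DEB = _ar([("debian-binary", b"2.0\n"),
                  ("control.tar.gz", _tar_gz({"control": "Package: example\n", "postinst": POSTINST})),
                  ("data.tar.gz", _tar_gz({}))])
# what a hardened entry looks like: TLS transport and a key scoped to this repository only
HARDENED = "deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://dl.google.com/linux/chrome/deb/ stable main"

if __name__ == "__main__":
    for line, findings in audit_deb(SAMPLE_DEB).items():
        print(line, findings)
    print(HARDENED, audit_source_line(HARDENED))
```

On the command line, dpkg-deb -e google-chrome-stable_current_amd64.deb control/ extracts the same control.tar.* contents that maintainer_scripts() reads, so the postinst can also be inspected by hand as in steps 3 and 4. The HARDENED line shows the two changes the findings call for: https for the transport and signed-by= so the key is trusted for this repository only.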

Other sources that show http being used instead of https:

Footnotes

  1. Quote https://blog.jak-linux.org/2021/02/18/apt-2.2/

    apt-key was made obsolete in version 0.7.25.1, released in January 2010, by /etc/apt/trusted.gpg.d becoming a supported place to drop additional keyring files, and was since then only intended for deleting keys in the legacy trusted.gpg keyring.

Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)