Google Chrome Repository Insecurity[edit]

Summary[edit]

As per 14 March 2021,

Google wants you to install a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key.
Repository download happens over plain http without encryption/authentication (TLS) (https).

Source[edit]

Signing Key[edit]

As per 14 March 2021, Google wants you to run the following command. (archived ^[archive])

wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

This effectively results in installing a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key.

What this does is using the wget command line downloader to download an APT signing key and then using Debian's apt-key utility to install the signing key to the system's APT keyring /etc/apt/trusted.gpg. Sidenote: both apt-key and /etc/apt/trusted.gpg are deprecated by Debian ^[1] but that doesn't have a security impact here.

1) Download https://dl.google.com/linux/linux_signing_key.pub ^[archive]

2) View OpenPGP key information.

gpg --keyid-format long --import --import-options show-only --with-fingerprint linux_signing_key.pub

gpg --keyid-format long --import --import-options show-only --with-fingerprint linux_signing_key.pub

3) Will show.

pub   dsa1024/A040830F7FAC5991 2007-03-08 [SC]
      Key fingerprint = 4CCA 1EAF 950C EE4A B839  76DC A040 830F 7FAC 5991
uid                            Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub   elg2048/4F30B6B4C07CB649 2007-03-08 [E]

gpg: key 7721F63BD38B4796: 2 signatures not checked due to missing keys
pub   rsa4096/7721F63BD38B4796 2016-04-12 [SC]
      Key fingerprint = EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
uid                            Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub   rsa4096/78BD65473CB3BD13 2019-07-22 [S] [expires: 2022-07-21]

The first key shows dsa1024 which means a DSA key with only 1024 bits.

In January 2011 the National Institute of Standards and Technology (NIST) stated, quote ^[archive]:

Disallowed after 2013

Google seems to agree with this assessment since their signing key file linux_signing_key.pub already contains a newer key rsa4096 (RSA with 4096 bits). There is however no need whatsoever to still include the weak dsa1024 in the signing key file linux_signing_key.pub.

Repository[edit]

1) Download https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb ^[archive] (archived google-chrome-stable_current_amd64.deb ^[archive])

2) Extract or open with ark the google-chrome-stable_current_amd64.deb compressed archive file.

ark google-chrome-stable_current_amd64.deb

3) Extract or open control.tar.gz a file inside the google-chrome-stable_current_amd64.deb compressed archive file.

4) Open the file postinst (the Debian package maintenance script by the google-chrome-stable_current_amd64.deb Debian package).

5) Line 137 is:

REPOCONFIG="deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main"

6) Conclusion.

Using plain http instead of https (TLS).

Other sources showing using http instead of https:

https://github.com/brave/brave-browser/issues/1084 ^[archive]

Bug Reports[edit]

Related[edit]

Footnotes[edit]

↑ Quote https://blog.jak-linux.org/2021/02/18/apt-2.2/ ^[archive]
apt-key was made obsolete in version 0.7.25.1, released in January 2010, by /etc/apt/trusted.gpg.d becoming a supported place to drop additional keyring files, and was since then only intended for deleting keys in the legacy trusted.gpg keyring.

Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.

Jobs in USA

Follow:

Support:

Donate:

Want to make Whonix ™ safer and more usable? We're looking for helping hands. Check out the Open Issues and development forum.

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee ^[archive] of the Open Invention Network ^[archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Whonix ™ is a derivative of and not affiliated with Debian ^[archive]. Debian is a registered trademark ^[archive] owned by Software in the Public Interest, Inc ^[archive].

Whonix ™ is produced independently from the Tor® ^[archive] anonymity software and carries no guarantee from The Tor Project ^[archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.

[1] Quote https://blog.jak-linux.org/2021/02/18/apt-2.2/ ^[archive]
apt-key was made obsolete in version 0.7.25.1, released in January 2010, by /etc/apt/trusted.gpg.d becoming a supported place to drop additional keyring files, and was since then only intended for deleting keys in the legacy trusted.gpg keyring.

[1]

Google Chrome Repository Insecurity

From Whonix

Contents