Actions

Google Chrome Repository Insecurity

From Whonix



Insecurechromiumrepo.jpg

Google Chrome Repository Insecurity[edit]

Summary[edit]

As per 14 March 2021,

  • Google wants you to install a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key.
  • Repository download happens over plain http without encryption/authentication (TLS) (https).

Source[edit]

Signing Key[edit]

As per 14 March 2021, Google wants you to run the following command. (archived [archive]) 

wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

This effectively results in installing a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key.

What this does is using the wget command line downloader to download an APT signing key and then using Debian's apt-key utility to install the signing key to the system's APT keyring /etc/apt/trusted.gpg. Sidenote: both apt-key and /etc/apt/trusted.gpg are deprecated by Debian [1] but that doesn't have a security impact here.

1) Download https://dl.google.com/linux/linux_signing_key.pub [archive]

2) View OpenPGP key information. 

gpg --keyid-format long --import --import-options show-only --with-fingerprint linux_signing_key.pub

3) Will show. 

pub   dsa1024/A040830F7FAC5991 2007-03-08 [SC]
      Key fingerprint = 4CCA 1EAF 950C EE4A B839  76DC A040 830F 7FAC 5991
uid                            Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub   elg2048/4F30B6B4C07CB649 2007-03-08 [E]

gpg: key 7721F63BD38B4796: 2 signatures not checked due to missing keys
pub   rsa4096/7721F63BD38B4796 2016-04-12 [SC]
      Key fingerprint = EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
uid                            Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub   rsa4096/78BD65473CB3BD13 2019-07-22 [S] [expires: 2022-07-21]

The first key shows dsa1024 which means a DSA key with only 1024 bits.

In January 2011 the National Institute of Standards and Technology (NIST) stated, quote [archive]:

Disallowed after 2013

Google seems to agree with this assessment since their signing key file linux_signing_key.pub already contains a newer key rsa4096 (RSA with 4096 bits). There is however no need whatsoever to still include the weak dsa1024 in the signing key file linux_signing_key.pub.

Repository[edit]

1) Download https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb [archive] (archived google-chrome-stable_current_amd64.deb [archive])

2) Extract or open with ark the google-chrome-stable_current_amd64.deb compressed archive file. 

ark google-chrome-stable_current_amd64.deb

3) Extract or open control.tar.gz a file inside the google-chrome-stable_current_amd64.deb compressed archive file.

4) Open the file postinst (the Debian package maintenance script by the google-chrome-stable_current_amd64.deb Debian package).

5) Line 137 is: 

REPOCONFIG="deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main"

6) Conclusion.

Using plain http instead of https (TLS).

Other sources showing using http instead of https:

Bug Reports[edit]

Related[edit]

Footnotes[edit]

  1. Quote https://blog.jak-linux.org/2021/02/18/apt-2.2/ [archive]

    apt-key was made obsolete in version 0.7.25.1, released in January 2010, by /etc/apt/trusted.gpg.d becoming a supported place to drop additional keyring files, and was since then only intended for deleting keys in the legacy trusted.gpg keyring.
Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Google Chrome Repository Insecurity&body=https://www.whonix.org/wiki/Google_Chrome_Repository_Insecurity link=https://reddit.com/submit?url=https://www.whonix.org/wiki/Google_Chrome_Repository_Insecurity&title=Google Chrome Repository Insecurity link=https://news.ycombinator.com/submitlink?u=https://www.whonix.org/wiki/Google_Chrome_Repository_Insecurity&t=Google Chrome Repository Insecurity link=https://mastodon.technology/share?message=Google Chrome Repository Insecurity%20https://www.whonix.org/wiki/Google_Chrome_Repository_Insecurity&t=Google Chrome Repository Insecurity

We are looking for contributors and developers.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Retrieved from "https://www.whonix.org/w/index.php?title=Google_Chrome_Repository_Insecurity&oldid=67615"
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.
More information