Comments (9)
@joelpurra So, the repository should now be used using SHA512 rather than SHA1. I forced the digest algo by adding digest-algo SHA512
in ~/.gnupg/gpg.conf
. The I used reprepro
to export once more the repository.
It should be easy to check using the following commands:
wget https://debian.piwik.org/dists/piwik/Release https://debian.piwik.org/dists/piwik/Release.gpg
gpg --verbose --keyring /etc/apt/trusted.gpg Release.gpg
gpg: armor header: Version: GnuPG v1.4.9 (GNU/Linux)
Detached signature.
Please enter name of data file: Release
gpg: Signature made Sun 01 Jan 2017 12:36:03 AM UTC using DSA key ID 66FED89E
gpg: using PGP trust model
gpg: Good signature from "Piwik Open Source Analytics (Debian Package) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1FD7 5257 1FE3 6FF2 3F78 F91B 81E2 E78B 66FE D89E
gpg: binary signature, digest algorithm SHA512
Could you please check on your side if you're still having the issue? Thanks
from matomo-package.
@joelpurra @mattab As for now, the GPG keys are bundled within the package itself which will allow us to upgrade them more smoothly. I've included a 4096 RSA key which will replace the 1024 DSA key in a few months.
from matomo-package.
Nicely done 👍
from matomo-package.
An alternative is to have a mini-package with no dependencies (other than standard packages) which sets up both the new apt repository and the keys on the target system. Then, when the real Piwik package is installed, it will be done inside the trusted environment. Although this requires one extra step for the user, the mini-package is just a few lines of code so it is very easy for security-conscious users to review.
from matomo-package.
Thanks for the report. @aureq maybe you would be able to investigate this?
from matomo-package.
@joelpurra After reading a fair bit, the issue may not be related to the GPG key type, but instead to the digest applied as part of the signing process (SHA1). But as you correctly pointed out, the instructions are vague.
I've done some test and Debian 7 (Wheezy) is fine and so is Debian 8 (Jessie). I didn't get any error message. I need to spin up an EC2 instance running Ubuntu to check how it behaves.
Going forward, I need to work on the repository to ensure the digest used is secure. So, SHA-256 or above should be used instead.
We (the piwik community) needs to plan and execute a migration plan to a stronger GPG key by using at least RSA-2048. On the Debian wiki it's mentioned that the repository should be signed with 2 GPG keys, but I'm not sure how is this meant to be done. If you know, feel free to chime in.
from matomo-package.
@aureq: thank you for looking in to it!
@joelpurra After reading a fair bit, the issue may not be related to the GPG key type, but instead to the digest applied as part of the signing process (SHA1). But as you correctly pointed out, the instructions are vague.
...
We (the piwik community) needs to plan and execute a migration plan to a stronger GPG key by using at least RSA-2048.
Yes, I do believe the preferred way forward is to upgrade both the digest and key algorithm/length. The Debian recommendation specifically state that DSA keys first need to be upgraded to RSA keys, but does not state that there is a check for the key algorithm/length. It seems a RSA-4096 bit key and SHA-512 digest is the preferred way forward though.
@joelpurra So, the repository should now be used using SHA512 rather than SHA1. I forced the digest algo by adding digest-algo SHA512 in ~/.gnupg/gpg.conf. The I used reprepro to export once more the repository.
...
Could you please check on your side if you're still having the issue? Thanks
Running the commands I get the below output. All looks good regarding the digest algorithm.
gpg --verbose --keyring /etc/apt/trusted.gpg --verify Release.gpg Release
gpg: armor header: Version: GnuPG v1.4.9 (GNU/Linux)
gpg: Signature made Sun 01 Jan 2017 01:47:00 AM CET
gpg: using DSA key 81E2E78B66FED89E
gpg: using pgp trust model
gpg: Good signature from "Piwik Open Source Analytics (Debian Package) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1FD7 5257 1FE3 6FF2 3F78 F91B 81E2 E78B 66FE D89E
gpg: binary signature, digest algorithm SHA512, key algorithm dsa1024
With the new digest algorithm, sudo apt-get install piwik
also works well. This fixes my issues. Good news indeed.
I leave it up to the project maintainers to keep this issues open, or to close it in favor of a new issue pertaining to the repository key algorithm upgrade.
Thanks again @aureq!
from matomo-package.
@danielhjames I considered this solution (along with setting the package repository) but I'm unlikely to implement it just yet. As you noted, that's an extra step for the end user. Yes, it add flexibility but not necessarily some security.
I'll keep that in the back of my mind but for a later time.
from matomo-package.
Hi @aureq I have an example of the mini-package which you might like to take a look at here: https://github.com/danielhjames/airtime-easy-setup
For me, the security question is "how much code am I asking the user to trust before trust is established?" which is why the mini-package is kept small and easy to review.
For this particular package, I used a long list of dependencies so that when the main package was installed, there would be no extra packages required. However I think it would be better to depend on packages in Debian/Ubuntu's 'standard' task only for the mini-package, as this makes the mini-package easier to install with tools that do not do dependency resolution, such as dpkg. Tools such as gdebi-core are easier for users but may have unwanted dependencies in a server environment, such as Python 3.
from matomo-package.
Related Issues (20)
- Smaller release file (remove not needed files from release) HOT 2
- Do not prepend autoloader HOT 1
- Package for 3.15.5 HOT 3
- On upgrade "The Matomo JavaScript tracker file "/matomo.js" & "/piwik.js" is not writable" HOT 2
- No debian package since 3.13.6 HOT 17
- Automate the packaging of Matomo beta/rc/stable releases via Github actions HOT 6
- Remove the WAG build from the script
- Releasing Matomo 4.0 for Debian HOT 13
- Don't include JS test files in the release
- Exclude phpcs.xml from release package
- Is the Matomo Debian package dead? HOT 72
- Working on debian package generation: .eslintrc ? HOT 1
- Working on debian package generation: autoload.php HOT 1
- Manifest / Integrity check has issues with symlinks HOT 2
- Changes in website format prevents pulling changelog when generating Debian package HOT 8
- Matomo 3.8.1 update? HOT 9
- libmaxminddb recommendations HOT 22
- matomo.php and matomo.js are missing from debian package HOT 1
- Security / Policy breach /usr/share/matomo/misc/user HOT 6
- Debian stretch (Matomo will stop supporting PHP 7.0 in the next major version.) HOT 17
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from matomo-package.