Skip to content

pkg/verify: Ensure signature name matches release name #293

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wking wants to merge 1 commit into from
Closed

pkg/verify: Ensure signature name matches release name #293

wking wants to merge 1 commit into from

Conversation

@wking
Copy link
Member

@wking wking commented Jan 7, 2020

Guard against attackers who present a target image that has been signed by a trusted key, but which is not the expected release image. For example, it could be a bare RHEL image and not an OpenShift release image.

@wking
pkg/verify: Ensure signature name matches release name
9b76336 
Guard against attackers who present a target image that has been
signed by a trusted key, but which is not the expected release image.
For example, it could be a bare RHEL image and not an OpenShift
release image.
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 7, 2020

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jan 7, 2020
@smarterclayton
Copy link
Contributor

smarterclayton commented Jan 7, 2020

/hold

I don't understand the attack here. We explicitly chose not to verify against the arbitrary from spec (which might change in the future arbitrarily).

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 7, 2020
@wking
Copy link
Member Author

wking commented Jan 7, 2020

If a malicious Cincinnati served a RHEL image as a release image update target, the CVO would validate the signature (which would pass). Then it calls targetUpdatePayloadDir, which calls ValidateDirectory, which looks for expected release-image stuff. So we don't need this change to guard against that.

@wking
Copy link
Member Author

wking commented Jan 7, 2020

There is no existing protection for downgrade attacks (e.g. 4.2.13 -> 4.0.0), but sometimes we want downgrades (e.g. if we recommend 4.y.z -> 4.y.(z+1), but 4.y.(z+1) proves unstable, so we recommend 4.y.(z+1) -> 4.y.z to get folks back to a safe place until we can cut 4.y.(z+2)). I'm not worried about that in general.

I am worried that a malicious Cincinnati could attach a name (e.g. 4.2.13) to a different, signed-by-Red-Hat pullspec (e.g. the one for 4.0.0). But @smarterclayton points out that you could guard against that by pulling and inspecting signed metadata before adding releases to ClusterVersion's status.AvailableUpdates, so you don't need this signature-name guard for that.

So I still think we want this PR to ensure we're using images that the signer expected to be OpenShift release images, but I'll survive with us saying "the signer thought the image was good for something, and on layer inspection it seems to be an OpenShift release image".

/close

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 7, 2020

@wking: Closed this PR.

Details

In response to this:

There is no existing protection for downgrade attacks (e.g. 4.2.13 -> 4.0.0), but sometimes we want downgrades (e.g. if we recommend 4.y.z -> 4.y.(z+1), but 4.y.(z+1) proves unstable, so we recommend 4.y.(z+1) -> 4.y.z to get folks back to a safe place until we can cut 4.y.(z+2)). I'm not worried about that in general.

I am worried that a malicious Cincinnati could attach a name (e.g. 4.2.13) to a different, signed-by-Red-Hat pullspec (e.g. the one for 4.0.0). But @smarterclayton points out that you could guard against that by pulling and inspecting signed metadata before adding releases to ClusterVersion's status.AvailableUpdates, so you don't need this signature-name guard for that.

So I still think we want this PR to ensure we're using images that the signer expected to be OpenShift release images, but I'll survive with us saying "the signer thought the image was good for something, and on layer inspection it seems to be an OpenShift release image".

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@wking wking deleted the verify-name branch January 7, 2020 22:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crawford crawford Awaiting requested review from crawford

@smarterclayton smarterclayton Awaiting requested review from smarterclayton

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@wking @openshift-ci-robot @smarterclayton