incorrectly reported signature validation failure (Rust 1.8.0 to Rust 1.21.0, some nightlies) #3250
Comments
|
The actual signatures do match, this is yet another problem of the pgp library used by rustup rejecting still valid signatures (like the issue that prompted rustup 1.25.2 to be released). You can manually verify it matches with: |
|
rustup mistakenly says signatures are not verified from Rust 1.8.0 to Rust 1.20.0. |
rbtcollins
changed the title
ChaiTRex
changed the title
|
Found out that 1.14 is fine and 1.21 is not. Failures list |
|
This is happening on 1.67.1 and 1.69.0-nightly for me so I don't think it's limited to 1.8 to 1.20. Just today on macOS. I'm surprised this was just a warning and it didn't bail out and require me to manually override. Seems like if this was an actual mismatch, I could be in some trouble and have just downloaded untrusted/unverified code. I do understand that TLS mitigates this; I just kinda expect that if a project does elect to use the extra layer of signature checks, that they serve their purpose and aren't mere theatre. I could be misunderstanding this warning though. |
rbtcollins
changed the title
|
We haven't been confident enough in the system in place to promote the signature validation from warning to blocking. There's also been discussion about TUF but I don't think anyone is actively pushing on those concerns currently. |
rbtcollins
changed the title
rbtcollins
changed the title
|
Getting this warning updating to 1.68: Agree with @dcow on this that the default behaviour is surprising. The enduser could always be prompted to use |
@pietroalbini, I'd appreciate it if you could describe what valid signatures sequoia is rejecting so that we can fix sequoia.
Can you explain what you mean here. I'm a bit confused about the comparison to the 1.25.2 issue: My recollection of that issue is that the security of the certificate used to create the signatures relied on SHA-1. SHA-1 is broken, so those signatures were not valid. Are you saying those signatures were (are?) valid? |
|
@nwalfield I suspect we have multiple different cases though, as the reported nightly issue above doesn't reproduce for me: I'm not sure what infra's take on the current situation is. Mine (a rustup team-lead) is: we don't currently depend on the PGP signature validity for our security: our primary security mechanism today is transport security and trusted mirrors. We have stalled work in progress towards TUF or some such thing, and we have a PGP validation layer that is warn-only (though users can opt into strict checks). I would like us to have PGP or TUF or some similar form of transport-independent verification of the distributions we're installing, because the sheer number of corporate MITM proxies makes depending solely on transport security iffy. There are a number of things we likely need to do to get to that point, though what the minimum work is is currently unclear. HTH |
I can not reproduce it on my M1 Macbook Pro too. |
|
Discussion on zulip and discord seems to have consensus that there is no harm, and some benefit just removing the gpg code for now.
I think (will have to check) we have a regular checksum in the channels that we can use to detect bit-errors and short-reads without GPG. So this should be fairly easy, though its not going to be a super-tiny patch. The other detail to consider is users that have opted into strict gpg validation. Should we make their config files error (to surface their config not applying anymore), or just ignore the key? I think erroring is marginally better, but welcome input! |
|
The signature for the 1.8.0 channel uses SHA-1: As @pietroalbini points out, gpg accept this: That's because FWIW, I also can't reproduce the nightly issue either. And, looking at the signature, it seems fine: @pietroalbini says:
Right now, I don't see any evidence that the pgp library used by rustup is rejecting still valid signatures. The policy explicitly opted into by That said, I'd strongly recommend not allowing the use of SHA-1 for signatures. To address this specific issue, my recommendation is to resign the files that use signatures that rely on SHA-1. It appears that at least the following signatures are affected: |
Is that actually possible? |
No, my fleshy ChatGPT-4 implementation was hallucinating :) . Daniel and I discussed it at one point I think. |
This is a breaking change: the gpg config settings, variables, and related cli commands are all removed. Fixes: rust-lang#3250 by removing our GPG support. - the foundation's new security engineer Walter Pearce is working on a new system, not based around GPG, for validation of distributions - we don't rely on the signatures today - these warnings are not errors by default - sustained ignored, unfixable signature errors will teach folk to ignore them, which is harmful to everyone - we could do streaming unpacking (with some changes) if we trust the transport rather than the current monolithic signature validation, which could improve performance Downloads still have a checksum which is verified.
|
@rbtcollins @pietroalbini Is there any problem with accepting sha-1 completely for now, as opposed to removing the entire signature check? |
|
I don't think keeping gpg support while accepting sha-1 has any value tbh. |
Problem
Older versions of Rust (on
x86_64-unknown-linux-gnu) report a signature verification failure, so I cannot trust them, so I can't check which of those versions of Rust my code works on.Steps
rustup toolchain install 1.8Possible Solution(s)
No response
Notes
This applies to more than just 1.8, but here is the output for 1.8, which I stopped early.
Rustup version
rustup 1.25.2 (17db695f1 2023-02-01)Installed toolchains
The text was updated successfully, but these errors were encountered: