| Summary: | Emit warning (in log) when no or only unsafe checksum algorithms are used for an artifact | | |
|---|---|---|---|
| Product: | [Eclipse Project] Equinox | Reporter: | Mickael Istria <mistria> |
| Component: | p2 | Assignee: | Mickael Istria <mistria> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | enhancement | | |
| Priority: | P3 | CC: | akurtakov, Ed.Merks, jonah |
| Version: | unspecified | | |
| Target Milestone: | 4.22 M2 | | |
| Hardware: | All | | |
| OS: | All | | |
| See Also: | https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/186138<br>https://git.eclipse.org/r/c/www.eclipse.org/eclipse/news/+/186272<br>https://git.eclipse.org/c/www.eclipse.org/eclipse/news.git/commit/?id=47e5088b92d8ecda9b3cf6e9bc559392bd0426ba<br>https://bugs.eclipse.org/bugs/show_bug.cgi?id=576528<br>https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/186418<br>https://git.eclipse.org/c/equinox/rt.equinox.p2.git/commit/?id=fdff8cdc16ee50427975f872e8e4f3b01eea641d | | |
| Whiteboard: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 575688 | | |
Description
Mickael Istria

New Gerrit change created: https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/186138

Mickael, please add N&N entry.

New Gerrit change created: https://git.eclipse.org/r/c/www.eclipse.org/eclipse/news/+/186272

Gerrit change https://git.eclipse.org/r/c/www.eclipse.org/eclipse/news/+/186272 was merged to [master]. Commit: http://git.eclipse.org/c/www.eclipse.org/eclipse/news.git/commit/?id=47e5088b92d8ecda9b3cf6e9bc559392bd0426ba

As a bit of a cross-reference, it looks like lots (~10%) of bundles in SimRel will log this warning. See Bug 576528 Comment 5. I have raised a Q&A on Tycho for information on generating the checksums - https://github.com/eclipse/tycho/discussions/326

This new message that the user sees suggests that he should consider doing something:

    onlyInsecureDigestAlgorithmUsed = Only insecure digest algorithms ({0}) are being used to verify {1}. Consider using a safer digest algorithm.

But in the end, the user is powerless to act, isn't she? The user doesn't produce these IUs. So we're giving him worries for which, in the end, she has no recourse.

Are we doing this to protect the users or just to shift responsibility for any potential problems to the users?

In the end though, I'm not sure we should generate this message for a signed artifact. The signature is checked regardless of whether a less than 100% secure digest algorithm additionally confirms the security...

I agree that the message is not best, but if we are taking security seriously we can not rely on insecure checksums. Signing is not an absolute requirement from p2 POV, and I think that checksums are used prior to loading the signed jar (not 100% sure); thus this may lead to actually replacing the signed jar with your own unsigned one if faking the checksum. Mickael, is it possible to enhance the message to be explicit about the user requesting the vendor (Bundle-Vendor, repository url, etc. as data) to not use insecure checksums?

(In reply to Ed Merks from comment #6)
> In the end though, I'm not sure we should generate this message for a signed
> artifact. The signature is checked regardless of whether a less than 100%
> secure digest algorithm additionally confirms the security...

As mentioned by Alex, if there are no checksums, one can easily inject a different artifact, which could be either not digitally signed or signed with a fraudulent certificate, and users install it without a clue it's not the expected artifact. Jar signature verification does take place too late (after the transfer) to give the guarantee that the artifact we get is the one we want.

New Gerrit change created: https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/186418

Gerrit change https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/186418 was merged to [master]. Commit: http://git.eclipse.org/c/equinox/rt.equinox.p2.git/commit/?id=fdff8cdc16ee50427975f872e8e4f3b01eea641d
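As an added illustration of the policy this bug asks for (example code written for this page, not p2's own implementation and not part of the Gerrit changes above), the following Python models the check: it reads the `download.checksum.<algorithm>` properties of an artifact descriptor, verifies the downloaded bytes against every recorded digest, and logs the `onlyInsecureDigestAlgorithmUsed` message when only MD5/SHA-1 are recorded. The property-name prefix follows p2's artifact-descriptor convention; which algorithms count as secure, the wording of the no-checksum warning, the `VerificationResult` type and the sample artifact are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Assumed classification for the example: which recorded digests count as secure.
SECURE_ALGORITHMS = {"sha-256", "sha-512"}
INSECURE_ALGORITHMS = {"md5", "sha-1"}
# p2 records artifact digests as descriptor properties "download.checksum.<algorithm>".
CHECKSUM_PREFIX = "download.checksum."

# Message text as it appears in the bug; the no-checksum wording is constructed here.
ONLY_INSECURE_MSG = ("Only insecure digest algorithms ({0}) are being used to verify {1}. "
                     "Consider using a safer digest algorithm.")
NO_CHECKSUM_MSG = "No digest algorithm is being used to verify {0}."


@dataclass
class VerificationResult:
    ok: bool                      # False only when a recorded digest did not match
    verified_with: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def recorded_checksums(properties: dict) -> dict:
    """Return {algorithm: hex digest} for every download.checksum.* property."""
    return {key[len(CHECKSUM_PREFIX):]: value.lower()
            for key, value in properties.items() if key.startswith(CHECKSUM_PREFIX)}


def verify_artifact(data: bytes, properties: dict, artifact_id: str) -> VerificationResult:
    """Verify downloaded bytes against the descriptor's digests and collect warnings.

    Runs at transfer time, before any jar-signature check, so a substituted
    artifact is rejected as long as at least one strong digest was recorded.
    """
    checksums = recorded_checksums(properties)
    result = VerificationResult(ok=True)
    if not checksums:
        result.warnings.append(NO_CHECKSUM_MSG.format(artifact_id))
        return result

    known = [alg for alg in checksums if alg in SECURE_ALGORITHMS | INSECURE_ALGORITHMS]
    for algorithm, expected in checksums.items():
        if algorithm not in known:
            result.warnings.append(
                f"Unknown digest algorithm {algorithm} recorded for {artifact_id}; skipped.")
            continue
        # hashlib names drop the dash: "sha-256" -> "sha256", "sha-1" -> "sha1"
        actual = hashlib.new(algorithm.replace("-", ""), data).hexdigest()
        if actual != expected:
            result.ok = False
            result.warnings.append(
                f"{algorithm} digest of {artifact_id} does not match the repository metadata.")
        else:
            result.verified_with.append(algorithm)

    if known and not any(alg in SECURE_ALGORITHMS for alg in known):
        result.warnings.append(ONLY_INSECURE_MSG.format(", ".join(sorted(known)), artifact_id))
    return result


# Constructed sample artifact and id; not real SimRel content.
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed stand-in for org.example.bundle_1.0.0.jar"
SAMPLE_ID = "org.example.bundle_1.0.0"


def descriptor_with(*algorithms, data: bytes = SAMPLE_ARTIFACT) -> dict:
    """Build descriptor properties that record the given digests of `data`."""
    return {CHECKSUM_PREFIX + alg: hashlib.new(alg.replace("-", ""), data).hexdigest()
            for alg in algorithms}


if __name__ == "__main__":
    for algs in [("md5", "sha-256"), ("md5",), ()]:
        r = verify_artifact(SAMPLE_ARTIFACT, descriptor_with(*algs), SAMPLE_ID)
        print(algs, r.ok, r.warnings)
    # A tampered download against a recorded SHA-256 is rejected before any signature check.
    print(verify_artifact(SAMPLE_ARTIFACT + b"x", descriptor_with("sha-256"), SAMPLE_ID))
```

The mismatch case at the end is the point made in the thread: with a strong digest in the repository metadata the client can reject a substituted artifact during transfer, whereas with no digest (or only MD5/SHA-1) the first real check is the jar signature, which runs after the bytes have already been accepted.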