crouton's debootstrap call does not verify the packages it installs

[eighthave]

Since no keyring is provided and no gpgv binary present, crouton's invokation of debootstrap does not verify any of the packages that it downloads via plain text HTTP. That means that anyone with access to the network traffic can easily root the new crouton install. For example, if an attacker exploits a home router, which is easy to do these days, then that attacker can feed any file they want to when crouton's debootstrap's HTTP requests, and debootstrap will just install it. Additionally, debootstrap runs as root, so that attacker can also gain root by feeding bad packages to that HTTP connection.

Luckily, the fix is well documented and not too hard: download a gpgv binary and keyring from Debian over HTTPS, and point debootstrap to them. But as I said before #2067, I'm not going to sign this CLA, so I'm making a HOWTO for someone else to write the code, instead of a pull request.

get the keyring

• You can retrieve individual signing keys just like how debootstrap is fetched, i.e.: https://anonscm.debian.org/cgit/keyring/keyring.git/plain/debian-role-keys-gpg/0x2702CAEB90F8EEC5
• or extract the keyring from the Debian package, like I did in Lil' Debi: https://github.com/guardianproject/lildebi/blob/master/external/debian-archive-keyring/Makefile

building gpgv options

• build a static version, and commit to crouton.git: guardianproject/lildebi@e6f3eab
• use Debian's dynamically linked binary: https://packages.debian.org/gpgv
• push for an official Debian package of a static gpgv: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806940

Then gpgv needs to be in the path, and debootstrap can be run like this, similar to how I did it in Lil' Debi:

PATH="$newpath" DEBOOTSTRAP_DIR="$tmp" $FAKEROOT \
    "$tmp/debootstrap" --foreign --arch="$ARCH" --keyring=$KEYRING \
    "$RELEASE" "$tmp/$subdir" "$MIRROR" 1>&2

[dnschneid]

Thanks for the tips. I'll merge #2103 into here.

[sunnyps]

I thought I would work around this by specifying an https mirror with -m, e.g. mirrors.kernel.org/debian. However, that doesn't have any effect on where the debootstrap is downloaded from.

[eighthave]

does debootstrap support installing from an HTTPS mirror? Its not really very hard to do the proper GPG verification. The hardest part is really building gpgv. I've asked the GnuPG maintainers to provide a static build of gpgv, so that chroot managers like crouton could just download that one and use it. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806940 Some more traffic on that bug report would help give it visibility.

[eighthave]

gpgv-static is now built as part of Debian: https://packages.debian.org/gpgv-static making this quite easy to achieve now:

1. download from HTTPS debian mirror like https://mirrors.kernel.org: debootstrap debian-archive-keyring gpgv-static
2. unpack debian-archive-keyring and gpgv-static and put the files where debootstrap can find them
3. set --keyring= when calling debootstrap.

[dnschneid]

Thanks for the walkthrough, and for doing the evangelizing on the Debian side of things.

[anakimluke]

Please, correct me if I'm wrong, but shouldn't this be marked as kind of a priority?

[dnschneid]

Looks like debootstrap now automatically falls back on HTTPS