Thread: Insecure instructions for installing YUM repo
Hi!

The instructions on http://yum.postgresql.org/howtoyum.php for installing the PostgreSQL YUM repository are insecure.

You are asking people to download and install the repo RPM package over HTTP. A MITM attack could serve an arbitrary RPM and trick users into installing arbitrary software.

The first option to fix this is to continue to use HTTP, but tell people to get the signing key and verify the key and package *before* installation. For this to work, you should publish your public key and fingerprint prominently on the site. If possible, provide the key over HTTPS so the key verification step can be skipped.

Step-by-step instructions should be included like:

1. download our public key with fingerprint FOO
2. verify our public key at https://pgp.mit.edu/ or some other source you trust
3. import our key into the RPM DB: rpm --import keyfile.key
4. download the RPM package for your distribution
5. verify the RPM package: rpm -K postgres.rpm
6. install the RPM package

The second way to fix the issue is to provide the repo RPM package over HTTPS. This option would be much easier for most users and will require less documentation.

Please see https://securityblog.redhat.com/2015/08/19/secure-distribution-of-rpm-packages/ for more details about why the current instructions are inadequate.

Thanks,
Mike
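The six-step verify-before-install procedure from the message above, as an added POSIX shell example that is not part of this thread: the key file's fingerprint is compared with the one published out of band before `rpm --import`, and the text printed by `rpm -K` must report a verified signature (not a bare digest check, not "NOT OK") before anything is installed. The key file, package file and expected fingerprint are arguments, not values from the thread; `gpg --show-keys` assumes GnuPG 2.1.23 or later, and the `rpm -K` output formats matched are the old and new rpm wordings.

```shell
#!/bin/sh
# Added example (not from the thread): check key fingerprint and package signature
# before installing a repo RPM. Key file, RPM file and expected fingerprint are
# passed as arguments; no real project values are embedded.

# Strip whitespace and upper-case hex so "ab cd" and "ABCD" compare equal
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n\t' | tr 'abcdef' 'ABCDEF'
}

# Succeeds only if the fingerprint read from the key equals the published one
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Primary-key fingerprint of a key file, listed without importing it (GnuPG >= 2.1.23)
key_fingerprint() {
    gpg --with-colons --show-keys "$1" 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Judge the text printed by `rpm -K`: reject any "NOT OK" (bad signature or missing
# key) and require that a signature was checked at all, because an unsigned package
# still passes its digest check and prints "digests OK"; wording varies by rpm version.
signature_output_ok() {
    case "$1" in *"NOT OK"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eiq 'signatures|pgp|gpg'
}

# Usage: verify_and_install keyfile.key postgres.rpm EXPECTED_FPR  (rpm steps need root)
verify_and_install() {
    key=$1; pkg=$2; expected=$3
    actual=$(key_fingerprint "$key") || return 1
    fingerprint_matches "$actual" "$expected" || { echo "key fingerprint mismatch: $actual" >&2; return 1; }
    rpm --import "$key" || return 1                                  # step 3
    out=$(rpm -K "$pkg") || { echo "$out" >&2; return 1; }           # step 5
    signature_output_ok "$out" || { echo "unsigned or unverifiable: $out" >&2; return 1; }
    rpm -i "$pkg"                                                    # step 6
}

if [ $# -eq 3 ]; then verify_and_install "$@"; fi
```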
Hi,

On Fri, 2016-02-19 at 02:03 -0400, Michael Gauthier wrote:
> The instructions on http://yum.postgresql.org/howtoyum.php for
> installing the PostgreSQL YUM repository are insecure.
>
> You are asking people to download and install the repo RPM package over
> HTTP. A MITM attack could serve an arbitrary RPM and trick users into
> installing arbitrary software.

Thanks for the heads up. I updated the links on that page, so that they point to https://download.postgresql.org . Does it work for you?

Please let us know if you see more issues with this.

Regards,
--
Devrim GÜNDÜZ
Principal Systems Engineer @ EnterpriseDB: http://www.enterprisedb.com
PostgreSQL Danışmanı/Consultant, Red Hat Certified Engineer
Twitter: @DevrimGunduz , @DevrimGunduzTR
On 2/19/2016 5:48 AM, Devrim GÜNDÜZ wrote:
>
> Hi,
>
> On Fri, 2016-02-19 at 02:03 -0400, Michael Gauthier wrote:
>> The instructions on http://yum.postgresql.org/howtoyum.php for
>> installing the PostgreSQL YUM repository are insecure.
>>
>> You are asking people to download and install the repo RPM package over
>> HTTP. A MITM attack could serve an arbitrary RPM and trick users into
>> installing arbitrary software.
>
> Thanks for the heads up. I updated the links on that page, so that they point
> to https://download.postgresql.org . Does it work for you?
>
> Please let us know if you see more issues with this.
>
> Regards,
>

Hi Devrim,

Thanks for the quick update to use HTTPS! This is indeed much better than before and works for me.

Cheers,
Mike