Dear developers: sign your code!
Yesterday the domain belonging to the Bastille Linux server hardening project was taken over by a domain squatter who is demanding $10,000 to give it back.
So far the squatter hasn’t done anything malicious with the web site, but how much can you trust someone whose business model is extortion? The Bastille scripts are popular, especially among less experienced sysadmins. Just the right audience to foist a “new and improved” hardening script onto… containing rootkits and botnet clients.
That scenario would be made a little less easy if the Bastille project cryptographically signed their files. Unfortunately, none of the files produced by the project are signed by GNU Privacy Guard (GPG) or Pretty Good Privacy (PGP). Without a strong way to verify that the files are unaltered, hosting malicious versions on the now hijacked web site would be trivial.
Nearly all of the larger open source projects now sign their code, with a few appalling omissions:
| Project | How releases can be verified |
|---|---|
| Apache HTTPd | Individual GnuPG signatures |
| MySQL community server | Individual GnuPG signatures |
| ISC BIND DNS server | Individual GnuPG signatures |
| CentOS Linux ISOs | Signed MD5SUM and SHA1 files |
| Ubuntu Linux ISOs | Signed MD5SUM file |
| Fedora Linux ISOs | Signed SHA1 checksums |
| Novell OpenSuSe Linux ISOs | unsigned MD5SUMs only |
| Perl source code | unsigned MD5SUMs only |
| Python source code | Individual GnuPG signatures |
| PHP | unsigned MD5SUMs only |
| GNU CC (GCC) compilers | Individual GnuPG signatures (but not on all mirrors) |
| OpenSSH | Individual GnuPG signatures |
| Netfilter iptables packet filter | Individual GnuPG signatures |
So when building a typical LAMP server it’s possible to verify the authenticity of all components except the PHP and Perl interpreters… unless you’re building on OpenSUSE, in which case the entire OS is unverifiable.
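As an added example (not from the original post or from any of the projects in the table), this Go program contrasts the two models listed above: an unsigned checksum file, which whoever controls a mirror can simply regenerate to match an altered tarball, and a signed checksum file, which fails verification unless the project's own key signed it. It uses Ed25519 from Go's standard library in place of GnuPG, and the file name and contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// sha256Hex returns the lowercase hex digest, as a SHA256SUMS line carries it.
func sha256Hex(data []byte) string { s := sha256.Sum256(data); return hex.EncodeToString(s[:]) }

// Manifest builds a one-file SHA256SUMS-style text: "<digest>  <name>\n".
func Manifest(name string, data []byte) []byte {
	return []byte(sha256Hex(data) + "  " + name + "\n")
}

// VerifyUnsigned is the "unsigned MD5SUMs only" model: it only proves the file
// matches whatever manifest sits beside it on the mirror, attacker-supplied or not.
func VerifyUnsigned(manifest []byte, name string, data []byte) error {
	want := sha256Hex(data) + "  " + name
	for _, line := range strings.Split(string(manifest), "\n") {
		if line == want {
			return nil
		}
	}
	return fmt.Errorf("%s: no matching digest in manifest", name)
}

// VerifySigned is the "signed checksum file" model: the manifest signature is
// checked against the project's published key before any digest in it is trusted.
func VerifySigned(pub ed25519.PublicKey, manifest, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return fmt.Errorf("manifest not signed by the project key (altered or replaced)")
	}
	return VerifyUnsigned(manifest, name, data)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the project's release key
	good, evil := []byte("genuine tarball (constructed)"), []byte("altered tarball (constructed)")
	manifest := Manifest("bastille-1.0.tar.gz", good)
	sig := ed25519.Sign(priv, manifest) // published beside the manifest
	evilManifest := Manifest("bastille-1.0.tar.gz", evil) // a hijacked mirror regenerates it to match
	fmt.Println(VerifyUnsigned(evilManifest, "bastille-1.0.tar.gz", evil))         // <nil>: tampering accepted
	fmt.Println(VerifySigned(pub, evilManifest, sig, "bastille-1.0.tar.gz", evil)) // signature error
	fmt.Println(VerifySigned(pub, manifest, sig, "bastille-1.0.tar.gz", good))     // <nil>: genuine release
}
```

The unsigned check passes on the tampered release because the attacker rewrote the checksum file too; only the signed manifest ties the digests to a key the mirror does not hold.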
The situation is better than a few years ago. In 2002 there were separate incidents where backdoors were inserted into Sendmail and into OpenSSH. Those incidents woke up many developers to the importance of signing their code.
Most of the major open source projects got the message, but smaller projects like Bastille rarely sign their files. That seems a little silly when a typical open source project’s source code is mirrored on hundreds of servers around the world, many of which are either rooted or run by less than trustworthy individuals. It’s like a chef meticulously preparing a fine meal, then handing it to a random passerby to deliver to the customer.
Of course, cryptographic signing of files is not foolproof: the “web of trust” model for verifying keys used by GPG is hardly robust, and GPG is clunky to use (though various front-ends make it less of a chore).
So developers… please sign your code. Right now it’s the best open solution there is to prevent someone from doing evil things to your hard work, even if you forget to renew your domain registration.
Many tutorials exist on creating a GPG key and using it to sign files. The GNU Privacy Handbook itself is awful, but these are pretty good:
Tags: application security, code signing, file signing, gpg, rant, secure coding, trojans