[Future] Code Signing and Enhanced Security Against Supply-Chain Attacks

[paragonie-scott]

Before I begin, here's some supplementary reading material. I'll try to make this feature request make sense without reading any of this material, but in case I fail this should fill in any of the gaps:

• The basics of secure code delivery, by @defuse
• An in-depth guide to building a secure automatic update system (which is predicated on secure code delivery)
• [Secure Code Delivery] Stream Updates to a Chronicle packagist#797 - Related Packagist issue
• AnarchKey: Experimental PKI for Securing Software Updates paragonie-scott/public-projects#5 - AnarchKey: PKI without authorities based on append-only cryptographic ledgers
• Chronicle: An append-only cryptographic ledger that obviates the need for blockchain technology for many use cases

---

Background

Supply-chain attacks against package managers are an underappreciated threat. Even if we assume that the only entities capable of pulling off such an attack are in the employ of government agencies around the world, there is no guarantee that such exploits will never be used (especially in a time of international conflict).

A supply-chain attack against a package manager (i.e. Packagist) would involve gaining privileged access to the package manager infrastructure (GitHub, the Packagist servers) in order to deliver malware when someone attempts to install/update a dependency. These attacks can either be targeted (e.g. only towards IP addresses in a given country) or widespread (e.g. all Symfony users).

Unfortunately, most of the security industry gravitates towards the red team side of affairs, where they're incentivized to build better attacks rather than designing resilient infrastructure, so it's likely that the day the threat of supply-chain attacks becomes tangible, there will be little-to-no recourse unless proactive measures are taken, starting today.

A lot of the groundwork has been laid by other projects (i.e. The Update Framework), but as of 2017-12-26 there are no package managers deployed at scale that solve this problem adequately.

Mitigating Supply-Chain Attacks Against Composer/Packagist

First, we need mechanisms built into Composer and Packagist for developers to:

1. Register public keys for their project's namespaces.
   • Probably nobody except @sebastianbergmann should be able to issue public keys for the phpunit vendor, for example.
2. Sign their releases using one of their secret keys.

There's a few other things that are implied here (i.e. the ability to generated Ed25519 keypairs). I plan on developing a composer plugin in the coming weeks that handles this, but it will need a corresponding API built into Packagist to receive public keys and signed release metadata.

Aside: I'm open to alternative proposals for getting signed release metadata into Packagist, but directly signing/releasing them from the command line is by far the best UX design I could come up with.

• Creating a signed file and expecting users to attach it while filling out the "New Release" form on Github seems too error-prone.
• Wrapping git tag -s seemed complicated and too locked into git (no love for Mercurial, SVN, etc.)
• Creating a file and committing/tagging for the user seems undesirable for most projects.
• (Your idea might be better than mine!)

Next, Packagist will need to stream all software updates and signatures to a Chronicle instance. It's a good idea to also publish new public key<->vendor associations here too.

Finally, integrate with Herd (either directly or via a Composer plugin) to verify all future updates.

Once these pieces are in place:

• Vendors will be able to sign their own software updates. (Tentatively, composer release <version>.)
• Vendors will own their own signing keys.
  • In emergency situations, the "core vendor" for the ecosystem (i.e. Composer) can issue revocations and/or new keys, and the client-side can choose whether or not to accept these core-signed key changes. This is a break-glass feature that cannot be abused silently, and users can outright disable in their configuration.
• Users will be able to verify that:
  1. The update they're seeing really came from the vendor.
  2. They're seeing the same updates that everyone else in the world sees.
  3. (Knowing the git commit data): They can reproduce the same .zip, .tar.gz, etc. from the source code.

Current Progress of this Project

• Chronicle (developed by P.I.E.)
• Herd (developed by P.I.E.)
• Quill, for writing to a Chronicle (developed by P.I.E.)
• Composer - plugins and/or core changes described above (P.I.E. will develop these soon)
• Packagist - necessary changes to accommodate this feature

I'm not sure what an appropriate milestone is, but I'd consider making this a v2.0 feature (assuming we can elevate the PHP requirement to 7.0+ for Composer v2 and use sodium_compat so we don't have to go further and make it 7.2+).

[Ayesh]

I think it's worth mentioning a few approaches we already have to look at.

• NPM's discussions on the same topic: Signed and certified packages node-forward/discussions#29. NPM's packages are published from npm publish, so it gives a lot of possibilities for them to implement signing. With your suggestions in adding a composer release command, I think we are going the right direction.
• Phar.io currently has gpg verification for a few known packages and almost every Github release if it publishes the signature. Primary packages have a manifest file with all information including signature. phpunit (and many, if not all, packages by Sebastian are published here)
• A GPG verification Roave/composer-gpg-verify plugin by @Ocramius

As for Github tagged releases, the tag endpoint should return their signed status and the gpg key ID. We of course have to take GitHub's word for it because we do not have the the full gpg key to verify. Perhaps integrating with Keybase can help get the full image.

Having read your contributions and efforts in WordPress releases (39309) and composer/packagist#797 to bring these features to users who don't even have latest PHP version running.
Direct GitHub download method works quite well for everyone, including the PHP 5.3 users. All downloads are served over HTTPS, where I believe OCSP responses are properly checked. Logging TLS certificates to a public append-only log is practically mandatory nowadays, and the PKI infrastructure the Chronicle project you mentions is already here for TLS. One can't check for reproducible builds or refer the package signatures with peers though.

All packages you have mentioned have 0, 0 and 3 downloads at the time I'm writing this. I believe it's a good measure to say that there are not many people who actively use and can help maintain the infrastructure and code in Composer/packagist. It's almost end of 2017 and we don't even have a reliable way to validate TLS certificates properly or implement TLS 1.3 because Internet is full of bugs, internet connections suck. Without a well-tested infrastructure, we'd also invent a new point of failure to everyone using composer.

[paragonie-scott]

[... all GPG suggestions...]

GPG is fine, but only GPG2+ with Ed25519 should be considered in-scope for this.

In particular, we want:

• No RSA, especially PKCS1v1.5
• No ECDSA that requires random nonces

Logging TLS certificates to a public append-only log is practically mandatory nowadays, and the PKI infrastructure the Chronicle project you mentions is already here for TLS.

Yep, Chronicle is very much in line with a Certificate Transparency use-case rather than a "blockchain" use-case.

All packages you have mentioned have 0, 0 and 3 downloads at the time I'm writing this.

Yes, that's my fault. Unfortunately, my skills lie within the realm of cryptography and security engineering rather than marketing.

It's almost end of 2017 and we don't even have a reliable way to validate TLS certificates properly or implement TLS 1.3 because Internet is full of bugs, internet connections suck.

For part of that, Certainty exists. TLS 1.3 is blocked by terrible vendors.

Without a well-tested infrastructure, we'd also invent a new point of failure to everyone using composer.

What sort of testing do you have in mind?

[Ayesh]

Ed25519 signatures are a great idea. With sodium in core/compat (thanks to you of course), Ed25519 should be easily possible. Github commit/tag signing works well with ed25519 as well, but unfortunately Gitlab and Bitbucket are not (only rsa1024-4096). This is if we are even checking Git tag signatures in first place.

I'm sorry I didn't mean anything negative with the download counts remark. I was simply saying we probably won't have many eyes watching the code as we should, specially considering this is a security-related project. This sounds like an entire PKI system that we have to plan, implement, and maintain. Even The Update Framework is not used in any package/dependency manager yet, at least that I know of. Apart from you/P.I.E, I don't think anyone knows the inner systems of Chronicle and other packages well enough to make immediate fixes or maintain the code in long term.

Relying on existing tools, even if we lack all the security gains yet, is a small but more robust step. I personally admire how Phive works. It integrates nicely with existing gpg signatures. For example, authors you trust outside phive are automatically trusted in Phive as well.

[paragonie-scott]

Ed25519 signatures are a great idea. With sodium in core/compat (thanks to you of course), Ed25519 should be easily possible. Github commit/tag signing works well with ed25519 as well, but unfortunately Gitlab and Bitbucket are not (only rsa1024-4096). This is if we are even checking Git tag signatures in first place.

This is exactly why I didn't just use GPG as a basis for package signing. My concerns about RSA aren't entirely academic, as demonstrated in July this year.

I'm sorry I didn't mean anything negative with the download counts remark. I was simply saying we probably won't have many eyes watching the code as we should, specially considering this is a security-related project.

That's fine, I didn't take it that way, but those numbers are the consequence of an unrelated problem that I'm really not great at solving.

Apart from you/P.I.E, I don't think anyone knows the inner systems of Chronicle and other packages well enough to make immediate fixes or maintain the code in long term.

I feel like the long-term solution here is finding more developers who are interested in cryptography and helping them grow to become experts.

Relying on existing tools, even if we lack all the security gains yet, is a small but more robust step.

That's probably a fair point. I'd like to hear others' ideas as well.

[theseer]

This may seem a bit off topic but please bear with me for a second but you asked for ideas.
Disclaimer: I'm one of the core developers of phive.

As phive requires to have gpg signed releases for every phar managed with it, it probably does not come as a surprise that I am/we are very much in favor of having cryptographic proof before installing anything. We decided to adopt the Redhat approach and require every Phar to be signed by a gpg key. Funny enough, this basic requirement seems to be not even common practice in the linux world as for instance Debian does not sign packages but merely repository meta data (afaik at least).

That being said, one of the most common questions asked is how to disable signature checks when installing something with phive (Answer: there is no way). As that's one of the core ideas behind it, that's kind of devastating but maybe the reason is a mere lack of signed releases?

Getting people to sign their releases though feels like a never ending task, requiring a lot of convincing. But as long as even composer's official documentation asks users to run a downloaded binary without any means of verification, I guess one can't really blame them...

Apart from composer currently lacking means to verify and enforce signed releases, it's also not that easy to automate the process of creating said releases. I guess it's a common practice to use travis-ci these days but being required to trust 3rd parties like travis-ci with a private key to automate building and signing comes as a problem to the paranoid. But maybe that's a special case for phive as we deal with build artifacts and not just git tags.

Regarding key types: Despite all the known potential attack vectors to me GPG and the public key server infrastructure are currently the best option available. While I also agree that GPG2 and elliptic curve keys seem to be the better choice, getting people to sign their releases to begin with is more important - regardless whether they use GPG2 or GPG 1.x. And regardless whether they go for non-RSA keys or not.

Btw, Redhat/Fedora for their current version 27 use RSA-4096:

root@nyda /etc/pki/rpm-gpg $ gpg2 RPM-GPG-KEY-fedora-27-primary 
pub   rsa4096 2017-02-21 [SCE]
      860E19B0AFA800A1751881A6F55E7430F5282EE4
uid           Fedora 27 (27) <fedora-27@fedoraproject.org>

tl;dr:
Signed releases are a must have in today's automated world and it's a shame composer doesn't enforce that already all the way. For signing, imho a pub/private key system should be used that is widely adopted and has a working (public) infrastructure as well as means to share public keys. To me, the only option here is GPG. Openssl signatures - as composer uses for itself atm - do not satisfy this requirement. Forcing Ed25519 type gpg keys might be a future option, but for now the focus should be to get the infrastructure right. Particularly if not all vendors support Ed25519 type keys yet.

[alcohol]

On this subject, https://sigstore.dev/what_is_sigstore/ could be interesting to keep an eye on.