Not a panacea
All it takes is someone hacking the server (or intermediary proxy) and deploying a trojanned file and updated hash; that's generally easier than manipulating a download in flight. It's an improvement on a blind download, at least.
Brandon Philips, a member of the technical staff at Red Hat, has created a software tool called rget for Linux, macOS, and Windows, to make it easier to determine whether downloaded files can be trusted. The command-line application is intended as an alternative to wget, a widely used tool for fetching files that has been …
There are at least two attacks I can think of:
One: hack one of the existing developers and release the code using their identity. Chances are they'll use the same credentials for uploading a new version as they do for updating the hash, or it'll be a somewhat automated tool chain for pushing a new release. This could involve anything from pure social engineering to getting access to their physical hardware (i.e. stealing their laptop) or anything in between.
Or, pretend to be a good developer and get granted your own credentials (more social engineering).
(Similar to the second one would be buying an existing app from its creator and updating it to do what you want).
rget only protects against someone modifying an existing release, and assumes that they can't modify the file and the hash.
I think it's awesome that somebody finally did this. We've all been hearing about hash checks for decades, but this is finally going to make it part of standard checking automatically - or as near as possible.
Sure, there's always a risk, but that does not diminish the value of this tool.
I think it's awesome that somebody finally did this.
There are tools that do this already. E.g. DownThemAll plugin for Firefox can do this (well, the pre-Webextension Firefox anyway).
All this is really doing is merging wget and the many standard utilities that exist for checking hashes anyway, so it removes a manual step (or having to write a trivial script that glues wget and hash checking together).
They are muppets if they do so; unfortunately this is all too common.
The problem with bringing in JavaScript from all over the place is that it makes the web page fail if the visitor is running a JavaScript blocker, as we do in increasing numbers to stop 3rd party adverts and privacy intrusion from things like google-analytics.
If you want to use jQuery then dish it up from your own server, it is smaller than the corporate logo that you have on every page.
I was thinking of a DNS type system where you have authoritative root hash servers that distribute hash lists to lower level servers.
But I like blockchain better!
Maybe we could also hash the hash list every so often, to makes sure nobody has made unauthorised changes? Then we could hash the hash of hashes just to be really sure? Then it's hashes all the way down?
This rget tool sounds user friendly. But in the *nix world you can just pipe or build a 4-line script to:
download the file (whether binary or compressed) using the good old wget
verify the signature of the 'checksum file' made with the author's private key, using the author's public key and OpenSSL
verify the digest of the binary using the 'checksum file'
Done.
With rget there are new weaknesses created, as mentioned above. This tool rget is more convenient and user friendly but less secure, IMO.
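The script the comment above describes, written out as an added example (not code from the thread or from the rget project). Assumptions: the author publishes release.tar.gz, a SHA256SUMS file, and a detached signature SHA256SUMS.sig made with their private key, and the downloader already holds the author's public key as author.pub; the URL layout in fetch_release and the RSA key are stand-ins. The demo at the bottom generates a throwaway key and a constructed release offline, so it runs without a network, and then shows the two tampering cases the thread discusses: a swapped file with the old checksum list (digest mismatch), and a swapped file with a rewritten checksum list (signature failure).

```shell
#!/bin/sh
# Added example, not from the thread or rget. Assumed artefact names:
# release.tar.gz, SHA256SUMS, SHA256SUMS.sig, author.pub.

# Step 1 of the comment: fetch the three artefacts with plain wget.
# Not exercised by the offline demo; the URL layout is an assumption.
fetch_release() {
    base=$1; dest=$2
    for f in release.tar.gz SHA256SUMS SHA256SUMS.sig; do
        wget -q -O "$dest/$f" "$base/$f" || return 1
    done
}

# Steps 2 and 3: verify the signature over the checksum file, then the digest.
# Order matters: the checksum file is untrusted until its signature checks out.
verify_release() {
    pubkey=$1; sums=$2; sig=$3; file=$4

    openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$sums" >/dev/null 2>&1 || {
        echo "FAIL: signature on $sums does not verify with $pubkey" >&2
        return 1
    }

    # Pull the expected digest for exactly this file name (tolerating the
    # "*name" binary-mode marker) rather than feeding the whole list to
    # sha256sum -c, which would also fail on entries for files not downloaded.
    expected=$(awk -v f="$(basename "$file")" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || {
        echo "FAIL: no entry for $(basename "$file") in $sums" >&2
        return 1
    }

    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || {
        echo "FAIL: digest mismatch for $file" >&2
        return 1
    }
    echo "OK: $file matches signed checksum"
}

# Offline fixture standing in for the author's release process: a throwaway
# RSA key pair, a constructed release file, its checksum list, and the signature.
make_fixture() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/author.key" >/dev/null 2>&1
    openssl pkey -in "$dir/author.key" -pubout -out "$dir/author.pub"
    printf 'constructed release payload\n' > "$dir/release.tar.gz"
    (cd "$dir" && sha256sum release.tar.gz > SHA256SUMS)
    openssl dgst -sha256 -sign "$dir/author.key" \
        -out "$dir/SHA256SUMS.sig" "$dir/SHA256SUMS"
}

# The good case, then the two tampering cases from the thread.
demo() {
    d=$(mktemp -d) || return 1
    make_fixture "$d"
    verify_release "$d/author.pub" "$d/SHA256SUMS" "$d/SHA256SUMS.sig" "$d/release.tar.gz" || return 1

    printf 'trojan\n' >> "$d/release.tar.gz"          # attacker swaps the binary
    if verify_release "$d/author.pub" "$d/SHA256SUMS" "$d/SHA256SUMS.sig" "$d/release.tar.gz"; then
        return 1                                        # digest mismatch expected
    fi

    (cd "$d" && sha256sum release.tar.gz > SHA256SUMS)  # ...and "updates the hash"
    if verify_release "$d/author.pub" "$d/SHA256SUMS" "$d/SHA256SUMS.sig" "$d/release.tar.gz"; then
        return 1                                        # signature failure expected
    fi
    rm -rf "$d"
}

demo
```

The point the demo makes concrete: with only a checksum, an attacker who can replace the file on the server can replace the checksum too, and nothing notices. With a signature over the checksum list, the attacker additionally needs the author's private key, which is the "two resources instead of one" argument made earlier in the thread. It does nothing against a compromised developer or key, as the same thread points out.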
It depends a bit on your threat model. It's easier to compromise one resource than two.
Not read the file, but assuming they are using Merkle trees/blockchain, then this does provide a notable improvement in security for old releases.
One would hope that they also provide a mechanism to mark a particular version as known vulnerable.
Not really. Red Hat still exists, it's just now owned by IBM as opposed to being owned by a bunch of shareholders. But it is (and will remain for the foreseeable future) a separate legal entity, and people who work for Red Hat are still employed by that legal entity, not by the legal entity called IBM.
"people who work for Red Hat are still employed by that legal entity, not by the legal entity called IBM"
They will be employed until IBM decides it needs to trim the workforce to cut costs. And as we all know, IBM has become very, very good at doing that of late.
This is a great idea, because RPM is so complicated that quite often people don't bother.
Software repos exist. But they all get system-specific cruft added till they are too complicated and people resort to wget.
Rget is kinda cool. Wish it wasn't.
You should be able to make an rpm with something like
mkrpm foo.rpm .
Because wget isn't "Linux", it's GNU. The design philosophy of *nix is "many tools, each of which do one thing right". Wrap whatever tools you like in a script, and Bob's your Auntie. (Actually, I question the "combine FTP and HTTP into one tool" reasoning behind wget ... but I'll be nice and not go there for the moment.)
Just as a friendly reminder to the kiddies brought up on a GUI: if you have to type it once a month or more, script it (or make it an alias). Saves the heartache of typos, if nothing else.
For extra points, can you guess why I shy away from distros which think systemd is a good idea?