Ticket #106 (new defect)

Opened 7 years ago

Last modified 12 months ago

koji download-build does not work via SSL

Reported by: till Owned by: mikeb
Priority: minor Milestone:
Component: client Version: 1.2.2
Keywords: Cc: matt@…, mcepl, bochecha, pfrields
Blocked By: Blocking:


When I want to download packages from koji, it would be nice to make sure that they are not tampered with. Therefore it would be nice to be able to download them via SSL. It works using wget and the getfile URLs, but it does not work using "koji download-build".

Example wget commandline:

wget --ca-certificate=.fedora-server-ca.cert --certificate .fedora.cert --private-key .fedora.cert "https://koji.fedoraproject.org/koji/getfile?taskID=800631&name=xorg-x11-server-Xdmx-"

Change History

comment:1 Changed 7 years ago by mattmccutchen

  • Cc mattmccutchen added

comment:2 Changed 6 years ago by mattmccutchen

  • Cc matt@… added; mattmccutchen removed

I want integrity-protected Koji downloads too. Unfortunately, "getfile" does not seem to work for "old" builds, e.g., your link above does not work now. My current technique is to download the package insecurely and then check the output of rpm -q --qf '%{SIGMD5}\n' -p foo.rpm against the "Payload Hash" value on the RPM info page on Koji. Note also a proposal to sign Koji packages.
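The manual check described in the comment above, as an added example that is not part of the ticket, of Koji or of rpm: it reads the SIGMD5 entry out of an RPM's signature header (the value rpm prints as %{SIGMD5} and Koji shows as "Payload Hash"), recomputes the MD5 over the header and payload that follow, and compares both with the value read off the build's Koji page. The RPM image, the two tampered copies and the Koji hash value are constructed inline; the parser handles only the BIN and fixed-width integer tag types, which is all the signature tags used here need.

```python
"""Verify an RPM's "Payload Hash" (SIGMD5) against the value published by Koji.

SIGMD5 lives in the RPM signature header and is the MD5 of everything after
that header (main header + payload).  Koji shows it as "Payload Hash"; rpm
prints it as %{SIGMD5}.  Example code for this ticket, not part of Koji or rpm.
"""
import hashlib
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header structure magic, version 1
RPMSIGTAG_SIZE = 1000                    # INT32: size of header + payload
RPMSIGTAG_MD5 = 1004                     # BIN: MD5 of header + payload
RPM_INT32_TYPE, RPM_BIN_TYPE = 4, 7
# bytes per element for fixed-width tag types (strings are not needed here)
_FIXED_WIDTH = {0: 0, 1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}


def _read_header(buf, off):
    """Parse the header structure at buf[off]; return ({tag: (type, data)}, end_offset)."""
    if buf[off:off + 4] != RPM_HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    index_start = off + 16
    store_start = index_start + 16 * nindex
    entries = {}
    for i in range(nindex):
        entry = buf[index_start + 16 * i:index_start + 16 * (i + 1)]
        tag, typ, doff, cnt = struct.unpack(">IIII", entry)
        if typ not in _FIXED_WIDTH:
            raise ValueError("string-typed tag %d not supported by this parser" % tag)
        start = store_start + doff
        entries[tag] = (typ, buf[start:start + _FIXED_WIDTH[typ] * cnt])
    return entries, store_start + hsize


def payload_hash(rpm_bytes):
    """Return (stored SIGMD5 hex, MD5 recomputed over header + payload) for an RPM image."""
    if rpm_bytes[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM file")
    sig, end = _read_header(rpm_bytes, 96)        # 96-byte lead, then the signature header
    end += (8 - (end - 96) % 8) % 8                # signature header is padded to 8 bytes
    typ, stored = sig[RPMSIGTAG_MD5]
    if typ != RPM_BIN_TYPE or len(stored) != 16:
        raise ValueError("malformed SIGMD5 entry")
    return stored.hex(), hashlib.md5(rpm_bytes[end:]).hexdigest()


def verify_payload_hash(rpm_bytes, koji_payload_hash):
    """True only if the file is self-consistent AND matches the hash Koji publishes."""
    stored, computed = payload_hash(rpm_bytes)
    return stored == computed == koji_payload_hash.lower()


# --- constructed sample data; not a real Fedora build ------------------------

def _build_header(entries):
    """Build a header structure from [(tag, type, data)], storing data in order."""
    index, store = b"", b""
    for tag, typ, data in entries:
        index += struct.pack(">IIII", tag, typ, len(store), len(data) // _FIXED_WIDTH[typ])
        store += data
    return (RPM_HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store))
            + index + store)


def build_sample_rpm(header_and_payload):
    """Wrap opaque 'main header + payload' bytes in a lead and a minimal signature header."""
    lead = (RPM_LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)
            + b"sample-1.0-1".ljust(66, b"\0") + struct.pack(">HH", 1, 5) + b"\0" * 16)
    assert len(lead) == 96
    sig = _build_header([
        (RPMSIGTAG_MD5, RPM_BIN_TYPE, hashlib.md5(header_and_payload).digest()),
        (RPMSIGTAG_SIZE, RPM_INT32_TYPE, struct.pack(">I", len(header_and_payload))),
    ])
    sig += b"\0" * ((8 - len(sig) % 8) % 8)
    return lead + sig + header_and_payload


SAMPLE_PAYLOAD = b"<main header + cpio payload, constructed for this example>"
SAMPLE_RPM = build_sample_rpm(SAMPLE_PAYLOAD)
# Stands in for the "Payload Hash" read off the build's Koji page over https.
KOJI_PAYLOAD_HASH = hashlib.md5(SAMPLE_PAYLOAD).hexdigest()

# Modified in transit: one payload byte flipped, signature header untouched.
TAMPERED_RPM = SAMPLE_RPM[:-1] + bytes([SAMPLE_RPM[-1] ^ 0x01])
# Modified and re-sealed: the attacker also rewrites SIGMD5, so the file is
# self-consistent again and only the comparison with Koji's value catches it.
RESEALED_RPM = build_sample_rpm(SAMPLE_PAYLOAD[:-1] + bytes([SAMPLE_PAYLOAD[-1] ^ 0x01]))

if __name__ == "__main__":
    for name, image in (("original", SAMPLE_RPM), ("tampered", TAMPERED_RPM),
                        ("resealed", RESEALED_RPM)):
        stored, computed = payload_hash(image)
        print("%-8s stored=%s computed=%s matches_koji=%s"
              % (name, stored[:12], computed[:12], verify_payload_hash(image, KOJI_PAYLOAD_HASH)))
```

The value stored inside the file is not evidence of anything by itself: SIGMD5 is unsigned data, and the re-sealed image shows that whoever rewrites the payload can rewrite the hash too. What the check buys is that the comparison target came from Koji over an authenticated https connection while the file did not, which is exactly the gap the ticket asks the client to close. The hash is also MD5, so it detects a modified file but offers no collision resistance.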

comment:3 Changed 3 years ago by mcepl

  • Cc mcepl added

comment:4 Changed 14 months ago by bochecha

  • Cc bochecha added

comment:5 Changed 14 months ago by pfrields

  • Priority changed from minor to major
  • Cc pfrields added

I am raising the priority on this issue in the wake of the newest scary-named security issue (so-called "Shellshock").

Currently there is still no way to securely retrieve Koji builds through the client, without authenticating. Server verification should be done separately from client authentication, so that users who are not Fedora Project members with accounts can still easily download critical builds, and know their packages are not tampered with.

To illustrate the problem:

$ # [Edit ~/.koji/config and /etc/koji.conf to use only https:// method...]
$ > .fedora-server-ca.cert
$ koji -s https://koji.fedoraproject.org/kojihub download-build <build>
$ # [Succeeds where it should fail.]

Fedora Project members with a FAS account and proper client certs can use download-build with --force-auth, but this should not be limited to just account holders. The workaround is to use other download methods (Firefox, wget, curl, etc.) and a manual process of verification.

comment:6 Changed 14 months ago by pfrields

  • Priority changed from major to minor

This appears to be both more complex and simpler than I thought... using https://kojipkgs.fedoraproject.org for the topurl, the right thing may be happening already. This is kind of unclear so I am changing the priority back and awaiting enlightenment in the ticket. :-)

comment:7 follow-up: ↓ 8 Changed 14 months ago by kevin

the hub and downloads are actually already completely separate. ;)

koji.fedoraproject.org -> The hub, uses its own CA and people need to have a cert to authenticate with it.

kojipkgs.fedoraproject.org -> squid/apache on another machine with access to all koji packages data. This uses a valid DigiCert cert (our *.fedoraproject.org wildcard cert) and requires no authentication in order to download anything from it. You can use http or https just fine.

The koji client as shipped in fedora uses http, so you need to edit /etc/koji.conf and tell it to use https and it will do so. ;)

So, we need an update to the koji package in all supported fedora releases with this change and then download-build will start using https for folks.
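The two settings involved, shown here as an added illustration rather than text from the ticket or from the koji package; the section and key names follow the layout of Fedora's /etc/koji.conf of the period, and the serverca path is an assumption for illustration. topurl is where download-build fetches the files, while server is the hub it queries first for the build's RPM list, so switching only topurl leaves that list arriving unauthenticated even though the files then come over https.

```ini
; /etc/koji.conf as shipped: hub query and file downloads both over plain http
[koji]
server = http://koji.fedoraproject.org/kojihub
topurl = http://kojipkgs.fedoraproject.org/

; corrected: hub query and file downloads both over https
[koji]
server = https://koji.fedoraproject.org/kojihub
topurl = https://kojipkgs.fedoraproject.org/
; CA that issued the hub's server certificate (the hub uses its own CA; assumed path)
serverca = ~/.fedora-server-ca.cert
```

The two [koji] sections are the before and after of one file, not meant to coexist; a user-level ~/.koji/config overrides the system file, so it needs the same change if it sets either URL.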

comment:8 in reply to: ↑ 7 Changed 14 months ago by till

Replying to kevin:

So, we need a update to the koji package in all supported fedora releases with this change and then download-build will start using https for folks.

I am preparing this update. However fedora-packager needs to be updated to do this also for secondary architectures. Also we should review whether there is any problem when it is run with build-ids or maybe in general and is first getting information from koji via plain http before using kojipkgs to actually download the packages. Is it maybe possible to add a second koji hostname like koji-anon.fpo that allows only HTTPS without authentication or make koji with authentication become only koji-auth.fpo and make koji.fpo available without authentication but a proper certificate?

comment:9 Changed 12 months ago by mikem

So this is not so much an upstream koji issue as a configuration/packaging issue for koji in Fedora. Should we move this to bugzilla then?
