Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options

cpan/cpanm integrity and authenticy checks concerns

by hrcerq (Scribe)
on Jul 12, 2021 at 02:44 UTC ( #11134932=perlquestion: print w/replies, xml ) Need Help??

hrcerq has asked for the wisdom of the Perl Monks concerning the following question:

Hello, friends of the Monastery.

I'm not (yet) making heavy use of cpan or cpanm tools, and I'm still getting used to them.

Until now, every module I needed I could obtain from operating system repositories. Naturally, these repositories aren't nearly as comprehensive as CPAN as whole, they offer just a small subset of it, so it's just a matter of time until I need to obtain something using cpan/cpanm.

Not that it's a difficult task, but I have some security-related concerns. I'll explain:

According to CPAN module docs:

  • CPAN supports digital signatures;
  • however, these are not enforced on new modules;
  • beyond that, signature checks are disabled by default;
  • also, for it to be enabled, additional modules are needed (Module::Signature, specifically, and maybe Crypto::OpenPGP, if the gpg program is not available);
  • and finally, access to the keyservers is expected.

According to cpanm utility docs:

  • the --verify flag may be used to perform integrity and authenticity checks if checksum and signature files are available;
  • what happens if these files are not available is not clear (is the installation process aborted?);
  • again, this option is disabled by default.

A more security-aware developer might want to enable check_sigs flag on cpan or use --verify on cpanm, and install appropriate modules (for cpan), but how many will even consider this? Security is often complex by itself and when it's opt-in, it has a great chance of being overlooked. Not to mention there's not much to do if the module you need wasn't even signed to begin with.

Personally, I take it as a serious threat to CPAN ecosystem. Considering how many mirrors there are out there, I believe it's too much a surface attack to be covered without using crypto signatures. Without it, it might be very difficult to determine if some package on any of the mirrors wasn't tampered at some point in time.

I know this is a very long question, but I had to provide some context (so thank you if you got this far). So, here's my question: am I exaggerating, is there anything I'm not aware of? As I said, I'm not entirely familiar with cpan/cpanm, and I hope this community might provide some insight on this matter.

return on_success() or die;

  • Comment on cpan/cpanm integrity and authenticy checks concerns

Replies are listed 'Best First'.
Re: cpan/cpanm integrity and authenticy checks concerns
by Anonymous Monk on Jul 12, 2021 at 07:01 UTC

    You're right, but here's the problem: on the Internet, everyone is an Alice. It's not an Alice and Bob situation where they can engage in some trade-craft and exchange their public key fingerprints during a dinner date because they know each other.

    If we drop the keyserver access requirement, what's to stop an evil mirror from creating a key pair in the name of the module developer and signing an evil module just for you?

      Indeed, the keyserver has a very important role here (at least while OpenPGP is the chosen approach). I actually believe this part is all right as long as Internet access is avaiable.

      But my point is that security is not enforced in any way. Seems almost like it's an afterthought.

      And actually, I think there might be some workarounds (some with OpenPGP, some with other approaches):

      • With OpenPGP approach, maybe some keys from known developers could be shipped together with perl (or maybe in separate packages depending on the operating system). These keys take some time to expire, and could be used to check for new other keys, in a Web of Trust;
      • Outside of OpenPGP approach, however, there are options too. For instance, I like OpenBSD's approach, with signify . Every OpenBSD release contains the key necessary to verify the next release, so indirectly every new key is signed by its predecessor.

        Maybe this could be applied to every Perl distribution, in the sense that every distribution comes with the necessary key for the next version. That way, at least every update will be safe. It's worth noting these keys are relatively small (thanks to ED25519 algorithm), so shipping them is cheap.

        That way, only the first install would be unsafe, and a compromised key could be easily detected during updates.

      I know crypto solutions are not trivial, but I believe there are options. I completely agree with the idea of giving choice to the users, but I think security should be opt-out, not opt-in.

      return on_success() or die;

        Thanks for the idea. Shipping a root key with Perl and signing (perhaps via a few intermediaries) the developers' keys with it to let them sign their distributions would solve part of the Alice problem by providing a way for the user to verify that the package has been signed with a key known to the owner of the key (CPAN) which was signed by the root (Perl) key. I agree that having this system is better than not having a way to validate a developer's key and that this should protect from the evil mirror problem if the existing Perl installation is clean (and that latter assumption we just have to trust, see "Reflections on trusting trust" by Ken Thompson).

        The current situation can be somewhat circumvented by only downloading packages from (effectively limiting oneself to a single mirror, which doesn't quite scale, and having to trust the HTTPS PKI, which is arguably not as good as a dedicated Perl PKI).

        It should also be noted that typical supply chain attacks on modules involve typosquatting and taking over unmaintained modules, which, aside the author's public key visibly changing, wouldn't raise any louder alerts: the attacker would look the same as any other CPAN citizen, but the signed code supplied by them would also be malicious. But that's a social problem, likely impossible to solve by purely technical means.

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://11134932]
Approved by kcott
Front-paged by parv
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others taking refuge in the Monastery: (4)
As of 2022-06-27 23:27 GMT
Find Nodes?
    Voting Booth?
    My most frequent journeys are powered by:

    Results (89 votes). Check out past polls.