Comment on A sneaky demonstration of the dangers of curl bash
ShortN0te@lemmy.ml 23 hours agoNot completely correct. A lot of updaters work with signatures to verify that what was downloaded is signed by the correct key.
With bash curl there is no such check in place.
So strictly speeking it is not the same.
xylogx@lemmy.world 23 hours ago
Signatures do not help if your distribution infra gets compromised. See Solarwinds and the more recent node.js incidents.
axx@slrpnk.net 20 hours ago
Please tell me you are not seriously equating a highly sophisticated attack line the Solarwind compromise with piping curl to bash?
ShortN0te@lemmy.ml 22 hours ago
This is incorrect. If the update you download is compromised then the signature is invalid and the update fails.
To achieve a compromised update you either need to compromise the update infrastructure AND the key or the infratstructure AND exploit the local updater to accept the invalid or forged signature.
xylogx@lemmy.world 22 hours ago
If I can control your infra I can alter what is a valid signature. It has happened. It will happen again. Digital signatures are not sufficient by themselves to prevent supply chain risks. Depending on your threat model, you need to assume advanced adversaries will seek to gain a foothold in your environment by attacking your software supplier. in these types of attacks threat actors can and will take control over the distribution mechanisms deploying trojaned backdoors as part of legitimately signed updates. It is a complex problem and I highly encourage you to read the NIST guidance to understand just how deep the rabbit hole goes.
Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
ShortN0te@lemmy.ml 21 hours ago
No you cannot, the pub key either needs to be present on the updater or uses infrastructure that is not owned by you. Usually how most software suppliers are doing it the public key is supplied within the updater.