1
1
Fork
You've already forked iguana
1

missing: verify trusted comment #2

Closed
opened 2026年07月01日 03:21:42 +02:00 by pancelor · 1 comment

I have a similar script, and recently I realized I'd skipped one of the verification steps:

https://ziglang.org/download/community-mirrors/

After downloading a tarball, the following verification steps are required: (never skip these steps)

  • ...
  • To prevent downgrade attacks, a "file" field in the trusted comment is provided that must be verified to match the name of the requested tarball. The reference implementation, minisign, will verify the trusted comment but does not look for a "file" field, so this verification step must be implemented manually.

I fixed mine with this:

	echo "verifying"
	minisign -Vm "$filename" -P "$pubkey" || _fail 'minisign' || return 1
+	# check trusted comment; https://ziglang.org/download/community-mirrors/
+	trusted_comment="$(minisign -QVm "$filename" -P "$pubkey")"
+	trusted_filename="$(cut -d'	' -f 2 <<< "$trusted_comment")" # extract second field. brittle?
+	[[ "$trusted_filename" == "file:$filename" ]] || _fail 'trusted comment' || return 1

My implementation feels a bit gross (e.g. verifying a second time just to get the trusted comment), maybe you can find a nicer way to do it.

I have a similar script, and recently I realized I'd skipped one of the verification steps: https://ziglang.org/download/community-mirrors/ > After downloading a tarball, the following verification steps are required: (never skip these steps) > - ... > - To prevent downgrade attacks, a "file" field in the [trusted comment](https://jedisct1.github.io/minisign/#:~:text=Trusted%20comments) is provided that must be verified to match the name of the requested tarball. The reference implementation, minisign, will verify the trusted comment but does not look for a "file" field, so this verification step must be implemented manually. I fixed mine with this: ```diff echo "verifying" minisign -Vm "$filename" -P "$pubkey" || _fail 'minisign' || return 1 + # check trusted comment; https://ziglang.org/download/community-mirrors/ + trusted_comment="$(minisign -QVm "$filename" -P "$pubkey")" + trusted_filename="$(cut -d' ' -f 2 <<< "$trusted_comment")" # extract second field. brittle? + [[ "$trusted_filename" == "file:$filename" ]] || _fail 'trusted comment' || return 1 ``` My implementation feels a bit gross (e.g. verifying a second time just to get the trusted comment), maybe you can find a nicer way to do it.
mslapek added reference bugfix-verify-trusted-comment 2026年07月01日 11:25:06 +02:00

I've made a failing test to confirm the bug, added to the attached branch to this issue.

 # this should pull the poisoned package from the cache,
 # instead of trying to download it
 result = subprocess.run(
 [workdir / "iguana", "install", "0.66.7"], capture_output=True
 )
> assert result.returncode != 0
E AssertionError: assert 0 != 0

Iguana indeed happily installed Zig 0.16.0 disguised as 0.66.7 with return code 0, hence confirming the bug.

@pancelor Thanks for this issue! Great catch.

I'll add the trusted comment verification to satisfy the test.

I've made a failing test to confirm the bug, added to the attached branch to this issue. ``` # this should pull the poisoned package from the cache, # instead of trying to download it result = subprocess.run( [workdir / "iguana", "install", "0.66.7"], capture_output=True ) > assert result.returncode != 0 E AssertionError: assert 0 != 0 ``` Iguana indeed happily installed Zig 0.16.0 disguised as 0.66.7 with return code 0, hence confirming the bug. @pancelor Thanks for this issue! Great catch. I'll add the trusted comment verification to satisfy the test.
Sign in to join this conversation.
bugfix-verify-trusted-comment
No labels
bug
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
mslapek/iguana#2
Reference in a new issue
mslapek/iguana
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?