[tex-live] TeX Live repository currently unsigned

Jonas Witschel jonas.witschel at tu-ilmenau.de
Tue Sep 12 18:13:28 CEST 2017


Hi,

currently there seems to be a problem with the PGP signature of the main
TeX Live repository: running

tlmgr update --list --repository
"http://dante.ctan.org/tex-archive/systems/texlive/tlnet"

(using the root node here only to verify that it is not a problem with
my mirror) returns

tlmgr: package repository
http://dante.ctan.org/tex-archive/systems/texlive/tlnet (not verified:
not signed)

Indeed the signature of the TeX Live database
(http://mirror.ctan.org/tex-archive/systems/texlive/tlnet/tlpkg/texlive.tlpdb.sha512.asc)
appears to be missing, judging by some older mirrors since yesterday
(September 11).

While I suspect this might be an issue with the TeX Live build system
that can be fixed soon, this actually shows the deeper problem that
tlmgr would happily update from the unsigned repository with the default
configuration. This means all an adversary needed to do in order to
install arbitrary updates would be to make sure that the signature of
the database cannot be accessed, provided that the user does not
carefully check the output of "tlmgr update --list" before updating.

In my opinion tlmgr should exit with an error if GnuPG is installed on
the system, but the repository is unsigned, at least for the main TeX
Live repository. This feature is already implemented as the
"--require-verification" argument and configuration option, but is not
activated by default. I maintain that it should be the default for
systems that have GnuPG installed.

I appreciate that this will create problems for custom repositories that
might not be signed at all. On the other hand, the only public
repositories I am aware of are TeX Live contrib
(http://contrib.texlive.info/) and the KOMA-Script repository
(https://komascript.de/node/2049), both of which are signed anyway.
Moreover even if this problem arises it can be fixed (at the expense of
security) by using "--no-require-verification".

Kind regards,
Jonas Witschel
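The fail-closed behaviour the post argues for, as an added POSIX shell example (not code from the post, from tlmgr or from the TeX Live project): a check that refuses to proceed when the detached signature on the database checksum is absent or does not verify, instead of reporting "not verified: not signed" and carrying on. It assumes the file names on the page (texlive.tlpdb, texlive.tlpdb.sha512, texlive.tlpdb.sha512.asc), that the .sha512 file is in sha512sum format (hash, spaces, filename), and that the trusted TeX Live public keys are in a keyring file whose absolute path is passed as the second argument.

```sh
#!/bin/sh
# verify_tlpdb DIR KEYRING
#   DIR     directory holding texlive.tlpdb and its checksum/signature files
#   KEYRING absolute path of a GnuPG keyring containing the trusted repository key
# Exit codes: 0 verified, 2 signature/checksum file missing, 3 bad signature,
#             4 gpg not available, 5 checksum mismatch.  Anything but 0 means
#             "do not update from this repository".
verify_tlpdb() {
    dir=$1; keyring=$2
    db="$dir/texlive.tlpdb"
    sum="$dir/texlive.tlpdb.sha512"
    sig="$dir/texlive.tlpdb.sha512.asc"

    # Fail closed: a missing .asc is treated like a bad signature, not like "unsigned".
    for f in "$db" "$sum" "$sig"; do
        [ -f "$f" ] || { echo "refusing repository: $f is missing" >&2; return 2; }
    done

    command -v gpg >/dev/null 2>&1 || { echo "refusing repository: gpg not installed" >&2; return 4; }

    # Verify the detached signature over the checksum file against the trusted keyring only.
    gpg --batch --no-default-keyring --keyring "$keyring" --verify "$sig" "$sum" >/dev/null 2>&1 \
        || { echo "refusing repository: signature on $sum does not verify" >&2; return 3; }

    # Bind the signed checksum to the actual database contents (assumed sha512sum format).
    expected=$(cut -d' ' -f1 "$sum")
    if command -v sha512sum >/dev/null 2>&1; then
        actual=$(sha512sum "$db" | cut -d' ' -f1)
    else
        actual=$(shasum -a 512 "$db" | cut -d' ' -f1)
    fi
    [ "$expected" = "$actual" ] || { echo "refusing repository: checksum mismatch for $db" >&2; return 5; }

    echo "repository verified: $dir"
    return 0
}
```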

