Bug 2225188 - Circular reasoning in source code verification
Summary: Circular reasoning in source code verification
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: bitcoin-core
Version: 39
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Simone Caronni
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-07-24 13:55 UTC by Björn Persson
Modified: 2023-08-16 07:54 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Björn Persson 2023-07-24 13:55:24 UTC 
Description of problem:
Since the packaging changes made for bitcoin-core 25.0, a program extracted from the source tarball – verify.py – is used to verify the signatures on that same tarball. The thing that's supposed to be authenticated is allowed to assert that it is authentic. That's useless.

If an attacker crafts a malicious source tarball, they will include a malicious verify.py that pretends to verify the signatures and feigns success. Thus the verification step is neutered, and the build will continue as if the malicious tarball had been verified.

Version-Release number of selected component:
25.0-1.fc39
Comment 1 Simone Caronni 2023-08-11 09:02:55 UTC 
This is the upstream method, with the difference that the official way is to download the binaries/tarballs/gpgkeys on the fly, which we are not allowed to do:

https://github.com/bitcoin/bitcoin/blob/master/contrib/verify-binaries/README.md

The last example of the readme file is exactly that.

I preferred the old method but I could not make it work.

Patches are welcome!
Comment 2 Fedora Release Engineering 2023-08-16 07:54:22 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.
Note You need to log in before you can comment on or make changes to this bug.