Create an account


Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Fedora - Web of Trust, Part 2: Tutorial

#1
Web of Trust, Part 2: Tutorial

<div style="margin: 5px 5% 10px 5%;"><img src="https://www.sickgaming.net/blog/wp-content/uploads/2020/10/web-of-trust-part-2-tutorial.png" width="1024" height="434" title="" alt="" /></div><div><p>The <a rel="noreferrer noopener" href="https://fedoramagazine.org/web-of-trust-part-1-concept/" target="_blank">previous article</a> looked at how the Web of Trust works in concept, and how the Web of Trust is implemented at Fedora. In this article, you’ll learn how to do it yourself. The power of this system lies in everybody being able to validate the actions of others—if you know how to validate somebody’s work, you’re contributing to the strength of our shared security.</p>
<p> <span id="more-31900"></span> </p>
<h2>Choosing a project</h2>
<p><a href="https://remmina.org/">Remmina</a> is a remote desktop client written in GTK+. It aims to be useful for system administrators and travelers who need to work with lots of remote computers in front of either large monitors or tiny netbooks. In the current age, where many people must work remotely or at least manage remote servers, the security of a program like Remmina is critical. Even if you do not use it yourself, you can contribute to the Web of Trust by checking it for others.</p>
<p>The question is: how do you know that a given version of Remmina is good, and that the original developer—or distribution server—has not been compromised?</p>
<p>For this tutorial, you’ll use <a href="https://flatpak.org/">Flatpak</a> and the <a rel="noreferrer noopener" href="https://flathub.org/home" target="_blank">Flathub</a> repository. Flatpak is intentionally well-suited for making verifiable rebuilds, which is one of the tenets of the Web of Trust. It’s easier to work with since it doesn’t require users to download independent development packages. Flatpak also uses techniques to prevent in‑flight tampering, using hashes to validate its read‑only state. As far as the Web of Trust is concerned, Flatpak is the future.</p>
<p>For this guide, you use Remmina, but this guide generally applies to every application you use. It’s also not exclusive to Flatpak, and the general steps also apply to Fedora’s repositories. In fact, if you’re currently reading this article on Debian or Arch, you can still follow the instructions. If you want to follow along using traditional RPM repositories, make sure to check out <a rel="noreferrer noopener" href="https://fedoramagazine.org/how-rpm-packages-are-made-the-source-rpm/" target="_blank">this article</a>.</p>
<h2>Installing and checking</h2>
<p>To install Remmina, use the Software Center or run the following from a terminal:</p>
<pre class="wp-block-preformatted">flatpak install flathub org.remmina.Remmina -y</pre>
<p>After installation, you’ll find the files in:</p>
<pre class="wp-block-preformatted">/var/lib/flatpak/app/org.remmina.Remmina/current/active/files/ </pre>
<p>Open a terminal here and find the following directories using <em>ls -la</em>:</p>
<pre class="wp-block-preformatted">total 44
drwxr-xr-x. 2 root root 4096 Jan 1 1970 bin
drwxr-xr-x. 3 root root 4096 Jan 1 1970 etc
drwxr-xr-x. 8 root root 4096 Jan 1 1970 lib
drwxr-xr-x. 2 root root 4096 Jan 1 1970 libexec
-rw-r--r--. 2 root root 18644 Aug 25 14:37 manifest.json
drwxr-xr-x. 2 root root 4096 Jan 1 1970 sbin
drwxr-xr-x. 15 root root 4096 Jan 1 1970 share</pre>
<h3>Getting the hashes</h3>
<p>In the <em>bin</em> directory you will find the main binaries of the application, and in <em>lib</em> you find all dependencies that Remmina uses. Now calculate a hash for <em>./bin/remmina</em>:</p>
<pre class="wp-block-preformatted">sha256sum ./bin/*</pre>
<p>This will give you a list of numbers: checksums. Copy them to a temporary file, as this is the current version of Remmina that Flathub is distributing. These numbers have something special: only an exact copy of Remmina can give you the same numbers. Any change in the code—no matter how minor—will produce different numbers.</p>
<p>Like Fedora’s Koji and Bodhi build and update services, Flathub has all its build servers in plain view. In the case of Flathub, look at <a rel="noreferrer noopener" href="https://flathub.org/builds/#/" target="_blank">Buildbot</a> to see who is responsible for the official binaries of a package. Here you will find all of the logs, including all the failed builds and their paper trail.</p>
<figure class="wp-block-image size-large"><img src="https://www.sickgaming.net/blog/wp-content/uploads/2020/10/web-of-trust-part-2-tutorial.png" alt="Illustration image, which shows the process-graph of Buildbot on Remmina." class="wp-image-31970" /></figure>
<h3>Getting the source</h3>
<p>The main Flathub project is hosted on GitHub, where the exact compile instructions (“manifest” in Flatpak terms) are visible for all to see. Open a new terminal in your Home folder. Clone the instructions, and possible submodules, using one command:</p>
<pre class="wp-block-preformatted">git clone --recurse-submodules https://github.com/flathub/org.remmina.Remmina</pre>
<h3>Developer tools</h3>
<p>Start off by installing the Flatpak Builder:</p>
<pre class="wp-block-preformatted">sudo dnf install flatpak-builder</pre>
<p>After that, you’ll need to get the right SDK to rebuild Remmina. In the manifest, you’ll find the current SDK is.</p>
<pre class="wp-block-preformatted"> "runtime": "org.gnome.Platform", "runtime-version": "3.38", "sdk": "org.gnome.Sdk", "command": "remmina",</pre>
<p>This indicates that you need the GNOME SDK, which you can install with:</p>
<pre class="wp-block-preformatted">flatpak install org.gnome.Sdk//3.38</pre>
<p>This provides the latest versions of the Free Desktop and GNOME SDK. There are also additional SDK’s for additional options, but those are beyond the scope of this tutorial.</p>
<h3>Generating your <strong>own hashes</strong></h3>
<p>Now that everything is set up, compile your version of Remmina by running:</p>
<pre class="wp-block-preformatted">flatpak-builder build-dir org.remmina.Remmina.json --force-clean</pre>
<p>After this, your terminal will print a lot of text, your fans will start spinning, and you’re compiling Remmina. If things do not go so smoothly, refer to the <a rel="noreferrer noopener" href="https://docs.flatpak.org/en/latest/building.html" target="_blank">Flatpak Documentation</a>; troubleshooting is beyond the scope of this tutorial.</p>
<p>Once complete, you should have the directory .<em>/build-dir/files/</em>, which should contain the same layout as above. Now the moment of truth: it’s time to generate the hashes for the built project:</p>
<pre class="wp-block-preformatted">sha256sum ./bin/*</pre>
<div class="wp-block-image">
<figure class="aligncenter size-large is-resized"><img loading="lazy" src="https://www.sickgaming.net/blog/wp-content/uploads/2020/10/web-of-trust-part-2-tutorial-1.png" alt="Illustrative image, showing the output of sha256sum. To discourage copy-pasting old hashes, they are not provided as in-text." class="wp-image-31952" width="565" height="192" /></figure>
</div>
<p>You should get exactly the same numbers. This proves that the version on Flathub is indeed the version that the Remmina developers and maintainers intended for you to run. This is great, because this shows that Flathub has not been compromised. The web of trust is strong, and you just made it a bit better.</p>
<h2>Going deeper</h2>
<p>But what about the <em>./lib/</em> directory? And what version of Remmina did you actually compile? This is where the Web of Trust starts to branch. First, you can also double-check the hashes of the <em>./lib/</em> directory. Repeat the <em>sha256sum</em> command using a different directory.</p>
<p>But what version of Remmina did you compile? Well, that’s in the Manifest. In the text file you’ll find (usually at the bottom) the git repository and branch that you just used. At the time of this writing, that is:</p>
<pre class="wp-block-preformatted"> "type": "git", "url": "https://gitlab.com/Remmina/Remmina.git", "tag": "v1.4.8", "commit": "7ebc497062de66881b71bbe7f54dabfda0129ac2"</pre>
<p>Here, you can decide to look at the Remmina code itself:</p>
<pre class="wp-block-preformatted">git clone --recurse-submodules https://gitlab.com/Remmina/Remmina.git cd ./Remmina git checkout tags/v1.4.8</pre>
<p>The last two commands are important, since they ensure that you are looking at the right version of Remmina. Make sure you use the corresponding tag of the Manifest file. you can see everything that you just built.</p>
<h2>What if…?</h2>
<p>The question on some minds is: what if the hashes don’t match? Quoting a famous novel: “Don’t Panic.” There are multiple legitimate reasons as to why the hashes do not match.</p>
<p>It might be that you are not looking at the same version. If you followed this guide to a T, it should give matching results, but minor errors will cause vastly different results. Repeat the process, and ask for help if you’re unsure if you’re making errors. Perhaps Remmina is in the process of updating. </p>
<p>But if that still doesn’t justify the mismatch in hashes, go to the <a rel="noreferrer noopener" href="https://github.com/flathub/org.remmina.Remmina" target="_blank">maintainers of Remmina</a> on Flathub and open an issue. Assume good intentions, but you might be onto something that isn’t totally right.</p>
<p>The most obvious upstream issue is that Remmina does not properly support reproducible builds yet. The code of Remmina needs to be written in such a way that repeating the same action twice, gives the same result. For developers, there is an <a rel="noreferrer noopener" href="https://reproducible-builds.org/" target="_blank">entire guide</a> on how to do that. If this is the case, there should be an issue on the upstream bug-tracker, and if it is not there, make sure that you create one by explaining your steps and the impact.</p>
<p>If all else fails, and you’ve informed upstream about the discrepancies and they to don’t know what is happening, then it’s time to send an email to the Administrators of Flathub and the developer in question.</p>
<h2>Conclusion</h2>
<p>At this point, you’ve gone through the entire process of validating a single piece of a bigger picture. Here, you can branch off in different directions:</p>
<ul>
<li>Try another Flatpak application you like or use regularly</li>
<li>Try the RPM version of Remmina</li>
<li>Do a deep dive into the C code of Remmina</li>
<li>Relax for a day, knowing that the Web of Trust is a collective effort</li>
</ul>
<p>In the grand scheme of things, we can all carry a small part of responsibility in the Web of Trust. By taking free/libre open source software (FLOSS) concepts and applying them in the real world, you can protect yourself and others. Last but not least, by understanding how the Web of Trust works you can see how FLOSS software provides unique protections.</p>
</div>


https://www.sickgaming.net/blog/2020/10/...-tutorial/
Reply



Forum Jump:


Users browsing this thread:
3 Guest(s)

Forum software by © MyBB Theme © iAndrew 2016