The future of VyOS image signature verification
There's one thing about our releases that we introduced quietly and neglected to explain to those unfamiliar with it: minisign signatures. Let's discuss why we started using them in addition to GPG signatures and what we are going to do next. Read on for details!
From our observations, people rarely verify downloaded images (that includes ourselves!). There are pragmatic reasons for it. First, HTTPS made MitM attacks on downloads nearly impossible, so if you download an image from an official website, it's guaranteed not to be maliciously corrupted in transit. It may still be accidentally corrupted, but that can be detected with a simple hash sum check. Besides, most VyOS image downloads are performed automatically with add system image, and that script already includes a digital signature check.
Still, supply chain attacks are only getting more common, and we have no illusions about our vulnerability to them: we are doing what we can to prevent them, but we are still as vulnerable as everyone else. Domain hijacking and other attacks are more than possible and, if they occur, that can result in permanently attacker-controlled VyOS installations.
One big reason why no one likes verifying images is that, let's face it, PGP signatures aren't trivial to verify. You need to download a key file, import it in your key chain, and only then can you start verifying file signatures with that key. Worse yet, in practice, PGP keys are RSA keys, which means they need to be huge to be secure, and transmitting 4096 bits securely out of band is already a non-trivial task.
PGP's proposed solution was to build a web of trust by having people sign each others' keys, so, hypothetically, if the VyOS release key was signed by its maintainers, and you knew you could trust the keys of maintainers, then you could also trust the release key. In practice, the web of trust remains both sparse (even most people who actually use PGP are unconnected) and shallow (most keys aren't signed).
It seems that the right way to make signatures easier to verify is to make direct transmission of keys from maintainers to users simpler. Oh, and improve verification tool UX, of course.
When we started working on VyOS, GnuPG was not just the most widespread signature verification tool but effectively the only one. However, in 2015, OpenBSD project members developed signify, and another implementation of their protocol soon followed — that's minisign.
So, what's cool about minisign?
First, there is no need to import any keys anywhere: you can just pass the key as a command argument:
minisign -V -P RWTR1ty93Oyontk6caB9WqmiQC4fgeyd/ejgRxCRGd2MQej7nqebHneP -m ./vyos.iso
Second, its public keys are much smaller than PGP keys. If someone has serious doubts about image integrity, we can potentially transmit our public key over the phone. We can also distribute it as a QR code on VyOS stickers and swag. It doesn't mean they are less secure: signify/minisign use the Ed25519 algorithm, which is computationally much more difficult to break, on either classical or quantum computers.
Third, it's a self-contained executable. Minisign's website provides binaries for GNU/Linux (linked against an old enough glibc), macOS, and Windows that you can just download and run — no installation needed.
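To make the key-size point concrete, here is an added example (not VyOS or minisign project code) that decodes the public key from the command above into its parts: a 2-byte algorithm tag, an 8-byte key ID and the 32-byte Ed25519 key. It goes slightly beyond the text by also reading the key ID out of a signature file; the helper names and the sample signature are constructed for illustration, and it does not verify signatures, which remains minisign's job.

```python
import base64
import hmac

# Public key quoted in the article's minisign command line.
VYOS_PUBKEY = "RWTR1ty93Oyontk6caB9WqmiQC4fgeyd/ejgRxCRGd2MQej7nqebHneP"


def parse_pubkey(b64: str):
    """Split a minisign public key into (algorithm, key_id, ed25519_key)."""
    raw = base64.b64decode(b64.strip(), validate=True)
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("not a minisign Ed25519 public key")
    return raw[:2], raw[2:10], raw[10:]


def same_key(candidate: str, pinned: str = VYOS_PUBKEY) -> bool:
    """Compare a key obtained out of band (phone, QR code) with the pinned one."""
    try:
        got = b"".join(parse_pubkey(candidate))
    except ValueError:  # covers malformed base64 as well as wrong layout
        return False
    return hmac.compare_digest(got, b"".join(parse_pubkey(pinned)))


def signature_key_id(minisig_text: str) -> bytes:
    """Return the 8-byte key ID a .minisig file claims to be signed with."""
    lines = minisig_text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("not a minisign signature file")
    # Second line: base64(algorithm tag || key ID || 64-byte signature).
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != 74 or raw[:2] not in (b"Ed", b"ED"):
        raise ValueError("unexpected signature blob")
    return raw[2:10]


if __name__ == "__main__":
    alg, key_id, key = parse_pubkey(VYOS_PUBKEY)
    print(f"algorithm={alg.decode()} key_id={key_id.hex()} key_bits={len(key) * 8}")
    # Constructed sample: correct layout and key ID, all-zero (invalid) signature.
    blob = base64.b64encode(b"ED" + key_id + bytes(64)).decode()
    sample = f"untrusted comment: constructed sample\n{blob}\n"
    print("key IDs match:", signature_key_id(sample) == key_id)
```

A matching key ID only tells you which key a signature claims to come from; the actual check is still the minisign run with the pinned key.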
Right now we publish both PGP and minisign signatures for LTS release images. When people upgrade from 1.1.x or 1.2.x, the add system image script looks for a PGP signature, so it's required for a secure transition to the new method. VyOS 1.4, when it's released, will use minisign as its primary mechanism and PGP as a fallback, and subsequent releases will phase out PGP completely.
We encourage everyone to verify LTS image signatures using minisign. Again, here's our public key:
Let's keep the supply chains secure!