
I'm doing a manual install on Linux of the .NET runtime, which can be downloaded from dotnet.microsoft.com.
MS do provide a SHA512 checksum of the file on the site, but that can't be used to verify the sincerity of the file.

So am I missing something, or does MS really not provide any way to verify that the file hasn't been modified (injected with malicious code, e.g. if the site gets hacked)?

E.g. by signing the file with a publicly signed certificate (either using a file format that supports this or providing an additional external file for the purpose).

  • I guess I could extract the files from one of the Linux packages (.deb or .rpm), which should be signed and verifiable. Hopefully the maintainers for those packages compile from source code and not just grab binaries from the MS site. Or compile myself of course. – MrCalvin Mar 27 '22 at 11:05
  • I propose to close the question since it is based on false assumptions. Microsoft provides runtimes for the various distributions in their native package format (deb, rpm, ...). These are signed. See for example https://docs.microsoft.com/en-us/dotnet/core/install/linux-ubuntu – Steffen Ullrich Mar 27 '22 at 12:09
  • Just because there are other repositories/packages of the runtimes doesn't mean there isn't a problem with the way files are distributed on the site. I'm not asking how to get those files securely, I'm asking if there really is a security issue with the way files are distributed by MS/the site, which it seems. No one has come up with any valid counter-arguments. – MrCalvin Mar 27 '22 at 12:53
  • You're welcome to file a new issue and request the necessary files: https://github.com/dotnet/runtime/issues – Artem S. Tashkinov Mar 27 '22 at 10:16
  • But isn't this extremely bad practice? These runtimes are installed on thousands, perhaps millions, of computers with no mitigation in place to prevent a supply-chain attack. Even I, having a small one-man business, wouldn't provide unsigned binaries. And we're talking MS! – MrCalvin Mar 27 '22 at 10:29
  • SHA256 and 512 remain 100% secure at the moment and digital signatures don't really provide more safety than these hashing algos. Microsoft is not the only company which provides Linux software which is not digitally signed: thousands of companies and individuals do that, most provide absolutely nothing: *"here, download my code and trust it's OK"*. For instance, the Wine project provides neither signatures, nor hashsums. And Wine is a lot more popular and more widely used than .Net. – Artem S. Tashkinov Mar 27 '22 at 10:48
  • First of all, checksums provide NO measure to verify the file hasn't been modified since it left the computer of the developer (the one who compiled the binaries). Secondly, it's not a very good argument that others distribute software in an insecure manner too. It doesn't make it any better. – MrCalvin Mar 27 '22 at 11:01
  • @MrCalvin How does a robust checksum not verify that the file has not been modified? – vidarlo Mar 27 '22 at 11:29
  • A checksum and SSL connection only ensure that the file you end up having on your computer is 100% equal to the one on the website. But that's NOT the issue. The issue is if the site gets hacked and the file is replaced with a version with malicious code (and the hacker will of course change the checksum too)! You need to be able to verify the file is actually the one that the developer created in the first place. Either have the checksum on a completely different and independent site, or sign the file with a public certificate. – MrCalvin Mar 27 '22 at 12:47
  • @MrCalvin: Having only the download and the checksum on the same site does not provide security. If this is what you ask, then your question is a duplicate of questions like [Does hashing a file from an unsigned website give a false sense of security?](https://security.stackexchange.com/questions/1687/does-hashing-a-file-from-an-unsigned-website-give-a-false-sense-of-security). – Steffen Ullrich Mar 27 '22 at 13:30
  • @MrCalvin So, given that the Linux binaries are signed, does that answer your question? It seems like you have a false premise to the question. – schroeder Mar 28 '22 at 10:22
  • @schroeder: What do you mean by `Linux binaries`? The ones contained in the archive in question? Or are you talking about the distro packages from other repos? If the former, I would be surprised; I didn't know Linux binaries could be signed (not talking packages, those are archives). If the latter, then I'll say it's irrelevant to the thread. – MrCalvin Mar 28 '22 at 14:10
  • I'm talking about docs.microsoft.com/en-us/dotnet/core/install/linux-ubuntu – schroeder Mar 28 '22 at 15:05

1 Answer

Are .NET runtime really not signed?

It depends on what you mean.

If you mean to ask whether each individual shared library file packaged within the tgz you linked is signed, the answer is no. And so, to answer your negative question: yes, the shared library files are really not all signed. However, as you point out, the Microsoft website provides a SHA512 hash value that you can use for checking the integrity of the tgz.

If you mean to ask whether the .NET package installer, as linked in the comments, is signed: at least certain versions are signed. The documentation on that link states that "Before you install .NET, run the following commands to add the Microsoft package signing key..." (emphasis added).

So, whether you download and trust the Microsoft signing key or you trust the SHA512 value, you can perform integrity checking one way or the other. In either case you are trusting that you received the right hash or the right public key.

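As an added example (not code from the original post, the answer, or Microsoft's documentation), the POSIX shell script below does the SHA512 check the answer describes and then simulates the compromised-site scenario the comments argue over. It uses only coreutils (`sha512sum`, with a `shasum` fallback); the archive name, its contents and the published hash are constructed for the demonstration, and the "site" is a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post or from Microsoft: verify a
# downloaded archive against a SHA512 value, then walk through what a checksum
# hosted next to the download can and cannot detect. File names, contents and
# hashes below are constructed for the demonstration.

# Print the SHA512 hex digest of a file. Falls back to shasum on systems
# (e.g. macOS) that lack GNU sha512sum.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# verify_sha512 FILE EXPECTED_HEX: exit 0 when FILE hashes to the value shown
# on the download page, 1 otherwise. Equivalent to
#   echo "EXPECTED_HEX  FILE" | sha512sum -c --status
verify_sha512() {
    actual=$(sha512_of "$1")
    [ "$actual" = "$2" ]
}

# Model the download site as a directory holding the archive and its published
# checksum. Returns 0 when every scenario behaves as described in the comments.
demo_checksum_scenarios() {
    site=$(mktemp -d) || return 1
    archive="$site/dotnet-runtime.tar.gz"   # hypothetical file name
    published="$archive.sha512"             # the hash shown next to the link

    printf 'original runtime bits\n' > "$archive"
    sha512_of "$archive" > "$published"
    # Value copied out of band before any compromise: from a second channel,
    # a mirror, or pinned in your own provisioning script.
    pinned=$(cat "$published")

    # 1. Honest download: the file matches the published value.
    verify_sha512 "$archive" "$(cat "$published")" || { rm -rf "$site"; return 1; }

    # 2. Attacker swaps the archive but not the hash (or a transfer error
    #    corrupts the file): caught by the on-site checksum.
    printf 'backdoored runtime bits\n' > "$archive"
    if verify_sha512 "$archive" "$(cat "$published")"; then rm -rf "$site"; return 1; fi

    # 3. Attacker swaps the archive *and* the published hash: the on-site check
    #    passes, which is exactly the gap the question describes...
    sha512_of "$archive" > "$published"
    verify_sha512 "$archive" "$(cat "$published")" || { rm -rf "$site"; return 1; }
    # ...while the independently pinned value still rejects the file.
    if verify_sha512 "$archive" "$pinned"; then rm -rf "$site"; return 1; fi

    rm -rf "$site"
    return 0
}

demo_checksum_scenarios && echo "all checksum scenarios behaved as expected"
```

The script makes the answer's last sentence concrete: the checksum only helps against scenario 3 if the value you compare against was obtained through a channel the attacker did not control at the same time as the download. For the signed-package route in the linked documentation, the Microsoft package signing key you install plays that role, and apt refuses packages whose repository metadata does not verify against it; the same caveat applies there, namely that you are trusting the key you fetched.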