This repository was archived by the owner on Jul 16, 2020. It is now read-only.

Key revocation for pip without TUF

Trishank Karthik Kuppusamy edited this page Sep 21, 2013 · 7 revisions

We show how easy it is to revoke compromised keys with TUF. You can manually sign packages with PGP, and keys can implicitly expire with time, but how would you explicitly and immediately revoke a compromised key? This page shows what happens without TUF.

First, we set up the virtual environment (for cleanroom testing) and install pip-without-TUF:

```
$ cd /tmp
$ curl -O https://pypi.python.org/packages/source/v/virtualenv/virtualenv-1.10.1.tar.gz
$ tar xvfz virtualenv-1.10.1.tar.gz
$ python virtualenv-1.10.1/virtualenv.py --no-site-packages key-revocation-without-tuf
$ source key-revocation-without-tuf/bin/activate
```

Next, let us download the current FooBar package. Assume that the FooBar package developer has not been compromised:

```
$ pip install FooBar --index-url http://mirror1.poly.edu/test-pip/key-revocation/repository.previous/targets/simple/
Downloading/unpacking FooBar
  Downloading FooBar-0.1.tar.gz
  Running setup.py egg_info for package FooBar

Installing collected packages: FooBar
  Running setup.py install for FooBar
    FooBar 0.1

Successfully installed FooBar
Cleaning up...
```

Now suppose that the FooBar package developer has been compromised but does not yet know it. He does not release any new FooBar package, and this is what a user who previously installed FooBar would see:

```
$ pip install --upgrade FooBar --index-url http://mirror1.poly.edu/test-pip/key-revocation/repository.current/targets/simple/
Requirement already up-to-date: FooBar in ./key-revocation-without-tuf/lib/python2.7/site-packages
Cleaning up...
```

Sure enough, there is no new (benign) package. However, suppose that the hacker who has compromised the FooBar package developer releases a malicious FooBar package in his place:

```
$ pip install --upgrade FooBar --index-url http://mirror1.poly.edu/test-pip/key-revocation/repository.next/targets/simple/
Downloading/unpacking FooBar from http://mirror1.poly.edu/test-pip/key-revocation/repository.next/targets/packages/source/F/FooBar/FooBar-0.2.tar.gz#md5=10831baad99c6acbcd59103b1099d13c
  Downloading FooBar-0.2.tar.gz
  Running setup.py egg_info for package FooBar

Installing collected packages: FooBar
  Found existing installation: FooBar 0.1
    Uninstalling FooBar:
      Successfully uninstalled FooBar
  Running setup.py install for FooBar
    TAMPERED FooBar 0.2

Successfully installed FooBar
Cleaning up...
```

Unfortunately, this user has now been compromised with a malicious FooBar package. This situation could have been avoided with the explicit key revocation offered by PyPI-with-TUF.
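To make the difference between implicit expiry and explicit revocation concrete, here is an added example that models the client-side trust decision a signature-checking installer makes. It is not pip's, TUF's or PyPI's code: it uses HMAC-SHA256 as a stand-in for a real asymmetric signature scheme, and every key name, secret, date and package body in it is constructed. The three index states mirror the walkthrough above (repository.current with only FooBar 0.1, repository.next with a tampered 0.2 signed by the developer's stolen key), and the example goes one step beyond the page by showing a rotated key being trusted after the old one is revoked.

```python
"""Model of explicit key revocation in a package-index client (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Stand-in for a real signature scheme: HMAC-SHA256 keyed by a per-key secret.
# A real index would use asymmetric signatures (as TUF does); what is
# demonstrated here is the client's trust decision, not the cryptography.
# All key ids, secrets and package contents are constructed for this example.
KEY_SECRETS = {
    "dev-key": b"developer-signing-secret",       # the FooBar developer's key
    "attacker-key": b"attacker-signing-secret",   # a key the client never trusted
    "dev-key-2": b"rotated-developer-secret",     # replacement key after revocation
}


@dataclass(frozen=True)
class Package:
    name: str
    version: tuple      # (major, minor), compared as a tuple
    archive: bytes      # tarball contents
    key_id: str         # key the release claims to be signed by
    signature: str      # hex signature over signed_payload()

    def signed_payload(self) -> bytes:
        # Bind name, version and archive digest together so none can be swapped.
        header = f"{self.name}-{self.version[0]}.{self.version[1]}".encode()
        return header + hashlib.sha256(self.archive).digest()


def release(name: str, version: tuple, archive: bytes, key_id: str) -> Package:
    """Produce a signed release, as the developer (or whoever stole the key) would."""
    unsigned = Package(name, version, archive, key_id, "")
    sig = hmac.new(KEY_SECRETS[key_id], unsigned.signed_payload(), hashlib.sha256).hexdigest()
    return Package(name, version, archive, key_id, sig)


def signature_valid(pkg: Package) -> bool:
    """Check that the signature matches the package under the claimed key."""
    secret = KEY_SECRETS.get(pkg.key_id)
    if secret is None:
        return False
    expected = hmac.new(secret, pkg.signed_payload(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkg.signature)


@dataclass
class TrustPolicy:
    """trusted_keys maps key id -> expiry day (implicit expiry);
    revoked_keys is the explicit, immediately effective revocation list."""
    trusted_keys: dict
    revoked_keys: set = field(default_factory=set)

    def key_is_trusted(self, key_id: str, today: int) -> bool:
        if key_id in self.revoked_keys:       # explicit revocation wins immediately
            return False
        expiry = self.trusted_keys.get(key_id)
        return expiry is not None and today < expiry   # implicit expiry only helps later


def choose_upgrade(index, installed_version: tuple, policy: TrustPolicy, today: int) -> Optional[Package]:
    """Newest acceptable release newer than the installed one, or None
    (the equivalent of 'Requirement already up-to-date')."""
    candidates = [
        p for p in index
        if p.version > installed_version
        and policy.key_is_trusted(p.key_id, today)
        and signature_valid(p)
    ]
    return max(candidates, key=lambda p: p.version, default=None)


# Constructed index states mirroring the walkthrough.
FOOBAR_0_1 = release("FooBar", (0, 1), b"FooBar 0.1", "dev-key")
# The attacker holds the developer's stolen key, so the tampered release carries
# a valid signature from a key the client already trusts.
FOOBAR_0_2_TAMPERED = release("FooBar", (0, 2), b"TAMPERED FooBar 0.2", "dev-key")
# The same tampered release signed with a key the client has never trusted.
FOOBAR_0_2_UNKNOWN_KEY = release("FooBar", (0, 2), b"TAMPERED FooBar 0.2", "attacker-key")
# A genuine release signed with the developer's replacement key.
FOOBAR_0_3 = release("FooBar", (0, 3), b"FooBar 0.3", "dev-key-2")

REPOSITORY_CURRENT = [FOOBAR_0_1]
REPOSITORY_NEXT = [FOOBAR_0_1, FOOBAR_0_2_TAMPERED]
TODAY = 100  # constructed "day number"; dev-key is set to expire on day 365


def expiry_only_policy() -> TrustPolicy:
    return TrustPolicy(trusted_keys={"dev-key": 365})


def revoked_policy() -> TrustPolicy:
    return TrustPolicy(trusted_keys={"dev-key": 365}, revoked_keys={"dev-key"})


def rotated_policy() -> TrustPolicy:
    return TrustPolicy(trusted_keys={"dev-key": 365, "dev-key-2": 730}, revoked_keys={"dev-key"})


if __name__ == "__main__":
    for label, policy in [("expiry only", expiry_only_policy()), ("dev-key revoked", revoked_policy())]:
        chosen = choose_upgrade(REPOSITORY_NEXT, (0, 1), policy, TODAY)
        print(f"{label}: {'installs ' + chosen.archive.decode() if chosen else 'no acceptable upgrade'}")
```

With expiry-only trust the client installs the tampered 0.2 on day 100 and would keep doing so until day 365; the revocation list refuses it the moment the entry is published, and the rotated key lets the developer ship a clean 0.3 afterwards. The signature check also rejects a release whose archive was altered after signing, but that is the easy case; the hard case on this page is a correctly signed release from a key that should no longer be trusted.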
