Pete_Stevens
Posts: 24
Joined: Thu Jun 14, 2012 9:26 pm

Microsoft GPG key suggestion

Thu Feb 04, 2021 10:29 pm

I see Raspberry Pi has installed a Microsoft signing key so that packages from Microsoft (specifically for embedded dev) can be installed.

This is entirely sensible, as it means VSCode can be installed securely using existing trusted mechanisms.

However, it does appear to have triggered the principle of least surprise (why did a signing key get installed without telling me) as well as some very naive analysis about it being a MASSIVE SECURITY THREAT - you implicitly trust Microsoft anyway through Github, and the MS signed bootloader shims on virtually every intel/amd based machine, even if Windows isn't installed. Having a key so you can verify that Microsoft software you asked to install hasn't been tampered with is a good thing. It does mean MS can potentially track RPIs in the wild, but that's an extremely insignificant risk in the scheme of things.

As a suggest, RPi should offer a package that includes the MS signing key which you can optionally include, and put this package into PiOS desktop by default so it al works out of the box for new users.

HappyTux
Posts: 150
Joined: Mon Jan 18, 2021 8:13 pm

Re: Microsoft GPG key suggestion

Thu Feb 04, 2021 11:25 pm

The point being the user should be informed before making changes like this to their system, it is what debconf is for asking for user consent to change THEIR system, the their being the important part. If people wanted things being done behind their back they would be using windows or a mac. Like my bootloader being updated without warning. Then the lack of change logs in the packages is another problem area, the hey idiot we install a package want to know why, sorry about your luck...

Edit: soon we see how long this one lasts before locking...

W. H. Heydt
Posts: 15401
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 12:42 am

Where do you draw the line between things added to an OS distribution that the distributor thinks need to be there, and things that need each and every end user's permission before they're added? Got a list of what's on each side of the line?
HappyTux wrote:
Thu Feb 04, 2021 11:25 pm
Edit: soon we see how long this one lasts before locking...
Not very long, I suspect. The moderators appear to be heartily sick of the entire subject (and I, for one, don't blame them).

egrueda
Posts: 9
Joined: Fri May 27, 2016 7:36 am

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 7:23 am

W. H. Heydt wrote:
Fri Feb 05, 2021 12:42 am
Where do you draw the line?
Having a 3rd party GPG key installed secretly, without knowledge nor permission.
Isn't that enought thick line?
W. H. Heydt wrote:
Fri Feb 05, 2021 12:42 am
The moderators appear to be heartily sick of the entire subject (and I, for one, don't blame them).
Moderators are censoring their community and their customers. And you agree. Fine.

fruitoftheloom
Posts: 27226
Joined: Tue Mar 25, 2014 12:40 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 7:46 am

egrueda wrote:
Fri Feb 05, 2021 7:23 am
W. H. Heydt wrote:
Fri Feb 05, 2021 12:42 am
Where do you draw the line?
Having a 3rd party GPG key installed secretly, without knowledge nor permission.
Isn't that enought thick line?
W. H. Heydt wrote:
Fri Feb 05, 2021 12:42 am
The moderators appear to be heartily sick of the entire subject (and I, for one, don't blame them).
Moderators are censoring their community and their customers. And you agree. Fine.

This Forum is paid for by RPT / RPF and therefore the Moderators, who like all responders do so voluntarily, but they have to abide by guidelines.

There are plenty of other Operating Systems and Forums, so one can accept or walk away.
Take what I advise as advice not the utopian holy grail, and it is gratis !!

egrueda
Posts: 9
Joined: Fri May 27, 2016 7:36 am

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 8:08 am

fruitoftheloom wrote:
Fri Feb 05, 2021 7:46 am
This Forum is paid for by RPT / RPF and therefore the Moderators
This forum is created for community users and customers, each of those that paid $35 are the creators of the community and the only reason this forum is here.
If there were no community nor customers, this forums wouldn't exist. Do I really have to explain that?

Dont forget which role we users have here.
Not being a democracy doesn't mean they can make us shut up if we want to talk about related problems that affect all the community.

[Mod: removed a link which is clearly intended to insult mods]

fruitoftheloom
Posts: 27226
Joined: Tue Mar 25, 2014 12:40 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 8:27 am

egrueda wrote:
Fri Feb 05, 2021 8:08 am
fruitoftheloom wrote:
Fri Feb 05, 2021 7:46 am
This Forum is paid for by RPT / RPF and therefore the Moderators
This forum is created for community users and customers, each of those that paid $35 are the creators of the community and the only reason this forum is here.
If there were no community nor customers, this forums wouldn't exist. Do I really have to explain that?

Dont forget which role we users have here.
Not being a democracy doesn't mean they can make us shut up if we want to talk about related problems that affect all the community.
[Mod: removed a link which is clearly intended to insult mods]

Why did you truncate my response so it has a different meaning ??

To re-iterate the Mods are volunteers :roll:
Take what I advise as advice not the utopian holy grail, and it is gratis !!

egrueda
Posts: 9
Joined: Fri May 27, 2016 7:36 am

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 8:42 am

fruitoftheloom wrote:
Fri Feb 05, 2021 8:27 am
Why did you truncate my response so it has a different meaning ??
To re-iterate the Mods are volunteers :roll:
Were they born as volunteers ?
I dont care wether they are paid or not, they are making a job for a company/foundation.
The kind of contact they do (not) have has nothing to do with the censorship they are creating and being allowed to do.
Or does it means that if a person is a volunteer we must forgive and accept any action they may make?

And again, I'm talking about a GPG key installed in a secret way, not talking about being a volunteer in this forum.

jamesh
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 30125
Joined: Sat Jul 30, 2011 7:41 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 8:54 am

You have moved off the topic of the thread and have started being abusive to the mods, that is unacceptable here. Please don't do it. First, last, only warning.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Working in the Applications Team.

LTolledo
Posts: 6228
Joined: Sat Mar 17, 2018 7:29 am
Location: Anime Heartland

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 9:40 am

egrueda wrote:
Fri Feb 05, 2021 8:42 am
And again, I'm talking about a GPG key installed in a secret way, not talking about being a volunteer in this forum.
I guess you're gearing up for a lengthy and expensive legal battle....good luck with that. :lol:
"Don't come to me with 'issues' for I don't know how to deal with those
Come to me with 'problems' and I'll help you find solutions"

Some people be like:
"Help me! Am drowning! But dont you dare touch me nor come near me!"

egrueda
Posts: 9
Joined: Fri May 27, 2016 7:36 am

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 9:44 am

LTolledo wrote:
Fri Feb 05, 2021 9:40 am
I guess you're gearing up for a lengthy and expensive legal battle....good luck with that. :lol:
In the meanwhile, you better get used to let other companies install whatever they want into you own privated system.
It's ok if you don't care who does what in your computers, good luck with that. :lol:

User avatar
pi-anazazi
Posts: 1013
Joined: Fri Feb 13, 2015 9:22 pm
Location: EU

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 9:44 am

I did

Code: Select all

cd /etc/apt/trusted.gpg.d
sudo rm microsoft.gpg
and

Code: Select all

cd /etc/apt/sources.list.d/
sudo rm vscode.list
Is this dead now or will it come back with update/full-upgrade?
Kind regards

anazazi

LTolledo
Posts: 6228
Joined: Sat Mar 17, 2018 7:29 am
Location: Anime Heartland

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 9:52 am

I actually did an update, and scoured the apt list (as indicated be previous posters)... its no where to be found!!
"Don't come to me with 'issues' for I don't know how to deal with those
Come to me with 'problems' and I'll help you find solutions"

Some people be like:
"Help me! Am drowning! But dont you dare touch me nor come near me!"

fruitoftheloom
Posts: 27226
Joined: Tue Mar 25, 2014 12:40 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 10:58 am

Pete_Stevens wrote:
Thu Feb 04, 2021 10:29 pm
I see Raspberry Pi has installed a Microsoft signing key so that packages from Microsoft (specifically for embedded dev) can be installed.

This is entirely sensible, as it means VSCode can be installed securely using existing trusted mechanisms.

However, it does appear to have triggered the principle of least surprise (why did a signing key get installed without telling me) as well as some very naive analysis about it being a MASSIVE SECURITY THREAT - you implicitly trust Microsoft anyway through Github, and the MS signed bootloader shims on virtually every intel/amd based machine, even if Windows isn't installed. Having a key so you can verify that Microsoft software you asked to install hasn't been tampered with is a good thing. It does mean MS can potentially track RPIs in the wild, but that's an extremely insignificant risk in the scheme of things.

As a suggest, RPi should offer a package that includes the MS signing key which you can optionally include, and put this package into PiOS desktop by default so it al works out of the box for new users.

Your initial post appears to has got lost in the "noise", anyway anything that makes it easier for users to get started with VS Code is a good step.

I am sure just like Microsoft buying GitHub the "noise" will die down eventually.

Yes RPT / RPF could / should convey changes, but it has been like this for a decade and though immensely frustrating eventually an answer to WHY is usually forthcoming.
Take what I advise as advice not the utopian holy grail, and it is gratis !!

thradtke
Posts: 724
Joined: Wed May 16, 2012 5:16 am
Location: Germany / EL

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 11:12 am

Serious question: What's the risk with this key?
Rocket Scientist.

LTolledo
Posts: 6228
Joined: Sat Mar 17, 2018 7:29 am
Location: Anime Heartland

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 11:29 am

thradtke wrote:
Fri Feb 05, 2021 11:12 am
Serious question: What's the risk with this key?
...unlocking pent-up enormous FUD on some individuals I guess...

yeah... what's wrong with the key?
please show scientific/verifiable evidence to support your claim...
"Don't come to me with 'issues' for I don't know how to deal with those
Come to me with 'problems' and I'll help you find solutions"

Some people be like:
"Help me! Am drowning! But dont you dare touch me nor come near me!"

User avatar
pi-anazazi
Posts: 1013
Joined: Fri Feb 13, 2015 9:22 pm
Location: EU

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 11:55 am

As a starter you could read the Snowden documents and extrapolate from 10 years ago to presence. For scientific hypothesis making, you know... ;-)
Kind regards

anazazi

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 6343
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 12:26 pm

thradtke wrote:
Fri Feb 05, 2021 11:12 am
Serious question: What's the risk with this key?
Hypothetically speaking, Microsoft could decide to upload a package to override something in the existing repos. Here's something an actual human wrote:
They as a charity, relinquished control of all system updates, of their primary product, to a foreign third-party company that coincidentally paid them over $500,000 euros last year.
...
Repositories are hierarchical, software hosted on MS's repo is taking precedent... MS can replace OpenSSH, OpenSSL, the Linux Kernel at any point during daily security updates.
This is coming from the same people who believe that we tried to 'sneak' the repo in hoping nobody would notice. If they believe that we put a message into the postinst script and the changelog explaining exactly what's happening and hoped that nobody would ever read it or notice the very obvious Microsoft repo showing up when they run 'apt update', then they can also believe Micosoft would upload their own version of OpenSSH and hope nobody would notice. While I'd never assume any corporation has anybody else's interests at heart, I don't see them as the hugely incompetent moustache twirling villains people seem to believe they are either.

If they were to start uploading additional packages which could in any way clash with our repo, we'd remove their repo right away. And based on the feedback and suggestions we supposedly ignore and censor, we'll be removing the possibility of that ever happening.

However, I don't think it's really about any of that for most people. While we have trust that MS wouldn't try to maliciously hijack existing packages, adding the key means that we assume everybody else has that level of trust as well, and that's clearly not the case. People don't like others making decisions like that on their behalf so it will always rub them the wrong way.

thradtke
Posts: 724
Joined: Wed May 16, 2012 5:16 am
Location: Germany / EL

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 12:40 pm

I don't see any interest on MS side to hijack our Pi's. Much too dangerous to blow up with something like that. Still interesting that it would be possible this way.

Thanks for explaining!
Last edited by thradtke on Fri Feb 05, 2021 1:00 pm, edited 1 time in total.
Rocket Scientist.

Pete_Stevens
Posts: 24
Joined: Thu Jun 14, 2012 9:26 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 12:42 pm

<i>Serious question: What's the risk with this key?</i>

Microsoft could publish a compromised package to replace a Raspbian one which you'd then pull in on the next update. This isn't a very credible risk - it'd be extremely obvious that this was happening which would tend to stop it very quickly. Were Microsoft motivated and committed to hacking your Pi there are lots of better ways, through Github, through the desktop of anyone involved in the entire hardware/software supply chain etc. They would not only be harder to spot but also provide some plausible deniability.

When you do an update, your system will check to see if there are any updates at Microsoft which means they could log that you've done an update.

I run a linux only company (Mythic Beasts) where we have no Microsoft and this update doesn't cause me any concern. It's far better than curl | bash installers, and is much better than 'install our key + repro' instructions because the key and repro config come signed by RPi. Security impact to everyone minimal. Security and usability improvement for anyone doing Pico development - massive win.

(e.g. had they gone curl | bash, not only do you not get VSCode security updates, but the original install is another point of attack and you could create a botnet of picos).

I don't think apt supports it, but in an ideal world you could install the key and a file containing the packages you're allowed to install with it, so an MS supplied package coudln't replace a Raspbian one.

fruitoftheloom
Posts: 27226
Joined: Tue Mar 25, 2014 12:40 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 12:48 pm

Take what I advise as advice not the utopian holy grail, and it is gratis !!

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 6343
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 12:57 pm

Pete_Stevens wrote:
Fri Feb 05, 2021 12:42 pm

I don't think apt supports it, but in an ideal world you could install the key and a file containing the packages you're allowed to install with it, so an MS supplied package coudln't replace a Raspbian one.
By pinning the repo priority to -1 for the whole repo and increasing the priority just for the code packages, its effectively accomplishing the same thing. We haven't done that yet, but it seems like a good idea.

bjtheone
Posts: 1570
Joined: Mon May 20, 2019 11:28 pm
Location: The Frozen North (AKA Canada)

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 1:10 pm

While I am not a MIcrosoft fan, and have been Microsoft free at home for over 20 years, I also am reasonably well connected to reality (anti-Microsoft absolutely, proud member of the tinfoil hat club not so much).

Microsoft has a long reputation of embracing, extending and controlling, of buying and crushing small companies with different ideas, and of not playing particularly nicely with OSS and Linux. They did that as they are a very large company with the sole reason for existing being to make money.

Now that the tides have turned, they are moving towards embracing OSS and Linux. While I do not think they would hesitate for a moment to switch back to being anti OSS and anti Linux if they believed that would generate more money, they are not a stupid company. Attacking the Pi Repos via forcing updates, would (a) easily get discovered and more importantly (b) generate massive bad press. Massive bad press is not aligned with making lots of money.

Having said that, given the amount of history and bad blood between the Linux community and Microsoft, a heads up from RPT prior to adding the repo might have been the wiser course. It certainly made sense to add it when they released the Pico.

Pete_Stevens
Posts: 24
Joined: Thu Jun 14, 2012 9:26 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 2:00 pm

By pinning the repo priority to -1 for the whole repo and increasing the priority just for the code packages, its effectively accomplishing the same thing. We haven't done that yet, but it seems like a good idea.

^-- nice. Do it!

cleverca22
Posts: 4900
Joined: Sat Aug 18, 2012 2:33 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 2:55 pm

Pete_Stevens wrote:
Fri Feb 05, 2021 12:42 pm
When you do an update, your system will check to see if there are any updates at Microsoft which means they could log that you've done an update.
my understanding is that when you "apt-get update", it downloads an index of every package on the given server
they have no idea what packages you have installed, until you try to download a given .deb (during apt-get upgrade), and only if they are already hosting that file to begin with

Return to “General discussion”