{{Title|title=Google Chrome Repository Insecurity}}
{{Header}}
{{#seo:
|description=Google wants you to install a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key and downloads over plain http without TLS verification. Software download not protected by https (TLS).
|image=Insecurechromiumrepo.jpg
}}
[[File:Insecurechromiumrepo.jpg|thumb]]
{{intro|
Google wants you to install a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key and downloads over plain http without TLS verification. Software download not protected by https (TLS).
}}
= Google Chrome Repository Insecurity =
== Summary ==

As per <code>14 March 2021</code>,

* Google wants you to install a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key.
* Repository download happens over plain http without encryption/authentication (TLS) (http'''s''').

== Source ==
=== Signing Key ===
As per <code>14 March 2021</code>, Google wants you to run the following command. ([https://web.archive.org/web/20210314103851/https://www.google.com/linuxrepositories/ archived])

<pre>
wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
</pre>

This effectively results in installing a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key.

What this does is using the <code>wget</code> command line downloader to download an APT signing key and then using Debian's <code>apt-key</code> utility to install the signing key to the system's APT keyring <code>/etc/apt/trusted.gpg</code>. Sidenote: both <code>apt-key</code> and <code>/etc/apt/trusted.gpg</code> are deprecated by Debian <ref>
Quote https://blog.jak-linux.org/2021/02/18/apt-2.2/

<blockquote>apt-key was made obsolete in version 0.7.25.1, released in January 2010, by /etc/apt/trusted.gpg.d becoming a supported place to drop additional keyring files, and was since then only intended for deleting keys in the legacy trusted.gpg keyring.</blockquote>
</ref> but that doesn't have a security impact here.

'''1)''' Download https://dl.google.com/linux/linux_signing_key.pub

'''2)''' View OpenPGP key information.

{{CodeSelect|code=
gpg --keyid-format long --import --import-options show-only --with-fingerprint linux_signing_key.pub
}}

'''3)''' Will show.

<pre>
pub   dsa1024/A040830F7FAC5991 2007-03-08 [SC]
      Key fingerprint = 4CCA 1EAF 950C EE4A B839  76DC A040 830F 7FAC 5991
uid                            Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub   elg2048/4F30B6B4C07CB649 2007-03-08 [E]

gpg: key 7721F63BD38B4796: 2 signatures not checked due to missing keys
pub   rsa4096/7721F63BD38B4796 2016-04-12 [SC]
      Key fingerprint = EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
uid                            Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub   rsa4096/78BD65473CB3BD13 2019-07-22 [S] [expires: 2022-07-21]
</pre>

The first key shows <code>dsa1024</code> which means a DSA key with only 1024 bits.

In January 2011 the National Institute of Standards and Technology (NIST) stated, [https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-131a.pdf quote]:

<blockquote>Disallowed after 2013</blockquote>

Google seems to agree with this assessment since their signing key file <code>linux_signing_key.pub</code> already contains a newer key <code>rsa4096</code> (RSA with 4096 bits). There is however no need whatsoever to still include the weak <code>dsa1024</code> in the signing key file <code>linux_signing_key.pub</code>.

=== Repository ===
'''1)''' Download https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb ([https://web.archive.org/web/20210311120542/https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb archived <code>google-chrome-stable_current_amd64.deb</code>])

'''2)''' Extract or open with <code>ark</code> the <code>google-chrome-stable_current_amd64.deb</code> compressed archive file.

<pre>
ark google-chrome-stable_current_amd64.deb
</pre>

'''3)''' Extract or open <code>control.tar.gz</code> a file inside the <code>google-chrome-stable_current_amd64.deb</code> compressed archive file.

'''4)''' Open the file <code>postinst</code> (the Debian package maintenance script by the <code>google-chrome-stable_current_amd64.deb</code> Debian package).

'''5)''' Line <code>137</code> is:

<pre>
REPOCONFIG="deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main"
</pre>

'''6)''' Conclusion.

Using plain http instead of http'''s''' (TLS).

Other sources showing using http instead of http'''s''':

* https://github.com/brave/brave-browser/issues/1084

= Bug Reports =
* [https://bugs.chromium.org/p/chromium/issues/detail?id=1188057 Security: Chrome Linux (Debian) Package Repository using unauthenticated HTTP instead of authenticated HTTPS (TLS)]
* [https://bugs.chromium.org/p/chromium/issues/detail?id=1188054 Security: Debian Package Repository using unauthenticated HTTP instead of authenticated HTTPS]

= Related =
* [[Chrome]]
* [[Chromium]]
* [[Dev/Chromium]]
* [[Dev/Default Browser]]
* [https://forums.whonix.org/t/chromium-browser-for-kicksecure-discussions-not-whonix/10388 Chromium Browser for {{project_name_short}} Discussions (not Whonix)]

= Footnotes =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]