[Bug 53356] New: Problems installing WineHQ on Ubuntu 22.04
https://bugs.winehq.org/show_bug.cgi?id=53356

            Bug ID: 53356
           Summary: Problems installing WineHQ on Ubuntu 22.04
           Product: Wine
           Version: 7.0
          Hardware: x86-64
                OS: Linux
            Status: UNCONFIRMED
          Severity: critical
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs(a)winehq.org
          Reporter: Ulf.Zibis(a)gmx.de
      Distribution: ---

1. Key and sources list are not saved as root owned files with your current
install procedure. This is a SECURITY RISK !!!

Correct procedure could be:

sudo dpkg --add-architecture i386 # only on 64-bit-systems
wget -nc https://dl.winehq.org/wine-builds/winehq.key
F=winehq.key && chmod a-w,u+w $F && sudo chown 0:0 $F && sudo mv $F /usr/share/keyrings/winehq-archive.key
wget -nc https://dl.winehq.org/wine-builds/ubuntu/dists/jammy/winehq-jammy.sources
F=winehq-jammy.sources && chmod a-w,u+w $F && sudo chown 0:0 $F && sudo mv $F /etc/apt/sources.list.d/ && sudo apt update
sudo apt install --install-recommends winehq-stable winetricks

2. There is no STABLE build for Ubuntu 22.04:

$ sudo apt install --install-recommends winehq-stable winetricks
Paketlisten werden gelesen… Fertig
Abhängigkeitsbaum wird aufgebaut… Fertig
Statusinformationen werden eingelesen… Fertig
E: Paket winehq-stable kann nicht gefunden werden.

workaround:

sudo apt install --install-recommends winehq-devel winetricks

--
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
Ulf Zibis <Ulf.Zibis(a)gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Ulf.Zibis(a)gmx.de

--- Comment #1 from Ulf Zibis <Ulf.Zibis(a)gmx.de> ---
A more elegant solution is:

sudo dpkg --add-architecture i386 # only on 64-bit-systems
sudo -H wget -nc https://dl.winehq.org/wine-builds/winehq.key
sudo -H mv winehq.key /usr/share/keyrings/winehq-archive.key
sudo -H wget -nc https://dl.winehq.org/wine-builds/ubuntu/dists/jammy/winehq-jammy.sources
sudo -H mv winehq-jammy.sources /etc/apt/sources.list.d/ && sudo apt update
sudo apt install --install-recommends winehq-stable winetricks

Or even more elegant:

sudo dpkg --add-architecture i386 # only on 64-bit-systems
sudo wget -nc -O /usr/share/keyrings/winehq-archive.key https://dl.winehq.org/wine-builds/winehq.key
sudo wget -nc -O /etc/apt/sources.list.d/winehq-jammy.sources https://dl.winehq.org/wine-builds/ubuntu/dists/jammy/winehq-jammy.sources && sudo apt update
sudo apt install --install-recommends winehq-stable winetricks
Ulf Zibis <Ulf.Zibis(a)gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Problems installing WineHQ  |SECURITY RISK installing
                   |on Ubuntu 22.04             |WineHQ and missing STABLE
                   |                            |build on Ubuntu 22.04
Olivier F. R. Dierick <o.dierick(a)piezo-forte.be> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |o.dierick(a)piezo-forte.be

--- Comment #2 from Olivier F. R. Dierick <o.dierick(a)piezo-forte.be> ---
Hello,

(In reply to Ulf Zibis from comment #0)
> 1. Key and sources list are not saved as root owned files with your current
> install procedure.

What install procedure are you referring to (link?)?

Regards.
--- Comment #3 from Ulf Zibis <Ulf.Zibis(a)gmx.de> ---
(In reply to Olivier F. R. Dierick from comment #2)
> What install procedure are you referring to (link?)?

https://wiki.winehq.org/Ubuntu

I suspect this bug also applies to https://wiki.winehq.org/debian
--- Comment #4 from Olivier F. R. Dierick <o.dierick(a)piezo-forte.be> ---
Hello,

The files are owned by a user that can 'sudo mv' anything in their place. How
would changing the file owner to root make it more secure?

You could also simply

sudo chown root: /etc/apt/sources.list.d/wine* /usr/share/keyrings/wine*

after moving the files. That doesn't prevent the user with sudo privilege from
changing the files any way they want.

Regards.
--- Comment #5 from Ulf Zibis <Ulf.Zibis(a)gmx.de> ---
Malicious software, without needing root privileges, could modify the files:
- /usr/share/keyrings/winehq-archive.key
- /etc/apt/sources.list.d/winehq-jammy.sources

Then, as the result of the next automatic update, the original WineHQ binaries
could be replaced by malicious binaries.

Why do we use security keys at all, when they are not secure from modification?

Why not do it correctly in the first place, rather than hoping for the user to
correct the owner and rights with chown and chmod?

Anyway, it does not make sense to have user owned files in root owned
directories, so all files in /etc/apt/sources.list.d/ and /usr/share/keyrings/
should be:
root root rw-r--r--
and not:
user user rw-rw-r--

"That doesn't prevent the user with sudo privilege from changing the files any
way they want."

But it prevents users WITHOUT sudo privilege from doing that. On multi-user
systems, normal users do not have such privileges for a good reason.
--- Comment #6 from Ulf Zibis <Ulf.Zibis(a)gmx.de> ---
Again a little bit simpler using -P:

sudo wget -nc -P /etc/apt/sources.list.d/ https://dl.winehq.org/wine-builds/ubuntu/dists/jammy/winehq-jammy.sources
--- Comment #7 from Ulf Zibis <Ulf.Zibis(a)gmx.de> ---
man sources.list says at section Signed-By:

    The recommended locations for keyrings are /usr/share/keyrings for
    keyrings managed by packages, and /etc/apt/keyrings for keyrings managed
    by the system operator.

From my point of view, winehq.key is not managed by the winehq package itself,
so it is additionally debatable whether /usr/share/keyrings/ is the right
place, rather than /etc/apt/keyrings/.
Olivier F. R. Dierick <o.dierick(a)piezo-forte.be> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|-unknown                    |www-unknown
            Product|Wine                        |WineHQ.org
            Version|7.0                         |unspecified
                 CC|                            |dimesio(a)earthlink.net

--- Comment #8 from Olivier F. R. Dierick <o.dierick(a)piezo-forte.be> ---
Hello,

(In reply to Ulf Zibis from comment #5)
> Malicious software, without needing root privileges, could modify the files:
> - /usr/share/keyrings/winehq-archive.key
> - /etc/apt/sources.list.d/winehq-jammy.sources
> Then, as the result of the next automatic update, the original WineHQ
> binaries could be replaced by malicious binaries.

I agree that this is a valid security risk. Malicious software can't use sudo
by itself, so changing the owner to root will prevent this.

> Why not do it correctly in the first place, rather than hoping for the user
> to correct the owner and rights with chown and chmod?

The wiki cannot do anything more than provide instructions, hoping that the
users will follow them and understand what they are doing. I think that it's
better to put the change of ownership in a separate command in the wiki
instructions, to bring the security concern to the attention of the user.

(In reply to Ulf Zibis from comment #7)
> The recommended locations for keyrings are /usr/share/keyrings for keyrings
> managed by packages, and /etc/apt/keyrings for keyrings managed by the
> system operator.

Older versions of apt (such as the one provided by Debian 8 - apt 1.0.9.8.6)
didn't support /etc/apt/keyrings. It's recommended since apt 2.4. I think the
wiki instructions are older than that. A note could be added for apt >=2.4.

I must say that I don't have permission to edit the wiki since I never did it
before. I'm adding Rosanne DiMesio to this bug.

Regards.
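A check for the ownership and permission requirement argued in comments #0, #5 and #8 (and for the Signed-By pinning raised in comment #7), as an added audit script that is not part of this bug report or the WineHQ wiki: it flags any apt keyring or sources fragment that is not root-owned or is group/world-writable, and follows each Signed-By: path in a Deb822 .sources fragment to test the pinned keyring as well. It assumes GNU stat as shipped in Debian/Ubuntu coreutils; the directory list on the last lines is the one this thread discusses.

```shell
#!/bin/sh
# Added audit helper (not from the WineHQ wiki). Assumes GNU stat (Debian/Ubuntu).

# apt_trust_file_ok FILE [WANT_UID] [WANT_GID]
# 0 if FILE exists, is owned by WANT_UID:WANT_GID (default root:root) and has
# no group/other write bit; else prints the finding and returns 1.
apt_trust_file_ok() {
    tf=$1; want_uid=${2:-0}; want_gid=${3:-$want_uid}
    if [ ! -f "$tf" ]; then
        echo "MISSING   $tf"; return 1
    fi
    set -- $(stat -c '%u %g %a' "$tf")   # owner uid, group gid, octal mode
    rc=0
    if [ "$1" != "$want_uid" ] || [ "$2" != "$want_gid" ]; then
        echo "OWNER     $tf is $1:$2, expected $want_uid:$want_gid"; rc=1
    fi
    mode=$3
    others=${mode#"${mode%?}"}            # last octal digit: other
    rest=${mode%?}; group=${rest#"${rest%?}"}   # second-last: group
    case "$group$others" in               # digits 2,3,6,7 carry the write bit
        *[2367]*) echo "WRITABLE  $tf has mode $mode (group/other write)"; rc=1 ;;
    esac
    return $rc
}

# apt_sources_signed_by FILE -> each Signed-By: value of a Deb822 .sources
# fragment, one per line (nothing if the field is absent).
apt_sources_signed_by() {
    sed -n 's/^Signed-By:[[:space:]]*//p' "$1"
}

# apt_trust_audit WANT_UID WANT_GID DIR...
# Checks every regular file in DIR... and, for *.sources fragments, also the
# keyring path(s) they pin via Signed-By:. Returns 1 if anything failed.
apt_trust_audit() {
    a_uid=$1; a_gid=$2; shift 2
    status=0
    for d in "$@"; do
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            apt_trust_file_ok "$f" "$a_uid" "$a_gid" || status=1
            case "$f" in *.sources)
                for k in $(apt_sources_signed_by "$f"); do
                    case "$k" in   # fingerprints and inline keys are not paths
                        /*) apt_trust_file_ok "$k" "$a_uid" "$a_gid" || status=1 ;;
                    esac
                done ;;
            esac
        done
    done
    return $status
}

# Stand-alone: sh apt-trust-audit.sh /etc/apt/sources.list.d /usr/share/keyrings /etc/apt/keyrings
if [ $# -gt 0 ]; then
    apt_trust_audit 0 0 "$@"
fi
```

A file that passes `sudo install -o root -g root -m 644` (the form the wiki ended up with) passes this audit; the `sudo mv` of a user-owned 664 file from the original instructions is reported as both OWNER and WRITABLE.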
Rosanne DiMesio <dimesio(a)earthlink.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jkfloris(a)dds.nl

--- Comment #9 from Rosanne DiMesio <dimesio(a)earthlink.net> ---
The current instructions for Ubuntu and Debian were written by jkfloris (bug
52439), so cc'ing him.

Regarding stable packages for jammy, there are none yet because jammy did not
exist when 7.0 came out. There will be stable packages for it when 7.0.1 comes
out.
--- Comment #10 from jkfloris(a)dds.nl ---
The Wiki pages have been updated.
--- Comment #11 from Ulf Zibis <Ulf.Zibis(a)gmx.de> ---
(In reply to jkfloris from comment #10)
> The Wiki pages have been updated.

Great!

Why not use the shorter one-line form:

sudo wget -nc -O /usr/share/keyrings/winehq-archive.key https://dl.winehq.org/wine-builds/winehq.key

instead of:

wget -nc https://dl.winehq.org/wine-builds/winehq.key
sudo install -o root -g root -m 644 winehq.key /usr/share/keyrings/winehq-archive.key
--- Comment #12 from Ulf Zibis <Ulf.Zibis(a)gmx.de> ---
(In reply to Ulf Zibis from comment #11)
For the current form:
> wget -nc https://dl.winehq.org/wine-builds/winehq.key
> sudo install -o root -g root -m 644 winehq.key /usr/share/keyrings/winehq-archive.key

you should also add:

rm winehq.key
--- Comment #13 from jkfloris(a)dds.nl ---
Good catch!

I was looking for a way that would be the same for all Debian and Ubuntu
versions. The wiki has been updated accordingly.
Rosanne DiMesio <dimesio(a)earthlink.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|SECURITY RISK installing    |SECURITY RISK installing
                   |WineHQ and missing STABLE   |WineHQ
                   |build on Ubuntu 22.04       |
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #14 from Rosanne DiMesio <dimesio(a)earthlink.net> ---
Thanks, jkfloris!

The rule in bugzilla is one problem per bug, so I'm using this one for the wiki
and marking fixed. Stable packages for 22.04 are a separate issue, and would be
a packaging bug, not a website one.
Rosanne DiMesio <dimesio(a)earthlink.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #15 from Rosanne DiMesio <dimesio(a)earthlink.net> ---
Closing fixed.
--- Comment #16 from Ulf Zibis <Ulf.Zibis(a)gmx.de> ---
Hi, as I see now, it is not mandatory to host the key in /usr/share/keyrings/.
It also could be in /etc/apt/trusted.gpg.d/, but then it must have the
extension ".gpg" and then the "Signed-by" part in "winehq-jammy.sources"
becomes obsolete.

So renaming the key file to "winehq.gpg" would de-complicate things.
Ulf Zibis <Ulf.Zibis(a)gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |---
             Status|CLOSED                      |UNCONFIRMED

--- Comment #17 from Ulf Zibis <Ulf.Zibis(a)gmx.de> ---
See above comment.
--- Comment #18 from jkfloris(a)dds.nl ---
This is less secure. As explained in Debian Bug 851774 [1]:

[quote]
I think that extra repositories should *not* have their keys added to
/etc/apt/trusted.gpg.d/*.gpg ("the fragment directory") by default, since that
authorizes the extra key to make valid signatures for the main archive. If the
extra repo has its own key, it should be authorized to make signatures only
for the extra repo, and nothing else (similarly, the official debian archive
keys *shouldn't* be authorized to make signatures for the extra repo).

So if we're talking about adding extra repositories for a debian stretch
installer, as i said over on #853858: for Debian 9 ("stretch") and later, you
should place these keys (in binary form) someplace within
/usr/local/share/keyrings/ and add a "Signed-By:" option to the relevant apt
sources (see sources.list(5)).
[/quote]

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?att=0;bug=851774;msg=31
--- Comment #19 from Ulf Zibis <Ulf.Zibis(a)gmx.de> ---
(In reply to jkfloris from comment #18)
> This is less secure. As explained in Debian Bug 851774 [1]:

Thanks for your explanation. Yes, you are right.

I came to my proposal because a colleague told me that when a foreign key is in
/etc/apt/trusted.gpg.d/ instead of /etc/apt/trusted.gpg, there is no such
warning:

W: https://linux.teamviewer.com/deb/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
Ulf Zibis <Ulf.Zibis(a)gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #20 from Ulf Zibis <Ulf.Zibis(a)gmx.de> ---
See comment above ...
Ulf Zibis <Ulf.Zibis(a)gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |---
             Status|RESOLVED                    |UNCONFIRMED

--- Comment #21 from Ulf Zibis <Ulf.Zibis(a)gmx.de> ---
I again think the install instruction is not 100 % correct.

As the WineHQ key is not managed by a package, but manually by the admin, the
correct location should be /etc/apt/keyrings/ rather than /usr/share/keyrings/ .

See this reference here:
https://wiki.debian.org/DebianRepository/UseThirdParty
... and note:
"In releases older than Debian 12 and Ubuntu 22.04, /etc/apt/keyrings does not
exist by default. It SHOULD be created with permissions 0755 if it is needed
and does not already exist."

I.e., this niche project does it correctly:

It is also a nice example of how to provide a 1-line-command installation.

An example for a package managed keyring is:
http://packages.linuxmint.com/pool/main/l/linuxmint-keyring/linuxmint-keyrin...
--- Comment #22 from Ulf Zibis <Ulf.Zibis(a)gmx.de> ---
(In reply to Ulf Zibis from comment #21)
> I.e., this niche project does it correctly:
>
> It is also a nice example of how to provide a 1-line-command installation.

Correction, here it is:
http://www.jpilot.org/download/
--- Comment #23 from jkfloris(a)dds.nl ---
The changes are in place.
https://gitlab.winehq.org/winehq/tools/-/commit/a04dba287be44fd00a8ed57cef6c...

Now we have to wait for the change to be processed by the server. After that,
the Wiki can be updated.

I think this bug can now be closed. For the incorrect path there is bug 53554
https://bugs.winehq.org/show_bug.cgi?id=53554
Ulf Zibis <Ulf.Zibis(a)gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |53554
--- Comment #24 from Ulf Zibis <Ulf.Zibis(a)gmx.de> ---
(In reply to jkfloris from comment #23)
> I think this bug can now be closed. For the incorrect path there is bug 53554
> https://bugs.winehq.org/show_bug.cgi?id=53554

Wouldn't it be possible to provide a 1-line-command installation like here:
http://www.jpilot.org/download/
--- Comment #25 from Austin English <austinenglish(a)gmail.com> ---
(In reply to Ulf Zibis from comment #24)
> (In reply to jkfloris from comment #23)
> > I think this bug can now be closed. For the incorrect path there is bug
> > 53554 https://bugs.winehq.org/show_bug.cgi?id=53554
>
> Wouldn't it be possible to provide a 1-line-command installation like here:
> http://www.jpilot.org/download/

It's theoretically possible, but I'd argue that curling random scripts and
piping them to bash without reviewing them is a huge security risk.
--- Comment #26 from Ulf Zibis <Ulf.Zibis(a)gmx.de> ---
(In reply to Austin English from comment #25)
> It's theoretically possible, but I'd argue that curling random scripts and
> piping them to bash without reviewing them is a huge security risk.

Well, but one also must trust the WineHQ package itself. I personally would
trust the WineHQ developers that such a script would be safe.
Ken Sharp <imwellcushtymelike(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #27 from Ken Sharp <imwellcushtymelike(a)gmail.com> ---
Marking fixed. The instructions on the Wiki create files owned by root.
Bug 53356 depends on bug 53554, which changed state.

Bug 53554 Summary: Compliance with Deb822: package archive keyring location
https://bugs.winehq.org/show_bug.cgi?id=53554

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED
Ken Sharp <imwellcushtymelike(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #28 from Ken Sharp <imwellcushtymelike(a)gmail.com> ---
Closing