https://bugs.winehq.org/show_bug.cgi?id=53356
Bug ID: 53356
Summary: Problems installing WineHQ on Ubuntu 22.04
Product: Wine
Version: 7.0
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: Ulf.Zibis@gmx.de
Distribution: ---
1. Key and sources list are not saved as root owned files with your current install procedure. This is a SECURITY RISK !!!
Correct procedure could be:
sudo dpkg --add-architecture i386 # only on 64-bit-systems
wget -nc https://dl.winehq.org/wine-builds/winehq.key
F=winehq.key && chmod a-w,u+w $F && sudo chown 0:0 $F && sudo mv $F /usr/share/keyrings/winehq-archive.key
wget -nc https://dl.winehq.org/wine-builds/ubuntu/dists/jammy/winehq-jammy.sources
F=winehq-jammy.sources && chmod a-w,u+w $F && sudo chown 0:0 $F && sudo mv $F /etc/apt/sources.list.d/ && sudo apt update
sudo apt install --install-recommends winehq-stable winetricks
2. There is no STABLE build for Ubuntu 22.04:
$ sudo apt install --install-recommends winehq-stable winetricks
Paketlisten werden gelesen… Fertig
Abhängigkeitsbaum wird aufgebaut… Fertig
Statusinformationen werden eingelesen… Fertig
E: Paket winehq-stable kann nicht gefunden werden.
workaround:
sudo apt install --install-recommends winehq-devel winetricks
Ulf Zibis Ulf.Zibis@gmx.de changed:
What     |Removed |Added
---------+--------+------------------
CC       |        |Ulf.Zibis@gmx.de
--- Comment #1 from Ulf Zibis Ulf.Zibis@gmx.de ---
A more elegant solution is:
sudo dpkg --add-architecture i386 # only on 64-bit-systems
sudo -H wget -nc https://dl.winehq.org/wine-builds/winehq.key
sudo -H mv winehq.key /usr/share/keyrings/winehq-archive.key
sudo -H wget -nc https://dl.winehq.org/wine-builds/ubuntu/dists/jammy/winehq-jammy.sources
sudo -H mv winehq-jammy.sources /etc/apt/sources.list.d/ && sudo apt update
sudo apt install --install-recommends winehq-stable winetricks

Or even more elegant:
sudo dpkg --add-architecture i386 # only on 64-bit-systems
sudo wget -nc -O /usr/share/keyrings/winehq-archive.key https://dl.winehq.org/wine-builds/winehq.key
sudo wget -nc -O /etc/apt/sources.list.d/winehq-jammy.sources https://dl.winehq.org/wine-builds/ubuntu/dists/jammy/winehq-jammy.sources && sudo apt update
sudo apt install --install-recommends winehq-stable winetricks
Ulf Zibis Ulf.Zibis@gmx.de changed:
What     |Removed                                    |Added
---------+-------------------------------------------+-------------------------------------------------------------------------
Summary  |Problems installing WineHQ on Ubuntu 22.04 |SECURITY RISK installing WineHQ and missing STABLE build on Ubuntu 22.04
Olivier F. R. Dierick o.dierick@piezo-forte.be changed:
What     |Removed |Added
---------+--------+--------------------------
CC       |        |o.dierick@piezo-forte.be
--- Comment #2 from Olivier F. R. Dierick o.dierick@piezo-forte.be --- Hello,
(In reply to Ulf Zibis from comment #0)
> - Key and sources list are not saved as root owned files with your current
> install procedure.
What install procedure are you referring to (link?)?
Regards.
--- Comment #3 from Ulf Zibis Ulf.Zibis@gmx.de --- (In reply to Olivier F. R. Dierick from comment #2)
> What install procedure are you referring to (link?)?
https://wiki.winehq.org/Ubuntu
I suspect this bug also applies on https://wiki.winehq.org/debian
--- Comment #4 from Olivier F. R. Dierick o.dierick@piezo-forte.be --- Hello,
The files are owned by a user that can 'sudo mv' anything in their place. How would changing the file owner to root make it more secure?
You could also simply sudo chown root: /etc/apt/sources.list.d/wine* /usr/share/keyrings/wine* after moving the files. That doesn't prevent the user with sudo privilege to change the files any way they want.
Regards.
--- Comment #5 from Ulf Zibis Ulf.Zibis@gmx.de ---
Malicious software, without needing root privileges, could modify the files:
- /usr/share/keyrings/winehq-archive.key
- /etc/apt/sources.list.d/winehq-jammy.sources
Then, as the result of the next automatic update, the original WineHQ binaries could be replaced by malicious binaries.
Why do we use security keys at all, when they are not secure from modification?
Why not do it correctly in the first place, rather than hoping for the user to correct the owner and rights with chown and chmod?
Anyway, it does not make sense to have user owned files in root owned directories, so all files in /etc/apt/sources.list.d/ and /usr/share/keyrings/ should be:
root root rw-r--r--
and not:
user user rw-rw-r--
"That doesn't prevent the user with sudo privilege to change the files any way they want."
But it prevents users WITHOUT sudo privilege from doing that. On multi-user systems, normal users do not have such privileges for a good reason.
--- Comment #6 from Ulf Zibis Ulf.Zibis@gmx.de ---
Again a little bit simpler using -P:
sudo wget -nc -P /etc/apt/sources.list.d/ https://dl.winehq.org/wine-builds/ubuntu/dists/jammy/winehq-jammy.sources
--- Comment #7 from Ulf Zibis Ulf.Zibis@gmx.de ---
man sources.list says at section Signed-By:
"The recommended locations for keyrings are /usr/share/keyrings for keyrings managed by packages, and /etc/apt/keyrings for keyrings managed by the system operator."
From my point of view, winehq.key is not managed by the winehq package itself, so it is additionally debatable whether /usr/share/keyrings/ is the right place, rather than /etc/apt/keyrings/.
Olivier F. R. Dierick o.dierick@piezo-forte.be changed:
What       |Removed  |Added
-----------+---------+-----------------------
Component  |-unknown |www-unknown
Product    |Wine     |WineHQ.org
Version    |7.0      |unspecified
CC         |         |dimesio@earthlink.net
--- Comment #8 from Olivier F. R. Dierick o.dierick@piezo-forte.be --- Hello,
(In reply to Ulf Zibis from comment #5)
> Malicious software, without needing root privileges, could modify the files:
> - /usr/share/keyrings/winehq-archive.key
> - /etc/apt/sources.list.d/winehq-jammy.sources
> Then, as the result of the next automatic update, the original WineHQ binaries could be replaced by malicious binaries.
I agree that this is a valid security risk. Malicious software can't use sudo by itself, so changing the owner to root will prevent this.
> Why not do it correctly in the first place, rather than hoping for the user to correct the owner and rights with chown and chmod?
The wiki cannot do anything more than provide instructions, hoping that the users will follow them and understand what they are doing.
I think that it's better to put the change of ownership in a separate command in the wiki instructions, to bring the security concern to the attention of the user.
(In reply to Ulf Zibis from comment #7)
> The recommended locations for keyrings are /usr/share/keyrings for keyrings managed by packages, and /etc/apt/keyrings for keyrings managed by the system operator.
Older versions of apt (such as the one provided by Debian 8 - apt 1.0.9.8.6) didn't support /etc/apt/keyrings. It's recommended since apt 2.4. I think the wiki instructions are older than that.
A note could be added for apt >=2.4.
I must say that I don't have permission to edit the wiki since I never did it before.
I'm adding Rosanne DiMesio to this bug.
Regards.
Rosanne DiMesio dimesio@earthlink.net changed:
What     |Removed |Added
---------+--------+-----------------
CC       |        |jkfloris@dds.nl
--- Comment #9 from Rosanne DiMesio dimesio@earthlink.net --- The current instructions for Ubuntu and Debian were written by jkfloris (bug 52439), so cc'ing him.
Regarding stable packages for jammy, there are none yet because jammy did not exist when 7.0 came out. There will be stable packages for it when 7.0.1 comes out.
--- Comment #10 from jkfloris@dds.nl --- The Wiki pages have been updated.
--- Comment #11 from Ulf Zibis Ulf.Zibis@gmx.de --- (In reply to jkfloris from comment #10)
> The Wiki pages have been updated.
Great! Why not using the shorter one-line form:
sudo wget -nc -O /usr/share/keyrings/winehq-archive.key https://dl.winehq.org/wine-builds/winehq.key
instead:
wget -nc https://dl.winehq.org/wine-builds/winehq.key
sudo install -o root -g root -m 644 winehq.key /usr/share/keyrings/winehq-archive.key
--- Comment #12 from Ulf Zibis Ulf.Zibis@gmx.de ---
(In reply to Ulf Zibis from comment #11)
For the current form:
wget -nc https://dl.winehq.org/wine-builds/winehq.key
sudo install -o root -g root -m 644 winehq.key /usr/share/keyrings/winehq-archive.key
you should also add:
rm winehq.key
--- Comment #13 from jkfloris@dds.nl --- Good catch! I was looking for a way that would be the same for all Debian and Ubuntu versions. The wiki has been updated accordingly.
Rosanne DiMesio dimesio@earthlink.net changed:
What        |Removed                                                                  |Added
------------+-------------------------------------------------------------------------+--------------------------------
Summary     |SECURITY RISK installing WineHQ and missing STABLE build on Ubuntu 22.04 |SECURITY RISK installing WineHQ
Status      |UNCONFIRMED                                                              |RESOLVED
Resolution  |---                                                                      |FIXED
--- Comment #14 from Rosanne DiMesio dimesio@earthlink.net --- Thanks, jkfloris!
The rule in bugzilla is one problem per bug, so I'm using this one for the wiki and marking fixed. Stable packages for 22.04 are a separate issue, and would be a packaging bug, not a website one.
Rosanne DiMesio dimesio@earthlink.net changed:
What     |Removed  |Added
---------+---------+--------
Status   |RESOLVED |CLOSED
--- Comment #15 from Rosanne DiMesio dimesio@earthlink.net --- Closing fixed.
--- Comment #16 from Ulf Zibis Ulf.Zibis@gmx.de --- Hi,
as I see now, it is not mandatory to host the key in /usr/share/keyrings/. It also could be in /etc/apt/trusted.gpg.d/, but then it must have the extension ".gpg" and then the "Signed-by" part in "winehq-jammy.sources" becomes obsolete. So renaming the key file to "winehq.gpg" would de-complicate things.
Ulf Zibis Ulf.Zibis@gmx.de changed:
What        |Removed |Added
------------+--------+------------
Resolution  |FIXED   |---
Status      |CLOSED  |UNCONFIRMED
--- Comment #17 from Ulf Zibis Ulf.Zibis@gmx.de --- See above comment.
--- Comment #18 from jkfloris@dds.nl --- This is less secure. As explained in Debian Bug 851774 [1]:
[quote] I think that extra repositories should *not* have their keys added to /etc/apt/trusted.gpg.d/*.gpg ("the fragment directory") by default, since that authorizes the extra key to make valid signatures for the main archive.
If the extra repo has its own key, it should be authorized to make signatures only for the extra repo, and nothing else (similarly, the official debian archive keys *shouldn't* be authorized to make signatures for the extra repo).
So if we're talking about adding extra repositories for a debian stretch installer, as i said over on #853858:
for Debian 9 ("stretch") and later, you should place these keys (in binary form) someplace within /usr/local/share/keyrings/ and add a "Signed-By:" option to the relevant apt sources (see sources.list(5)). [/quote]
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?att=0;bug=851774;msg=31
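The two concerns raised in this thread, files in the apt trust directories that a non-root user can modify (comment #5) and a third-party key placed where it is trusted for every archive instead of being scoped with Signed-By (comment #18), can both be checked on a running system. The script below is an added example, not the WineHQ wiki's instructions nor any commenter's commands; it assumes GNU or busybox `stat -c`, and the file paths and contents used when running it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the WineHQ wiki or from any comment in this bug):
# audit the apt trust files discussed here.
#   audit_apt_dir   - flags files a non-root user could modify (comment #5)
#   check_signed_by - flags .sources files whose Signed-By does not scope the
#                     key to that one repository (comment #18)
# Assumes GNU/busybox `stat -c`. Usage paths below are constructed.

# audit_apt_dir DIR
#   Prints one "path: reason" line for every regular file in DIR that is not
#   owned by root:root or is group/other-writable. Returns 1 if anything was
#   reported, 0 if the directory is clean.
audit_apt_dir() {
    dir=$1
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # numeric uid, numeric gid and octal mode, e.g. "0 0 644"
        set -- $(stat -c '%u %g %a' "$f")
        uid=$1 gid=$2 mode=$3
        # keep only the user/group/other digits (drops setuid/setgid/sticky)
        perm=$(printf '%03d' "$mode" | tail -c 3)
        grp=$(printf '%s' "$perm" | cut -c2)
        oth=$(printf '%s' "$perm" | cut -c3)
        if [ "$uid" -ne 0 ] || [ "$gid" -ne 0 ]; then
            printf '%s: not owned by root:root (uid=%s gid=%s)\n' "$f" "$uid" "$gid"
            found=1
        fi
        # bit value 2 of an octal permission digit is the write bit
        if [ $((grp & 2)) -ne 0 ] || [ $((oth & 2)) -ne 0 ]; then
            printf '%s: group/other-writable (mode %s)\n' "$f" "$perm"
            found=1
        fi
    done
    return "$found"
}

# check_signed_by SOURCES_FILE
#   Reads the Deb822 Signed-By: field. Reports when the field is missing, when
#   it points under /etc/apt/trusted.gpg.d (a key there signs for every
#   archive), or when the named keyring does not exist. An inline armored key
#   (value continues on indented lines) has nothing on disk to check.
#   Only the first path of the value is examined (assumption of this example).
check_signed_by() {
    src=$1
    if ! grep -q '^Signed-By:' "$src"; then
        printf '%s: no Signed-By field; key scope is not restricted to this repo\n' "$src"
        return 1
    fi
    key=$(sed -n 's/^Signed-By:[[:space:]]*//p' "$src" | head -n 1)
    case "$key" in
        '') ;;   # inline armored key block
        /etc/apt/trusted.gpg.d/*)
            printf '%s: Signed-By points into trusted.gpg.d, which trusts the key for all archives\n' "$src"
            return 1 ;;
        /*)
            [ -f "$key" ] || { printf '%s: Signed-By keyring %s does not exist\n' "$src" "$key"; return 1; } ;;
        *)
            printf '%s: Signed-By value "%s" is not an absolute path\n' "$src" "$key"
            return 1 ;;
    esac
    return 0
}

# Stand-alone usage: sh apt_trust_audit.sh /etc/apt/sources.list.d /usr/share/keyrings
for d in "$@"; do
    audit_apt_dir "$d"
    for s in "$d"/*.sources; do
        [ -f "$s" ] && check_signed_by "$s"
    done
done
```

Run it against /etc/apt/sources.list.d and the keyring directory after following the wiki steps; a clean run prints nothing and exits 0, and a file installed with plain `wget` + `sudo mv` shows up as not owned by root.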
--- Comment #19 from Ulf Zibis Ulf.Zibis@gmx.de --- (In reply to jkfloris from comment #18)
> This is less secure. As explained in Debian Bug 851774 [1]:
Thanks for your explication. Yes, you are right.
I came to my proposal because a colleague told me that when a foreign key is in /etc/apt/trusted.gpg.d/ instead of /etc/apt/trusted.gpg, there is no such warning:
W: https://linux.teamviewer.com/deb/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
Ulf Zibis Ulf.Zibis@gmx.de changed:
What        |Removed     |Added
------------+------------+---------
Resolution  |---         |FIXED
Status      |UNCONFIRMED |RESOLVED
--- Comment #20 from Ulf Zibis Ulf.Zibis@gmx.de --- See comment above ...
Ulf Zibis Ulf.Zibis@gmx.de changed:
What        |Removed  |Added
------------+---------+------------
Resolution  |FIXED    |---
Status      |RESOLVED |UNCONFIRMED
--- Comment #21 from Ulf Zibis Ulf.Zibis@gmx.de ---
I again think the install instruction is not 100 % correct. As the WineHQ key is not managed by a package, but manually by the admin, the correct location should be /etc/apt/keyrings/ rather than /usr/share/keyrings/ . See this reference here: https://wiki.debian.org/DebianRepository/UseThirdParty ... and note:
"In releases older than Debian 12 and Ubuntu 22.04, /etc/apt/keyrings does not exist by default. It SHOULD be created with permissions 0755 if it is needed and does not already exist."
I.e., this niche project does it correctly: It is also a nice example of how to provide a 1-line-command installation.
An example for a packaged managed keyring is: http://packages.linuxmint.com/pool/main/l/linuxmint-keyring/linuxmint-keyrin...
--- Comment #22 from Ulf Zibis Ulf.Zibis@gmx.de --- (In reply to Ulf Zibis from comment #21)
> I.e., this niche project does it correctly: It is also a nice example of how to provide a 1-line-command installation.
Correction, here it is: http://www.jpilot.org/download/
--- Comment #23 from jkfloris@dds.nl --- The changes are in place. https://gitlab.winehq.org/winehq/tools/-/commit/a04dba287be44fd00a8ed57cef6c...
Now we have to wait for the change to be processed by the server. After that, the Wiki can be updated.
I think this bug can now be closed. For the incorrect path there is bug 53554 https://bugs.winehq.org/show_bug.cgi?id=53554
Ulf Zibis Ulf.Zibis@gmx.de changed:
What        |Removed |Added
------------+--------+-------
Depends on  |        |53554
--- Comment #24 from Ulf Zibis Ulf.Zibis@gmx.de --- (In reply to jkfloris from comment #23)
> I think this bug can now be closed. For the incorrect path there is bug 53554 https://bugs.winehq.org/show_bug.cgi?id=53554
Wouldn't it be possible to provide a 1-line-command installation like here: http://www.jpilot.org/download/
--- Comment #25 from Austin English austinenglish@gmail.com --- (In reply to Ulf Zibis from comment #24)
> (In reply to jkfloris from comment #23)
> > I think this bug can now be closed. For the incorrect path there is bug 53554 https://bugs.winehq.org/show_bug.cgi?id=53554
> Wouldn't it be possible to provide a 1-line-command installation like here: http://www.jpilot.org/download/
It's theoretically possible, but I'd argue that curling random scripts and piping them to bash without reviewing them is a huge security risk.
--- Comment #26 from Ulf Zibis Ulf.Zibis@gmx.de --- (In reply to Austin English from comment #25)
> It's theoretically possible, but I'd argue that curling random scripts and piping them to bash without reviewing them is a huge security risk.
Well, but one also must trust the WineHQ package itself. I personally would trust WineHQ developers that such a script would be safe.
Ken Sharp imwellcushtymelike@gmail.com changed:
What        |Removed     |Added
------------+------------+---------
Resolution  |---         |FIXED
Status      |UNCONFIRMED |RESOLVED
--- Comment #27 from Ken Sharp imwellcushtymelike@gmail.com --- Marking fixed. The instructions on the Wiki create files owned by root.
Bug 53356 depends on bug 53554, which changed state.
Bug 53554 Summary: Compliance with Deb822: package archive keyring location
https://bugs.winehq.org/show_bug.cgi?id=53554
What        |Removed     |Added
------------+------------+---------
Status      |UNCONFIRMED |RESOLVED
Resolution  |---         |FIXED
Ken Sharp imwellcushtymelike@gmail.com changed:
What     |Removed  |Added
---------+---------+--------
Status   |RESOLVED |CLOSED
--- Comment #28 from Ken Sharp imwellcushtymelike@gmail.com --- Closing