Vulnerability: Images are built with a pre-initialised (and thus common) pacman keyring and signing key
I'm unsure if this is the appropriate place for security bug reports. I could not find any official direction for submitting security-related bugs.
Impact
Installations of the pre-built ARM images can be tricked into installing maliciously signed packages by a network attacker, leading to code execution as root.
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (8.0 High)
Details
Having recently started experimenting with a couple of Manjaro ARM images for the Pinephone, I noticed that the images which are distributed (e.g. on GitHub) all contain a pre-initialised pacman keyring - i.e., the /etc/pacman.d/gnupg directory.
This is problematic because everyone who installs one of these pre-built images will inherit the same local signing key (both private and public components). This is dangerous because the local signing key can be used to sign packages for installation - even those obtained from supposedly official mirrors.
I was able to confirm that a man-in-the-middle attacker (or a rogue mirror) can use this common signing key to serve modified databases and packages which would then pass pacman's signature checks and would thus be installed without any objection. As such, malware could be installed to a user's phone (or other ARM-based device) by a man-in-the-middle attacker.
(Note that technically, databases aren't signed, but packages must be signed by a trusted key. The database typically contains package signatures, and so it must be modified by an attacker also.)
Exploitability
- Use of plaintext HTTP mirrors (i.e. not HTTPS) is still commonplace and enabled by default, allowing database and package downloads to be subverted by a network-adjacent attacker.
- It's my understanding that Manjaro can be configured to download updates automatically. (I'm not sure if it will install them automatically, but poisoning the database/package cache may be 50% of the way there.)
- Though I've only tested Phosh and Plasma-mobile images for the Pinephone, I believe the root cause to be with the common build process (i.e. manjaro-arm-tools). Therefore, many more images than I've tested are potentially affected.
Suggested Remediation
- Assuming the keyring is needed during the build process, /etc/pacman.d/gnupg should be purged afterwards, before the image is finalised.
- Defer initialisation of the final pacman keyring (pacman-key --init) until the first proper boot, similar to how SSH server keys are currently handled.
- Rebuild any affected images without a pre-initialised keyring as soon as possible.
As far as I know, pacman won't automatically initialise a keyring, so this may require the use of a first-time setup script. First-time setup scripts are already used for some images (such as those for the Pinephone).
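The following is an added example of what such a first-time setup hook could look like; it is not code from the report or from manjaro-arm-tools. It assumes gnupg's on-disk layout for the pacman keyring directory (private-keys-v1.d/*.key for modern gnupg, secring.gpg for older layouts) and uses pacman-key's documented --gpgdir, --init and --populate options (--populate with no keyring names loads every keyring shipped under /usr/share/pacman/keyrings).

```shell
#!/bin/sh
# Example first-boot / build-time hook for the issue described above.
# Assumption: a pacman keyring directory that already holds private key
# material is one that was shipped in the image, so it must be discarded
# and a fresh local master key generated on the device.

KEYRING_DIR="${KEYRING_DIR:-/etc/pacman.d/gnupg}"

# Returns 0 if $1 is an initialised keyring carrying a private key, else 1.
keyring_is_preinitialised() {
    dir="$1"
    [ -d "$dir" ] || return 1
    # gnupg >= 2.1 stores one file per private key in private-keys-v1.d/
    if [ -d "$dir/private-keys-v1.d" ]; then
        for f in "$dir/private-keys-v1.d"/*.key; do
            [ -e "$f" ] && return 0
        done
    fi
    # older gnupg layouts keep the secret keyring in secring.gpg
    [ -s "$dir/secring.gpg" ] && return 0
    return 1
}

# Build-time step: remove the keyring so the image ships without a local key.
purge_keyring() {
    rm -rf "$1"
}

# First-boot step: throw away any shipped key, then initialise a fresh keyring
# and repopulate it from the distribution keyring packages.
first_boot_init() {
    dir="$1"
    if keyring_is_preinitialised "$dir"; then
        echo "pacman keyring in $dir was shipped with the image; regenerating" >&2
        purge_keyring "$dir"
    fi
    if [ ! -d "$dir" ]; then
        pacman-key --gpgdir "$dir" --init && pacman-key --gpgdir "$dir" --populate
    fi
}

# Invoke only when run directly with "--first-boot" (e.g. from a oneshot unit).
if [ "${1:-}" = "--first-boot" ]; then
    first_boot_init "$KEYRING_DIR"
fi
```

Shipping this as a oneshot service ordered before any package operations, and deleting /etc/pacman.d/gnupg at the end of the image build, gives every installation its own signing key without relying on users to notice the problem.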
I note that GitHub has a download counter for many of the images with compromised keys. A significant number of users are thus evidently using insecure keyrings already. Can this be addressed retroactively somehow?
References
Example images with pre-initialised keyrings: