Re: Revival of the signed debs discussion
On Mon, Dec 01, 2003 at 05:00:53PM +0000, Scott James Remnant wrote:
> No Cc was necessary, I am subscribed to debian-devel.
Please set your Mail-Followup-To accordingly, then.
> > If every .deb must be signed by a developer, and we assume that no
> > developer leaves secret keys on public machines, then signed .debs do
> > save the day.
See the next paragraph.
> > Even if the attacker could place a new keyring file in the archive,
> > people verifying signatures on signed .debs would not install it, since
> > it would not have the signature of a developer.
> What defines "the signature of a developer"? That their key is in the
> keyring, so if a hax0r decided to compromise our keyring and add a key to
> it, there'd be no way to tell that it wasn't a developer's key.
You missed the point of the paragraph you quoted.
If I run a machine that checks all incoming packages with debsigs, and
refuses to install those that don't bear a valid signature, it will
refuse to install the new compromised debian-keyring package since it
will not be signed by a key on the existing keyring.
Therefore, my own gpg will never see the attacker's key and will refuse
to install packages bearing its signature.
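The trust argument in the reply above, written out as an added example that is not part of the thread and not Debian's or debsigs' code: a host that checks every incoming .deb against its current keyring rejects a replacement debian-keyring package signed by a key it does not already trust, so the attacker's key never enters the keyring and anything signed with it is rejected too; the same host with checking turned off shows why the worry in the quoted text applies only to unverified installs. The "signatures" are HMAC-SHA256 stand-ins for OpenPGP signatures, and the key ids, package names and payloads are constructed; none of them are real Debian keys or packages apart from the debian-keyring name from the discussion.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for OpenPGP: a "key" is (key_id, secret) and a signature
# is an HMAC-SHA256 over the package payload. This is NOT how gpg/debsigs sign
# packages; it only lets the trust policy below run offline.

def sign(secret: bytes, payload: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()

def verify(secret: bytes, payload: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(secret, payload), signature)

@dataclass
class Deb:
    name: str
    payload: bytes
    signer_id: str
    signature: str
    # Only a keyring package carries this: the keyring it would install.
    new_keyring: Optional[dict] = None

def build_deb(name, payload, signer_id, secret, new_keyring=None):
    return Deb(name, payload, signer_id, sign(secret, payload), new_keyring)

class Installer:
    """Models a host that (optionally) checks every incoming .deb against its
    current keyring before installing it, as the reply above describes."""

    def __init__(self, keyring, check_signatures=True):
        self.keyring = dict(keyring)          # key_id -> verification secret
        self.check_signatures = check_signatures
        self.installed = set()
        self.log = []

    def install(self, deb: Deb) -> bool:
        if self.check_signatures:
            secret = self.keyring.get(deb.signer_id)
            if secret is None:
                self.log.append(f"REJECT {deb.name}: signer {deb.signer_id} not in keyring")
                return False
            if not verify(secret, deb.payload, deb.signature):
                self.log.append(f"REJECT {deb.name}: signature does not verify")
                return False
        self.installed.add(deb.name)
        if deb.new_keyring is not None:
            # Installing a keyring package replaces the trusted keyring.
            self.keyring = dict(deb.new_keyring)
        self.log.append(f"INSTALL {deb.name} (signed by {deb.signer_id})")
        return True

# Constructed keys: two genuine developer keys and one attacker key that is
# never on the genuine keyring.
DEV1 = ("DEV1", b"dev1-secret")
DEV2 = ("DEV2", b"dev2-secret")
EVIL = ("EVIL", b"evil-secret")

def attacker_packages():
    """The two packages the quoted scenario assumes an attacker could place in
    the archive: a debian-keyring that adds their key, and a package signed by it."""
    bad_ring = {DEV1[0]: DEV1[1], EVIL[0]: EVIL[1]}
    keyring_deb = build_deb("debian-keyring", b"keyring (tampered)", EVIL[0], EVIL[1], bad_ring)
    rogue_deb = build_deb("example-pkg", b"attacker-built package", EVIL[0], EVIL[1])
    return keyring_deb, rogue_deb

def run(check_signatures: bool) -> Installer:
    """Feed the attacker's packages, then a genuine keyring update, to a host
    whose keyring initially trusts only DEV1; return the host for inspection."""
    host = Installer({DEV1[0]: DEV1[1]}, check_signatures)
    keyring_deb, rogue_deb = attacker_packages()
    host.install(keyring_deb)
    host.install(rogue_deb)
    # A genuine keyring update, signed by an existing developer key, adding DEV2.
    good_ring = {DEV1[0]: DEV1[1], DEV2[0]: DEV2[1]}
    host.install(build_deb("debian-keyring", b"keyring v2", DEV1[0], DEV1[1], good_ring))
    host.install(build_deb("second-pkg", b"package from DEV2", DEV2[0], DEV2[1]))
    return host

if __name__ == "__main__":
    for mode in (True, False):
        host = run(mode)
        print(f"check_signatures={mode}: final keyring={sorted(host.keyring)}")
        for line in host.log:
            print("  " + line)
```

With checking on, the log shows both attacker packages rejected because EVIL is not on the keyring, while the DEV1-signed keyring update and the subsequent DEV2-signed package install normally; with checking off, the tampered keyring is installed and the attacker-signed package goes in after it.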