Re: Revival of the signed debs discussion
On Mon, Dec 01, 2003 at 05:00:53PM +0000, Scott James Remnant wrote:
> No Cc was necessary, I am subscribed to debian-devel.
Please set your Mail-Followup-To accordingly, then.
> > If every .deb must be signed by a developer, and we assume that no
> > developer leaves secret keys on public machines, then signed .debs does
> > save the day.
See the next paragraph.
> > Even if the attacker could place a new keyring file in the archive,
> > people verifying signatures on signed .debs would not install it, since
> > it would not have the signature of a developer.
> What defines "the signature of a developer"? That their key is in the
> keyring, so if a hax0r decided to comprise our keyring and add a key to
> it, there'd be no way to tell that it wasn't a developer's key.
You missed the point of the paragraph you quoted.
If I run a machine that checks all incoming packages with debsigs, and
refuses to install those that don't bear a valid signature, it will
refuse to install the new compromised debian-keyring package since it
will not be signed by a key on the existing keyring.
Therefore, my own gpg will never see the attacker's key and will refuse
to install packages bearing its signature.