
Re: APT public key updates?



Anthony Towns wrote:
> Not directly afaik. If you say "Archive Signing Key (Date <= 2006-05-01)"
> apt could parse that from gpgv's output and perform the check itself, or add
> a "The key used to sign these packages expired on 2006-05-01; if you obtained
> this media after that date, you may have a problem. Continue (y/n): " warning.
>
> I'm not sure off-hand what gpgv outputs in the case of an expired key; it might
> be feasible to do the above already.

root@dragon:/var/lib/apt/lists>date
Fri Feb 10 02:55:26 EST 2006

It does show as expired in the key list:

pub   1024D/4F368D5D 2005-01-31 [expired: 2006-01-31]
uid                  Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>

And of course the first line is parsable if we needed to.

root@dragon:/var/lib/apt/lists>gpgv --keyring /etc/apt/trusted.gpg ftp.debian.org_debian_dists_unstable_Release.gpg ftp.debian.org_debian_dists_unstable_Release
gpgv: Signature made Mon Jan  9 16:06:49 2006 EST using DSA key ID 4F368D5D
gpgv: Good signature from "Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>"
gpgv: Signature made Mon Jan  9 16:06:49 2006 EST using DSA key ID 2D230C5F
gpgv: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>"

Nonzero exit; odd, it doesn't seem to notice that the key is expired at
all. But apt won't use gpgv like that, I suppose, but instead like this:

root@dragon:/var/lib/apt/lists>gpgv --status-fd 1 --keyring /etc/apt/trusted.gpg ftp.debian.org_debian_dists_unstable_Release.gpg ftp.debian.org_debian_dists_unstable_Release 2>/dev/null
[GNUPG:] KEYEXPIRED 1138684904
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID ZKhvtcKyBPTP/uIh7HV7YuPjbTQ 2006-01-09 1136840809
[GNUPG:] EXPKEYSIG F1D53D8C4F368D5D Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>
[GNUPG:] VALIDSIG 4C7A8E5E9454FE3FAE1E78ADF1D53D8C4F368D5D 2006-01-09 1136840809 0 3 0 17 2 00 4C7A8E5E9454FE3FAE1E78ADF1D53D8C4F368D5D
[GNUPG:] SIG_ID xXpzy5nnFmZ2vx2kRLfQ31tjC6Q 2006-01-09 1136840809
[GNUPG:] GOODSIG 010908312D230C5F Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>
[GNUPG:] VALIDSIG 084750FC01A6D388A643D869010908312D230C5F 2006-01-09 1136840809 0 3 0 17 2 00 084750FC01A6D388A643D869010908312D230C5F

d-i net-retriever and debootstrap will currently accept the 2005 key
signature above as good even though it's an EXPKEYSIG, since gpgv still
says it's a VALIDSIG. I haven't checked apt.

But that was a Release file signed before the key expired. What
happens if it's signed using an expired key? Let's see:

(Note that I created a key, distributed it to root, then moved forward
till it expired and tried to sign with it, but gpg wouldn't let me so I
edited my personal version of the key to not be expired..)

joey@dragon:~>date
Sat Feb 20 03:06:53 EST 2010
joey@dragon:~>gpg -u "test expire key" --sign passwd

You need a passphrase to unlock the secret key for
user: "test expire key"
1024-bit DSA key, ID 53FE1BE8, created 2006-02-20

root@dragon:/home/joey>gpg --list-keys 53FE1BE8
pub   1024D/53FE1BE8 2006-02-20 [expired: 2007-02-20]
uid                  test expire key

root@dragon:/home/joey>gpgv --status-fd 1 --keyring /root/.gnupg/pubring.gpg passwd.gpg
gpgv: Signature made Sat Feb 20 03:02:46 2010 EST using DSA key ID 53FE1BE8
[GNUPG:] KEYEXPIRED 1171959238
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID 6FJsP/WgGaXPws8dsBchG+nohOw 2010-02-20 1266652966
[GNUPG:] EXPKEYSIG 81DD5AF853FE1BE8 test expire key
gpgv: Good signature from "test expire key"
[GNUPG:] VALIDSIG 9F2124E6216B3E74302F173C81DD5AF853FE1BE8 2010-02-20 1266652966 0 3 0 17 2 00 9F2124E6216B3E74302F173C81DD5AF853FE1BE8

Huh, exactly the same. If my experiments are right, then we can just:

1. Make apt accept EXPKEYSIG VALIDSIG as indicating a valid signature,
   if it doesn't already.
2. Sign and rotate archive signing keys as we do now.
3. Create a dedicated key for the stable release and
   sign the stable release with it. This key can be set to expire too,
   though it could have very different management procedures than the
   normal signing keys, so expiry might not be an issue.
4. If we need to update the stable release past the key expiry, locally
   de-expire it and sign the release with it; apt will accept the result.

-- 
see shy jo
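As an added illustration (not code from apt, d-i, debootstrap or this thread), here is a parser for the `--status-fd` lines shown above that records the KEYEXPIRED timestamp, the per-signature verdict and whether a VALIDSIG followed, so a caller can implement step 1 of the proposal (treat EXPKEYSIG + VALIDSIG as valid) or instead reject and warn as the quoted reply suggests. The `accept_expired_key` flag and the `Sig` record are this example's own names.

```python
"""Parse gpgv --status-fd output and apply an acceptance policy for
EXPKEYSIG signatures. Added example; not apt's or d-i's own code."""
from dataclasses import dataclass
from typing import List, Optional

# Status lines copied from the gpgv run on the 2005/2006 archive keys above.
SAMPLE_STATUS = """\
[GNUPG:] KEYEXPIRED 1138684904
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID ZKhvtcKyBPTP/uIh7HV7YuPjbTQ 2006-01-09 1136840809
[GNUPG:] EXPKEYSIG F1D53D8C4F368D5D Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>
[GNUPG:] VALIDSIG 4C7A8E5E9454FE3FAE1E78ADF1D53D8C4F368D5D 2006-01-09 1136840809 0 3 0 17 2 00 4C7A8E5E9454FE3FAE1E78ADF1D53D8C4F368D5D
[GNUPG:] SIG_ID xXpzy5nnFmZ2vx2kRLfQ31tjC6Q 2006-01-09 1136840809
[GNUPG:] GOODSIG 010908312D230C5F Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>
[GNUPG:] VALIDSIG 084750FC01A6D388A643D869010908312D230C5F 2006-01-09 1136840809 0 3 0 17 2 00 084750FC01A6D388A643D869010908312D230C5F
"""

# Keywords that open a per-signature verdict (one per signature packet).
VERDICTS = {"GOODSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG", "ERRSIG"}

@dataclass
class Sig:
    verdict: str                          # GOODSIG, EXPKEYSIG, BADSIG, ...
    keyid: str                            # long key id from the verdict line
    uid: str = ""
    fingerprint: Optional[str] = None     # set only when a VALIDSIG line follows
    key_expired_at: Optional[int] = None  # epoch from the preceding KEYEXPIRED

def parse_status(text: str) -> List[Sig]:
    sigs: List[Sig] = []
    pending_expiry = None                 # KEYEXPIRED precedes the signature it concerns
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # skip gpgv's human-readable chatter if mixed in
        parts = line.split(" ", 2)        # ["[GNUPG:]", KEYWORD, rest]
        kw = parts[1]
        rest = parts[2] if len(parts) > 2 else ""
        if kw == "KEYEXPIRED":
            pending_expiry = int(rest.split()[0])
        elif kw in VERDICTS:
            keyid, _, uid = rest.partition(" ")
            sigs.append(Sig(kw, keyid, uid, key_expired_at=pending_expiry))
            pending_expiry = None
        elif kw == "VALIDSIG" and sigs:
            sigs[-1].fingerprint = rest.split()[0]
    return sigs

def acceptable(sig: Sig, accept_expired_key: bool = True) -> bool:
    """A signature counts only if gpgv also emitted VALIDSIG for it; an
    EXPKEYSIG is then accepted or refused according to the policy flag."""
    if sig.fingerprint is None:
        return False
    if sig.verdict == "GOODSIG":
        return True
    return sig.verdict == "EXPKEYSIG" and accept_expired_key
```

With `accept_expired_key=False` the 2005-key signature above is refused while the 2006-key signature still passes, which is the behaviour a warning prompt would hang off.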
