(Disclaimer: It was me who implemented Signed-By, also most of the current monster apt-key is, trusted.gpg.d, … I might be a *tiny bit* biased than it comes to apt and these topics as a result.) On Thu, Jul 01, 2021 at 02:40:31PM +0000, Jeremy Stanley wrote: > maybe add some further explanation to it indicating the real-world > threats this recommendation mitigates. Security policy should be Lets not throw the baby out with the bathwater, shall we? Signed-By (with a filename) has enormous benefits from an implementation stand-point as if you dare to open the shell script apt-key, you will notice that quite a bit of its 800+ lines deals with massaging files into one keyring gpgv will understand and hopefully support forever (gpg has a limit of 40 keyrings per invocation, which was eventually triggered by people and their prolific use of third party repos and at some point upstream said they would drop that down to one keyring; never put into action though and seems not to happen) – and that isn't magically disappearing just because we deprecated apt-key, that is just reducing the public interface of this nightmare which still serves as our internal wrapper to shield us against eldritch horrors within… Many users add countless repos over time, but hardly ever remove them. They eventually fail or are commented out, but the keys once added usual stay there until the end of times. So e.g. old RSA1024 keys for repos you no longer have enabled participate in verification – sad if said key was compromised in the mean time and is now used to MITM a repo you still have enabled like Debian security. (most 40 limit-hitters had like 3 repos enabled if I remember right) There are also "fun" things you can do if the repository has sufficient similar metadata – at some point you could e.g. reply to a request for the Debian security repo with the metadata for the main Debian repo (or any repo really which happened to use the same layout) and nothing will tell the user that something is wrong. The repository data of the two will change with bullseye so that this wont work anymore (That works "even better" in older releases as the metadata did not need to match at all, but that change got me a lot of backlash as somehow people wanted to have their repo suite change at basically random – also known as release day – still). Other scenarios exist, which are all individually not very strong, but Julians point is that this shouldn't be regarded as THE security feature which it really isn't. I mean, what problem is sudo actually solving compared to a root account and still, there are people who believe that adding sudo makes not only sandwiches great. Pointing that out doesn't mean its entirely pointless security theater either though. So, long story …: If you use "apt-key add" you are doing it wrong. If you use "apt-key adv --recv-key" or similar you are doing it triple wrong. And your deity [because deity@ doesn't] may have mercy with your poor soul if you happen to do "apt-key adv --refresh-keys" in a cronjob (yes, I have seen that in the wild and in case you didn't know, both are MAJOR security holes if you are not on a recentish gpg2 and even then…). … short: Its fine to drop files into trusted.gpg.d, but you earn brownie points with me for not doing it and using signed-by as that is a tiny bit more secure. I did implement it mostly in preparation for other changes, not because I believed everyone has to instantly switch to it. There are ideas to pull the key itself into the .sources file, to match keys to sources based on metadata automatically and/or to use none-gpg-based signatures and what not, but its a bit early (or a bit late, depending on how you look at it from a release standpoint) to really think and discuss it, even if HN and reddit seem to have a blast discussing the doodles on our proverbial toilet wall for days now. Oh and btw, back than I implemented trusted.gpg.d more than a decade ago it was actually the plan to eventually replace apt-key with it. That worked oh so well that it instead exploded in complexity (but at least I managed to remove the gnupg requirement, so that is a plus…). "I shall commit myself to achieve the goal, before this second decade is out, of landing a patch series to shoot apt-key safely to the moon, never to return to the main branch again, […] because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win". Lets see how that will go. Cavendish surprised most experts, too. Best regards David Kalnischkies
Attachment:
signature.asc
Description: PGP signature