Bug#900236: tlmgr manpage: 32-bit OpenPGP key IDs

To: submit@bugs.debian.org
Subject: Bug#900236: tlmgr manpage: 32-bit OpenPGP key IDs
From: Jakub Wilk <jwilk@jwilk.net>
Date: Sun, 27 May 2018 23:13:34 +0200
Message-id: <[🔎] 20180527211334.lh7ozdyxhnavxeor@jwilk.net>
Reply-to: Jakub Wilk <jwilk@jwilk.net>, 900236@bugs.debian.org

Package: texlive-base
Version: 2018.20180505-1

The tlmgr(1) manual page reads:

The signature is created by the TeX Live Distribution GPG key0x06BAB6BC, which in turn is signed by Karl Berry’s key 0x30D155AD andNorbert Preining’s key 0x6CACA448.

Please don't use 32-bit OpenPGP key IDs. It's computationally trivial togenerate a new key with chosen short ID. Please use 64-bit key IDs, or,even better, full fingerprints.

In fact, if you request the 0x30D155AD key from a keyserver, you willget _two_ keys; one of them is presumable a sham key originating from<https://evil32.com/>.

OTOH, there's no 0x6CACA448 key on keyservers. An attacker could uploadtheir own key with such ID without rising much suspicion.


--
Jakub Wilk

Reply to:

Follow-Ups:
- Bug#900236: tlmgr manpage: 32-bit OpenPGP key IDs
  - From: Norbert Preining <preining@logic.at>

Prev by Date: Bug#900185: tex-common: Vcs URL in debian/control is broken
Next by Date: Bug#900245: gftodvi.1: Some formatting fixes
Previous by thread: Bug#900185: tex-common: Vcs URL in debian/control is broken
Next by thread: Bug#900236: tlmgr manpage: 32-bit OpenPGP key IDs
Index(es):
- Date
- Thread