
Re: backports



[ I will remove all email addresses from the output of the gpg commands
  which I use/quote below. ] 

On Wed, Jun 27, 2007 at 17:27:15 +0100, Chris Lale wrote:

[...]

> How do you check the output of "gpg --check-sigs"? I Googled a bit and it seems
> that an exclamation mark ("!") indicates a successful check. Is that true?

Yes, but you also have to check which key ID is listed for the
signature.

> eg
> $ gpg --check-sigs --keyring /usr/share/keyrings/debian-backports-keyring.gpg

This command only shows you that the backports archive key (16BA136C)
has the usual self signature (note the same key ID):

> /usr/share/keyrings/debian-backports-keyring.gpg
> ------------------------------------------------
> pub   1024D/16BA136C 2005-08-21
> uid                  Backports.org Archive Key
> sig!3        16BA136C 2005-08-21  Backports.org Archive Key
> sig!3        16BA136C 2005-08-21  Backports.org Archive Key
> sub   2048g/5B82CECE 2005-08-21
> sig!         16BA136C 2005-08-21  Backports.org Archive Key

You have to tell gpg which key's signatures it should check. If you
really want to know what is going on then you should first look at the
list of signatures for the backports key:

$ gpg --keyring /usr/share/keyrings/debian-backports-keyring.gpg --list-sig 16BA136C
pub   1024D/16BA136C 2005-08-21
uid                  Backports.org Archive Key
sig          7E7B8AC9 2005-11-20  [User ID not found]
sig          657BF03D 2006-05-27  [User ID not found]
sig 3        16BA136C 2005-08-21  Backports.org Archive Key
sig 3        16BA136C 2005-08-21  Backports.org Archive Key
sub   2048g/5B82CECE 2005-08-21
sig          16BA136C 2005-08-21  Backports.org Archive Key

You see that the key has been signed with two other keys, 7E7B8AC9 and
657BF03D. These keys are not included in debian-backports-keyring.gpg
and they are also not on my user's default keyring, therefore gpg cannot
provide any information besides the key IDs. If you replace "--list-sig"
with "--check-sig" in the above command you will get "2 signatures not
checked due to missing keys". However, if you tell gpg to include the
keyring from the debian-keyring package, you can verify that one of the
signatures was made by a Debian developer:

$ gpg --keyring /usr/share/keyrings/debian-keyring.gpg --keyring /usr/share/keyrings/debian-backports-keyring.gpg --check-sig 16BA136C
pub   1024D/16BA136C 2005-08-21
uid                  Backports.org Archive Key
sig!         7E7B8AC9 2005-11-20  Joerg Jaspert
sig!3        16BA136C 2005-08-21  Backports.org Archive Key
sig!3        16BA136C 2005-08-21  Backports.org Archive Key
sub   2048g/5B82CECE 2005-08-21
sig!         16BA136C 2005-08-21  Backports.org Archive Key

1 signature not checked due to a missing key

The second signature (657BF03D) is meaningless to you, unless you can
establish trust in this person by some other means. You can of course
find this second key on a keyserver, but anyone can upload keys to the
keyservers.

Note that the "--list-sig" command also makes sure that there is no
bogus 7E7B8AC9 key on my user's default keyring since the key is not
known until I point gpg to the Debian keyring.

> I wanted to find a generic method of importing and checking keys for a number of
> unofficial deb sites. It is difficult to find the key ids on some of the
> websites.

Apt(itude) lists the key IDs when it complains about missing keys.

>           One thing they all had in common was having a keyring package. I tried
> backports.org, debian-multimedia.org and debian-unofficial.org. So, here is my
> generic method:
> 
> 1. Add the appropriate line to /etc/apt/sources.list.
> 
> 2. Update with apt-get or aptitude.
> 
> 3. Install the appropriate keyring package (eg debian-multimedia-keyring). The
> keyrings all end up in /etc/share/keyrings/${package-name}.gpg

You are again running an unverified installation script as root. How do
you know that your other keyrings, the gpg binary itself and the rest of
your system are still trustworthy after that?

> 4. Check the signatures IMMEDIATELY eg
> $ gpg --check-sigs --keyring /usr/share/keyrings/debian-multimedia-keyring.gpg
> 
> 5. If the check fails,
> 
> a. purge the keyring package and check that the keyring subdirectory has been
> removed from /etc/share/keyrings/.
> 
> b. You can still install packages from the suspect repository, but there will be
> a warning. To be safe, remove the repository line from /etc/apt/sources.list.

Here is a procedure for paranoid people, starting after your step 2; all
these commands should be run as an unprivileged user. (The key is
extracted manually and added to the unprivileged user's keyring; then it
can be checked without risk.)

aptitude download debian-backports-keyring
mkdir tempdir
dpkg-deb -X debian-backports-keyring_2007.06.10_all.deb tempdir/
mv tempdir/usr/share/keyrings/debian-backports-keyring.gpg .
rm -rf tempdir/
gpg --import debian-backports-keyring.gpg
gpg --list-sig 16BA136C
gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sig 16BA136C

If the key has a valid signature of a Debian developer then you can
export it and add it to apt's key ring. (See my earlier mail.) After
that you can install the desired backports packages, including the
backports keyring package for convenience in case of future key updates.

BTW, the debian-multimedia archive is a special case since Christian
Marillat does not use a dedicated archive key; he signs the release
files with his normal public key. This key is already included in the
debian-keyring package, so you can simply (and safely) export the key
from this keyring and feed it to apt:

gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg -a --export 1F41B907 | sudo apt-key add -

-- 
Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |
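An added helper, not part of Florian's mail, that applies the check he describes to the output of "gpg --check-sig": only "sig!" lines count as verified, and the key ID in the second column must additionally be the signer you already trust. The sample output is constructed, modelled on the listing in the mail, with a made-up "sig-" (bad signature) line from the placeholder key ID DEADBEEF.

```shell
# Constructed sample of "gpg --check-sig 16BA136C" output, modelled on the
# listing in the mail; the DEADBEEF "sig-" line is made up to show a bad
# signature. Not captured from a real run.
SAMPLE_OUTPUT='pub   1024D/16BA136C 2005-08-21
uid                  Backports.org Archive Key
sig!         7E7B8AC9 2005-11-20  Joerg Jaspert
sig!3        16BA136C 2005-08-21  Backports.org Archive Key
sig-         DEADBEEF 2005-11-20  [constructed: bad signature]
sub   2048g/5B82CECE 2005-08-21
sig!         16BA136C 2005-08-21  Backports.org Archive Key

1 signature not checked due to a missing key'

# verified_by SIGNER_KEYID  (reads gpg --check-sig output on stdin)
# Exit 0 only if a "sig!" line (good signature) made by SIGNER_KEYID is
# present. A "!" on its own is not enough: the key ID in column 2 must be
# the signer you already trust, e.g. a Debian developer's key.
verified_by() {
    awk -v signer="$1" '
        $1 ~ /^sig!/ && $2 == signer { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# bad_sigs  (stdin as above): print the key IDs of "sig-" (bad) and
# "sig%" (error) lines, one per line; prints nothing if all is well.
bad_sigs() {
    awk '$1 ~ /^sig[-%]/ { print $2 }'
}

# unchecked_count  (stdin as above): number of signatures gpg could not
# check because the signer's key is on none of the supplied keyrings.
unchecked_count() {
    awk '/not checked due to (a )?missing key/ { n = $1 } END { print n + 0 }'
}

# Demonstration on the constructed sample. For a live check, replace the
# printf with:  gpg --keyring /usr/share/keyrings/debian-keyring.gpg \
#   --keyring /usr/share/keyrings/debian-backports-keyring.gpg --check-sig 16BA136C
if printf '%s\n' "$SAMPLE_OUTPUT" | verified_by 7E7B8AC9; then
    echo "16BA136C carries a good signature from 7E7B8AC9"
fi
echo "bad/erroneous signatures from: $(printf '%s\n' "$SAMPLE_OUTPUT" | bad_sigs)"
echo "unchecked signatures: $(printf '%s\n' "$SAMPLE_OUTPUT" | unchecked_count)"
```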