Re: repository signing keys update HOW?
On Thursday, 29 March 2012, Per Carlson wrote:
> Hi Paul
>
> > And thanks for mentioning (debian-keyring at a minimum) The
> > descriptive phrase confirmed my guess that this was the one I needed
> > the contents of. I need an alternative method of getting the contents
> > since aptitude is in need of new keys to start working again.
>
> The latest debian-archive-keyring can be found here:
> http://ftp.us.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2010.08.28_all.deb
>
> Pick it up with wget, check that the MD5/SHA1/SHA256 sum is
> correct[0], and finally install it with dpkg --install. After that
> aptitude should be happy again
>
> [0]: From the stable Packages.gz file
> (http://ftp.us.debian.org/debian/dists/stable/main/binary-amd64/Packages.gz):
Hmmm, that seems better to me than just trusting the server, but otherwise,
if the server was compromised the Packages.gz file could have been replaced
as well.

One could download the package from two or three servers and then compare
them. But that could fail if the master replica was compromised.
But then also a key server used with gpg --recv-keys could have been
compromised.

Well, one could also check fingerprints against:
http://ftp-master.debian.org/keys.html
while also checking the announcement mails linked from there.
I think it would be highly, highly unlikely if all that was compromised.

Well, here is my variant which you could also compare to - although there
is no guarantee that my variant is the uncompromised one, it would raise
confidence in authenticity if all those sources I mentioned match each
other ;).
merkaba:~> LANG=C apt-key finger
/etc/apt/trusted.gpg
--------------------
pub 1024D/F42584E6 2008-04-06 [expires: 2012-05-15]
Key fingerprint = 7F5A 4445 4C72 4A65 CBCD 4FB1 4D27 0D06 F425 84E6
uid Lenny Stable Release Key <debian-release@lists.debian.org>
pub 4096R/55BE302B 2009-01-27 [expires: 2012-12-31]
Key fingerprint = 150C 8614 919D 8446 E01E 83AF 9AA3 8DCD 55BE 302B
uid Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>
pub 2048R/6D849617 2009-01-24 [expires: 2013-01-23]
Key fingerprint = F6CF DE30 6133 3CE2 A43F DAF0 DFD9 9330 6D84 9617
uid Debian-Volatile Archive Automatic Signing Key (5.0/lenny)
pub 4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
Key fingerprint = 0E4E DE2C 7F3E 1FC0 D033 800E 6448 1591 B983 21F9
uid Squeeze Stable Release Key <debian-release@lists.debian.org>
pub 4096R/473041FA 2010-08-27 [expires: 2018-03-05]
Key fingerprint = 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA
uid Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
pub 4096R/E79C8BAB 2010-03-05
Key fingerprint = D260 1480 31EB 4FD5 643E B695 93DD 2AE2 E79C 8BAB
uid Debian pkg-kde repository signing key (http://pkg-kde.alioth.debian.org/) <debian-qt-kde@lists.debian.org>
pub 1024D/1F41B907 1999-10-03
Key fingerprint = 1D7F C53F 80F8 52C1 88F4 ED0B 07DC 563D 1F41 B907
uid Christian Marillat <marillat@debian.org>
uid Christian Marillat <marillat@free.fr>
sub 1536g/C28DCC42 1999-10-03
sub 1024D/5D3877A7 2002-08-26
[…]
Ciao,
--
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA B82F 991B EAAC A599 84C7
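The two checks discussed in this thread (Per's "compare the .deb against the checksum in Packages.gz" step and Martin's "compare apt-key fingerprints against a list you trust" step) as a small POSIX shell script added here; it is not code from either poster. It assumes GNU sha256sum and an already-uncompressed Packages file; all sample data it writes is constructed (the .deb stand-in is the string "hello", so its SHA256 is not the checksum of any real package), and the two sample fingerprints are the squeeze ones from Martin's listing.

```shell
#!/bin/sh
# Added example (not code from the thread): check a downloaded keyring .deb
# against the SHA256 published in a Packages index, then look up fingerprints
# from "apt-key finger" output against values confirmed out of band (e.g. the
# ftp-master keys page). Sample data is constructed: the SHA256 below is the
# hash of the string "hello\n", not the checksum of any real Debian package.
set -u
# Write constructed sample files into directory $1 (stand-ins for the real
# downloaded .deb, the Packages index, and apt-key finger output).
make_samples() {
    printf 'hello\n' > "$1/debian-archive-keyring_2010.08.28_all.deb"
    cat > "$1/Packages" <<'EOF'
Package: other-pkg
SHA256: 0000000000000000000000000000000000000000000000000000000000000000

Package: debian-archive-keyring
Filename: pool/main/d/debian-archive-keyring/debian-archive-keyring_2010.08.28_all.deb
SHA256: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
EOF
    cat > "$1/finger.txt" <<'EOF'
pub   4096R/473041FA 2010-08-27 [expires: 2018-03-05]
      Key fingerprint = 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA
uid                  Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>
pub   4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
      Key fingerprint = 0E4E DE2C 7F3E 1FC0 D033 800E 6448 1591 B983 21F9
uid                  Squeeze Stable Release Key <debian-release@lists.debian.org>
EOF
}

# Print the SHA256 recorded for package $2 in the (uncompressed) Packages file $1.
pkg_sha256() {
    awk -v pkg="$2" '/^Package: /{cur=$2} /^SHA256: /{if (cur==pkg) {print $2; exit}}' "$1"
}

# Succeed only if file $1 hashes to the expected SHA256 $2 (lowercase hex).
verify_deb() {
    [ "$(sha256sum "$1" | awk '{print $1}')" = "$2" ]
}

# Print every fingerprint in apt-key finger output $1, spaces removed, one per line.
list_fingerprints() {
    sed -n 's/^ *Key fingerprint = //p' "$1" | tr -d ' '
}

# Succeed only if fingerprint $2 (40 hex digits, spaces optional) is in output $1.
has_fingerprint() {
    list_fingerprints "$1" | grep -qx "$(printf '%s' "$2" | tr -d ' ')"
}
```

A mismatch from verify_deb means the file is not the one the index describes; a fingerprint that has_fingerprint does not find is a key apt trusts that none of your out-of-band sources vouch for.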