
Re: repository signing keys update HOW?



On Thursday, 29 March 2012, Per Carlson wrote:
> Hi Paul
> 
> > And thanks for mentioning (debian-keyring at a minimum) The
> > descriptive phrase confirmed my guess that this was the one I needed
> > the contents of. I need an alternative method of getting the contents
> > since aptitude is in need of new keys to start working again.
> 
> The latest debian-archive-keyring can be found here:
> http://ftp.us.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2010.08.28_all.deb
> 
> Pick it up with wget, check that the MD5/SHA1/SHA256 sum is
> correct[0], and finally install it with dpkg --install. After that
> aptitude should be happy again
> 
> [0]: From the stable Packages.gz file
> (http://ftp.us.debian.org/debian/dists/stable/main/binary-amd64/Packages.gz):

Hmmm, that seems better to me than just trusting the server, but otherwise, 
if the server was compromised the Packages.gz file could have been replaced 
as well.

One could download the package from two or three servers and then compare 
them. But that could fail if the master replica was compromised.

But then also a key server used with gpg --recv-keys could have been 
compromised.

Well one could also check fingerprints against:

http://ftp-master.debian.org/keys.html

While also checking the announcement mails linked from there.

I think it would be highly, highly unlikely if all that was compromised.

Well, here is my variant which you could also compare to - although there 
is no guarantee that my variant is the uncompromised one, it would raise 
confidence in authenticity if all those sources I mentioned match each 
other ;).

merkaba:~> LANG=C apt-key finger
/etc/apt/trusted.gpg
--------------------
pub   1024D/F42584E6 2008-04-06 [expires: 2012-05-15]
      Key fingerprint = 7F5A 4445 4C72 4A65 CBCD  4FB1 4D27 0D06 F425 84E6
uid                  Lenny Stable Release Key <debian-release@lists.debian.org>

pub   4096R/55BE302B 2009-01-27 [expires: 2012-12-31]
      Key fingerprint = 150C 8614 919D 8446 E01E  83AF 9AA3 8DCD 55BE 302B
uid                  Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>

pub   2048R/6D849617 2009-01-24 [expires: 2013-01-23]
      Key fingerprint = F6CF DE30 6133 3CE2 A43F  DAF0 DFD9 9330 6D84 9617
uid                  Debian-Volatile Archive Automatic Signing Key (5.0/lenny)

pub   4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
      Key fingerprint = 0E4E DE2C 7F3E 1FC0 D033  800E 6448 1591 B983 21F9
uid                  Squeeze Stable Release Key <debian-release@lists.debian.org>

pub   4096R/473041FA 2010-08-27 [expires: 2018-03-05]
      Key fingerprint = 9FED 2BCB DCD2 9CDF 7626  78CB AED4 B06F 4730 41FA
uid                  Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>

pub   4096R/E79C8BAB 2010-03-05
      Key fingerprint = D260 1480 31EB 4FD5 643E  B695 93DD 2AE2 E79C 8BAB
uid                  Debian pkg-kde repository signing key (http://pkg-kde.alioth.debian.org/) <debian-qt-kde@lists.debian.org>

pub   1024D/1F41B907 1999-10-03
      Key fingerprint = 1D7F C53F 80F8 52C1 88F4  ED0B 07DC 563D 1F41 B907
uid                  Christian Marillat <marillat@debian.org>
uid                  Christian Marillat <marillat@free.fr>
sub   1536g/C28DCC42 1999-10-03
sub   1024D/5D3877A7 2002-08-26
[…]

Ciao,
-- 
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA  B82F 991B EAAC A599 84C7
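The two checks discussed in this thread, the checksum of the downloaded keyring package against the Packages file and the fingerprints shown by apt-key finger against a reference list obtained out of band, as an added shell example that is not part of the mail thread. It assumes GNU coreutils (sha256sum) and a POSIX sh; the Packages stanza, the apt-key finger output and the reference list are constructed for the demonstration (the two squeeze fingerprints are the ones quoted in the mail, the third key is an obvious placeholder that the check is meant to flag).

```shell
#!/bin/sh
# Added example, not from the original mail thread. It automates two checks:
#  1. the SHA256 of a downloaded debian-archive-keyring .deb against the value
#     in the Packages file (ideally fetched from a different mirror), and
#  2. the fingerprints reported by "apt-key finger" against a reference list
#     copied out of band (e.g. from http://ftp-master.debian.org/keys.html).
# All sample data below is constructed for the demonstration.

# Constructed Packages stanza. The SHA256 value is the digest of the text
# "hello\n", which stands in for the .deb in the demonstration below.
SAMPLE_PACKAGES='Package: debian-archive-keyring
Version: 2010.08.28
Architecture: all
Filename: pool/main/d/debian-archive-keyring/debian-archive-keyring_2010.08.28_all.deb
SHA256: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

Package: some-other-package
Version: 1.0
SHA256: 0000000000000000000000000000000000000000000000000000000000000000
'

# Constructed stand-in for "apt-key finger" output: the two squeeze keys from
# the listing in the mail plus one PLACEHOLDER key that is not on the
# reference list, so the check is expected to flag it.
SAMPLE_APT_KEY_OUTPUT='pub   4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
      Key fingerprint = 0E4E DE2C 7F3E 1FC0 D033  800E 6448 1591 B983 21F9
uid                  Squeeze Stable Release Key <debian-release@lists.debian.org>

pub   4096R/473041FA 2010-08-27 [expires: 2018-03-05]
      Key fingerprint = 9FED 2BCB DCD2 9CDF 7626  78CB AED4 B06F 4730 41FA
uid                  Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>

pub   4096R/00000000 2012-01-01
      Key fingerprint = 0000 1111 2222 3333 4444  5555 6666 7777 8888 9999
uid                  PLACEHOLDER unknown key <nobody@example.invalid>
'

# Reference fingerprints, one per line. In real use, copy these from
# keys.html and the signed announcement mails, never from the system being
# checked. These two are the squeeze fingerprints quoted in the mail.
REFERENCE_FINGERPRINTS='0E4E DE2C 7F3E 1FC0 D033  800E 6448 1591 B983 21F9
9FED 2BCB DCD2 9CDF 7626  78CB AED4 B06F 4730 41FA
'

# Print the SHA256 field of the stanza whose Package field equals $2.
sha256_from_packages() {
    printf '%s\n' "$1" | awk -v pkg="$2" '
        /^Package: / { cur = $2 }
        /^SHA256: / && cur == pkg { print $2; exit }'
}

# Succeed only if the SHA256 of file $1 equals the hex digest $2.
verify_sha256() {
    _actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$_actual" = "$2" ]
}

# Print every fingerprint found in apt-key finger output, spaces removed.
extract_fingerprints() {
    printf '%s\n' "$1" | sed -n 's/^ *Key fingerprint = //p' | tr -d ' '
}

# Succeed only if every fingerprint in apt-key output $1 appears in the
# reference list $2; print each unknown fingerprint on stdout.
check_fingerprints() {
    _ref=$(printf '%s\n' "$2" | tr -d ' ')
    _unknown=0
    for _fp in $(extract_fingerprints "$1"); do
        if ! printf '%s\n' "$_ref" | grep -qx "$_fp"; then
            echo "UNKNOWN fingerprint (not on reference list): $_fp"
            _unknown=1
        fi
    done
    return "$_unknown"
}

# Demonstration on the constructed data.
demo_deb=$(mktemp)
printf 'hello\n' > "$demo_deb"
if verify_sha256 "$demo_deb" "$(sha256_from_packages "$SAMPLE_PACKAGES" debian-archive-keyring)"; then
    echo "checksum matches the Packages entry"
else
    echo "checksum MISMATCH: do not install"
fi
rm -f "$demo_deb"

if check_fingerprints "$SAMPLE_APT_KEY_OUTPUT" "$REFERENCE_FINGERPRINTS"; then
    echo "all apt keys are on the reference list"
else
    echo "at least one apt key is not on the reference list"
fi
```

For real use, replace SAMPLE_PACKAGES with the decompressed Packages file from a second mirror, the demo file with the downloaded .deb, SAMPLE_APT_KEY_OUTPUT with `LANG=C apt-key finger`, and REFERENCE_FINGERPRINTS with the fingerprints copied from keys.html and the announcement mails. The comparison strips spaces, so fingerprints can be pasted in either the spaced or the compact form; a key present on the system but absent from the reference list is reported rather than silently accepted.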