
Re: trusting repository keys (was: deb-multimedia repository)
Ralf Mardorf:
> On Wed, 2013-08-21 at 16:53 +0200, Jochen Spieker wrote:
>
>> Ralf Mardorf:
>> No. Just because a keyserver happens to serve some key that does not
>> mean the key is valid.
> 
> But if I upload a key it neither would have the same fingerprint, nor
> fit to the packages.

But how do you know the correct fingerprint? The one that is used to
sign the repository might be compromised, just like the rest of the
repository.

The scenario is as follows: just like the OP, you want to use
packages from deb-multimedia.org (or any other repository, including
official Debian repositories). You don't know very much about the entity
providing these packages, except for their name ("Christian Marillat",
"Debian").

You want to make sure that your apt talks to the correct repository and
not one of an attacker that is able to poison your DNS or acts as a
man-in-the-middle for your web traffic.

Secure apt can do this for you *if you import (only) the correct keys*
into apt's keyring. But in the beginning you don't even know which key
is the correct one! To be cryptographically secure, you need an
out-of-band method to find out whether the key used to sign the
repository you are seeing does in fact belong to the person/entity that
you trust. To do this, you can either try to meet with the signee in
person or use the Web of Trust.

> So I must upload a key and then hack the package to
> do something evil.

Yes, and Secure Apt is supposed to protect you from this kind of attack.

> Sure, if the multimedia guys do something evil, then
> no key will add security. The key only should ensure that the package is
> a package from multimedia.

Yes. But with the twist I already mentioned: apt does not tell you which
key was used to verify a specific package and you cannot limit the
authority of a key to a specific set of packages or repositories.

J.
-- 
If I won the lottery I would keep all the money and wallpaper my house
with it.
[Agree]   [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>
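The out-of-band fingerprint check discussed in this mail, as an added shell example that is not part of the thread: the key is only handed to apt after its primary fingerprint matches a value obtained from the maintainer by some channel other than the repository itself, and it is then bound to that single repository with `Signed-By`. That last step goes beyond the 2013 mail, which rightly says a key's authority could not be limited to one repository at the time; apt gained the `Signed-By` option later (apt 1.1). All file names, URIs and fingerprints below are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: verify a repository signing key against a
# fingerprint obtained out-of-band BEFORE apt trusts it, then bind the key to that one
# repository with Signed-By (apt >= 1.1; the 2013 mail predates this option).
set -eu

# Strip whitespace and upper-case hex so "abcd 1234" compares equal to "ABCD1234".
norm_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print only primary-key fingerprints:
# the first "fpr" record after a "pub" record (field 10 holds the fingerprint);
# "fpr" records that follow a "sub" record belong to subkeys and are skipped.
primary_fprs() {
  awk -F: '$1=="pub"{want=1;next} $1=="sub"{want=0} $1=="fpr" && want{print $10; want=0}'
}

# $1 = gpg colon output, $2 = expected fingerprint. Succeeds only if the output
# describes exactly one key and its primary fingerprint equals the expected one.
match_fpr() {
  expected=$(norm_fpr "$2")
  set -- $(printf '%s\n' "$1" | primary_fprs)   # one positional parameter per primary key
  [ "$#" -eq 1 ] || return 1                    # no key, or a bundle of several keys: refuse
  [ "$(norm_fpr "$1")" = "$expected" ]
}

# $1 = key file (binary or armored), $2 = fingerprint from a trusted out-of-band source
check_key() {
  match_fpr "$(gpg --batch --quiet --with-colons --show-keys "$1" 2>/dev/null)" "$2"
}

# Install a verified key and create a deb822 source that only this key may sign.
# $1 key file, $2 expected fingerprint, $3 short name, $4 URI, $5 suite, $6 components
install_repo() {
  check_key "$1" "$2" || { echo "fingerprint mismatch for $1, refusing to install" >&2; return 1; }
  install -D -o root -g root -m 0644 "$1" "/etc/apt/keyrings/$3.gpg"
  cat > "/etc/apt/sources.list.d/$3.sources" <<EOF
Types: deb
URIs: $4
Suites: $5
Components: $6
Signed-By: /etc/apt/keyrings/$3.gpg
EOF
}

# Usage (placeholder values; the real fingerprint must come from the maintainer, not the repo):
#   install_repo ./repo-key.gpg 'XXXX XXXX ...' example-repo https://repo.example.invalid/debian stable main
```

With the key under its own `Signed-By`, a compromise of that key can only affect packages from that one source, which is the limitation the mail points out apt could not offer at the time.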
