
Ideas how to update archive keys



Hi,

A while ago Martin Schulz posted to debian-devel about apt-0.6 needing
some help, one of the points being archive key management. Excuse my
top-post, I couldn't find an obvious thread here to follow up on.


So let's talk about archive keys.

First I want to say that not only apt needs those archive keys. At
least reprepro and debmirror also need them.

Secondly I have two ideas to manage key updates. Read on.


The easiest way to handle the archive key would be to include it
inside the deb. The drawback of this method is that apt must be
updated whenever the key is changed for any reason. Since the key is
used to authenticate updates, this would require apt to be updated
before the archive key is changed (which is obviously a problem).

One way around the problem is to allow for an alternate means to
verify a package: signed debs. My first idea would be to allow apt-get
to install deb packages from an untrusted source (key expired) if the
deb in itself can be trusted. The apt deb and its dependencies would
have to be signed by at least one key that is still valid (e.g. a
still valid DD's key from the stable keyring). That would provide the
means to safely update at least apt, which would update the archive
key and consequently restore the trust system.

Alternatively, instead of apt a keyring.deb package could be used with
the same allowance. Thus only one deb would have to be signed.



Another approach, which I favour, is to have the archive key managed
outside of debs (as well as a deb for the initial install or offline
updates).

The simplest way would be to pull the key from the debian archive (e.g.
Release.key being an ASCII export of it) and verify that it is signed
by a minimum of X already known keys (from the stable keyring). The
problem there is that someone can play man in the middle and replay an
old, compromised key together with a hacked mirror. So this alone
isn't good enough.

The signatures from DDs will ensure the authenticity of the key fine,
so that can be kept. To prevent a replay of an old key, the timestamps
on the signatures can be checked against the existing local key. A new
key is only accepted if it has X valid signatures that are newer than
the existing local key (i.e. it is an update and not a replay).

Downloading the new archive key could be done by "apt-get update",
through "apt-get key-update" or a separate binary.



How verbose or interactive that should be (for both methods) remains
to be discussed. Both methods can also update revocations when they
get the new key, so a stolen key can be revoked at the same time as the
new key gets installed.

As said, I favour the second idea since that does not require updating
packages to update the key, and it is simple to reuse for reprepro and
debmirror key handling (which might not run on a debian system).

Well, those are my ideas. Show me the flaws.

MfG
        Goswin
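The key-update policy of the second proposal, written out as an added example (this is not code from the post, nor from apt, reprepro or debmirror). Ed25519 stands in for OpenPGP, the DD names, key IDs and dates are constructed, and the "existing local key" is dated by the newest verified DD signature on it (an assumption; the post only says the new signatures must be newer than the local key). The example goes slightly beyond the post: it counts distinct signers rather than raw signatures, and exercises three rejections a hacked mirror could try, a replayed old key, a key certified only by someone outside the keyring, and a key whose material was swapped under genuine signatures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// Signature is one DD's certification of an archive key made at a given time.
type Signature struct {
	SignerID string
	Time     time.Time
	Sig      []byte
}

// ArchiveKey is an archive signing key plus the certifications collected on it
// (a toy stand-in for an OpenPGP key and its third-party signatures).
type ArchiveKey struct {
	ID   string
	Pub  ed25519.PublicKey
	Sigs []Signature
}

// certifiedBytes is what a DD signs: key ID, key material and signing time, so
// the timestamp is covered by the signature and cannot be edited afterwards.
func certifiedBytes(k *ArchiveKey, t time.Time) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(t.Unix()))
	msg := append([]byte(k.ID), k.Pub...)
	return append(msg, ts[:]...)
}

// Certify appends signerID's signature over key k made at time t.
func Certify(k *ArchiveKey, signerID string, priv ed25519.PrivateKey, t time.Time) {
	k.Sigs = append(k.Sigs, Signature{signerID, t, ed25519.Sign(priv, certifiedBytes(k, t))})
}

// validSigners returns the distinct keyring members whose signatures on k verify
// and were made strictly after 'after'. Several signatures by one DD count once.
func validSigners(k *ArchiveKey, keyring map[string]ed25519.PublicKey, after time.Time) map[string]time.Time {
	seen := map[string]time.Time{}
	for _, s := range k.Sigs {
		pub, trusted := keyring[s.SignerID]
		if !trusted || !s.Time.After(after) {
			continue
		}
		if ed25519.Verify(pub, certifiedBytes(k, s.Time), s.Sig) {
			if prev, ok := seen[s.SignerID]; !ok || s.Time.After(prev) {
				seen[s.SignerID] = s.Time
			}
		}
	}
	return seen
}

// LocalKeyTime is the reference time a candidate must beat: the newest verified
// keyring signature on the installed key (assumption; zero time if there is none).
func LocalKeyTime(local *ArchiveKey, keyring map[string]ed25519.PublicKey) time.Time {
	var newest time.Time
	for _, t := range validSigners(local, keyring, time.Time{}) {
		if t.After(newest) {
			newest = t
		}
	}
	return newest
}

// AcceptUpdate applies the policy: the downloaded key replaces the local one only
// if at least minSigs distinct keyring members certified it after the local key's
// reference time. The error says why a candidate was rejected.
func AcceptUpdate(candidate, local *ArchiveKey, keyring map[string]ed25519.PublicKey, minSigs int) error {
	ref := LocalKeyTime(local, keyring)
	n := len(validSigners(candidate, keyring, ref))
	if n < minSigs {
		return fmt.Errorf("key %s: %d valid signature(s) newer than %s, need %d",
			candidate.ID, n, ref.Format("2006-01-02"), minSigs)
	}
	return nil
}

// Scenario holds constructed test keys: the installed key, a genuine successor,
// and three things a hacked mirror might serve instead.
type Scenario struct {
	Keyring                                   map[string]ed25519.PublicKey
	Local, Update, Replay, Untrusted, Tampered *ArchiveKey
}

func newKey(id string) *ArchiveKey {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	return &ArchiveKey{ID: id, Pub: pub}
}

func BuildScenario() *Scenario {
	day := func(s string) time.Time { t, _ := time.Parse("2006-01-02", s); return t }
	keyring, dd := map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}
	for _, name := range []string{"dd-alice", "dd-bob", "dd-carol"} { // constructed "stable keyring"
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		keyring[name], dd[name] = pub, priv
	}
	_, outsider, _ := ed25519.GenerateKey(rand.Reader) // a key that is not in the keyring

	replay := newKey("archive-2003") // compromised and replaced; a mirror may replay it
	Certify(replay, "dd-alice", dd["dd-alice"], day("2003-01-10"))
	Certify(replay, "dd-bob", dd["dd-bob"], day("2003-01-11"))
	local := newKey("archive-2004") // what the client currently has installed
	Certify(local, "dd-alice", dd["dd-alice"], day("2004-02-01"))
	Certify(local, "dd-bob", dd["dd-bob"], day("2004-02-03"))
	update := newKey("archive-2005") // the legitimate successor
	Certify(update, "dd-bob", dd["dd-bob"], day("2005-01-05"))
	Certify(update, "dd-carol", dd["dd-carol"], day("2005-01-06"))
	untrusted := newKey("archive-evil") // certified only by the outsider
	Certify(untrusted, "outsider", outsider, day("2005-03-01"))
	// Genuine 2005 signatures glued onto different key material (MITM edit of Release.key).
	tampered := &ArchiveKey{ID: update.ID, Pub: newKey("swap").Pub, Sigs: update.Sigs}
	return &Scenario{keyring, local, update, replay, untrusted, tampered}
}

func main() {
	s := BuildScenario()
	for _, c := range []*ArchiveKey{s.Update, s.Replay, s.Untrusted, s.Tampered} {
		if err := AcceptUpdate(c, s.Local, s.Keyring, 2); err != nil {
			fmt.Println("REJECT", err)
		} else {
			fmt.Println("ACCEPT", c.ID)
		}
	}
}
```

Only archive-2005 is accepted with X=2; the replayed 2003 key fails because its signatures predate the local key, the outsider-certified key and the tampered key contribute no valid signatures at all, and raising X to 3 rejects even the genuine successor, which is the knob the post leaves open for discussion.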
