Bug#634197: automatically refresh keys from the GPG keyring
Package: apt
Version: 0.8.15.1
Severity: wishlist
I maintain a third party Debian archive at http://debian.koumbit.net/,
as I am sure hundreds of others are doing for their own software (not
yet in Debian or for local packages).
If I want to revoke or update (change expiration) the PGP key of this
archive, I need to tell people:
wget -O - http://debian.koumbit.net/debian/key.asc | apt-key add -
... which introduces yet another window of vulnerability where
arbitrary key material can be injected by an attacker. (I won't go
over the more general problem of how to add this key in the first
place, mind you...)
This works fairly well for key expiration: people notice the error,
and then they have to figure it out and run the above command. It
"fails closed".
If that key would effectively be compromised, things are much worse:
people would never notice the revoked key as they would need to update
their keyring manually at first. It "fails open". Think of the
problems you would have to distribute a revocation certificate for the
auto-signing keys in the main debian archive now.
I'll let that sink in.
Now, those keys are (or can be) published on the keyservers. Why don't
we have a cronjob in APT that will automatically refresh the keys on
that keyring from the keyservers? It would take care of the key
rotation necessary to deal with a compromise of the signing keys, but
at least it would "fail closed".
I have found that the following command works pretty well for my needs:
apt-key adv --keyserver pool.sks-keyservers.net --refresh-keys
Off topic, I also had great joy in telling people they can verify the
autosigning key of debian.koumbit.net on their own Debian machine with
this:
apt-key adv --keyring /usr/share/keyrings/debian-maintainers.gpg --keyring /usr/share/keyrings/debian-archive-keyring.gpg --check-sigs B7C0A70A
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.39-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.utf8, LC_CTYPE=fr_CA.utf8 (charmap=UTF-8) (ignored: LC_ALL set to fr_CA.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages apt depends on:
ii debian-archive-keyring 2010.08.28 GnuPG archive keys of the Debian a
ii gnupg 1.4.11-3 GNU privacy guard - a free PGP rep
ii libc6 2.13-7 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.6.1-1 GCC support library
ii libstdc++6 4.6.1-1 GNU Standard C++ Library v3
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
apt recommends no packages.
Versions of packages apt suggests:
pn apt-doc <none> (no description available)
ii aptitude 0.6.3-4 terminal-based package manager (te
ii bzip2 1.0.5-6 high-quality block-sorting file co
ii dpkg-dev 1.16.0.3 Debian package development tools
ii lzma 4.43-14 Compression method of 7z format in
ii python-apt 0.8.0 Python interface to libapt-pkg
ii synaptic 0.75.2 Graphical package manager
-- no debconf information
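A sketch of the cron job proposed above, added here as an example; it is not code from the bug report or from apt. It assumes a placeholder keyserver and keyring path, and that the listing is in GnuPG's --with-colons format, where field 2 of a "pub" record is the validity flag ("r" revoked, "e" expired) and field 10 of the following "fpr" record is the primary key fingerprint. The point is the "fail closed" part: after refreshing, the job re-lists the keyring and exits non-zero whenever a trusted key turns out to be revoked or expired, so cron mails the admin instead of silently carrying on.

```shell
#!/bin/sh
# Added example (not from the bug report or from apt): a cron-style job that
# refreshes the APT trusted keyring from a keyserver and then refuses to report
# success if any trusted key is revoked or expired, i.e. it "fails closed".
# Assumptions: the keyserver and keyring path below are placeholders; the listing
# is in GnuPG's --with-colons format, where field 2 of a "pub" record is the
# validity flag ("r" = revoked, "e" = expired) and field 10 of the following
# "fpr" record is the primary key fingerprint.
set -u

KEYSERVER="${KEYSERVER:-pool.sks-keyservers.net}"   # placeholder keyserver
KEYRING="${KEYRING:-/etc/apt/trusted.gpg}"         # assumed keyring path

# Read a --with-colons listing on stdin and print "<fingerprint> <state>" for
# every primary key whose validity flag marks it revoked or expired.
find_bad_keys() {
    awk -F: '
        $1 == "pub" {
            state = ($2 == "r") ? "revoked" : (($2 == "e") ? "expired" : "")
            want = (state != "")
            next
        }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10, state; want = 0 }
    '
}

# Return 0 when the listing on stdin has no revoked/expired keys, 1 otherwise
# (the offending fingerprints go to stderr so cron mails them to the admin).
check_listing() {
    bad=$(find_bad_keys)
    if [ -n "$bad" ]; then
        printf 'revoked/expired keys in trusted keyring:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# The actual cron step: refresh, then re-list and check. A failed refresh is
# reported too, rather than being treated as "nothing changed".
refresh_and_check() {
    apt-key adv --keyring "$KEYRING" --keyserver "$KEYSERVER" --refresh-keys \
        || { echo "key refresh from $KEYSERVER failed" >&2; return 2; }
    apt-key adv --keyring "$KEYRING" --list-keys --with-colons | check_listing
}

# Only touch apt-key when invoked explicitly, e.g. from /etc/cron.daily:
#   /usr/local/sbin/apt-key-refresh --run   (hypothetical install path)
if [ "${1:-}" = "--run" ]; then
    refresh_and_check
fi
```

Note that a revoked key still appears in the listing after a refresh; it is the validity flag that changes, which is why the check parses the colon output rather than counting keys. With `apt-key adv` the `--keyring` argument is handed straight to gpg, as in the `--check-sigs` invocation above.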