
Bug#634197: automatically refresh keys from the GPG keyring



Package: apt
Version: 0.8.15.1
Severity: wishlist

I maintain a third party Debian archive at http://debian.koumbit.net/,
as I am sure hundreds of others are doing for their own software (not
yet in Debian or for local packages).

If I want to revoke or update (change expiration) the PGP key of this
archive, I need to tell people:

wget -O - http://debian.koumbit.net/debian/key.asc | apt-key add -

... which introduces yet another window of vulnerability where
arbitrary key material can be injected by an attacker. (I won't go
over the more general problem of how to add this key in the first
place, mind you...)

This works fairly well for key expiration, as people notice the error,
and then they will have to figure it out and run the above command. It
"fails closed".

If that key were actually compromised, things are much worse:
people would never notice the revoked key as they would need to update
their keyring manually at first. It "fails open". Think of the
problems you would have to distribute a revocation certificate for the
auto-signing keys in the main debian archive now.

I'll let that sink in.

Now, those keys are (or can be) published on the keyservers. Why don't
we have a cronjob in APT that will automatically refresh the keys on
that keyring from the keyservers? It would take care of the key
rotation necessary to deal with a compromise of the signing keys, but
at least it would "fail closed".

I have found that the following command works pretty well for my needs:

apt-key adv --keyserver pool.sks-keyservers.net --refresh-keys

Off-topic, I also had great joy in telling people they can verify the
autosigning key of debian.koumbit.net on their own Debian machine with
this:

apt-key adv --keyring /usr/share/keyrings/debian-maintainers.gpg --keyring /usr/share/keyrings/debian-archive-keyring.gpg --check-sigs B7C0A70A
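As an added example (not part of this bug report, and not apt's own code), here is the kind of check a cron job could run right after `apt-key adv --refresh-keys`: it reads gpg's machine-readable `--with-colons` listing of the keyring and reports every key that is revoked, expired, or about to expire, exiting non-zero so the job fails closed instead of silently keeping a bad key. The keyring path, the sample listing, the key IDs and the 30-day warning window are constructed assumptions.

```sh
#!/bin/sh
# Added example: audit an APT keyring for revoked, expired or soon-expiring
# signing keys. Everything below (sample listing, key IDs, keyring path)
# is constructed for illustration and is not from the bug report.

# Constructed sample of `gpg --with-colons --list-keys` output.
# Field 2 is gpg's validity ('-' valid, 'e' expired, 'r' revoked),
# field 5 the key ID, field 7 the expiration time as a Unix epoch.
SAMPLE_LISTING='pub:-:4096:1:0123456789ABCDEF:1300000000:1900000000::-:::scESC:
uid:-::::1300000000::0000::Example Archive (valid) <valid@example.invalid>:
pub:e:2048:1:FEDCBA9876543210:1200000000:1250000000::-:::scESC:
uid:e::::1200000000::0000::Example Archive (expired) <expired@example.invalid>:
pub:r:2048:1:00000000DEADBEEF:1250000000:::-:::scESC:
uid:r::::1250000000::0000::Example Archive (revoked) <revoked@example.invalid>:'

# audit_keys [NOW_EPOCH] [WINDOW_SECONDS]
# Reads a with-colons listing on stdin, prints "<status> <keyid>" for each
# problem key, and returns 1 if any were found (0 if the keyring is clean).
# NOW defaults to the current time; WINDOW defaults to 30 days.
audit_keys() {
    now=${1:-$(date +%s)}
    window=${2:-2592000}
    awk -F: -v now="$now" -v window="$window" '
        $1 != "pub" { next }
        $2 == "r" { print "revoked " $5; bad = 1; next }
        $2 == "e" { print "expired " $5; bad = 1; next }
        $7 != "" && $7 + 0 < now + window { print "expiring " $5; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# list_keyring KEYRING_FILE
# Produces the real listing for a keyring (what the cron job would pipe
# into audit_keys after refreshing keys). Assumed path, not a default.
list_keyring() {
    gpg --no-default-keyring --keyring "$1" --with-colons --list-keys
}

# Demo on the constructed sample: run as `sh audit.sh --demo`.
# A real job would use: list_keyring /etc/apt/trusted.gpg | audit_keys
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | audit_keys
fi
```

Because gpg itself marks validity, the script does not need to understand signatures; the point is that the refresh step pulls in the revocation or new expiration from the keyservers and this check turns it into a visible, non-zero result rather than an unnoticed change.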

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.utf8, LC_CTYPE=fr_CA.utf8 (charmap=UTF-8) (ignored: LC_ALL set to fr_CA.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2010.08.28       GnuPG archive keys of the Debian a
ii  gnupg                   1.4.11-3         GNU privacy guard - a free PGP rep
ii  libc6                   2.13-7           Embedded GNU C Library: Shared lib
ii  libgcc1                 1:4.6.1-1        GCC support library
ii  libstdc++6              4.6.1-1          GNU Standard C++ Library v3
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc                       <none>     (no description available)
ii  aptitude                      0.6.3-4    terminal-based package manager (te
ii  bzip2                         1.0.5-6    high-quality block-sorting file co
ii  dpkg-dev                      1.16.0.3   Debian package development tools
ii  lzma                          4.43-14    Compression method of 7z format in
ii  python-apt                    0.8.0      Python interface to libapt-pkg
ii  synaptic                      0.75.2     Graphical package manager

-- no debconf information



Reply to: