[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#642480: reopened as cryptographic validation used in apt-key net-update is broken


I've reopened this bug and set the severity to normal in order to keep track
on the code this bug pointed at.

The cryptographic verification code used in the function called by apt-key
net-update is utterly broken.  The situation is not improved by replacing
"list-sigs" to "check-sigs", because still the key id strings (which are
absurdly short and easy to forge) are used to "verify" that a key has been
signed by another key.  This is broken.

This bug may be closed either when the code in apt-key has been replaced so
that the signatures are checked or the code is removed completely.

- Alex

Attachment: pgpBnGtp_xzNf.pgp
Description: PGP signature

Reply to: