
Bug#642480: apt-key uses gpg --list-sigs instead of --check-sigs



On Thu, Sep 22, 2011 at 23:56, Chris Frey <cdfrey@foursquare.net> wrote:
> Georgi Guninski reported on Full Disclosure a potential bug in apt-key's
> use of gpg --list-sigs, when comparing keys to the master keyring in
> add_keys_with_verify_against_master_keyring(), revealing a potential
> MITM attack for adding keys.

While the bug itself is valid, it doesn't apply to stock Debian, as
it doesn't have ARCHIVE_KEYRING_URI set, so the result of
running 'apt-key net-update' on a Debian box is:
ERROR: Your distribution is not supported in net-update as no uri for
the archive-keyring is set

The only distribution I know of that enables this feature (as it was developed
by them) is Ubuntu, which has immediately reacted by commenting the
mentioned variable out until a proper fix exists [0].

Note though that derivatives of Ubuntu might use 'their' apt with the
feature enabled (which is, depending on their release model, useless/strange,
as their 'replacement' archive-keyring will probably not be signed by the
Ubuntu master key…), so these might be affected, too.

Or in short:
$ grep '^[^#]*ARCHIVE_KEYRING_URI[ ]*=' /usr/bin/apt-key
ARCHIVE_KEYRING_URI=""

If you have the same output you are safe.
(I leave it as an exercise for the reader to come up with more complicated
 regexes to check for the value - for debian this one is already overkill…)


Best regards

David Kalnischkies

[0] https://bugs.launchpad.net/ubuntu/+source/apt/+bug/856489
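An added example, not part of the message above and not apt's own code: a small POSIX shell check that performs the ARCHIVE_KEYRING_URI test described above against a copy of the apt-key script, considering only uncommented assignments (the last one wins, as in the shell itself) and stripping quotes, so that it reports whether the net-update code path is live. The apt-key fragments it runs on are constructed here so it works without a real apt-key.

```shell
#!/bin/sh
# Added example: does this apt-key script have ARCHIVE_KEYRING_URI set,
# i.e. is 'apt-key net-update' (the code path from the bug report) enabled?
# The file to inspect is passed as an argument; /usr/bin/apt-key in real use.

# Print the effective value of ARCHIVE_KEYRING_URI: skip commented lines,
# take the last assignment in the file, strip surrounding double/single quotes.
archive_keyring_uri() {
    sed -n 's/^[[:space:]]*ARCHIVE_KEYRING_URI[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 \
        | sed 's/^"\(.*\)"$/\1/; s/^'"'"'\(.*\)'"'"'$/\1/'
}

# Exit status 0 when net-update is disabled (empty URI), 1 when it is enabled.
net_update_disabled() {
    [ -z "$(archive_keyring_uri "$1")" ]
}

# Constructed sample apt-key fragments (not real apt-key contents).
SAFE_SAMPLE=$(mktemp)
cat > "$SAFE_SAMPLE" <<'EOF'
#!/bin/sh
# ARCHIVE_KEYRING_URI="http://example.invalid/keyring.gpg"  (commented out)
ARCHIVE_KEYRING_URI=""
EOF

ENABLED_SAMPLE=$(mktemp)
cat > "$ENABLED_SAMPLE" <<'EOF'
#!/bin/sh
ARCHIVE_KEYRING_URI=""
ARCHIVE_KEYRING_URI='http://example.invalid/keyring.gpg'
EOF
trap 'rm -f "$SAFE_SAMPLE" "$ENABLED_SAMPLE"' EXIT

# Report on both samples; the second one shows why the last assignment counts.
for f in "$SAFE_SAMPLE" "$ENABLED_SAMPLE"; do
    if net_update_disabled "$f"; then
        echo "$f: ARCHIVE_KEYRING_URI empty, net-update disabled"
    else
        echo "$f: net-update ENABLED, URI=$(archive_keyring_uri "$f")"
    fi
done
```

To check a real system, call `net_update_disabled /usr/bin/apt-key` instead of the constructed samples.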


