Bug#642480: reopened as cryptographic validation used in apt-key net-update is broken

To: 642480@bugs.debian.org
Cc: formorer@debian.org
Subject: Bug#642480: reopened as cryptographic validation used in apt-key net-update is broken
From: Alexander Neumann <alexander@debian.org>
Date: Fri, 23 Sep 2011 09:16:03 +0200
Message-id: <[🔎] 20110923071603.GC27425@hoffentlich.net>
Reply-to: Alexander Neumann <alexander@debian.org>, 642480@bugs.debian.org

Hi,

I've reopened this bug and set the severity to normal in order to keep track
on the code this bug pointed at.

The cryptographic verification code used in the function called by apt-key
net-update is utterly broken.  The situation is not improved by replacing
"list-sigs" to "check-sigs", because still the key id strings (which are
absurdly short and easy to forge) are used to "verify" that a key has been
signed by another key.  This is broken.

This bug may be closed either when the code in apt-key has been replaced so
that the signatures are checked or the code is removed completely.

Regards,
- Alex

Attachment: pgpuq9tDSlmCp.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Bug#642480: reopened as cryptographic validation used in apt-key net-update is broken
  - From: Julian Andres Klode <jak@debian.org>

Prev by Date: Bug#642480: apt-key uses gpg --list-sigs instead of --check-sigs
Next by Date: Processed: reopen apt-key bug
Previous by thread: Bug#642480: apt-key uses gpg --list-sigs instead of --check-sigs
Next by thread: Bug#642480: reopened as cryptographic validation used in apt-key net-update is broken
Index(es):
- Date
- Thread