Hi, I've reopened this bug and set the severity to normal in order to keep track of the code this bug pointed at. The cryptographic verification code used in the function called by apt-key net-update is utterly broken. The situation is not improved by replacing "list-sigs" with "check-sigs", because the key ID strings (which are absurdly short and easy to forge) are still used to "verify" that a key has been signed by another key. This is broken. This bug may be closed either when the code in apt-key has been replaced so that the signatures are checked, or when the code is removed completely. Regards, - Alex