Bug#634197: automatically refresh keys from the GPG keyring

To: Antoine Beaupré <anarcat@koumbit.org>
Cc: 634197@bugs.debian.org
Subject: Bug#634197: automatically refresh keys from the GPG keyring
From: David Kalnischkies <david@kalnischkies.de>
Date: Tue, 11 Aug 2015 19:14:52 +0200
Message-id: <[🔎] 20150811171452.GC30624@crossbow>
Reply-to: David Kalnischkies <david@kalnischkies.de>, 634197@bugs.debian.org
In-reply-to: <87a8txublj.fsf@marcos.anarc.at>
References: <20110717160637.17670.48637.reportbug@marcos.anarcat.ath.cx> <20150811083331.GA6804@crossbow> <87a8txublj.fsf@marcos.anarc.at>

On Tue, Aug 11, 2015 at 10:46:32AM -0400, Antoine Beaupré wrote:
> On 2015-08-11 04:33:31, David Kalnischkies wrote:
> > Hi,
> >
> > On Sun, Jul 17, 2011 at 12:06:37PM -0400, Antoine Beaupré wrote:
> >> Now, those keys are (or can be) published on the keyservers. Why don't
> >> we have a cronjob in APT that will automatically refresh the keys on
> >> that keyring from the keyservers? It would take care of the key
> >> rotation necessary to deal with a compromise of the signing keys, but
> >> at least it would "fail closed".
> >> 
> >> I have found that the following command works pretty well for my needs:
> >> 
> >> apt-key adv --keyserver pool.sks-keyservers.net --refresh-keys
> >
> > The reason is that this isn't a secure way of getting updates for keys
> > if you don't happen to have a web-of-trust to ensure they are the keys
> > you wanted and apt hasn't.
> >
> > I had this in the back of my mind for quite a while and wanted to close
> > this earlier, but never had a conviencing source to back me up…
> > Until now as I asked gnupg{,2} maintainers and they confirmed it:
> >
> > | I hereby declare that a blind --refresh-keys from a keyserver to an
> > | apt-trusted keyring leaves the system vulnerable to arbitrary key
> > | injection in that keyring.  The attacker can be the keyserver operator,
> > | or they can be on the network path between the machine and the
> > | keyserver.
> >  -- Daniel Kahn Gillmor
> > Source: https://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/2015-August/002802.html
> >
> > So, closing as "not-a-possible-solution".
> >
> >
> > This doesn't solve the problem itself of course, but there isn't a real
> > solution for it off hand as our only secure way of talking to the
> > outside world is via this key, so if the key is no longer viable,
> > we have lost and manual intervention is needed.
> 
> My thinking here wasn't to blindly refresh the keys from the keyring,
> but to leverage the trustdb to allow only a certain set of keys to be
> trusted for authenticating packages...

I don't understand. Your suggestion in the bugreport was to run
--refresh-keys on the keyring(s) apt-key uses for authenitcation.

The problem is that this isn't possible in a secure way as Daniel
confirmed as an attacker than inject "arbitrary key[s]" into the
refreshed keyrings, so an attacker can add keys you trust for
authentication. That pretty much defeats the point…

Best regards

An a bit confused David Kalnischkies

Attachment: signature.asc
Description: Digital signature

Reply to:

Prev by Date: Bug#736763: bugs.debian.org: apache2 not removed after purging smokeping
Next by Date: Bug#659387: [PATCH] "apt-get -o RootDir=/foo install ..." fails if /foo/foo doesn't exists
Previous by thread: Bug#785061: marked as done ([INTL:tr] Turkish translation update for apt)
Next by thread: Bug#659387: [PATCH] "apt-get -o RootDir=/foo install ..." fails if /foo/foo doesn't exists
Index(es):
- Date
- Thread