
Bug#618445: apt: Please downgrade "There is no public key available ..." to a notice



On Tue 2011-03-15 04:03:42 -0400, Uwe Kleine-König wrote:
> I'm about to change the gpg key used to sign our apt and so signed the
> archive for now with two keys and will update the keyring package to
> contain the new key soon.
>
> The "problem" I'm faced with now is that if apt only knows one of the
> two keys used it prints a warning
>
> 	W: There is no public key available for the following key IDs:
> 	...

I agree that this warning is problematic.  For most users who haven't
thought about the issue, they'll take it as a problem that needs fixing,
even when their system can already validate the particular files that
they're trying to validate.  As a result, they might try to track down
and add an additional key to their apt keyring.

A system that depends on a signature from any one of N+1 keys is by
definition more vulnerable than a system that depends on a signature
from any one of N keys, so this warning is actively encouraging debian
system administrators to enlarge their attack surface.

Consider a rogue mirror that redistributes the debian archive, but can
add an additional OpenPGP signature in InRelease or Release.gpg.

If the mirror operator wanted to, they could mint a new OpenPGP
certificate with a user ID like "Debian Archive Automatic Signing Key
(8.0/jessie) <ftpmaster@debian.org>", and add a signature from that key
to the InRelease file.

This would be a legitimate debian archive, with an extra signature
attached, but it would produce the above warnings.

Any local admin who tries to "fix" the warning by importing that key
will now be vulnerable to future attack by that mirror operator.

A sensible admin who regularly prunes their apt-key list (e.g. removing
the wheezy keys on systems that are well past wheezy) will find
themselves incurring additional warnings.

These warnings are actively bad for the security of debian systems, and
should be muted entirely as long as the package lists successfully
validate.  If some download doesn't validate at all, then this
information should be supplied, but as an error, not as a warning.

     --dkg
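The scenario argued above, as an added demonstration that is not part of the bug report or of apt: a clear-signed InRelease carrying two signatures, an admin keyring that knows only one of the signers, and the verdict apt draws from gpg's `--status-fd` lines. The `apt_verdict` function is this example's model of the rule the thread takes for granted ("one GOODSIG from a known key validates the file; NO_PUBKEY only adds the warning"), not apt's own code. The two user IDs, the key pairs, and the `Release` contents are constructed for the demo (the rogue UID is the one the message suggests); the live part assumes GnuPG 2.1 or newer and is skipped when `gpg` is unavailable.

```shell
#!/bin/sh
# Added demonstration (not from the bug report or apt). Models the apt rule
# "any one GOODSIG from a known key validates the file" and shows what an
# admin gains by importing the unknown key to silence the warning.
set -eu
DEMO_RESULT=""

# Reads `gpg --status-fd` lines on stdin and prints the verdict this model
# of apt draws from them:
#   VALID       at least one GOODSIG, every signer known
#   VALID+WARN  at least one GOODSIG, plus NO_PUBKEY (apt's "W: There is no
#               public key available ...", the warning this bug is about)
#   INVALID     no GOODSIG at all (the only case that merits an error)
apt_verdict() {
    good=0; unknown=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   good=$((good + 1)) ;;
            "[GNUPG:] NO_PUBKEY "*) unknown=$((unknown + 1)) ;;
        esac
    done
    if [ "$good" -eq 0 ]; then echo INVALID
    elif [ "$unknown" -gt 0 ]; then echo VALID+WARN
    else echo VALID
    fi
}

# gpg with an explicit home directory, unattended (empty passphrase).
gpg_in() { home=$1; shift; GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Verify one clear-signed file against the admin's keyring and classify it.
# gpg exits non-zero when a signer is unknown; the verdict comes from the
# status lines, as apt does it, so the exit status is deliberately ignored.
verify_with() {  # $1 = admin GNUPGHOME, $2 = file
    GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$2" 2>/dev/null | apt_verdict
}

run_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping live demo" >&2; return 0; }
    work=$(mktemp -d)
    mirror="$work/mirror"; admin="$work/admin"
    mkdir -m 700 "$mirror" "$admin"

    # Two hypothetical keys: the genuine archive key and a rogue mirror's key
    # whose user ID merely looks official.
    for uid in "Archive Signing Key (demo) <ftpmaster@example.org>" \
               "Debian Archive Automatic Signing Key (8.0/jessie) <ftpmaster@debian.org>"; do
        gpg_in "$mirror" --quick-gen-key "$uid" default default never \
            || { echo "key generation failed; skipping live demo" >&2; rm -rf "$work"; return 0; }
    done
    real=$(gpg_in "$mirror" --with-colons --list-keys ftpmaster@example.org | awk -F: '/^fpr/ {print $10; exit}')
    rogue=$(gpg_in "$mirror" --with-colons --list-keys ftpmaster@debian.org | awk -F: '/^fpr/ {print $10; exit}')

    printf 'Origin: Demo\nSuite: stable\n' > "$work/Release"   # constructed sample
    # The mirror clear-signs with BOTH keys: a legitimate archive with an
    # extra signature attached ...
    gpg_in "$mirror" --clearsign -u "$real" -u "$rogue" -o "$work/InRelease" "$work/Release"
    # ... and holds a future file signed ONLY by its own key.
    gpg_in "$mirror" --clearsign -u "$rogue" -o "$work/InRelease.rogue" "$work/Release"

    # The admin's keyring trusts only the genuine key.
    gpg_in "$mirror" --export --armor "$real" | gpg_in "$admin" --import
    r1=$(verify_with "$admin" "$work/InRelease")
    r2=$(verify_with "$admin" "$work/InRelease.rogue")
    echo "two signatures, one known key:  $r1"
    echo "rogue-only file, before import: $r2"

    # The admin "fixes" the warning by importing the unknown key ...
    gpg_in "$mirror" --export --armor "$rogue" | gpg_in "$admin" --import
    r3=$(verify_with "$admin" "$work/InRelease")
    r4=$(verify_with "$admin" "$work/InRelease.rogue")
    echo "two signatures, after import:   $r3"
    # ... and from now on the mirror alone can sign files this system accepts.
    echo "rogue-only file, after import:  $r4"
    DEMO_RESULT="$r1 $r2 $r3 $r4"
    rm -rf "$work"
}

run_demo
```

Run it with `sh demo.sh`; the first two lines show that the two-signature file already validates (only the warning is added) while the rogue-only file is rejected, and the last two show that after the "fix" the rogue-only file validates too, which is the enlarged attack surface the message describes.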

