
Bug#890841: apt-key add does not report key fingerprint or key metadata.



Control: severity -1 wishlist

On Mon, Feb 19, 2018 at 12:29:46PM -0800, Nathan Wilcox wrote:
> Package: apt
> Version: 1.4.8
> Severity: important
> Tags: security
> 
> I. Requested Change:
> 
> Alter apt-key add to print out the full GPG fingerprint(s) and 
> metadata for each key imported.
> 
> 
> II. Motivation:
> 
> This improves the chance that a critical mass of users would notice a 
> compromise of commonly used apt package signing keys in the off chance 
> that they include this fingerprint output in bug reports, logs, or 
> active verification between peers.

apt-key add has been deprecated for over a year now. I don't think a critical
mass of users cares about that. It's also the wrong approach: Piping
untrusted data to a root process and then checking that the root thing
did its work correctly makes no sense from a security perspective.

> 
> 
> III. Background:
> 
> I frequently encounter installation advice that follows a basic formula:
> 
> 1. fetch package signing keys via curl via https, pipe them to apt-key add.
> 2. add a source to sources.list.
> 3. apt update && apt install $PACKAGE

We deprecated that approach a while ago and it might fail on systems that
do not have gnupg installed, so upstreams really should not use it.

I very much prefer the Chrome approach of sticking a key and a sources.list
into a package and providing that package over https for initial installation.

Other ideas are welcome.

> 
> For example, here is the literal install advice for Signal Desktop from 
> https://signal.org/download/ as of 2018-02-19:
> 
> > curl -s https://updates.signal.org/desktop/apt/keys.asc | sudo apt-key add -
> > echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" | sudo tee -a /etc/apt/sources.list.d/signal-xenial.list
> > sudo apt update && sudo apt install signal-desktop
> 
> When following this advice users are relying on curl's authentication 
> via HTTPS for permanently modifying their local machine's package 
> authentication trust profile. When I run the first step, all that 
> `apt-key add -` outputs is "OK".

That's somewhat awful.

> 
> I just now wanted to ask several peers who I know would be capable of 
> looking up the fingerprint of the key I just fetched. This is possible 
> by running:
> 
> $ gpg --keyring /etc/apt/trusted.gpg --list-keys --fingerprint
> 
> -and then figuring out which key is relevant.
> 
> With the requested change, I would be saved one step making it more 
> likely more users will do this in practice.

I think we should definitely do that.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
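The practice the report asks for, written out as an added example that is not part of the bug thread or of apt: fetch the key to a file, print its primary-key fingerprint, compare it with a fingerprint pinned from an out-of-band source, and only then install it as a dedicated keyring referenced by `signed-by`, never via `apt-key add`. It assumes gpg supports `--import-options show-only`, that the key file is ASCII-armored, and that the install step runs as root; the pinned fingerprint in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: pin-check a repository signing key before trusting it.
set -eu

# Print primary-key fingerprints from "gpg --with-colons" output on stdin.
# fpr lines carry the fingerprint in field 10; only those following a
# "pub" line (not a "sub" line) belong to a primary key.
fingerprints_from_colons() {
    awk -F: '$1=="pub"{p=1} $1=="sub"{p=0} $1=="fpr"&&p{print $10}'
}

# Exit 0 if the pinned fingerprint ($1, spaces and case ignored) matches one
# of the fingerprints read from stdin; 1 if none matches; 2 if the pin is
# not a 40-hex-digit v4 fingerprint.
pin_matches() {
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#pin}" -eq 40 ] || return 2
    while IFS= read -r fpr; do
        [ "$fpr" = "$pin" ] && return 0
    done
    return 1
}

# install_pinned_key URL PINNED_FINGERPRINT NAME "REPO SUITE COMPONENT..."
# Downloads the key, shows what would be imported (the output apt-key add
# never gave), refuses on mismatch, and otherwise writes a keyring plus a
# sources.list.d entry bound to it with signed-by.
install_pinned_key() {
    url=$1 pin=$2 name=$3 repo=$4
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    curl -fsSL "$url" -o "$tmp"
    colons=$(gpg --batch --with-colons --import-options show-only --import "$tmp")
    echo "primary key fingerprint(s) in $url:"
    printf '%s\n' "$colons" | fingerprints_from_colons
    if ! printf '%s\n' "$colons" | fingerprints_from_colons | pin_matches "$pin"; then
        echo "fingerprint does not match pin; not installing" >&2
        return 1
    fi
    gpg --batch --dearmor < "$tmp" > "/usr/share/keyrings/$name.gpg"
    printf 'deb [signed-by=/usr/share/keyrings/%s.gpg] %s\n' "$name" "$repo" \
        > "/etc/apt/sources.list.d/$name.list"
    echo "installed keyring and source for $name"
}

# Usage (pin is a placeholder; take the real value from an out-of-band source):
# install_pinned_key https://updates.signal.org/desktop/apt/keys.asc \
#     '<PINNED FINGERPRINT>' signal 'https://updates.signal.org/desktop/apt xenial main'
```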