Bug#890841: apt-key add does not report key fingerprint or key metadata.
Control: severity -1 wishlist
On Mon, Feb 19, 2018 at 12:29:46PM -0800, Nathan Wilcox wrote:
> Package: apt
> Version: 1.4.8
> Severity: important
> Tags: security
>
> I. Requested Change:
>
> Alter apt-key add to print out the full GPG fingerprint(s) and
> metadata for each key imported.
>
>
> II. Motivation:
>
> This improves the chance that a critical mass of users would notice a
> compromise of commonly used apt package signing keys in the off chance
> that they include this fingerprint output in bug reports, logs, or
> active verification between peers.
apt-key add has been deprecated for over a year now. I don't think a critical
mass of users cares about that. It's also the wrong approach: piping
untrusted data to a root process and then checking that the root thing
did its work correctly makes no sense from a security perspective.
>
>
> III. Background:
>
> I frequently encounter installation advice that follows a basic formula:
>
> 1. fetch package signing keys via curl via https, pipe them to apt-key add.
> 2. add a source to sources.list.
> 3. apt update && apt install $PACKAGE
We deprecated that approach a while ago and it might fail on systems that
do not have gnupg installed, so upstreams really should not use it.
I very much prefer the Chrome approach of sticking a key and a sources.list
into a package and providing that package over https for initial installation.
Other ideas are welcome.
>
> For example, here is the literal install advice for Signal Desktop from
> https://signal.org/download/ as of 2018-02-19:
>
> > curl -s https://updates.signal.org/desktop/apt/keys.asc | sudo apt-key add -
> > echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" | sudo tee -a /etc/apt/sources.list.d/signal-xenial.list
> > sudo apt update && sudo apt install signal-desktop
>
> When following this advice users are relying on curl's authentication
> via HTTPS for permanently modifying their local machine's package
> authentication trust profile. When I run the first step, all that
> `apt-key add -` outputs is "OK".
That's somewhat awful.
>
> I just now wanted to ask several peers who I know would be capable of
> looking up the fingerprint of the key I just fetched. This is possible
> by running:
>
> $ gpg --keyring /etc/apt/trusted.gpg --list-keys --fingerprint
>
> -and then figuring out which key is relevant.
>
> With the requested change, I would be saved one step making it more
> likely more users will do this in practice.
I think we should definitely do that.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
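The report asks that importing a key print the fingerprint and metadata of what was imported, and the reply recommends moving away from the shared trusted.gpg. The script below is an added example, not code from this bug thread, from apt or from the Signal or Chrome packaging it mentions. It dearmors a key into a dedicated keyring file whose path the caller chooses (for instance a file under /etc/apt/trusted.gpg.d/) and then prints one line per user ID with the primary key's full fingerprint, creation and expiry timestamps. It assumes gpg is installed; the parsing of gpg's machine-readable `--with-colons` listing is separated into its own function and exercised with a constructed sample listing (made-up key IDs, fingerprints and user ID), so that part runs without gpg or a real key.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from apt itself.
# Imports a repository signing key into a keyring file of the caller's choosing
# and prints the fingerprint plus key metadata of every key it contains, which
# is the output the report asks apt-key add to produce. Assumes gpg is installed.
set -eu

# Turn `gpg --with-colons` listing output into one line per user ID:
#   <40-hex fingerprint> created=<epoch> expires=<epoch|never> <user id>
# Field 10 of an fpr record is the fingerprint, field 10 of a uid record the
# user ID; fields 6 and 7 of the pub record are creation and expiry.
# Only the primary key's fpr record is used; subkey fpr records are skipped.
# Reads stdin so it can be exercised with constructed input (see demo below).
summarize_colons() {
    awk -F: '
        $1 == "pub" { created = $6; expires = $7; fpr = ""; next }
        $1 == "fpr" && fpr == "" { fpr = $10; next }
        $1 == "uid" && fpr != "" { printf "%s created=%s expires=%s %s\n", fpr, created, (expires == "" ? "never" : expires), $10 }
    '
}

# import_and_report <ascii-armored-key-file> <destination-keyring>
# Dearmors the key into its own keyring (for example /etc/apt/trusted.gpg.d/NAME.gpg;
# use an absolute path, otherwise gpg resolves it relative to its home directory)
# rather than appending to the shared trusted.gpg, then lists what was imported.
# A dedicated file can later be pinned to one repository with [signed-by=/path]
# in the sources entry and removed cleanly when the repository is dropped.
import_and_report() {
    keyfile=$1
    keyring=$2
    gpg --dearmor < "$keyfile" > "$keyring"
    gpg --no-default-keyring --keyring "$keyring" \
        --list-keys --with-colons --fingerprint | summarize_colons
}

# Constructed sample listing (made-up key IDs, fingerprints and user ID) so the
# parser can be run without gpg or a real key.
SAMPLE_COLONS='pub:-:4096:1:0123456789ABCDEF:1500000000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Repo Signing Key <repo@example.org>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1500000000::::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Run the parser over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_COLONS" | summarize_colons
}

# Usage: ./keyimport.sh import KEY.asc /etc/apt/trusted.gpg.d/NAME.gpg
#        ./keyimport.sh demo
case "${1:-demo}" in
    import) import_and_report "$2" "$3" ;;
    demo)   demo ;;
esac
```

The printed fingerprint is what a user would compare against the one published by the repository operator, or exchange with peers as the report describes; the timestamps are left as epoch seconds because converting them portably in awk is not possible without GNU extensions.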