http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5775
Summary: update signing key is not cross-signed
Product: Spamassassin
Version: SVN Trunk (Latest Devel Version)
Platform: Other
OS/Version: other
Status: NEW
Severity: normal
Priority: P5
Component: sa-update
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
from an "sa-update --debug" run with trunk:
[5142] dbg: gpg: calling gpg
[5142] dbg: gpg: gpg: Signature made Tue Jan 8 02:50:47 2008 CST using RSA key ID 24F434CE
[5142] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
[5142] dbg: gpg: gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
[5142] dbg: gpg: [GNUPG:] SIG_ID 3yStwCUIl80BUlPErS2/cOLxQgw 2008-01-08 1199782247
[5142] dbg: gpg: [GNUPG:] GOODSIG 6C55397824F434CE updates.spamassassin.org Signing Key <[EMAIL PROTECTED]>
[5142] dbg: gpg: gpg: Good signature from "updates.spamassassin.org Signing Key <[EMAIL PROTECTED]>"
[5142] dbg: gpg: [GNUPG:] VALIDSIG 0C2B1D7175B852C64B3CDC716C55397824F434CE 2008-01-08 1199782247 0 3 0 1 2 00 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
[5142] dbg: gpg: [GNUPG:] TRUST_UNDEFINED
[5142] dbg: gpg: gpg: WARNING: This key is not certified with a trusted signature!
[5142] dbg: gpg: gpg: There is no indication that the signature belongs to the owner.
[5142] dbg: gpg: Primary key fingerprint: 5E54 1DC9 59CB 8BAC 7C78 DFDC 4056 A61A 5244 EC45
[5142] dbg: gpg: Subkey fingerprint: 0C2B 1D71 75B8 52C6 4B3C DC71 6C55 3978 24F4 34CE
[5142] dbg: gpg: found signature made by key 0C2B1D7175B852C64B3CDC716C55397824F434CE
[5142] dbg: gpg: key id 0C2B1D7175B852C64B3CDC716C55397824F434CE is release trusted
http://www.gnupg.org/faq/subkey-cross-certify.html says:
There is a subtle weakness in the OpenPGP design for signing subkeys. Recall
that subkeys are signed by the primary key to show they belong to the primary
key. However, the signing subkey does not sign the primary to show that it is
owned by the primary. This allows an attacker to take a signing subkey and
attach it to their own key.
as it notes, we're using a signing subkey to do our signing:
bash-3.00$ gpg --homedir /home/updatesd/key --list-keys -v
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: using PGP trust model
/home/updatesd/key/pubring.gpg
------------------------------
pub 4096R/5244EC45 2005-12-20
uid updates.spamassassin.org Signing Key <[EMAIL PROTECTED]>
sub 4096R/24F434CE 2005-12-20
the FAQ notes:
GnuPG has code for adding this cross-certification to signing subkeys that were
issued before this change to the OpenPGP design. Just run "gpg --edit-key
(yourkey)" and then enter "cross-certify". You'll need to type your passphrase,
and GnuPG will add the cross-certification.
however the zone has gpg 1.4.2 and this is new in 1.4.3, so it'll require an upgrade.
the command, btw, will be something like this:
sudo -H -u updatesd gpg --homedir /home/updatesd/key --edit-key 5244EC45
cross-certify
quit
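The debug output above shows sa-update marking the subkey fingerprint as "release trusted" while gpg itself warns that the subkey is not cross-certified. As an added example (not SpamAssassin's own code), here is a Python check that parses the same gpg status lines, treats the missing cross-certification as a verification failure, and anchors release trust on the primary-key fingerprint carried in the VALIDSIG line; the sample output is reconstructed from this bug report and the trusted-fingerprint set is an assumption.

```python
import re

# Constructed sample input: the gpg status/stderr lines from the debug run in this
# bug, with the "[5142] dbg: gpg: " prefix removed and wrapped lines rejoined.
SAMPLE_GPG_OUTPUT = """\
gpg: Signature made Tue Jan 8 02:50:47 2008 CST using RSA key ID 24F434CE
gpg: WARNING: signing subkey 24F434CE is not cross-certified
[GNUPG:] SIG_ID 3yStwCUIl80BUlPErS2/cOLxQgw 2008-01-08 1199782247
[GNUPG:] GOODSIG 6C55397824F434CE updates.spamassassin.org Signing Key <[EMAIL PROTECTED]>
[GNUPG:] VALIDSIG 0C2B1D7175B852C64B3CDC716C55397824F434CE 2008-01-08 1199782247 0 3 0 1 2 00 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
[GNUPG:] TRUST_UNDEFINED
"""

# Assumed trust anchor: the fingerprint of the *primary* updates.spamassassin.org
# key (taken from the bug's output). Trust is pinned here, not on the subkey.
RELEASE_TRUSTED_PRIMARIES = {"5E541DC959CB8BAC7C78DFDC4056A61A5244EC45"}

CROSS_CERT_WARNING = re.compile(r"signing subkey [0-9A-Fa-f]+ is not cross-certified")


def evaluate_signature(gpg_output, trusted_primaries=RELEASE_TRUSTED_PRIMARIES):
    """Decide whether an update signature should be accepted.

    Returns (accept, reason, info). In a VALIDSIG status line, field 3 is the
    fingerprint of the key that made the signature and the optional last field
    (index 11) is the fingerprint of the primary key that subkey belongs to.
    """
    info = {"signing_key": None, "primary_key": None, "cross_certified": True}
    for line in gpg_output.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            fields = line.split()
            info["signing_key"] = fields[2]
            # A signature made directly by a primary key has no separate primary fpr.
            info["primary_key"] = fields[11] if len(fields) > 11 else fields[2]
        elif CROSS_CERT_WARNING.search(line):
            # gpg could not confirm the subkey is bound back to its primary key.
            info["cross_certified"] = False
    if info["signing_key"] is None:
        return False, "no valid signature found", info
    if not info["cross_certified"]:
        return False, "signing subkey is not cross-certified", info
    if info["primary_key"] not in trusted_primaries:
        return False, "primary key is not release trusted", info
    return True, "ok", info


if __name__ == "__main__":
    print(evaluate_signature(SAMPLE_GPG_OUTPUT)[:2])
```

GnuPG can enforce the same requirement on its own through its --require-cross-certification option, which makes a signature from a non-cross-certified subkey fail verification outright instead of merely printing the warning.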