http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5775
------- Additional Comments From [EMAIL PROTECTED] 2008-01-09 16:37 -------

(In reply to comment #3)
> > So if an attacker can't fake the signature, then who cares?
>
> Maybe the threat is something like this, given that "The end result is that
> the signature can be verified by both the actual signer's key and the
> attacker's key": Alice signs her release of MalAssassin, which is going to
> be downloaded and verified by Bob. Eve uses this vulnerability to cause
> Alice's signatures of MalAssassin to verify against Eve's key, then
> convinces Bob that her key is a new one to be used for MalAssassin
> downloads. Bob uses Eve's key, has no problem verifying legitimate
> downloads of MalAssassin, and thus is fooled into using Eve's key to verify
> a malware download of MalAssassin that Eve has signed.

If Eve convinces Bob to trust a different key, then it doesn't matter what we
do. In our situation, Bob still trusts Alice's key for signing, and Eve can't
sign malware using the key, so Bob can still trust that what he downloads is
signed by Alice. The fact that the key is associated w/ Eve's other
keys/identifying information instead of Alice's doesn't matter to us.

> And here is a stronger reason to cross-sign our key: Otherwise newer
> versions of GPG will produce the scary warning message quoted in this bug's
> Description when sa-update is run.

Aha. While the initial comment implies that validation still works, and
there's just a warning ... It appears that (which is what comment 1 also
says) apparently the newer GPGs won't validate the signature at all...
I just tried a 3.1 update w/ my newly installed gpg 1.4.8:

[26406] dbg: gpg: calling gpg
[26406] dbg: gpg: gpg: Signature made Thu 18 Oct 2007 02:54:04 AM EDT using RSA key ID 24F434CE
[26406] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
[26406] dbg: gpg: gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
[26406] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1192690444 1
[26406] dbg: gpg: gpg: Can't check signature: general error
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification failed.
channel: GPG validation failed, channel failed
[26406] dbg: generic: cleaning up temporary directory/files
[26406] dbg: diag: updates complete, exiting with code 4

So yes, I'm +1 to cross-signing, and we need to do this asap since the
channels are potentially broken right now... <sigh>

There should be a way to do this w/out upgrading gpg, I'll take a look in a
minute.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
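The failure quoted in the comment above is a verifier-side refusal, not a bad signature: gpg emits an ERRSIG status line (rc 1, "general error") next to a plain-stderr "signing subkey ... is not cross-certified" warning, and sa-update treats that like any other verification failure. The POSIX shell script below is an added example, not code from this bug thread and not sa-update's own verification logic. It classifies gpg's combined stderr and --status-fd output so a deployment script can tell "key needs a back signature" apart from "signature is bad", extracts the offending subkey ID, and shows the one-time fix the key owner runs. Function names are mine; the sample gpg lines are constructed from the log in this comment with the sa-update debug prefix stripped; the fix assumes the primary secret key is in the local keyring, that the installed gpg has the `cross-certify` edit-key command, and that the passphrase is supplied by gpg-agent or pinentry.

```shell
#!/bin/sh
# Added example (not from the bug thread, not sa-update's own code):
# distinguish a "signing subkey is not cross-certified" refusal from a
# genuinely bad signature, and show the key owner's fix.

# classify_gpg_output: read gpg's combined stderr + --status-fd output on
# stdin and print one word: goodsig, badsig, errsig-not-cross-certified,
# errsig, or nosig. Patterns are not anchored at line start, so lines from
# "sa-update -D" (prefixed "[pid] dbg: gpg: ") classify the same way.
classify_gpg_output() {
    awk '
        /\[GNUPG:\] GOODSIG /  { good = 1 }
        /\[GNUPG:\] BADSIG /   { bad = 1 }
        /\[GNUPG:\] ERRSIG /   { err = 1 }
        /WARNING: signing subkey [0-9A-Fa-f]+ is not cross-certified/ { xcert = 1 }
        END {
            if (good)              { print "goodsig" }
            else if (bad)          { print "badsig" }
            else if (err && xcert) { print "errsig-not-cross-certified" }
            else if (err)          { print "errsig" }
            else                   { print "nosig" }
        }'
}

# uncertified_subkey: print the subkey ID named in the warning, if any.
uncertified_subkey() {
    sed -n 's/.*signing subkey \([0-9A-Fa-f]*\) is not cross-certified.*/\1/p' | head -n 1
}

# cross_certify_subkeys: the fix, run once by the holder of the primary
# secret key. The edit-key command "cross-certify" adds the missing back
# signatures to the signing subkeys and "save" writes the key; the public
# key must then be re-exported and republished so verifiers pick it up.
# Assumption: gpg-agent/pinentry supplies the passphrase.
cross_certify_subkeys() {
    gpg --edit-key "$1" cross-certify save
}

# Constructed sample: the gpg lines from the sa-update log in this comment,
# with the "[26406] dbg: gpg: " prefix removed.
SAMPLE_NOT_CROSS_CERTIFIED=$(cat <<'EOF'
gpg: Signature made Thu 18 Oct 2007 02:54:04 AM EDT using RSA key ID 24F434CE
gpg: WARNING: signing subkey 24F434CE is not cross-certified
gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
[GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1192690444 1
gpg: Can't check signature: general error
EOF
)

# Constructed sample of a signature that really is bad (no subkey warning).
SAMPLE_BADSIG=$(cat <<'EOF'
gpg: Signature made Thu 18 Oct 2007 02:54:04 AM EDT using RSA key ID 24F434CE
[GNUPG:] BADSIG 6C55397824F434CE Example Signer (constructed) <signer@example.invalid>
gpg: BAD signature from "Example Signer (constructed) <signer@example.invalid>"
EOF
)

case "${1:-}" in
    --fix)
        cross_certify_subkeys "${2:?usage: $0 --fix PRIMARY-KEY-ID}"
        ;;
    *)
        # Real use: gpg --status-fd 1 --verify update.asc update.tgz 2>&1 | classify_gpg_output
        printf '%s\n' "$SAMPLE_NOT_CROSS_CERTIFIED" | classify_gpg_output
        printf '%s\n' "$SAMPLE_NOT_CROSS_CERTIFIED" | uncertified_subkey
        printf '%s\n' "$SAMPLE_BADSIG" | classify_gpg_output
        ;;
esac
```

Run without arguments to see the two constructed samples classified (the first prints errsig-not-cross-certified and 24F434CE, the second badsig); run with `--fix PRIMARY-KEY-ID` on the machine holding the secret key to add the back signatures. The classification matters operationally: an uncertified subkey is fixed by the key owner republishing the key, while a BADSIG means the downloaded update must not be installed regardless of any key changes.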
