Bug#699661: debian-keyring: please ship a removed-keys keyring

2023-11-28 Thread Dimitri John Ledkov
On Sat, 2 Feb 2013 23:51:42 -0500 Michael Gilbert wrote:
> package: debian-keyring
> version: 2012.11.15
> severity: important
>
> Signature verification currently fails on source packages that were
> signed by keys that are no longer present in the active keyrings.
> This can easily lead to the incorrect conclusion that those packages
> are not to be trusted or possibly malicious.  Many packages tend to
> remain in the archive far longer than the key used to sign them, so I
> think it would make a lot of sense to ship the removed-keys to be able
> to easily verify them into the indefinite future.

I wonder if instead the bug report is with dak, that it should strip
signatures from .dsc files (like it strips them from .changes) and
instead replace signature with the verified/trusted gpg output at the
time (good signature from $UID $KEYID $HASH $Algo).

Such that .dsc fetched from the archive years later, is only verified
via archive key signature of a future time, rather than relying on the
.dsc signature to remain trusted.

It would also make published .dsc smaller.

Basically the same reasoning as to why .deb files are not signed directly.

Because one is supposed to have received an already authenticated and
verified .dsc after running `apt source`.

Regards,

Dimitri.



Bug#699661: debian-keyring: please ship a removed-keys keyring

2021-07-29 Thread Sherry Williams
Date: Sun, 2 Jun 2013 13:47:04 -0400
From: Michael Gilbert
Body:
> On Sat, Feb 02, 2013 at 11:51:42PM -0500, Michael Gilbert wrote:
> > package: debian-keyring
> > version: 2012.11.15
> > severity: important
> >
> > Signature verification currently fails on source packages that were
> > signed by keys that are no longer present in the active keyrings.
> > This can easily lead to the incorrect conclusion that those packages
> > are not to be trusted or possibly malicious. Many packages tend to
> > remain in the archive far longer than the key used to sign them, so I
> > think it would make a lot of sense to ship the removed-keys to be able
> > to easily verify them into the indefinite future.
>
> If we put a key into removed-keys then it indicates we no longer trust
> it; that could be because we've been told it's revoked, or because we've
> lost contact with the owner, because it's been compromised or because
> the owner has transitioned to a stronger key. Shipping removed-keys for
> the purposes of verification is not appropriate.
>
> J.
>
> --
> ] http://www.earth.li/~noodles/ [] "F**k a duck." -- Walt Disney [
> ]  PGP/GPG Key @ the.earth.li   []                                [
> ] via keyserver, web or email.  []                                [
> ] RSA: 4096/2DA8B985            []                                [



Bug#699661: debian-keyring: please ship a removed-keys keyring

2013-06-02 Thread Michael Gilbert
On Sat, Jun 1, 2013 at 6:48 PM, Jonathan McDowell wrote:
> tags 699661 wontfix
> thanks
>
> On Sat, Feb 16, 2013 at 03:11:09PM -0500, Michael Gilbert wrote:
> > > Note that signature date is part of the information
> > > contained in the gpg signature block.
> >
> > Rethinking this, I suppose that could be faked with a compromised key.
> >
> > So, really the trust path would also require checking that that
> > package originated from debian, i.e. that the dsc matches the
> > information known to a release file that's been signed by one of the
> > debian archive keys.
> >
> > Anyway, done carefully, it could work.
>
> I think anyone who knows how to be careful enough to ensure they've
> followed the trust path correctly can either find the old debian-keyring
> package from archive.debian.org, rsync the removed-keys.gpg file from
> keyring.debian.org or checkout the bzr tree and get the key from there.
>
> Marking wontfix; the removed-keys keyring is easily available to those
> that need it and I don't think shipping it in the debian-keyring
> package is helping most of the userbase.

Well, it would help a certain subset of the userbase that prefers to
fetch stuff via the package management system, making it more
convenient for those extracting signed sources with now expired keys.
It will of course require a bit more information (expiration dates) to
actually make that keyring truly useful.

Best wishes,
Mike


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#699661: debian-keyring: please ship a removed-keys keyring

2013-06-01 Thread Jonathan McDowell
tags 699661 wontfix
thanks

On Sat, Feb 16, 2013 at 03:11:09PM -0500, Michael Gilbert wrote:
> > Note that signature date is part of the information
> > contained in the gpg signature block.
>
> Rethinking this, I suppose that could be faked with a compromised key.
>
> So, really the trust path would also require checking that that
> package originated from debian, i.e. that the dsc matches the
> information known to a release file that's been signed by one of the
> debian archive keys.
>
> Anyway, done carefully, it could work.

I think anyone who knows how to be careful enough to ensure they've
followed the trust path correctly can either find the old debian-keyring
package from archive.debian.org, rsync the removed-keys.gpg file from
keyring.debian.org or checkout the bzr tree and get the key from there.

Marking wontfix; the removed-keys keyring is easily available to those
that need it and I don't think shipping it in the debian-keyring
package is helping most of the userbase.

J.

-- 
] http://www.earth.li/~noodles/ []  101 things you can't have too much  [
]  PGP/GPG Key @ the.earth.li   []  of : 53 - Space.                    [
] via keyserver, web or email.  []                                      [
] RSA: 4096/2DA8B985            []                                      [





Bug#699661: debian-keyring: please ship a removed-keys keyring

2013-02-16 Thread Michael Gilbert
On Wed, Feb 13, 2013 at 8:18 PM, Jonathan McDowell wrote:
> On Sat, Feb 02, 2013 at 11:51:42PM -0500, Michael Gilbert wrote:
> > package: debian-keyring
> > version: 2012.11.15
> > severity: important
> >
> > Signature verification currently fails on source packages that were
> > signed by keys that are no longer present in the active keyrings.
> > This can easily lead to the incorrect conclusion that those packages
> > are not to be trusted or possibly malicious.  Many packages tend to
> > remain in the archive far longer than the key used to sign them, so I
> > think it would make a lot of sense to ship the removed-keys to be able
> > to easily verify them into the indefinite future.
>
> If we put a key into removed-keys then it indicates we no longer trust
> it; that could be because we've been told it's revoked, or because we've
> lost contact with the owner, because it's been compromised or because
> the owner has transitioned to a stronger key. Shipping removed-keys for
> the purposes of verification is not appropriate.

Note that even if those keys are considered untrustworthy for any
signatures past their removal date, that wasn't the case prior to
their removal.

That differentiation is key, and can be addressed by also publishing
information on removal dates.  Then the tools that do package
authentication can do a little more work to check the signature was
made prior to the key's removal date and reject those that are newer
than that date.  Note that signature date is part of the information
contained in the gpg signature block.

Best wishes,
Mike
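The removal-date check proposed in the message above, as an added example that is not code from the bug thread, its participants or Debian's tools. It parses gpgv's machine-readable `--status-fd` output (the VALIDSIG line, documented in GnuPG's doc/DETAILS, carries the signature creation timestamp) and accepts a signature by a removed key only if it predates the key's removal. The fingerprint, the removal date, the sample status lines and the `removed_keyring` path (meant to be the removed-keys.gpg file the thread says can be fetched from keyring.debian.org) are all assumptions; Debian publishes no removal-date list, which is the gap the thread is about.

```python
"""Added example for this thread; not code from the bug report, the thread's
participants or Debian's tools.

Accept a .dsc signature made by a key that has since been moved to
removed-keys only if gpgv reports that it was made before the key's removal
date.  REMOVAL_DATES, the fingerprint and the sample status lines are
constructed for the example.
"""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed fingerprint and removal date (assumption: the key left the
# active keyring with the 2012.11.15 debian-keyring upload).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
REMOVAL_DATES = {FPR: datetime(2012, 11, 15, tzinfo=timezone.utc)}


@dataclass
class SigStatus:
    good: bool = False                  # GOODSIG / EXPKEYSIG / REVKEYSIG seen
    key_revoked: bool = False           # REVKEYSIG: good signature, revoked key
    fingerprint: Optional[str] = None   # primary key fingerprint from VALIDSIG
    made_at: Optional[datetime] = None  # signature creation time from VALIDSIG
    missing_key: Optional[str] = None   # NO_PUBKEY <long keyid>


def parse_status(lines):
    """Parse gpgv --status-fd lines (GnuPG doc/DETAILS format) for one signature."""
    st = SigStatus()
    for line in lines:
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue
        kw = f[1]
        if kw in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG"):
            st.good = True
            if kw == "REVKEYSIG":
                st.key_revoked = True
        elif kw == "BADSIG":
            st.good = False
        elif kw == "VALIDSIG":
            # VALIDSIG <fpr> <date> <sig-timestamp> <expire-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> <primary-key-fpr>
            st.fingerprint = f[11] if len(f) > 11 else f[2]
            st.made_at = datetime.fromtimestamp(int(f[4]), tz=timezone.utc)
        elif kw == "NO_PUBKEY":
            st.missing_key = f[2]
    return st


def decide(st: SigStatus, removal_dates=REMOVAL_DATES) -> str:
    """Apply the removal-date policy to a parsed signature status."""
    if st.missing_key:
        return "NO_PUBKEY"             # what the bug report saw with only the active keyring
    if not st.good or st.made_at is None:
        return "BAD"
    if st.key_revoked:
        return "REJECT_REVOKED"        # revocation is unconditional, whatever the timestamp
    removed = removal_dates.get(st.fingerprint)
    if removed is None:
        return "ACCEPT"                # key not known to have been removed
    if st.made_at >= removed:
        return "REJECT_AFTER_REMOVAL"  # signed after Debian stopped trusting the key
    # Caveat raised later in the thread: the signer controls this timestamp, so a
    # compromised key can backdate a signature.  This policy only narrows the
    # window; trust still has to be anchored in the archive key.
    return "ACCEPT_HISTORICAL"


def gpgv_status(dsc_path: str, keyring: str) -> list:
    """Run gpgv on a clearsigned .dsc and return its status lines."""
    r = subprocess.run(["gpgv", "--status-fd", "1", "--keyring", keyring, dsc_path],
                       capture_output=True, text=True)
    return r.stdout.splitlines()


def verify_dsc(dsc_path: str, active_keyring: str, removed_keyring: str) -> str:
    """Active keyring first; on NO_PUBKEY retry against removed-keys with the policy."""
    verdict = decide(parse_status(gpgv_status(dsc_path, active_keyring)))
    if verdict == "NO_PUBKEY":
        verdict = decide(parse_status(gpgv_status(dsc_path, removed_keyring)))
    return verdict


# Constructed status output.  1340442851 is the bug report's signature time
# "Sat 23 Jun 2012 05:14:11 AM EDT" expressed in UTC; the key data is made up.
SAMPLE_OK = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG {FPR[-16:]} Example Developer <dev@example.org>",
    f"[GNUPG:] VALIDSIG {FPR} 2012-06-23 1340442851 0 4 0 17 2 01 {FPR}",
]
SAMPLE_LATE = [  # same key, signature made 2013-01-01, after the removal date
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG {FPR[-16:]} Example Developer <dev@example.org>",
    f"[GNUPG:] VALIDSIG {FPR} 2013-01-01 1356998400 0 4 0 17 2 01 {FPR}",
]
SAMPLE_MISSING = [  # key absent from the keyring gpgv was given
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] ERRSIG {FPR[-16:]} 17 2 01 1340442851 9",
    f"[GNUPG:] NO_PUBKEY {FPR[-16:]}",
]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("late", SAMPLE_LATE), ("missing", SAMPLE_MISSING)):
        print(name, decide(parse_status(sample)))
```

`verify_dsc` is the piece that touches the filesystem: `verify_dsc("boost1.49_1.49.0-3.1.dsc", "/usr/share/keyrings/debian-keyring.gpg", "removed-keys.gpg")` would run gpgv twice at most. The three constructed samples exercise the policy offline.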





Bug#699661: debian-keyring: please ship a removed-keys keyring

2013-02-16 Thread Michael Gilbert
> Note that signature date is part of the information
> contained in the gpg signature block.

Rethinking this, I suppose that could be faked with a compromised key.

So, really the trust path would also require checking that that
package originated from debian, i.e. that the dsc matches the
information known to a release file that's been signed by one of the
debian archive keys.

Anyway, done carefully, it could work.

Best wishes,
Mike
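The archive-anchored trust path described in the message above (and the same chain Dimitri's later message relies on when he argues the .dsc signature should not need to stay trusted), as an added example that is not code from the bug thread, dak or apt. The archive key signs Release; Release lists the SHA256 of the Sources index; Sources lists the SHA256 of each .dsc. If every link matches, the .dsc is the one Debian published, whatever the maintainer key that signed it has since become. The Release and Sources texts, the package and the archive keyring path are constructed or assumed.

```python
"""Added example for this thread; not code from the bug report, the thread's
participants, dak or apt.

Verify a .dsc through Release -> Sources -> .dsc instead of through the
maintainer signature on the .dsc itself.  Sample metadata is constructed.
"""
import hashlib
import subprocess

ARCHIVE_KEYRING = "/usr/share/keyrings/debian-archive-keyring.gpg"  # assumed path


def release_signature_ok(release_path: str, release_gpg_path: str) -> bool:
    """Step 0: the detached archive signature on Release must verify with gpgv.
    Not exercised by the offline sample below."""
    r = subprocess.run(["gpgv", "--keyring", ARCHIVE_KEYRING, release_gpg_path, release_path],
                       capture_output=True)
    return r.returncode == 0


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(text: str) -> dict:
    """{relative path: (sha256, size)} from the SHA256: section of Release."""
    out, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section and line.startswith(" "):
            digest, size, path = line.split()
            out[path] = (digest, int(size))
        else:
            in_section = False
    return out


def parse_sources(text: str) -> list:
    """Sources stanzas as dicts; Checksums-Sha256 becomes {filename: (sha256, size)}."""
    stanzas, cur, field = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, field = {}, None
        elif line.startswith(" "):
            if field == "Checksums-Sha256":
                digest, size, name = line.split()
                cur.setdefault("files", {})[name] = (digest, int(size))
        else:
            field, _, value = line.partition(":")
            cur[field] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def verify_dsc_via_archive(release_text, sources_path, sources_bytes,
                           package, version, dsc_name, dsc_bytes) -> bool:
    """Walk Release -> Sources -> .dsc; raise ValueError at the first broken link.
    release_text must already have passed release_signature_ok()."""
    listed = parse_release_sha256(release_text)
    if sources_path not in listed:
        raise ValueError(f"{sources_path} is not listed in Release")
    if (sha256(sources_bytes), len(sources_bytes)) != listed[sources_path]:
        raise ValueError("Sources index does not match Release")
    for stanza in parse_sources(sources_bytes.decode()):
        if stanza.get("Package") == package and stanza.get("Version") == version:
            break
    else:
        raise ValueError(f"{package} {version} is not in Sources")
    files = stanza.get("files", {})
    if dsc_name not in files:
        raise ValueError(f"{dsc_name} is not listed for {package} {version}")
    if (sha256(dsc_bytes), len(dsc_bytes)) != files[dsc_name]:
        raise ValueError(f"{dsc_name} does not match Sources")
    return True


def build_sample():
    """Constructed archive metadata for a made-up package (not real Debian data).
    Hashes are computed here so the sample is internally consistent."""
    dsc = b"Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\n"
    sources = (
        "Package: example\nVersion: 1.0-1\nDirectory: pool/main/e/example\n"
        "Checksums-Sha256:\n"
        f" {sha256(dsc)} {len(dsc)} example_1.0-1.dsc\n\n"
    ).encode()
    release = f"Suite: sid\nSHA256:\n {sha256(sources)} {len(sources)} main/source/Sources\n"
    return release, sources, dsc


if __name__ == "__main__":
    release, sources, dsc = build_sample()
    print(verify_dsc_via_archive(release, "main/source/Sources", sources,
                                 "example", "1.0-1", "example_1.0-1.dsc", dsc))
```

Only the Release signature is checked cryptographically; everything below it is a hash chain, which is why the age of the maintainer key does not matter here. Checking the .dsc's own signature afterwards (for instance against a removed-keys.gpg fetched as the wontfix message suggests) is then informational rather than load-bearing.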





Bug#699661: debian-keyring: please ship a removed-keys keyring

2013-02-13 Thread Jonathan McDowell
On Sat, Feb 02, 2013 at 11:51:42PM -0500, Michael Gilbert wrote:
> package: debian-keyring
> version: 2012.11.15
> severity: important
>
> Signature verification currently fails on source packages that were
> signed by keys that are no longer present in the active keyrings.
> This can easily lead to the incorrect conclusion that those packages
> are not to be trusted or possibly malicious.  Many packages tend to
> remain in the archive far longer than the key used to sign them, so I
> think it would make a lot of sense to ship the removed-keys to be able
> to easily verify them into the indefinite future.

If we put a key into removed-keys then it indicates we no longer trust
it; that could be because we've been told it's revoked, or because we've
lost contact with the owner, because it's been compromised or because
the owner has transitioned to a stronger key. Shipping removed-keys for
the purposes of verification is not appropriate.

J.

-- 
] http://www.earth.li/~noodles/ []  "F**k a duck." -- Walt Disney  [
]  PGP/GPG Key @ the.earth.li   []                                  [
] via keyserver, web or email.  []                                  [
] RSA: 4096/2DA8B985            []                                  [





Bug#699661: debian-keyring: please ship a removed-keys keyring

2013-02-02 Thread Michael Gilbert
package: debian-keyring
version: 2012.11.15
severity: important

Signature verification currently fails on source packages that were
signed by keys that are no longer present in the active keyrings.
This can easily lead to the incorrect conclusion that those packages
are not to be trusted or possibly malicious.  Many packages tend to
remain in the archive far longer than the key used to sign them, so I
think it would make a lot of sense to ship the removed-keys to be able
to easily verify them into the indefinite future.

As an example, I was looking at boost and saw:

  $ apt-get source boost1.49
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  NOTICE: 'boost1.49' packaging is maintained in the 'Svn' version control system at:
  svn://svn.debian.org/svn/pkg-boost/boost/trunk
  Need to get 48.6 MB of source archives.
  Get:1 http://ftp.debian.org/debian/ sid/main boost1.49 1.49.0-3.1 (dsc) [4,696 B]
  Get:2 http://ftp.debian.org/debian/ sid/main boost1.49 1.49.0-3.1 (tar) [48.5 MB]
  Get:3 http://ftp.debian.org/debian/ sid/main boost1.49 1.49.0-3.1 (diff) [105 kB]
  Fetched 48.6 MB in 1min 5s (746 kB/s)
  gpgv: Signature made Sat 23 Jun 2012 05:14:11 AM EDT using DSA key ID 9B7C328D
  gpgv: Can't check signature: public key not found
  dpkg-source: warning: failed to verify signature on ./boost1.49_1.49.0-3.1.dsc

Which made me think that somehow I received invalid files, but the
reality is much more benign.  That package is validly signed by Luk
Claes' old key, but since that key is now in the removed-keys and thus
not shipped, the source package unfortunately looks inauthentic
without a lot more work.

Thanks,
Mike

