Package: apt
Version: 1.4.8
Severity: important
Tags: security

I. Requested Change:

Alter apt-key add to print out the full GPG fingerprint(s) and metadata for 
each key imported.


II. Motivation:

This improves the chance that a critical mass of users would notice a 
compromise of commonly used apt package signing keys, on the off chance that 
they include this fingerprint output in bug reports, logs, or active 
verification between peers.


III. Background:

I frequently encounter installation advice that follows a basic formula:

1. fetch package signing keys with curl over HTTPS, and pipe them to apt-key add.
2. add a source to sources.list.
3. apt update && apt install $PACKAGE

For example, here is the literal install advice for Signal Desktop from 
https://signal.org/download/ as of 2018-02-19:

> curl -s https://updates.signal.org/desktop/apt/keys.asc | sudo apt-key add -
> echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" | sudo tee -a /etc/apt/sources.list.d/signal-xenial.list
> sudo apt update && sudo apt install signal-desktop

When following this advice, users are relying on curl's HTTPS authentication 
to permanently modify their local machine's package authentication trust 
profile. When I run the first step, all that `apt-key add -` outputs is "OK".

I just now wanted to ask several peers who I know would be capable of looking 
up the fingerprint of the key I just fetched. This is possible by running:

$ gpg --keyring /etc/apt/trusted.gpg --list-keys --fingerprint

and then figuring out which key is relevant.

With the requested change, I would be saved one step, making it more likely 
that more users will do this in practice.
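As an added illustration (not part of this bug report, and not apt's own code) of what the requested output would look like, the script below diffs a machine-readable listing of the trusted keyring (`gpg --with-colons`) taken before and after an import and prints the full fingerprint and metadata of every key that was added, matching by full fingerprint rather than by short key id. The two keyring listings are constructed sample data with placeholder fingerprints; only `list_keyring` touches a real keyring, and it is an assumed helper that shells out to gpg.

```python
"""Added example: print fingerprint + metadata of keys added to an APT keyring.

Approach: parse `gpg --with-colons --fingerprint --list-keys` output for the
keyring before and after an import and report every key new to the keyring.
BEFORE/AFTER below are constructed listings with placeholder fingerprints.
"""
from __future__ import annotations

import shutil
import subprocess
from dataclasses import dataclass, field
from datetime import datetime, timezone

# OpenPGP public-key algorithm ids as gpg reports them in field 4 of a pub record.
ALGO_NAMES = {"1": "rsa", "17": "dsa", "18": "ecdh", "19": "ecdsa", "22": "eddsa"}


@dataclass
class Key:
    keyid: str          # long key id, field 5 of the pub record
    fingerprint: str    # 40 hex chars for a v4 key, field 10 of the fpr record
    algo: str
    bits: int
    created: str        # YYYY-MM-DD (UTC)
    uids: list[str] = field(default_factory=list)


def _fmt_created(raw: str) -> str:
    """In --with-colons mode gpg emits the creation time as seconds since the epoch."""
    if raw.isdigit():
        return datetime.fromtimestamp(int(raw), tz=timezone.utc).strftime("%Y-%m-%d")
    return raw or "?"


def parse_colons(listing: str) -> list[Key]:
    """Parse gpg colon-separated records into Key objects.

    Fields (1-indexed): pub -> 3 bits, 4 algo, 5 keyid, 6 created;
    fpr -> 10 fingerprint; uid -> 10 user id.  The first fpr after a pub record
    is the primary key's fingerprint; fpr records following a sub record belong
    to subkeys and are skipped.
    """
    keys: list[Key] = []
    current: Key | None = None
    in_primary = False
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 10:
            continue  # tru and other short records carry nothing we need
        rec = fields[0]
        if rec == "pub":
            current = Key(keyid=fields[4], fingerprint="",
                          algo=ALGO_NAMES.get(fields[3], "algo" + fields[3]),
                          bits=int(fields[2]), created=_fmt_created(fields[5]))
            keys.append(current)
            in_primary = True
        elif rec == "sub":
            in_primary = False
        elif rec == "fpr" and current is not None and in_primary and not current.fingerprint:
            current.fingerprint = fields[9]
        elif rec == "uid" and current is not None:
            current.uids.append(fields[9])
    return keys


def group_fingerprint(fp: str) -> str:
    """Render a fingerprint in 4-character groups, as `gpg --fingerprint` does."""
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))


def added_keys(before: list[Key], after: list[Key]) -> list[Key]:
    """Keys present in `after` but not in `before`, compared by full fingerprint."""
    known = {k.fingerprint for k in before}
    return [k for k in after if k.fingerprint not in known]


def describe(key: Key) -> str:
    lines = [f"pub   {key.algo}{key.bits} {key.created} [{key.keyid}]",
             f"      {group_fingerprint(key.fingerprint)}"]
    lines += [f"uid   {u}" for u in key.uids]
    return "\n".join(lines)


def list_keyring(path: str) -> list[Key]:
    """Assumed live helper: list a real keyring file such as /etc/apt/trusted.gpg."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg is not installed")
    out = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", path,
         "--with-colons", "--fingerprint", "--list-keys"],
        check=True, capture_output=True, text=True).stdout
    return parse_colons(out)


# Constructed sample listings: placeholder fingerprints, not real keys.
BEFORE = """\
tru::1:1518998400:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1404473831:::-:::scSC::::::23::0:
fpr:::::::::AAAA0123456789ABCDEF0123456789ABCDEF0123:
uid:-::::1404473831::0000::Example Distro Archive Key <archive@example.invalid>::::::::::0:
"""
AFTER = BEFORE + """\
pub:-:4096:1:FEDCBA9876543210:1466640000:::-:::scSC::::::23::0:
fpr:::::::::BBBBFEDCBA9876543210FEDCBA9876543210FEDC:
uid:-::::1466640000::0000::Example Vendor Package Signing Key <packages@example.invalid>::::::::::0:
sub:-:4096:1:1111222233334444:1466640000::::::s::::::23:
fpr:::::::::CCCC11112222333344441111222233334444DDDD:
"""


def main() -> None:
    for key in added_keys(parse_colons(BEFORE), parse_colons(AFTER)):
        print("Imported key:")
        print(describe(key))


if __name__ == "__main__":
    main()
```

For a real check, snapshot `list_keyring("/etc/apt/trusted.gpg")` before and after the `apt-key add` step and pass the two lists to `added_keys`; note from the apt-config dump in this report (`Dir::Etc::trustedparts "trusted.gpg.d"`) that keys may also land in `/etc/apt/trusted.gpg.d/*.gpg`, so a complete snapshot covers those files as well. Comparing by full fingerprint matters: the short key id alone is not enough to tell two keys apart.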


IV. Drawbacks / Criticisms / Concerns:

Some may argue that this change doesn't help for several reasons, which I 
respond to here:

a. This doesn't solve the authentication issue. Users can't tell if they have 
the right fingerprint in the first place.

The purpose of adding this feature is to improve detection of anomalies, such 
as suspicious changes in signing keys, not to solve the identification / 
authentication problem. Attacks are either detected or undetected. A 
detected attack is much less useful to the attacker because targets can react 
to protect themselves.


b. Replacing package signing keys is too sophisticated of an attack to happen 
in real life. Other attacks are much more likely.

A single successful attack against critically important software could impact a 
large population and also high-value targets within a population. The 
evaluation of whether or not a sophisticated attack is worth it depends on the 
value of compromising the target, the sophistication or cost of executing the 
attack, and the downside risks such as detection. It's naive to assume an 
attack is "too sophisticated to happen" without knowing the attacker's own 
cost/benefit profile.

However, we know that detecting an attack adds a major downside risk for many 
attackers' goals, and therefore we can and should raise the cost to this large 
category of attackers.


c. The chance that this helps detect a real attack is very low. 
(Alternatively: few users will know how to use the fingerprint output 
appropriately.)

So long as a small subset verifies the fingerprints, it raises the chance of 
detecting a real attack. In fact, if only *two* users happen to check with 
each other and notice a change in signing keys, that's sufficient even if tens 
of thousands of users use the same installation flow.

Furthermore, users who don't understand how to use this information may still 
inadvertently raise the chance of detecting an attack, because they may paste 
logs, console snippets, reportbug output, etc. that inadvertently publish this 
information.


d. Users can already do this kind of check as you described above by running 
gpg directly.

Each time we reduce the number of steps or the complexity of looking at, 
sharing, or evaluating the necessary information to detect an attack, we raise 
the probability that the user population as a whole will detect an attack. This 
is a modest step to streamline that process and raise the cost of this avenue 
of attack.


-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "amd64";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Install-Recommends "false";
APT::Install-Suggests "false";
APT::Sandbox "";
APT::Sandbox::User "_apt";
APT::Authentication "";
APT::Authentication::TrustCDROM "true";
APT::NeverAutoRemove "";
APT::NeverAutoRemove:: "^firmware-linux.*";
APT::NeverAutoRemove:: "^linux-firmware$";
APT::NeverAutoRemove:: "^linux-image-4\.8\.12\+$";
APT::NeverAutoRemove:: "^linux-image-4\.9\.0-2-amd64$";
APT::NeverAutoRemove:: "^linux-headers-4\.8\.12\+$";
APT::NeverAutoRemove:: "^linux-headers-4\.9\.0-2-amd64$";
APT::NeverAutoRemove:: "^linux-image-extra-4\.8\.12\+$";
APT::NeverAutoRemove:: "^linux-image-extra-4\.9\.0-2-amd64$";
APT::NeverAutoRemove:: "^linux-signed-image-4\.8\.12\+$";
APT::NeverAutoRemove:: "^linux-signed-image-4\.9\.0-2-amd64$";
APT::NeverAutoRemove:: "^kfreebsd-image-4\.8\.12\+$";
APT::NeverAutoRemove:: "^kfreebsd-image-4\.9\.0-2-amd64$";
APT::NeverAutoRemove:: "^kfreebsd-headers-4\.8\.12\+$";
APT::NeverAutoRemove:: "^kfreebsd-headers-4\.9\.0-2-amd64$";
APT::NeverAutoRemove:: "^gnumach-image-4\.8\.12\+$";
APT::NeverAutoRemove:: "^gnumach-image-4\.9\.0-2-amd64$";
APT::NeverAutoRemove:: "^.*-modules-4\.8\.12\+$";
APT::NeverAutoRemove:: "^.*-modules-4\.9\.0-2-amd64$";
APT::NeverAutoRemove:: "^.*-kernel-4\.8\.12\+$";
APT::NeverAutoRemove:: "^.*-kernel-4\.9\.0-2-amd64$";
APT::NeverAutoRemove:: "^linux-backports-modules-.*-4\.8\.12\+$";
APT::NeverAutoRemove:: "^linux-backports-modules-.*-4\.9\.0-2-amd64$";
APT::NeverAutoRemove:: "^linux-tools-4\.8\.12\+$";
APT::NeverAutoRemove:: "^linux-tools-4\.9\.0-2-amd64$";
APT::VersionedKernelPackages "";
APT::VersionedKernelPackages:: "linux-image";
APT::VersionedKernelPackages:: "linux-headers";
APT::VersionedKernelPackages:: "linux-image-extra";
APT::VersionedKernelPackages:: "linux-signed-image";
APT::VersionedKernelPackages:: "kfreebsd-image";
APT::VersionedKernelPackages:: "kfreebsd-headers";
APT::VersionedKernelPackages:: "gnumach-image";
APT::VersionedKernelPackages:: ".*-modules";
APT::VersionedKernelPackages:: ".*-kernel";
APT::VersionedKernelPackages:: "linux-backports-modules-.*";
APT::VersionedKernelPackages:: "linux-tools";
APT::Never-MarkAuto-Sections "";
APT::Never-MarkAuto-Sections:: "metapackages";
APT::Never-MarkAuto-Sections:: "contrib/metapackages";
APT::Never-MarkAuto-Sections:: "non-free/metapackages";
APT::Never-MarkAuto-Sections:: "restricted/metapackages";
APT::Never-MarkAuto-Sections:: "universe/metapackages";
APT::Never-MarkAuto-Sections:: "multiverse/metapackages";
APT::Move-Autobit-Sections "";
APT::Move-Autobit-Sections:: "oldlibs";
APT::Move-Autobit-Sections:: "contrib/oldlibs";
APT::Move-Autobit-Sections:: "non-free/oldlibs";
APT::Move-Autobit-Sections:: "restricted/oldlibs";
APT::Move-Autobit-Sections:: "universe/oldlibs";
APT::Move-Autobit-Sections:: "multiverse/oldlibs";
APT::Architectures "";
APT::Architectures:: "amd64";
APT::Compressor "";
APT::Compressor::. "";
APT::Compressor::.::Name ".";
APT::Compressor::.::Extension "";
APT::Compressor::.::Binary "";
APT::Compressor::.::Cost "0";
APT::Compressor::lz4 "";
APT::Compressor::lz4::Name "lz4";
APT::Compressor::lz4::Extension ".lz4";
APT::Compressor::lz4::Binary "false";
APT::Compressor::lz4::Cost "50";
APT::Compressor::gzip "";
APT::Compressor::gzip::Name "gzip";
APT::Compressor::gzip::Extension ".gz";
APT::Compressor::gzip::Binary "gzip";
APT::Compressor::gzip::Cost "100";
APT::Compressor::gzip::CompressArg "";
APT::Compressor::gzip::CompressArg:: "-6n";
APT::Compressor::gzip::UncompressArg "";
APT::Compressor::gzip::UncompressArg:: "-d";
APT::Compressor::xz "";
APT::Compressor::xz::Name "xz";
APT::Compressor::xz::Extension ".xz";
APT::Compressor::xz::Binary "xz";
APT::Compressor::xz::Cost "200";
APT::Compressor::xz::CompressArg "";
APT::Compressor::xz::CompressArg:: "-6";
APT::Compressor::xz::UncompressArg "";
APT::Compressor::xz::UncompressArg:: "-d";
APT::Compressor::bzip2 "";
APT::Compressor::bzip2::Name "bzip2";
APT::Compressor::bzip2::Extension ".bz2";
APT::Compressor::bzip2::Binary "bzip2";
APT::Compressor::bzip2::Cost "300";
APT::Compressor::bzip2::CompressArg "";
APT::Compressor::bzip2::CompressArg:: "-6";
APT::Compressor::bzip2::UncompressArg "";
APT::Compressor::bzip2::UncompressArg:: "-d";
APT::Compressor::lzma "";
APT::Compressor::lzma::Name "lzma";
APT::Compressor::lzma::Extension ".lzma";
APT::Compressor::lzma::Binary "xz";
APT::Compressor::lzma::Cost "400";
APT::Compressor::lzma::CompressArg "";
APT::Compressor::lzma::CompressArg:: "--format=lzma";
APT::Compressor::lzma::CompressArg:: "-6";
APT::Compressor::lzma::UncompressArg "";
APT::Compressor::lzma::UncompressArg:: "--format=lzma";
APT::Compressor::lzma::UncompressArg:: "-d";
Dir "/";
Dir::State "var/lib/apt";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::mirrors "mirrors/";
Dir::State::extended_states "extended_states";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::netrc "auth.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Etc::preferencesparts "preferences.d";
Dir::Etc::trusted "trusted.gpg";
Dir::Etc::trustedparts "trusted.gpg.d";
Dir::Etc::apt-file-main "apt-file.conf";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::solvers "";
Dir::Bin::solvers:: "/usr/lib/apt/solvers";
Dir::Bin::planners "";
Dir::Bin::planners:: "/usr/lib/apt/planners";
Dir::Bin::dpkg "/usr/bin/dpkg";
Dir::Bin::gzip "/bin/gzip";
Dir::Bin::bzip2 "/bin/bzip2";
Dir::Bin::xz "/usr/bin/xz";
Dir::Bin::lz4 "/usr/bin/lz4";
Dir::Bin::lzma "/usr/bin/xz";
Dir::Media "";
Dir::Media::MountPath "/media/cdrom";
Dir::Log "var/log/apt";
Dir::Log::Terminal "term.log";
Dir::Log::History "history.log";
Dir::Log::Planner "eipp.log.xz";
Dir::Ignore-Files-Silently "";
Dir::Ignore-Files-Silently:: "~$";
Dir::Ignore-Files-Silently:: "\.disabled$";
Dir::Ignore-Files-Silently:: "\.bak$";
Dir::Ignore-Files-Silently:: "\.dpkg-[a-z]+$";
Dir::Ignore-Files-Silently:: "\.save$";
Dir::Ignore-Files-Silently:: "\.orig$";
Dir::Ignore-Files-Silently:: "\.distUpgrade$";
Acquire "";
Acquire::AllowInsecureRepositories "0";
Acquire::AllowWeakRepositories "0";
Acquire::AllowDowngradeToInsecureRepositories "0";
Acquire::cdrom "";
Acquire::cdrom::mount "/media/cdrom";
Acquire::IndexTargets "";
Acquire::IndexTargets::deb "";
Acquire::IndexTargets::deb::Packages "";
Acquire::IndexTargets::deb::Packages::MetaKey "$(COMPONENT)/binary-$(ARCHITECTURE)/Packages";
Acquire::IndexTargets::deb::Packages::flatMetaKey "Packages";
Acquire::IndexTargets::deb::Packages::ShortDescription "Packages";
Acquire::IndexTargets::deb::Packages::Description "$(RELEASE)/$(COMPONENT) $(ARCHITECTURE) Packages";
Acquire::IndexTargets::deb::Packages::flatDescription "$(RELEASE) Packages";
Acquire::IndexTargets::deb::Packages::Optional "0";
Acquire::IndexTargets::deb::Translations "";
Acquire::IndexTargets::deb::Translations::MetaKey "$(COMPONENT)/i18n/Translation-$(LANGUAGE)";
Acquire::IndexTargets::deb::Translations::flatMetaKey "$(LANGUAGE)";
Acquire::IndexTargets::deb::Translations::ShortDescription "Translation-$(LANGUAGE)";
Acquire::IndexTargets::deb::Translations::Description "$(RELEASE)/$(COMPONENT) Translation-$(LANGUAGE)";
Acquire::IndexTargets::deb::Translations::flatDescription "$(RELEASE) Translation-$(LANGUAGE)";
Acquire::IndexTargets::deb::Contents-deb "";
Acquire::IndexTargets::deb::Contents-deb::MetaKey "$(COMPONENT)/Contents-$(ARCHITECTURE)";
Acquire::IndexTargets::deb::Contents-deb::ShortDescription "Contents-$(ARCHITECTURE)";
Acquire::IndexTargets::deb::Contents-deb::Description "$(RELEASE)/$(COMPONENT) $(ARCHITECTURE) Contents (deb)";
Acquire::IndexTargets::deb::Contents-deb::flatMetaKey "Contents-$(ARCHITECTURE)";
Acquire::IndexTargets::deb::Contents-deb::flatDescription "$(RELEASE) Contents (deb)";
Acquire::IndexTargets::deb::Contents-deb::PDiffs "true";
Acquire::IndexTargets::deb::Contents-deb::KeepCompressed "true";
Acquire::IndexTargets::deb::Contents-udeb "";
Acquire::IndexTargets::deb::Contents-udeb::MetaKey "$(COMPONENT)/Contents-udeb-$(ARCHITECTURE)";
Acquire::IndexTargets::deb::Contents-udeb::ShortDescription "Contents-udeb-$(ARCHITECTURE)";
Acquire::IndexTargets::deb::Contents-udeb::Description "$(RELEASE)/$(COMPONENT) $(ARCHITECTURE) Contents (udeb)";
Acquire::IndexTargets::deb::Contents-udeb::flatMetaKey "Contents-udeb-$(ARCHITECTURE)";
Acquire::IndexTargets::deb::Contents-udeb::flatDescription "$(RELEASE) Contents (udeb)";
Acquire::IndexTargets::deb::Contents-udeb::KeepCompressed "true";
Acquire::IndexTargets::deb::Contents-udeb::PDiffs "true";
Acquire::IndexTargets::deb::Contents-udeb::DefaultEnabled "false";
Acquire::IndexTargets::deb-src "";
Acquire::IndexTargets::deb-src::Sources "";
Acquire::IndexTargets::deb-src::Sources::MetaKey "$(COMPONENT)/source/Sources";
Acquire::IndexTargets::deb-src::Sources::flatMetaKey "Sources";
Acquire::IndexTargets::deb-src::Sources::ShortDescription "Sources";
Acquire::IndexTargets::deb-src::Sources::Description "$(RELEASE)/$(COMPONENT) Sources";
Acquire::IndexTargets::deb-src::Sources::flatDescription "$(RELEASE) Sources";
Acquire::IndexTargets::deb-src::Sources::Optional "0";
Acquire::IndexTargets::deb-src::Contents-dsc "";
Acquire::IndexTargets::deb-src::Contents-dsc::MetaKey "$(COMPONENT)/Contents-source";
Acquire::IndexTargets::deb-src::Contents-dsc::ShortDescription "Contents-source";
Acquire::IndexTargets::deb-src::Contents-dsc::Description "$(RELEASE)/$(COMPONENT) source Contents (dsc)";
Acquire::IndexTargets::deb-src::Contents-dsc::flatMetaKey "Contents-source";
Acquire::IndexTargets::deb-src::Contents-dsc::flatDescription "$(RELEASE) Contents (dsc)";
Acquire::IndexTargets::deb-src::Contents-dsc::PDiffs "true";
Acquire::IndexTargets::deb-src::Contents-dsc::KeepCompressed "true";
Acquire::IndexTargets::deb-src::Contents-dsc::DefaultEnabled "false";
Acquire::Changelogs "";
Acquire::Changelogs::URI "";
Acquire::Changelogs::URI::Origin "";
Acquire::Changelogs::URI::Origin::Debian "http://metadata.ftp-master.debian.org/changelogs/@CHANGEPATH@_changelog";
Acquire::Changelogs::URI::Origin::Tanglu "http://metadata.tanglu.org/changelogs/@CHANGEPATH@_changelog";
Acquire::Changelogs::URI::Origin::Ubuntu "http://changelogs.ubuntu.com/changelogs/pool/@CHANGEPATH@/changelog";
Acquire::Changelogs::URI::Origin::Ultimedia "http://packages.ultimediaos.com/changelogs/pool/@CHANGEPATH@/changelog.txt";
Acquire::Changelogs::AlwaysOnline "";
Acquire::Changelogs::AlwaysOnline::Origin "";
Acquire::Changelogs::AlwaysOnline::Origin::Ubuntu "1";
Acquire::Languages "";
Acquire::Languages:: "en";
Acquire::Languages:: "none";
Acquire::CompressionTypes "";
Acquire::CompressionTypes::xz "xz";
Acquire::CompressionTypes::bz2 "bzip2";
Acquire::CompressionTypes::lzma "lzma";
Acquire::CompressionTypes::gz "gzip";
Acquire::CompressionTypes::lz4 "lz4";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
Binary "apt-config";
Binary::apt "";
Binary::apt::APT "";
Binary::apt::APT::Color "1";
Binary::apt::APT::Cache "";
Binary::apt::APT::Cache::Show "";
Binary::apt::APT::Cache::Show::Version "2";
Binary::apt::APT::Cache::AllVersions "0";
Binary::apt::APT::Cache::ShowVirtuals "1";
Binary::apt::APT::Cache::Search "";
Binary::apt::APT::Cache::Search::Version "2";
Binary::apt::APT::Cache::ShowDependencyType "1";
Binary::apt::APT::Cache::ShowVersion "1";
Binary::apt::APT::Get "";
Binary::apt::APT::Get::Upgrade-Allow-New "1";
Binary::apt::APT::Cmd "";
Binary::apt::APT::Cmd::Show-Update-Stats "1";
Binary::apt::APT::Keep-Downloaded-Packages "0";
Binary::apt::DPkg "";
Binary::apt::DPkg::Progress-Fancy "1";
Binary::apt-get "";
Binary::apt-get::Acquire "";
Binary::apt-get::Acquire::AllowInsecureRepositories "1";
CommandLine "";
CommandLine::AsString "apt-config dump";

-- (no /etc/apt/preferences present) --


-- (no /etc/apt/preferences.d/* present) --


-- /etc/apt/sources.list --

# 

# deb cdrom:[Debian GNU/Linux stretch-DI-alpha7 _Stretch_ - Official Snapshot amd64 NETINST Binary-1 20160630-14:29]/ stretch contrib main non-free

#deb cdrom:[Debian GNU/Linux stretch-DI-alpha7 _Stretch_ - Official Snapshot amd64 NETINST Binary-1 20160630-14:29]/ stretch contrib main non-free

deb http://ftp.us.debian.org/debian/ stretch main non-free contrib
deb-src http://ftp.us.debian.org/debian/ stretch main non-free contrib

deb http://security.debian.org/debian-security stretch/updates main contrib non-free
deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free

-- System Information:
Debian Release: stretch/sid
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.115
ii  debian-archive-keyring  2014.3
ii  gpgv                    1.4.20-6
ii  init-system-helpers     1.44
ii  libapt-pkg5.0           1.3~rc4
ii  libc6                   2.24-10
ii  libgcc1                 1:6.3.0-12
ii  libstdc++6              6.3.0-12

Versions of packages apt recommends:
ii  gnupg  2.1.18-8~deb9u1

Versions of packages apt suggests:
pn  apt-doc                      <none>
pn  aptitude | synaptic | wajig  <none>
ii  dpkg-dev                     1.18.10
pn  powermgmt-base               <none>
pn  python-apt                   <none>

-- no debconf information