[Touch-packages] [Bug 1649097] Re: 'linux' source package signature is not valid
Reality check: that means that all source packages received via 'apt-get source' are not trusted by Ubuntu clean installation ? Is there a safe way to get full public key (not short unsafe keyid) for a source package then? Thanks ** Summary changed: - 'linux' source package signature is not valid + any source package signature is not valid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1649097 Title: any source package signature is not valid Status in apt package in Ubuntu: New Bug description: In short: The GPG key 105BE7F7, with that 'linux' source package is signed, revoked on 08/16/16 (4 months ago!) How to reproduce: $ apt-get source linux-image-$(uname -r) ... Picking 'linux' as source package instead of 'linux-image-4.4.0-53-generic' ... Get:2 http://ru.archive.ubuntu.com/ubuntu xenial-updates/main linux 4.4.0-53.74 (tar) [133 MB] ... gpgv: Signature made Пт 02 дек 2016 18:32:18 MSK using RSA key ID 105BE7F7 gpgv: Can't check signature: public key not found dpkg-source: warning: failed to verify signature on ./linux_4.4.0-53.74.dsc ... ### if you add this key: $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 105BE7F7 $ apt-key list ... pub 4096R/105BE7F7 2011-09-06 uid Brad Figgsub 4096R/F336E4D5 2011-09-06 pub 4096R/105BE7F7 2014-06-16 [revoked: 2016-08-16] uid Brad Figg ### THE KEY IS REVOKED 4 MONTHS AGO! ### Additional info: $ lsb_release -rd Description: Ubuntu 16.04.1 LTS Release: 16.04 ### My unmodified /etc/apt/sources.list in attachment. ### Note, /etc/apt/sources.list.d/ directory is empty. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1649097/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1649097] Re: 'linux' source package signature is not valid
Julian, do you have any ideas how this could be handled better? I'm short on ideas here. The gpgv output seems useful but it's also potentially misleading. Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1649097 Title: 'linux' source package signature is not valid Status in apt package in Ubuntu: New Bug description: In short: The GPG key 105BE7F7, with that 'linux' source package is signed, revoked on 08/16/16 (4 months ago!) How to reproduce: $ apt-get source linux-image-$(uname -r) ... Picking 'linux' as source package instead of 'linux-image-4.4.0-53-generic' ... Get:2 http://ru.archive.ubuntu.com/ubuntu xenial-updates/main linux 4.4.0-53.74 (tar) [133 MB] ... gpgv: Signature made Пт 02 дек 2016 18:32:18 MSK using RSA key ID 105BE7F7 gpgv: Can't check signature: public key not found dpkg-source: warning: failed to verify signature on ./linux_4.4.0-53.74.dsc ... ### if you add this key: $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 105BE7F7 $ apt-key list ... pub 4096R/105BE7F7 2011-09-06 uid Brad Figgsub 4096R/F336E4D5 2011-09-06 pub 4096R/105BE7F7 2014-06-16 [revoked: 2016-08-16] uid Brad Figg ### THE KEY IS REVOKED 4 MONTHS AGO! ### Additional info: $ lsb_release -rd Description: Ubuntu 16.04.1 LTS Release: 16.04 ### My unmodified /etc/apt/sources.list in attachment. ### Note, /etc/apt/sources.list.d/ directory is empty. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1649097/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1649097] Re: 'linux' source package signature is not valid
Thanks for the bug report. This isn't as dire as it looks: APT's security model is based on signed InRelease files that have sha256sums of all archive contents. In this case, the InRelease file will have a sha256sum for one of the Sources files, and that file will have a sha256sum for the linux source package files: Checksums-Sha256: 5c1141401c8f3468b2d5f71906aea181a8f7c9e195c4cc3252a085962bbf4f4d 9611 linux_4.4.0-53.74.dsc 730e75919b5d30a9bc934ccb300eaedfdf44994ca9ee1d07a46901c46c221357 132860730 linux_4.4.0.orig.tar.gz 5ad7a47f2bcb66858f26fb539e39e07724c676a8eca84239c850fa87c2900b0e 12162206 linux_4.4.0-53.74.diff.gz If these sha256sums don't match what was downloaded, apt itself would throw an error. All these files are in /var/lib/apt/lists/ . The .dsc file is signed by whoever uploads the package for building to our buildfarm. Developers' keys change all the time. It's still useful to have the .dsc file to see what the builders saw, regardless if the signature on the file is from an expired key or not. Now, where things get really interesting: You've used a 32 bit keyid to download the key from the keyservers. 32 bit keyids are not safe to use in this manner because it's relatively simple to generate keys with colliding 32 bit keyids. This was done for all keys in the 'strongly connected set' a few years ago, including Brad's key. When someone uploaded all these keys to the SKS keyservers, it was insanely confusing. So, the group that generated all the colliding keys generated revocation certificates for all the keys and uploaded them all, to kill them. So, your command to download the key by 32 bit keyid downloaded _two_ keys -- Brad's real key, "11D6 ADA3 D9E8 3D93 ACBD 837F 0C7B 589B 105B E7F7", is not revoked: $ gpg --check-sigs "11D6 ADA3 D9E8 3D93 ACBD 837F 0C7B 589B 105B E7F7" pub 4096R/0C7B589B105BE7F7 2011-09-06 uid Brad Figgsig! 052F367018D5C3D8 2012-01-09 John Johansen sig! 5759F35001AA4A64 2011-12-10 Steve Langasek sig! 3D76C845FA1447CA 2011-09-06 Tim Gardner (4K key) sig! 8972F4DFDC6DC026 2011-12-09 Kees Cook sig! 2F099E8D005E81F4 2011-12-09 Steve Beattie sig-30C7B589B105BE7F7 2011-09-06 Brad Figg sig!30C7B589B105BE7F7 2011-09-06 Brad Figg sub 4096R/E79D7BDFF336E4D5 2011-09-06 sig! 0C7B589B105BE7F7 2011-09-06 Brad Figg 1 bad signature 14 signatures not checked due to missing keys My output may look different from yours because I added this to my ~/.gnupg/gpg.conf file: keyid-format long For more information, see https://evil32.com/ Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1649097 Title: 'linux' source package signature is not valid Status in apt package in Ubuntu: New Bug description: In short: The GPG key 105BE7F7, with that 'linux' source package is signed, revoked on 08/16/16 (4 months ago!) How to reproduce: $ apt-get source linux-image-$(uname -r) ... Picking 'linux' as source package instead of 'linux-image-4.4.0-53-generic' ... Get:2 http://ru.archive.ubuntu.com/ubuntu xenial-updates/main linux 4.4.0-53.74 (tar) [133 MB] ... gpgv: Signature made Пт 02 дек 2016 18:32:18 MSK using RSA key ID 105BE7F7 gpgv: Can't check signature: public key not found dpkg-source: warning: failed to verify signature on ./linux_4.4.0-53.74.dsc ... ### if you add this key: $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 105BE7F7 $ apt-key list ... pub 4096R/105BE7F7 2011-09-06 uid Brad Figg sub 4096R/F336E4D5 2011-09-06 pub 4096R/105BE7F7 2014-06-16 [revoked: 2016-08-16] uid Brad Figg ### THE KEY IS REVOKED 4 MONTHS AGO! ### Additional info: $ lsb_release -rd Description: Ubuntu 16.04.1 LTS Release: 16.04 ### My unmodified /etc/apt/sources.list in attachment. ### Note, /etc/apt/sources.list.d/ directory is empty. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1649097/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1649097] Re: 'linux' source package signature is not valid
** Information type changed from Private Security to Public Security ** Package changed: ubuntu => apt (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1649097 Title: 'linux' source package signature is not valid Status in apt package in Ubuntu: New Bug description: In short: The GPG key 105BE7F7, with that 'linux' source package is signed, revoked on 08/16/16 (4 months ago!) How to reproduce: $ apt-get source linux-image-$(uname -r) ... Picking 'linux' as source package instead of 'linux-image-4.4.0-53-generic' ... Get:2 http://ru.archive.ubuntu.com/ubuntu xenial-updates/main linux 4.4.0-53.74 (tar) [133 MB] ... gpgv: Signature made Пт 02 дек 2016 18:32:18 MSK using RSA key ID 105BE7F7 gpgv: Can't check signature: public key not found dpkg-source: warning: failed to verify signature on ./linux_4.4.0-53.74.dsc ... ### if you add this key: $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 105BE7F7 $ apt-key list ... pub 4096R/105BE7F7 2011-09-06 uid Brad Figgsub 4096R/F336E4D5 2011-09-06 pub 4096R/105BE7F7 2014-06-16 [revoked: 2016-08-16] uid Brad Figg ### THE KEY IS REVOKED 4 MONTHS AGO! ### Additional info: $ lsb_release -rd Description: Ubuntu 16.04.1 LTS Release: 16.04 ### My unmodified /etc/apt/sources.list in attachment. ### Note, /etc/apt/sources.list.d/ directory is empty. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1649097/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp