Package: debian-archive-keyring Severity: wishlist
Please add current "Debian CD signing key", and make policy of including keys that are used for signing official Debian CDs. Authenticity of Debian CD signing keys should be verified by Release team before including in debian-archive-keyring package. I set this issue as "wishlist" because it is rather a feature request than error, however I consider this more important than standard "wishlist item". Rationale: Currently people who don't have good enough trust path to "Debian CD signing key", cant easily verify authenticity of new Debian CDs. Because apt verifies authenticity of packages before installation, and its assumed that keys in package debian-archive-keyring are handled carefully by the Release Team, therefore it should be a secure chain of trust for those who already have a trusted enough older Debian installation. Many users are not able to establish trust chain to Debian CD signing key trough the web of trust, and this is not trivial Similar issues have been raised before: http://lists.debian.org/debian-security/2011/01/msg00002.html http://lists.debian.org/debian-user/2011/03/msg01179.html http://lists.debian.org/debian-user/2011/03/msg01531.html http://lists.debian.org/debian-security/2011/01/msg00118.html http://forums.debian.net/viewtopic.php?f=17&t=62272 http://lists.debian.org/debian-user/2011/03/msg00434.html Some of them are trying to solve problem of initial trust path to Debian, which is not what suggested change is meant to fix. This bug report is about those who already overcome chicken-egg problem (which means that they have trusted enough computer with older Debian). However this change will also provide similar trust path from Ubuntu to Debian, because Ubuntu also contains debian-archive-keyring package. It may be worth mentioning that Ubuntu has similar solution. The Ubuntu CD signing key is included in the ubuntu-archive-keyring package. This package is Ubuntu's equivalent of debian-archive-keyring (it also contains keys for Apt). Trust chain is only as strong as the weakest link. Eliminating unneeded nodes decreases chances of compromising trust chain. Therefore its better to get the key in question directly from trusted medium, than to rely on a chain of signatures. There are also some issues with GnuPG that complicate relying on the web of trust: 1.It seems that there is no way of disabling too weak hash algorithms for web of trust calculations. This kind of attack seams reasonable, especially that large part of signed material (public key) is a random number, which makes it easier to forge valid key with identical hash as the original one, allowing reattachment of signatures from original key to the forged one. While for now it may not be a big issue (which is not necessary true *) , it doesn't allow user to set his own policy regarding level of confidence in web of trust certifications. *http://csrc.nist.gov/groups/ST/hash/statement.html, http://www.debian-administration.org/users/dkg/weblog/48 2. Manual checking of signatures on Debian CD Signing Key is also not a good option. The"--check-sigs" command do not check if keys that issued signatures are not revoked. This is known to GnuPG developers and is marked as "wontfix" (https://bugs.g10code.com/gnupg/issue910). Therefore manual checking of signatures on a key using the --check-sigs command requires that user also manually check if each key that signed the one in question, is not revoked. This command also do not hide revoked signatures. Asimmetric algo is displayed if the option --with-colons is used, which is not a good format for humans to read. Hash algo propably could be displayed if "--list-option show-sig-subpackets" option is also used, however this output is even worse for human readers, and using another tool like kspsig is also not convenient (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594907). Those issues are additional burden for user and make this process time consuming and error-prone. If proposed changes will be applied, the procedure to verify authenticity of files containing cryptographic hashes of debian CD images will be easier, and weaknesses mentioned above will be avoided. I have written two different verification procedures for Debian CDs. Those may be of use for some people and it may be good to put them at http://www.debian.org/CD/verify after the "Debian CD signing key" is added to this package. Those procedures are only examples, and there are other possible variations. I'm assuming that the files with cryptographic hashes, signature files, and iso images are located in the current directory, and that debian-archive-keyring package is already installed/upgraded. It is also a good idea to do the verification on a separate user account with empty keyring, to avoid the possibility of having malicious cd signing key existing in the local keyring. The malicious key could be accidentally downloaded from manipulated keyserver, and may be unnoticed by the user who don't read gpg output carefully. I once encountered that gpg fetched totally unrelated key in addition to the one requested by me. It also could be downloaded automaticaly and if the "auto-key-retrieve" is enabled. With GnuPG you should be very cautious... Debian CD verification procedure: 1.Generating keypair. (...) 2.Importing keys to local keyring from debian-archive-keyring. $ gpg --import /usr/share/keyrings/debian-archive-keyring.gpg 3.Locally signing the Debian CD signing key, to mark it as the authentic one. $ gpg --lsign-key id 4.Refreshing local keyring, to check if Debian CD signing key is not revoked $ gpg --refresh-keys 5.Verifying authenticity of file containing cryptographic hashes of debian CDs. $ gpg --verify SHA256SUMS.sign 6.Verifying cd images. $ sha256sum -c SHA256SUMS Alternative method: 1.Initializing Gnupg (it will create gpg.conf and other files). Setting the "direct" trust model. $ gpg --list-keys $ echo "trust-model direct" >> ~/.gnupg/gpg.conf 2.Importing keys to local keyring from debian-archive-keyring. $ gpg --import /usr/share/keyrings/debian-archive-keyring.gpg 3.Marking the "Debian CD signing key" as valid, $ gpg --edit-key id command> trust Your decision? 5 Do you really want to set this key to ultimate trust? (y/N) y Command> q 4. Refreshing local keyring, to check if Debian CD signing key is not revoked $ gpg --refresh-keys 5.Verifying authenticity of file containing cryptographic hashes of debian cds. $ gpg --verify SHA256SUMS.sign 6.Verifying cd images $ sha256sum -c SHA256SUMS -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
