On Tuesday, November 5, 2002, at 07:34 AM, Mikko Lipasti wrote:

Run a 'rpm --checksig package'. If it says something about missing keys,
then you don't have the public key of whoever signed the package. You
should do a 'gpg --keyserver www.mandrakesecure.net --recv-keys keyid'
where keyid is the missing key id (just the stuff right after # please).
If gpg doesn't complain, run 'rpm --checksig package' again. Should be
ok this time.

Note that depending on your level of paranoia, simply trusting the
keyserver might not be enough. Try to check by other means that the key
is what it's supposed to be.

In theory (could someone from within MandrakeSoft confirm, refute or
provide a solution for this please?) one could create a gpg identity
with name and email addresses such that others would think was a
legitimate packager of MandrakeSoft, upload it to mandrakesecure.net
keyserver and then build trojaned (or whatever) packages, sign them with
the key and upload them to a public (compromised) server. Then the
victims would do a rpm --checksig on it, see that they miss the key and
then get it. RPM would be happy; the package was indeed signed with the
key.

The thing is, you see, that a valid gpg signature provides little
security if you don't check that the key really belongs to the person /
organization it claims to.

Here's the keyserver www interface address:
http://www.mandrakesecure.net/cks/
Yup... Mikko is right. Until urpmi allows for mapping keys to sources, I would not blindly download a key without first verifying that it is in fact a "real" or legitimate key.

Most sites should have the key downloadable on their website, which you should do prior to downloading software.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx - source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
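The check both posters describe, fetching a key but refusing to trust it until its fingerprint has been confirmed by other means, as an added example that is not from the thread: it parses gpg's machine-readable listing and accepts a key only when its full 40-digit fingerprint equals one published out-of-band (such as the one in the signature above), ignoring the name, e-mail and short key id an impostor can choose freely. The two key listings are constructed samples and import_if_trusted is a hypothetical wrapper around the gpg command line.

```python
import re
import subprocess

# Fingerprint published out-of-band (the mail signature above; this value is the page's).
PUBLISHED_FPR = "88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD"
# Constructed `gpg --with-colons` listings: sizes, dates, user id and the spoofed
# fingerprint are made up; only the genuine fingerprint comes from the page.
GENUINE_KEY = """\
pub:-:1024:17:2043D0E5FE6F2AFD:2001-01-01:::-:::scESC:
fpr:::::::::88D80D238D4B34075BD766F92043D0E5FE6F2AFD:
uid:-::::2001-01-01::0000000000000000000000000000000000000000::MandrakeSoft Security <security@example.invalid>:
"""
# Same user id and the same short key id FE6F2AFD, but a different key entirely.
SPOOFED_KEY = """\
pub:-:1024:17:77778888FE6F2AFD:2002-11-01:::-:::scESC:
fpr:::::::::11112222333344445555666677778888FE6F2AFD:
uid:-::::2002-11-01::1111111111111111111111111111111111111111::MandrakeSoft Security <security@example.invalid>:
"""

def normalize_fpr(fpr: str) -> str:
    """Strip whitespace and uppercase; reject anything shorter than a full fingerprint."""
    f = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", f):
        raise ValueError(f"not a full fingerprint: {fpr!r}")
    return f

def parse_keys(colons_output: str) -> list:
    """Return [{'keyid', 'fpr', 'uids'}] for each primary key in --with-colons output."""
    keys = []
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "fpr": None, "uids": []})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]          # first fpr after pub is the primary key's
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys

def key_is_trusted(colons_output: str, expected_fpr: str) -> bool:
    """Accept only a single key whose full fingerprint equals the published one."""
    keys = parse_keys(colons_output)
    return len(keys) == 1 and keys[0]["fpr"] == normalize_fpr(expected_fpr)

def import_if_trusted(key_file: str, expected_fpr: str) -> bool:
    """Hypothetical wrapper: list the key without importing, check it, then import."""
    shown = subprocess.run(["gpg", "--with-colons", "--import-options", "show-only", "--import", key_file],
                           capture_output=True, text=True, check=True).stdout
    if not key_is_trusted(shown, expected_fpr):
        return False
    subprocess.run(["gpg", "--import", key_file], check=True)
    return True
```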
