Re: trusting repository keys (was: deb-multimedia repository)

2013-08-22 Thread Jochen Spieker
Ralf Mardorf:
> On Wed, 2013-08-21 at 16:53 +0200, Jochen Spieker wrote:
>
>> Ralf Mardorf:
>> No. Just because a keyserver happens to serve some key does not
>> mean the key is valid.
> 
> But if I upload a key it would neither have the same fingerprint nor
> fit the packages.

But how do you know the correct fingerprint? The one that is used to
sign the repository might be compromised, just like the rest of the
repository.

The scenario is as follows: just like the OP, you want to use
packages from deb-multimedia.org (or any other repository, including
official Debian repositories). You don't know very much about the entity
providing these packages, except from their name ("Christian Marillat",
"Debian").

You want to make sure that your apt talks to the correct repository and
not one of an attacker that is able to poison your DNS or acts as a
man-in-the-middle for your web traffic.

Secure apt can do this for you *if you import (only) the correct keys*
into apt's keyring. But in the beginning you don't even know which key
is the correct one! To be cryptographically secure, you need an
out-of-band method to find out whether the key used to sign the
repository you are seeing does in fact belong to the person/entity that
you trust. To do this, you can either try to meet with the signee in
person or use the Web of Trust.

> So I must upload a key and then hack the package to
> do something evil.

Yes, and Secure Apt is supposed to protect you from this kind of attack.

> Sure, if the multimedia guys do something evil, then
> no key will add security. The key only should ensure that the package is
> a package from multimedia.

Yes. But with the twist I already mentioned: apt does not tell you which
key was used to verify a specific package and you cannot limit the
authority of a key to a specific set of packages or repositories.

J.
-- 
If I won the lottery I would keep all the money and wallpaper my house
with it.
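The out-of-band check Jochen is asking for, as an added example that is not part of the thread: before a downloaded archive key is imported anywhere, its fingerprint (as reported by GnuPG's machine-readable `--with-colons` listing, where the primary key's fingerprint is field 10 of the first `fpr` record) is compared with a fingerprint obtained from a source the network attacker cannot alter (a key-signing meeting, a Web of Trust path, a printed reference). The colon listing and the fingerprint values below are constructed for this example; `key_file_fpr` assumes GnuPG 2.2 or newer for `--show-keys`.

```shell
#!/bin/sh
# Added example, not code from the thread. Verify a repository signing key's
# fingerprint against a value learned out of band before it is imported.

# Constructed sample of `gpg --with-colons --show-keys key.asc` output for a
# hypothetical archive key; the fingerprints here are made up.
SAMPLE_COLONS='pub:-:4096:1:0123456789ABCDEF:1377000000:::-:::scESC::::::23::0:
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F9001234567:
uid:-::::1377000000::0000000000000000000000000000000000000000::Example Archive Signing Key <archive@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1377000000::::::s::::::23:
fpr:::::::::0011223344556677889900AABBCCDDEEFF001122:'

# Normalise a fingerprint as people write it: strip spaces and a 0x prefix,
# upper-case the hex digits.
norm_fpr() {
    printf '%s\n' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr '[:lower:]' '[:upper:]'
}

# Print the primary key's fingerprint from colon-format output on stdin.
# The first "fpr" record belongs to the primary key; later ones are subkeys.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fingerprint of a key file on disk, via GnuPG (--show-keys needs gpg >= 2.2).
key_file_fpr() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null | primary_fpr
}

# Succeed only when the listing's primary fingerprint equals the expected one.
# $1: colon-format key listing   $2: fingerprint obtained out of band
check_fpr() {
    actual=$(printf '%s\n' "$1" | primary_fpr)
    expected=$(norm_fpr "$2")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Demo on the constructed listing. The listing only says what the key file
# claims about itself; the second argument is what makes the check meaningful.
if check_fpr "$SAMPLE_COLONS" 'A1B2 C3D4 E5F6 0718 293A  4B5C 6D7E 8F90 0123 4567'; then
    echo "fingerprint matches: safe to import into a dedicated keyring"
else
    echo "fingerprint mismatch: do NOT import this key" >&2
fi
```

For a real key file, `check_fpr "$(gpg --batch --with-colons --show-keys key.asc)" "<fingerprint from out of band>"` does the same comparison; a key whose fingerprint you only know from the same web page or keyserver the attacker could have fed you has not been verified at all, which is Jochen's point.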


Re: trusting repository keys (was: deb-multimedia repository)

2013-08-21 Thread Ralf Mardorf
On Wed, 2013-08-21 at 16:53 +0200, Jochen Spieker wrote:
> Ralf Mardorf:
> No. Just because a keyserver happens to serve some key does not
> mean the key is valid.

But if I upload a key it would neither have the same fingerprint nor
fit the packages. So I must upload a key and then hack the package to
do something evil. Sure, if the multimedia guys do something evil, then
no key will add security. The key only should ensure that the package is
a package from multimedia.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1377111884.709.16.camel@archlinux



trusting repository keys (was: deb-multimedia repository)

2013-08-21 Thread Jochen Spieker
Ralf Mardorf:
> On Wed, 2013-08-21 at 13:38 +0200, Jochen Spieker wrote:
>> Essentially, you have a chicken and egg problem.
> 
> Wrong!

No. Your advice is dangerous.

> Keys usually are available by a keyserver you could trust,

No. Just because a keyserver happens to serve some key does not
mean the key is valid. I can upload a key for presid...@whitehouse.gov
anytime I want. (And apparently, 25 other people already had that bright
idea.)

The best way to overcome this situation is to have a PGP key of your own
which is tightly integrated into the Web of Trust. You can use that to
find a chain between your key and the repository's key. Here is the
chain from my (old) key to Christian Marillat's, which makes me fairly
certain that his key is valid:
http://webware.lysator.liu.se/jc/wotsap/wots/latest/paths/0xD58ADB39-0x1F41B907.png

Lacking such a key, you can still try to find references to the key used
to sign the repository on the web:


This is not cryptographically safe, but still better than blindly
accepting the keys from a keyring package. See also here:


I already wrote that some time ago somewhere else: if you add a key to
apt's keyring, you are essentially giving the owner of that key root
access to your system. You cannot even limit a key in apt's keyring to a
specific repository or to specific packages.

Imagine this: You have deb-multimedia.org in your sources.list and have
the corresponding key in your keyring. If Christian Marillat decides to
upload a malicious openssh-server:999:6.0p1-4 to his repository, apt-get
and aptitude will install it on your system without warning. If apt
already downloaded the package for you with its cron job, you won't even
notice that the package does not come from Debian proper.

J.
-- 
When standing at the top of Beachy Head I find the rocks below very
attractive.
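The openssh-server scenario above (a third-party key in the global keyring lets that repository replace any Debian package) can be contained with two apt mechanisms that postdate this 2013 thread: the `signed-by=` source option (apt 1.1 and later), which restricts a keyring to one source instead of the global `trusted.gpg`, and an apt_preferences pin that keeps the third-party archive below the priority 500 a regular archive gets, so a package present in both archives resolves to Debian's version even when the third party ships a higher version number. This is an added example, not code or advice from the thread; the hostname, suite, keyring path and file names are placeholders, and the keyring is assumed to hold only a key whose fingerprint was verified out of band.

```shell
#!/bin/sh
# Added example, not from the thread: scope a third-party repository's key to
# that repository and pin the repository below Debian's own archive.

# Render a sources.list line whose key is limited to this one source.
# $1 keyring path   $2 base URL   $3 suite   $4 components
render_source() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Render an apt_preferences stanza for every package served from the given
# origin host. With a priority between 100 and 499, apt installs such a
# version only if no other archive offers the package and the installed
# version is not newer, so Debian's 500-priority version always wins a clash.
# $1 origin host (the site name in the repository URL)   $2 priority
render_pin() {
    printf 'Package: *\nPin: origin "%s"\nPin-Priority: %s\n' "$1" "$2"
}

# Write both files (needs root). The keyring at /etc/apt/keyrings/<name>.gpg
# must already exist and contain only the verified key.
# $1 short name   $2 host   $3 suite   $4 components
install_scoped_repo() {
    name=$1; host=$2; suite=$3; comps=$4
    keyring=/etc/apt/keyrings/$name.gpg
    render_source "$keyring" "https://$host/" "$suite" "$comps" > "/etc/apt/sources.list.d/$name.list"
    render_pin "$host" 100 > "/etc/apt/preferences.d/$name"
}

# Demo: show what would be written for a placeholder repository.
render_source /etc/apt/keyrings/thirdparty.gpg https://repo.example.invalid/ stable main
echo
render_pin repo.example.invalid 100
```

After `apt-get update`, `apt-cache policy openssh-server` shows each candidate version with its priority and origin, which is the visibility the thread says apt lacks by default: a package that is only wanted from the third party is still installable by name, but nothing from that archive silently replaces a package Debian provides.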