[arch-general] pacman security when importing new keys?
Hello, today pacman asked me to import a new signature key. So far this was done "automatically" using a keys package, which itself was signed with a trusted key. How is the new mechanism secured? Is the new way of bringing keys to users prone to MITM attacks? Thanks in advance. Manuel
Hi Manuel, thanks for posting this thread. I also wondered about the key from eworm. Sure, he is a trusted user, but accepting keys made me a little bit nervous. Is there a way to verify my pacman keys? Dennis

On 09.02.2015 at 22:00, Manuel Reimer wrote:
> Hello,
> today pacman asked me to import a new signature key. So far this was done "automatically" using a keys package, which itself was signed with a trusted key.
> How is the new mechanism secured? Is the new way of bringing keys to users prone to MITM attacks?
> Thanks in advance.
> Manuel
On Tue, Feb 10, 2015 at 12:59 PM, Dennis Lange <dennis@lumalab.net> wrote:
> Hi Manuel,
> thanks for posting this thread. I also wondered about the key from eworm. Sure, he is a trusted user, but accepting keys made me a little bit nervous. Is there a way to verify my pacman keys?
> Dennis
I guess you can verify fingerprints from the list at https://www.archlinux.org/master-keys/ -- mike c
On 10/02/15 08:15 AM, Mike Cloaked wrote:
> On Tue, Feb 10, 2015 at 12:59 PM, Dennis Lange <dennis@lumalab.net> wrote:
>> Hi Manuel,
>> thanks for posting this thread. I also wondered about the key from eworm. Sure, he is a trusted user, but accepting keys made me a little bit nervous. Is there a way to verify my pacman keys?
>> Dennis
> I guess you can verify fingerprints from the list at
No, you don't have to do anything like that. There is never a need to manually verify the keys of developers and trusted users because they are part of the web of trust model. There are 5 trusted master keys and they are part of the installation from the get-go. A key is trusted if it is signed by at least 3 master keys - you only ever need to mark keys for third-party repositories as trusted.
On 10/02/15 07:59 AM, Dennis Lange wrote:
> Hi Manuel,
> thanks for posting this thread. I also wondered about the key from eworm. Sure, he is a trusted user, but accepting keys made me a little bit nervous. Is there a way to verify my pacman keys?
> Dennis
It already verifies the keys by default... you have to go out of your way to manually mark a key as trusted. Importing a key != marking a key as trusted. It is only trusted if 3+ of the five master keys signed it or if you explicitly mark it with pacman-key.
Ah ok, importing a key != trusted key. Only to get things sorted: why do I need to accept the import of a key manually?

On 10.02.2015 at 14:32, Daniel Micay wrote:
> It already verifies the keys by default... you have to go out of your way to manually mark a key as trusted. Importing a key != marking a key as trusted. It is only trusted if 3+ of the five master keys signed it or if you explicitly mark it with pacman-key.
On 10/02/15 09:33 AM, Dennis Lange wrote:
> Ah ok, importing a key != trusted key. Only to get things sorted: why do I need to accept the import of a key manually?
They're a new Trusted User and a new archlinux-keyring release with their key hasn't been released. The trust comes from the fact that it has been signed by 3+ master keys though - you should not be marking trust yourself unless you actually want to mark some third party packagers as trusted.
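To make the rule Daniel describes concrete, here is an added example; it is not code from this thread, from pacman or from archlinux-keyring. It takes the machine-readable listing that `gpg --homedir /etc/pacman.d/gnupg --with-colons --check-sigs <keyid>` prints for a key in the pacman keyring (the same signatures `pacman-key --list-sigs` shows) and counts how many of the configured master keys have certified it. The master key IDs, the `--check-sigs` field positions relied on (record type, validity, key ID) and the sample listing are all constructed placeholders for the example; the real master key fingerprints belong on https://www.archlinux.org/master-keys/ and in `pacman-key --list-keys`, not in this script.

```python
"""Count master-key certifications on packager keys in a pacman keyring.

Added example for this thread; not pacman's or archlinux-keyring's code.
Input is the colon-separated listing produced by
    gpg --homedir /etc/pacman.d/gnupg --with-colons --check-sigs <keyid>
Only the record types needed here ('pub' and 'sig') are parsed.
"""
import subprocess

PACMAN_GNUPG_HOME = "/etc/pacman.d/gnupg"

# Long key IDs of the master keys. These are CONSTRUCTED PLACEHOLDERS for the
# example, not the real Arch master keys; take the real fingerprints from
# https://www.archlinux.org/master-keys/ (or `pacman-key --list-keys`).
MASTER_KEY_IDS = {
    "1111111111111111",
    "2222222222222222",
    "3333333333333333",
    "4444444444444444",
    "5555555555555555",
}
REQUIRED_MASTER_SIGS = 3  # the "3 of 5" threshold described in the thread


def parse_colon_listing(listing):
    """Map each listed key ID to the set of key IDs that certified it.

    Colon-format fields (1-based, per gpg's doc/DETAILS): 1=record type,
    2=validity ('!' good, '-' bad, '%' error with --check-sigs), 5=key ID
    (on 'sig' records this is the signer's key ID). Self-signatures and
    signatures that failed to verify are ignored.
    """
    certs = {}
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind == "pub":
            current = fields[4]
            certs[current] = set()
        elif kind == "sig" and current is not None:
            validity, signer = fields[1], fields[4]
            if signer != current and validity in ("", "!"):
                certs[current].add(signer)
    return certs


def master_signers(signers):
    """Subset of the certifying keys that are master keys."""
    return signers & MASTER_KEY_IDS


def trusted_by_master_keys(signers):
    return len(master_signers(signers)) >= REQUIRED_MASTER_SIGS


def evaluate_listing(listing):
    """Return {key ID: True/False} applying the master-key threshold."""
    return {kid: trusted_by_master_keys(s)
            for kid, s in parse_colon_listing(listing).items()}


def evaluate_live_key(keyid):
    """Same check against the real pacman keyring (needs gpg and read access)."""
    out = subprocess.run(
        ["gpg", "--homedir", PACMAN_GNUPG_HOME, "--with-colons",
         "--check-sigs", keyid],
        capture_output=True, text=True, check=True,
    ).stdout
    return evaluate_listing(out)


# Constructed sample listing: key AAAA... is certified by three placeholder
# master keys; key BBBB... by one master key, one unrelated key, and one
# master-key signature that did not verify ('-').
SAMPLE_LISTING = """\
pub:f:4096:1:AAAAAAAAAAAAAAAA:1423000000:::-:::scESC::::::23::0:
uid:f::::1423000000::0000000000000000000000000000000000000000::Example Packager <packager@example.org>::::::::::0:
sig:!::1:AAAAAAAAAAAAAAAA:1423000000::::Example Packager <packager@example.org>:13x::::::2:
sig:!::1:1111111111111111:1423000001::::Master One <m1@example.org>:10x::::::2:
sig:!::1:2222222222222222:1423000002::::Master Two <m2@example.org>:10x::::::2:
sig:!::1:3333333333333333:1423000003::::Master Three <m3@example.org>:10x::::::2:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1423000000:::-:::scESC::::::23::0:
uid:-::::1423000000::0000000000000000000000000000000000000000::Other Packager <other@example.org>::::::::::0:
sig:!::1:BBBBBBBBBBBBBBBB:1423000000::::Other Packager <other@example.org>:13x::::::2:
sig:!::1:1111111111111111:1423000001::::Master One <m1@example.org>:10x::::::2:
sig:!::1:9999999999999999:1423000002::::Random Friend <friend@example.org>:10x::::::2:
sig:-::1:2222222222222222:1423000003::::Master Two <m2@example.org>:10x::::::2:
"""

if __name__ == "__main__":
    for kid, ok in evaluate_listing(SAMPLE_LISTING).items():
        print(kid, "trusted via master keys" if ok
              else "NOT enough master-key signatures")
```

Two caveats for anyone who runs this against a live keyring: pacman does not count signatures like this script does, it asks gpg for the key's computed validity (the master keys carry marginal ownertrust, and gpg's default `marginals-needed` of 3 is where the "3 of 5" figure comes from), so gpg's own `--check-sigs` validity column is the authoritative answer and the script only makes the rule visible; and a key that fails this check is not necessarily untrusted, it may simply be a third-party key you chose to sign with `pacman-key --lsign-key`, which is the case Daniel says is the only one where you should mark trust yourself.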
On 10.02.2015 at 21:43, Daniel Micay wrote:
> On 10/02/15 09:33 AM, Dennis Lange wrote:
>> Ah ok, importing a key != trusted key. Only to get things sorted: why do I need to accept the import of a key manually?
> They're a new Trusted User and a new archlinux-keyring release with their key hasn't been released. The trust comes from the fact that it has been signed by 3+ master keys though - you should not be marking trust yourself unless you actually want to mark some third party packagers as trusted.
Thanks for your explanation! Next time I won't have to worry about doing something wrong.
One little observation: I had a network blackout (traveling) just as pacman was asking me to OK the import. pacman exited. When I reconnected and tried again, I did not get a Y/n prompt to import; I just got an error. The only way I found to proceed with any update after that was to change the key server to hkp://pgp.mit.edu:11371 as documented on the website. Then it asked once again to import and all proceeded. Just FYI in case anyone else gets flaky behaviour. It would be interesting to know, for those that said 'n' to the import, whether they got asked a second time or not. Thx. gene
On 02/12/2015 03:46 AM, Genes Lists wrote:
> Just FYI in case anyone else gets flaky behaviour. It would be interesting to know, for those that said 'n' to the import, whether they got asked a second time or not.
Yes, you get asked a second time. Manuel
participants (5): Daniel Micay, Dennis Lange, Genes Lists, Manuel Reimer, Mike Cloaked