[pacman-dev] New way to download signing keys prone to MITM attacks?
Hello,
today, I was asked for the first time whether I want to download a signing key. So far this was done using a "keyring" package, which, itself, was signed using a trusted key.
How do you prevent MITM attacks? For me this seems like anyone who can perform a MITM attack can trick me into installing virtually any package as long as he signs it with a key somewhere available on a public keyserver. Of course I would be asked whether I want to import that key, but how do I know if the key is really valid and trusted? My guess is that most users will just say "yes" in this case.
For me this seems to be a big step backwards in terms of security.
Please correct me if I'm wrong.
Thanks in advance.
Manuel
On 09/02/15 05:09 PM, Manuel Reimer wrote:
Hello,
today, I was asked for the first time whether I want to download a signing key. So far this was done using a "keyring" package, which, itself, was signed using a trusted key.
How do you prevent MITM attacks? For me this seems like anyone who can perform a MITM attack can trick me into installing virtually any package as long as he signs it with a key somewhere available on a public keyserver. Of course I would be asked whether I want to import that key, but how do I know if the key is really valid and trusted? My guess is that most users will just say "yes" in this case.
For me this seems to be a big step backwards in terms of security.
Please correct me if I'm wrong.
Thanks in advance.
Manuel
Pacman uses a web of trust model. There are 5 trusted master keys and other keys are only trusted if either 3 master keys have signed them or the user has explicitly marked them as trusted. Never trust any keys yourself and you will have no issues. There is no MITM attack vector. You could also just update the keyring before the other packages and you won't ever end up seeing packages signed by a key that you don't have yet in practice. Signatures for sources in PKGBUILDs now force the PKGBUILD to contain an array of the valid key fingerprints, so there's no need for manual verification there either beyond the initial addition of the keys to the source package. If you want to add *third party* binary repositories in addition to the official ones, then obtaining that third party's key securely is your problem, as is placing your trust in them.
On 02/09/2015 11:23 PM, Daniel Micay wrote:
Pacman uses a web of trust model. There are 5 trusted master keys and other keys are only trusted if either 3 master keys have signed them or the user has explicitly marked them as trusted. Never trust any keys yourself and you will have no issues. There is no MITM attack vector.
Today, I had the following situation:

:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (11) binutils-2.25-2  gcc-4.9.2-3  gcc-libs-4.9.2-3  glibc-2.21-1  inkscape-0.91-3  libiodbc-3.52.9-2  linux-api-headers-3.18.5-1  linux-firmware-20150206.17657c3-1  net-snmp-5.7.3-1  patch-2.7.4-1  virtualbox-4.3.20-5

Total Installed Size:  431.48 MiB
Net Upgrade Size:      5.52 MiB

:: Proceed with installation? [Y/n] y
checking keyring...
downloading required keys...
:: Import PGP key 2048R/02FD1C7A934E614545849F19A6234074498E9CEE, "Christian Hesse (Arch Linux Package Signing) <arch@eworm.de>", created: 2011-08-12? [Y/n] n
error: required key missing from keyring
error: failed to commit transaction (unexpected error)
Errors occurred, no packages were upgraded.

No "keyring package" update pending but pacman still asks me to import/trust a key? I guess something is going wrong here?

I had exactly the same output on a second computer running Arch Linux.
On 09/02/15 05:31 PM, Manuel Reimer wrote:
On 02/09/2015 11:23 PM, Daniel Micay wrote:
Pacman uses a web of trust model. There are 5 trusted master keys and other keys are only trusted if either 3 master keys have signed them or the user has explicitly marked them as trusted. Never trust any keys yourself and you will have no issues. There is no MITM attack vector.
Today, I had the following situation:
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...
Packages (11) binutils-2.25-2  gcc-4.9.2-3  gcc-libs-4.9.2-3  glibc-2.21-1  inkscape-0.91-3  libiodbc-3.52.9-2  linux-api-headers-3.18.5-1  linux-firmware-20150206.17657c3-1  net-snmp-5.7.3-1  patch-2.7.4-1  virtualbox-4.3.20-5
Total Installed Size:  431.48 MiB
Net Upgrade Size:      5.52 MiB
:: Proceed with installation? [Y/n] y
checking keyring...
downloading required keys...
:: Import PGP key 2048R/02FD1C7A934E614545849F19A6234074498E9CEE, "Christian Hesse (Arch Linux Package Signing) <arch@eworm.de>", created: 2011-08-12? [Y/n] n
error: required key missing from keyring
error: failed to commit transaction (unexpected error)
Errors occurred, no packages were upgraded.
No "keyring package" update pending but pacman still asks me to import/trust a key? I guess something is going wrong here?
I had exactly the same output on a second computer running Arch Linux.
It's not asking you to trust a key. It's asking you to import one. See what I wrote about the web of trust model. There is no MITM attack vector.
On 09/02/15 05:31 PM, Manuel Reimer wrote:
On 02/09/2015 11:23 PM, Daniel Micay wrote:
Pacman uses a web of trust model. There are 5 trusted master keys and other keys are only trusted if either 3 master keys have signed them or the user has explicitly marked them as trusted. Never trust any keys yourself and you will have no issues. There is no MITM attack vector.
Today, I had the following situation:
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...
Packages (11) binutils-2.25-2  gcc-4.9.2-3  gcc-libs-4.9.2-3  glibc-2.21-1  inkscape-0.91-3  libiodbc-3.52.9-2  linux-api-headers-3.18.5-1  linux-firmware-20150206.17657c3-1  net-snmp-5.7.3-1  patch-2.7.4-1  virtualbox-4.3.20-5
Total Installed Size:  431.48 MiB
Net Upgrade Size:      5.52 MiB
:: Proceed with installation? [Y/n] y
checking keyring...
downloading required keys...
:: Import PGP key 2048R/02FD1C7A934E614545849F19A6234074498E9CEE, "Christian Hesse (Arch Linux Package Signing) <arch@eworm.de>", created: 2011-08-12? [Y/n] n
error: required key missing from keyring
error: failed to commit transaction (unexpected error)
Errors occurred, no packages were upgraded.
No "keyring package" update pending but pacman still asks me to import/trust a key? I guess something is going wrong here?
I had exactly the same output on a second computer running Arch Linux.
It's all covered here: https://wiki.archlinux.org/index.php/Pacman-key#Adding_developer_keys
The official developer and TU keys are signed by the master keys, so you do not need to use pacman-key to sign them yourself. Whenever pacman encounters a key it does not recognize, it will prompt to download it from a keyserver configured in /etc/pacman.d/gnupg/gpg.conf (or by using the --keyserver option on the command line). Wikipedia maintains a list of keyservers.
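Putting Daniel's description of the trust model together with the "Import PGP key ...? [Y/n]" step in Manuel's pacman output and the pacman-key text just above, the following is an added example that models pacman's decision in Python. It is not code from pacman, pacman-key or archlinux-keyring. It follows GnuPG's marginal-trust rule as pacman-key sets it up: the master keys carry marginal ownertrust, so a key is valid once three distinct master keys have certified it, or once the user has locally signed it with the pacman keyring key; any other key, whether or not it was just fetched from a keyserver, stays untrusted. The keyring listing, the master and local key fingerprints, and the helper names (parse_colon_listing, is_valid, check_package_signature, import_from_keyserver, mitm_scenario) are all constructed for this example, and the `gpg --with-colons --list-sigs` layout is reduced to the pub/fpr/uid/sig records the parser reads.

```python
"""Model of the trust check pacman applies to a package-signing key.

Added example; not pacman/pacman-key/archlinux-keyring code. Fingerprints,
listing and helper names are constructed for illustration.
"""
from dataclasses import dataclass, field

MARGINALS_NEEDED = 3  # GnuPG default that pacman-key relies on

# Constructed (fake) fingerprints of the five master keys.
MASTER_FPRS = {
    "1111111111111111111111111111111111111111",
    "2222222222222222222222222222222222222222",
    "3333333333333333333333333333333333333333",
    "4444444444444444444444444444444444444444",
    "5555555555555555555555555555555555555555",
}
# Constructed (fake) fingerprint of the local "Pacman Keyring Master Key",
# the key `pacman-key --lsign-key` signs with.
LOCAL_FPR = "9999999999999999999999999999999999999999"

# Constructed colon-format listing: a developer key certified by three
# masters, an attacker key certified only by itself and two unknown keys,
# and a third-party repo key the user locally signed (sig class '13l').
LISTING = """\
pub:f:2048:1:AAAAAAAAAAAAAAAA:1313107200:::-:::scESC::::::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAA:
uid:f::::1313107200::HASH1::Dev Example (Arch Linux Package Signing) <dev@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1313107200::::Dev Example <dev@example.org>:13x::
sig:::1:1111111111111111:1313107300::::Master One:10x::
sig:::1:2222222222222222:1313107400::::Master Two:10x::
sig:::1:3333333333333333:1313107500::::Master Three:10x::
pub:-:2048:1:CCCCCCCCCCCCCCCC:1420070400:::-:::scESC::::::23::0:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDDCCCCCCCCCCCCCCCC:
uid:-::::1420070400::HASH2::Mallory (Arch Linux Package Signing) <mallory@example.net>::::::::::0:
sig:::1:CCCCCCCCCCCCCCCC:1420070400::::Mallory <mallory@example.net>:13x::
sig:::1:0123456789ABCDEF:1420070500::::Random Keyserver User:10x::
sig:::1:FEDCBA9876543210:1420070600::::Another Random User:10x::
pub:f:4096:1:EEEEEEEEEEEEEEEE:1400000000:::-:::scESC::::::23::0:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFEEEEEEEEEEEEEEEE:
uid:f::::1400000000::HASH3::Third Party Repo <repo@example.com>::::::::::0:
sig:::1:EEEEEEEEEEEEEEEE:1400000000::::Third Party Repo:13x::
sig:::1:9999999999999999:1400000100::::Pacman Keyring Master Key:13l::
"""


@dataclass
class Key:
    fpr: str = ""
    uid: str = ""
    signers: set = field(default_factory=set)  # long key IDs that certified it


def key_id(fpr):
    """Long key ID is the low 64 bits of the fingerprint: last 16 hex digits."""
    return fpr[-16:]


def parse_colon_listing(text):
    """Parse pub/fpr/uid/sig records into {fingerprint: Key}.

    0-based field positions per gpg's DETAILS file: 4 = long key ID,
    9 = user ID (uid) or fingerprint (fpr), 10 = signature class.
    Subkeys and everything attached to them are skipped.
    """
    keys, current = {}, None
    for line in text.splitlines():
        f = line.split(":") + [""] * 11  # pad so short records cannot IndexError
        if f[0] == "pub":
            current = Key()
        elif f[0] == "sub":
            current = None
        elif current is None:
            continue
        elif f[0] == "fpr" and not current.fpr:
            current.fpr = f[9]
            keys[current.fpr] = current
        elif f[0] == "uid" and not current.uid:
            current.uid = f[9]
        elif f[0] == "sig":
            current.signers.add(f[4])
    return keys


def is_valid(key, master_fprs=MASTER_FPRS, local_fpr=LOCAL_FPR):
    """Fully valid: locally signed by the user, or certified by >= 3 masters."""
    if key_id(local_fpr) in key.signers:
        return True  # explicit trust via pacman-key --lsign-key
    master_ids = {key_id(m) for m in master_fprs}
    return len(key.signers & master_ids) >= MARGINALS_NEEDED


def check_package_signature(signer_fpr, keyring, master_fprs=MASTER_FPRS, local_fpr=LOCAL_FPR):
    """'missing' (pacman offers to import, then re-checks), 'untrusted'
    (key present but not valid: signature rejected) or 'trusted'.
    The signature itself is assumed cryptographically correct."""
    key = keyring.get(signer_fpr)
    if key is None:
        return "missing"
    return "trusted" if is_valid(key, master_fprs, local_fpr) else "untrusted"


def import_from_keyserver(keyring, served_listing, fpr):
    """The 'Import PGP key ...? [Y/n] y' step: copy the key from a possibly
    attacker-controlled keyserver listing into the keyring, with no trust."""
    served = parse_colon_listing(served_listing)
    merged = dict(keyring)
    if fpr in served:
        merged[fpr] = served[fpr]
    return merged


def mitm_scenario():
    """Manuel's worry: a MITM serves a package signed by Mallory's key and the
    user answers 'y' to the import prompt. Returns (before import, after
    import, decision for the legitimately certified developer key)."""
    dev = "BBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAA"
    mallory = "DDDDDDDDDDDDDDDDDDDDDDDDCCCCCCCCCCCCCCCC"
    keyring = {k: v for k, v in parse_colon_listing(LISTING).items() if k != mallory}
    before = check_package_signature(mallory, keyring)
    keyring = import_from_keyserver(keyring, LISTING, mallory)
    after = check_package_signature(mallory, keyring)
    return before, after, check_package_signature(dev, keyring)


if __name__ == "__main__":
    print(mitm_scenario())  # ('missing', 'untrusted', 'trusted')
```

Running it gives ('missing', 'untrusted', 'trusted'): with Mallory's key absent pacman can only prompt for an import, importing it moves the decision to untrusted rather than trusted because no master key certified it, and the developer key with three master certifications is accepted. Importing is therefore not the same as trusting, which is the distinction Daniel draws; the only way Mallory's key becomes trusted in this model is the user locally signing it, as the third-party repo key shows. On an Arch box, `pacman-key --list-sigs <fingerprint>` shows which master keys actually certified a given packager key.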
participants (2)
- Daniel Micay
- Manuel Reimer