[pacman-dev] [PATCH] pacman-key: Do not reinterpret keys from revoked keyrings
Given a revoked keyring containing only:

  BC1FBE4D2826A0B51E47ED62E2539214C6C11350

We should only disable this specific keyid. This change enforces that the contents of the -revoked keyring file are full fingerprints which can uniquely identify a key.

Before:

# pacman-key --populate archlinux
==> Appending keys from archlinux.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
  -> Locally signing key 684148BB25B49E986A4944C55184252D824B18E8...
  -> Locally signing key 44D4A033AC140143927397D47EFD567D4C7EA887...
  -> Locally signing key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
  -> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
==> Importing owner trust values...
==> Disabling revoked keys in keyring...
  -> Disabling key 1390420191...
  -> Disabling key E2539214C6C11350...
  -> Disabling key 8544EA82113502DE...
==> Updating trust database...
gpg: next trustdb check due at 2014-01-22

After:

# pacman-key --populate archlinux
==> Appending keys from archlinux.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
  -> Locally signing key 684148BB25B49E986A4944C55184252D824B18E8...
  -> Locally signing key 44D4A033AC140143927397D47EFD567D4C7EA887...
  -> Locally signing key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
  -> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
==> Importing owner trust values...
==> Disabling revoked keys in keyring...
  -> Disabling key BC1FBE4D2826A0B51E47ED62E2539214C6C11350...
==> Updating trust database...
gpg: next trustdb check due at 2014-01-22

Partially addresses FS#35478. This does nothing to confirm whether or not the key was successfully disabled -- a ridiculously simple request which appears to be far too difficult for gpg to manage.

Signed-off-by: Dave Reisner <dreisner@archlinux.org>
---
Seriously, wtf gpg. The only indication that the key was successfully disabled appears to come from the output that we dump to /dev/null:

gpg: WARNING: unsafe permissions on homedir `/etc/pacman.d/gnupg'
pub   2048R/C6C11350  created: 2012-11-30  expires: never       usage: SC
                      trust: unknown       validity: marginal
*** This key has been disabled
sub   2048R/113502DE  created: 2012-11-30  expires: never       usage: E
[marginal] (1). Federico Cinelli <cinelli.federico@gmail.com>

You can try to use the key as a recipient for an encrypted message, but this seems to only fail with INV_RECP, e.g.:

$ gpg --homedir /etc/pacman.d/gnupg --batch -aer BC1FBE4D2826A0B51E47ED62E2539214C6C11350 --status-fd=1 <<<'' 2>/dev/null
[GNUPG:] INV_RECP 0 BC1FBE4D2826A0B51E47ED62E2539214C6C11350

BUT... INV_RECP doesn't say anything about the reason the recipient is invalid. It might be invalid because it's disabled, and it might be invalid because it can't be found. So... blah. Suggestions welcome.

Also, just a point of clarification -- I assume that we disable keys rather than revoke signatures out of concern that the key could be trustworthy based on signatures other than those of the master key owners?

 scripts/pacman-key.sh.in | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 92875ef..30fba10 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -310,19 +310,12 @@ populate_keyring() { done fi - # Read the revoked key IDs to an array. The conversion from whatever is - # inside the file to key ids is important, because key ids are the only - # guarantee of identification for the keys. local -A revoked_ids for keyring in "${KEYRINGIDS[@]}"; do - if [[ -s "${KEYRING_IMPORT_DIR}/${keyring}-revoked" ]]; then - mapfile -t keys < "${KEYRING_IMPORT_DIR}/${keyring}-revoked" - while IFS=: read _ _ _ _ key_id _; do - if [[ -n $key_id ]]; then - # Mark this key to be disabled - revoked_ids[$key_id]="${keyring}" - fi - done < <("${GPG_PACMAN[@]}" --quiet --with-colons --list-keys "${keys[@]}" 2>/dev/null) + if [[ -s $KEYRING_IMPORT_DIR/$keyring-revoked ]]; then + while read -r key_id; do + revoked_ids["$key_id"]=1 + done <"$KEYRING_IMPORT_DIR/$keyring-revoked" fi done -- 1.8.3
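Review bot: the new `while read -r key_id` loop drops the `[[ -n $key_id ]]` guard that the removed code had, so a blank or trailing empty line in `<keyring>-revoked` (which still passes the `-s` test) makes `revoked_ids["$key_id"]=1` fail with a bad array subscript, and a short key id or a stray comment line is stored and handed on unchanged even though the commit message says the file must now contain full fingerprints. Suggest `[[ $key_id =~ ^[[:xdigit:]]{40}$ ]] || continue` (or an error with the offending line) before the assignment, and a comment in place of the removed one that states the new file contract, since nothing left in the hunk documents it.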
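Added example, not part of Dave's patch or of pacman-key: a POSIX shell check that answers the "was it actually disabled" question above by reading gpg's `--with-colons` listing instead of the human-readable output dumped to /dev/null, and that also validates that each `-revoked` entry is a full fingerprint. The colon-format fields it relies on (validity `d` in field 2, `D` in the capability field 12, fingerprint in field 10 of the `fpr` record) are gpg's documented machine-readable format; the sample listing embedded at the bottom is constructed, not real gpg output.

```shell
#!/bin/sh
# Added example (not pacman-key code): after 'pacman-key --populate', confirm that
# every fingerprint in a <keyring>-revoked file is disabled, judging by
#   gpg --homedir /etc/pacman.d/gnupg --with-colons --list-keys
# which marks a disabled primary key with validity 'd' (field 2, GnuPG 1.4/2.0)
# or a 'D' in the capability field (field 12, GnuPG 2.1+).

# 0 if $1 is a full 160-bit fingerprint (40 hex digits), else 1.
is_full_fingerprint() {
    printf '%s\n' "$1" | grep -Eqx '[0-9A-Fa-f]{40}'
}

# -revoked file on stdin: print valid fingerprints upper-cased, skip blank lines
# and '#' comments, return 1 if anything else (e.g. a short key id) is present.
read_revoked_file() {
    rrc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/#.*//; s/[[:space:]]//g')
        [ -z "$line" ] && continue
        if is_full_fingerprint "$line"; then
            printf '%s\n' "$line" | tr 'a-f' 'A-F'
        else
            printf 'invalid -revoked entry: %s\n' "$line" >&2; rrc=1
        fi
    done
    return $rrc
}

# --with-colons listing on stdin: print the fingerprint (field 10 of the 'fpr'
# record that follows 'pub') of every primary key gpg reports as disabled.
disabled_fingerprints() {
    awk -F: '$1 == "pub" { d = ($2 == "d" || index($12, "D") > 0); next }
             $1 == "fpr" && d { print $10; d = 0 }'
}

# $1 = -revoked file, listing on stdin: 0 only if every listed key is disabled.
verify_revoked_disabled() {
    disabled_list=$(disabled_fingerprints); vrc=0
    for fpr in $(read_revoked_file <"$1"); do
        printf '%s\n' "$disabled_list" | grep -Fqx "$fpr" && continue
        printf 'key %s is NOT disabled\n' "$fpr" >&2; vrc=1
    done
    return $vrc
}

# Constructed listing (not real gpg output): C6C11350 disabled, 6AC6A4C2 not.
SAMPLE_LISTING='pub:d:2048:1:E2539214C6C11350:1354233600::::::scSC::::::
fpr:::::::::BC1FBE4D2826A0B51E47ED62E2539214C6C11350:
pub:f:2048:1:3348882F6AC6A4C2:1354233600::::::scESC::::::
fpr:::::::::0E8B644079F599DFC1DDC3973348882F6AC6A4C2:'
```

Against a live keyring, pipe `gpg --homedir /etc/pacman.d/gnupg --with-colons --list-keys` into `verify_revoked_disabled /usr/share/pacman/keyrings/archlinux-revoked` (path assumed) and check the exit status.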
On 04/06/13 04:13, Dave Reisner wrote:
Given a revoked keyring containing only:
BC1FBE4D2826A0B51E47ED62E2539214C6C11350
We should only disable this specific keyid. This change enforces that the contents of the -revoked keyring file are full fingerprints which can uniquely identify a key.
Before:
# pacman-key --populate archlinux
==> Appending keys from archlinux.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
  -> Locally signing key 684148BB25B49E986A4944C55184252D824B18E8...
  -> Locally signing key 44D4A033AC140143927397D47EFD567D4C7EA887...
  -> Locally signing key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
  -> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
==> Importing owner trust values...
==> Disabling revoked keys in keyring...
  -> Disabling key 1390420191...
  -> Disabling key E2539214C6C11350...
  -> Disabling key 8544EA82113502DE...
==> Updating trust database...
gpg: next trustdb check due at 2014-01-22
After:
# pacman-key --populate archlinux
==> Appending keys from archlinux.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
  -> Locally signing key 684148BB25B49E986A4944C55184252D824B18E8...
  -> Locally signing key 44D4A033AC140143927397D47EFD567D4C7EA887...
  -> Locally signing key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
  -> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
==> Importing owner trust values...
==> Disabling revoked keys in keyring...
  -> Disabling key BC1FBE4D2826A0B51E47ED62E2539214C6C11350...
==> Updating trust database...
gpg: next trustdb check due at 2014-01-22
Partially addresses FS#35478. This does nothing to confirm whether or not the key was successfully disabled -- a ridiculously simple request which appears to be far too difficult for gpg to manage.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Me -> maint
---
Seriously, wtf gpg. The only indication that the key was successfully disabled appears to come from the output that we dump to /dev/null:
gpg: WARNING: unsafe permissions on homedir `/etc/pacman.d/gnupg'
pub   2048R/C6C11350  created: 2012-11-30  expires: never       usage: SC
                      trust: unknown       validity: marginal
*** This key has been disabled
sub   2048R/113502DE  created: 2012-11-30  expires: never       usage: E
[marginal] (1). Federico Cinelli <cinelli.federico@gmail.com>
You can try to use the key as a recipient for an encrypted message, but this seems to only fail with INV_RECP, e.g.:
$ gpg --homedir /etc/pacman.d/gnupg --batch -aer BC1FBE4D2826A0B51E47ED62E2539214C6C11350 --status-fd=1 <<<'' 2>/dev/null
[GNUPG:] INV_RECP 0 BC1FBE4D2826A0B51E47ED62E2539214C6C11350
BUT... INV_RECP doesn't say anything about the reason the recipient is invalid. It might be invalid because it's disabled, and it might be invalid because it can't be found. So... blah. Suggestions welcome.
Also, just a point of clarification -- I assume that we disable keys rather than revoke signatures out of concern that the key could be trustworthy based on signatures other than those of the master key owners?
Partly. Also it is often quicker for a distro to release an updated keyring with a key disabled than it is to get the required master key holders to revoke it.
scripts/pacman-key.sh.in | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 92875ef..30fba10 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -310,19 +310,12 @@ populate_keyring() { done fi
- # Read the revoked key IDs to an array. The conversion from whatever is - # inside the file to key ids is important, because key ids are the only - # guarantee of identification for the keys. local -A revoked_ids for keyring in "${KEYRINGIDS[@]}"; do - if [[ -s "${KEYRING_IMPORT_DIR}/${keyring}-revoked" ]]; then - mapfile -t keys < "${KEYRING_IMPORT_DIR}/${keyring}-revoked" - while IFS=: read _ _ _ _ key_id _; do - if [[ -n $key_id ]]; then - # Mark this key to be disabled - revoked_ids[$key_id]="${keyring}" - fi - done < <("${GPG_PACMAN[@]}" --quiet --with-colons --list-keys "${keys[@]}" 2>/dev/null) + if [[ -s $KEYRING_IMPORT_DIR/$keyring-revoked ]]; then + while read -r key_id; do + revoked_ids["$key_id"]=1 + done <"$KEYRING_IMPORT_DIR/$keyring-revoked" fi done
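Review bot: the stored value changes from the originating keyring name (`revoked_ids[$key_id]="${keyring}"`) to the constant `1`; if any later code in populate_keyring reports which keyring a disabled key came from, that is lost, so either keep `"${keyring}"` as the value or state in the commit message that nothing reads it. The commit message should also say plainly that this is a user-visible format change: the hunk no longer normalises file contents through `--list-keys`, so a keyring package whose `-revoked` file still lists short key ids will stop having them resolved and must ship full fingerprints.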