[pacman-dev] New way to download signing keys prone to MITM attacks?

Daniel Micay danielmicay at gmail.com
Mon Feb 9 22:23:13 UTC 2015


On 09/02/15 05:09 PM, Manuel Reimer wrote:
> Hello,
> 
> today, I was asked for the first time whether I want to download a
> signing key. So far this was done using a "keyring" package, which,
> itself, was signed using a trusted key.
> 
> How do you prevent MITM attacks? For me this seems like anyone who can
> perform a MITM attack can trick me into installing virtually any
> package as long as he signs it with a key somewhere available on a
> public keyserver. Of course I would be asked whether I want to import
> that key but how do I know if the key is really valid and trusted? My
> guess is that most users will just say "yes" in this case.
> 
> For me this seems to be a big step backwards in terms of security.
> 
> Please correct me if I'm wrong.
> 
> Thanks in advance.
> 
> Manuel

Pacman uses a web of trust model. There are 5 trusted master keys and
other keys are only trusted if either 3 master keys have signed them or
the user has explicitly marked them as trusted. Never trust any keys
yourself and you will have no issues. There is no MITM attack vector.

You could also just update the keyring before the other packages and you
won't ever end up seeing packages signed by a key that you don't have
yet in practice.

Signatures for sources in PKGBUILDs now force the PKGBUILD to contain an
array of the valid key fingerprints, so there's no need for manual
verification there either beyond the initial addition of the keys to the
source package.

If you want to add *third party* binary repositories in addition to the
official ones, then obtaining that third party's key securely is your
problem, as is placing your trust in them.
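As an added illustration of the trust rule described in this reply (not pacman's own code, which delegates the decision to gpg), here is a small model of the policy: five master keys, a key counts as trusted once three master keys have certified it or the user has marked it trusted locally, and anything else is rejected. The key ids, certifications and the `verify_package` helper are constructed for the example.

```python
# Added example, not pacman's own implementation: a minimal model of the
# web-of-trust rule stated above. All key ids below are constructed placeholders.
from dataclasses import dataclass, field

# The five master keys (placeholder ids, not real fingerprints).
MASTER_KEYS = frozenset({"MASTER1", "MASTER2", "MASTER3", "MASTER4", "MASTER5"})
MASTER_SIGS_REQUIRED = 3


@dataclass
class Keyring:
    # key id -> set of key ids that have certified (signed) it
    certifications: dict = field(default_factory=dict)
    # keys the local user has explicitly marked as trusted
    locally_trusted: set = field(default_factory=set)

    def add_key(self, key_id, signed_by=()):
        self.certifications.setdefault(key_id, set()).update(signed_by)

    def master_signatures(self, key_id):
        return self.certifications.get(key_id, set()) & MASTER_KEYS

    def is_trusted(self, key_id):
        if key_id in MASTER_KEYS or key_id in self.locally_trusted:
            return True
        return len(self.master_signatures(key_id)) >= MASTER_SIGS_REQUIRED


def verify_package(keyring, signer):
    """Accept a package only if its signing key is trusted. A key that is merely
    present (fetched from a keyserver) but lacks master certifications is rejected."""
    if signer not in MASTER_KEYS and signer not in keyring.certifications:
        return "reject: unknown key"
    return "accept" if keyring.is_trusted(signer) else "reject: key not trusted"


def demo():
    kr = Keyring()
    # A packager key certified by three master keys is trusted automatically.
    kr.add_key("PACKAGER", signed_by={"MASTER1", "MASTER2", "MASTER3"})
    # A key obtained from a public keyserver with only one master signature.
    kr.add_key("UNVERIFIED", signed_by={"MASTER1"})
    results = {
        "official": verify_package(kr, "PACKAGER"),
        "unknown": verify_package(kr, "NOBODY"),
        "unverified": verify_package(kr, "UNVERIFIED"),
    }
    # Only an explicit local trust decision by the user changes the outcome.
    kr.locally_trusted.add("UNVERIFIED")
    results["unverified_after_user_trust"] = verify_package(kr, "UNVERIFIED")
    return results
```

Running `demo()` shows that a key served over the network is never accepted on its own; the one path to accepting it is the user's own trust decision, which is the point of the reply.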
