[pacman-dev] New way to download signing keys prone to MITM attacks?

Daniel Micay danielmicay at gmail.com
Mon Feb 9 22:36:39 UTC 2015


On 09/02/15 05:31 PM, Manuel Reimer wrote:
> On 02/09/2015 11:23 PM, Daniel Micay wrote:
>> Pacman uses a web of trust model. There are 5 trusted master keys and
>> other keys are only trusted if either 3 master keys have signed them or
>> the user has explicitly marked them as trusted. Never trust any keys
>> yourself and you will have no issues. There is no MITM attack vector.
> 
> Today, I had the following situation:
> 
> :: Synchronizing package databases...
>  core is up to date
>  extra is up to date
>  community is up to date
> :: Starting full system upgrade...
> resolving dependencies...
> looking for conflicting packages...
> 
> Packages (11) binutils-2.25-2  gcc-4.9.2-3  gcc-libs-4.9.2-3
> glibc-2.21-1  inkscape-0.91-3  libiodbc-3.52.9-2
> linux-api-headers-3.18.5-1  linux-firmware-20150206.17657c3-1
> net-snmp-5.7.3-1  patch-2.7.4-1  virtualbox-4.3.20-5
> 
> Total Installed Size:  431.48 MiB
> Net Upgrade Size:        5.52 MiB
> 
> :: Proceed with installation? [Y/n] y
> checking keyring...
> downloading required keys...
> :: Import PGP key 2048R/02FD1C7A934E614545849F19A6234074498E9CEE,
> "Christian Hesse (Arch Linux Package Signing) <arch at eworm.de>", created:
> 2011-08-12? [Y/n] n
> error: required key missing from keyring
> error: failed to commit transaction (unexpected error)
> Errors occurred, no packages were upgraded.
> 
> 
> 
> No "keyring package" update pending but pacman still asks me to
> import/trust a key? I guess something is going wrong here?
> 
> I had the exactly same output on a second computer running Arch Linux.

It's not asking you to trust a key. It's asking you to import one.

See what I wrote about the web of trust model. There is no MITM attack
vector.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20150209/f3411ae2/attachment.asc>


More information about the pacman-dev mailing list