[pacman-dev] New way to download signing keys prone to MITM attacks?
Daniel Micay
danielmicay at gmail.com
Mon Feb 9 22:36:39 UTC 2015
On 09/02/15 05:31 PM, Manuel Reimer wrote:
> On 02/09/2015 11:23 PM, Daniel Micay wrote:
>> Pacman uses a web of trust model. There are 5 trusted master keys and
>> other keys are only trusted if either 3 master keys have signed them or
>> the user has explicitly marked them as trusted. Never trust any keys
>> yourself and you will have no issues. There is no MITM attack vector.
>
> Today, I had the following situation:
>
> :: Synchronizing package databases...
> core is up to date
> extra is up to date
> community is up to date
> :: Starting full system upgrade...
> resolving dependencies...
> looking for conflicting packages...
>
> Packages (11) binutils-2.25-2 gcc-4.9.2-3 gcc-libs-4.9.2-3
> glibc-2.21-1 inkscape-0.91-3 libiodbc-3.52.9-2
> linux-api-headers-3.18.5-1 linux-firmware-20150206.17657c3-1
> net-snmp-5.7.3-1 patch-2.7.4-1 virtualbox-4.3.20-5
>
> Total Installed Size: 431.48 MiB
> Net Upgrade Size: 5.52 MiB
>
> :: Proceed with installation? [Y/n] y
> checking keyring...
> downloading required keys...
> :: Import PGP key 2048R/02FD1C7A934E614545849F19A6234074498E9CEE,
> "Christian Hesse (Arch Linux Package Signing) <arch at eworm.de>", created:
> 2011-08-12? [Y/n] n
> error: required key missing from keyring
> error: failed to commit transaction (unexpected error)
> Errors occurred, no packages were upgraded.
>
>
>
> No "keyring package" update pending but pacman still asks me to
> import/trust a key? I guess something is going wrong here?
>
> I had the exactly same output on a second computer running Arch Linux.
It's not asking you to trust a key. It's asking you to import one.
See what I wrote about the web of trust model. There is no MITM attack
vector.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20150209/f3411ae2/attachment.asc>
More information about the pacman-dev
mailing list