[pacman-dev] New way to download signing keys prone to MITM attacks?
Daniel Micay
danielmicay at gmail.com
Mon Feb 9 22:38:49 UTC 2015
On 09/02/15 05:31 PM, Manuel Reimer wrote:
> On 02/09/2015 11:23 PM, Daniel Micay wrote:
>> Pacman uses a web of trust model. There are 5 trusted master keys and
>> other keys are only trusted if either 3 master keys have signed them or
>> the user has explicitly marked them as trusted. Never trust any keys
>> yourself and you will have no issues. There is no MITM attack vector.
>
> Today, I had the following situation:
>
> :: Synchronizing package databases...
> core is up to date
> extra is up to date
> community is up to date
> :: Starting full system upgrade...
> resolving dependencies...
> looking for conflicting packages...
>
> Packages (11) binutils-2.25-2 gcc-4.9.2-3 gcc-libs-4.9.2-3
> glibc-2.21-1 inkscape-0.91-3 libiodbc-3.52.9-2
> linux-api-headers-3.18.5-1 linux-firmware-20150206.17657c3-1
> net-snmp-5.7.3-1 patch-2.7.4-1 virtualbox-4.3.20-5
>
> Total Installed Size: 431.48 MiB
> Net Upgrade Size: 5.52 MiB
>
> :: Proceed with installation? [Y/n] y
> checking keyring...
> downloading required keys...
> :: Import PGP key 2048R/02FD1C7A934E614545849F19A6234074498E9CEE,
> "Christian Hesse (Arch Linux Package Signing) <arch at eworm.de>", created:
> 2011-08-12? [Y/n] n
> error: required key missing from keyring
> error: failed to commit transaction (unexpected error)
> Errors occurred, no packages were upgraded.
>
> No "keyring package" update pending but pacman still asks me to
> import/trust a key? I guess something is going wrong here?
>
> I had exactly the same output on a second computer running Arch Linux.
It's all covered here:
https://wiki.archlinux.org/index.php/Pacman-key#Adding_developer_keys
> The official developer and TU keys are signed by the master keys, so
> you do not need to use pacman-key to sign them yourself. Whenever pacman
> encounters a key it does not recognize, it will prompt to download it
> from a keyserver configured in /etc/pacman.d/gnupg/gpg.conf (or by using
> the --keyserver option on the command line). Wikipedia maintains a list
> of keyservers.
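The trust rule described in this thread (a key is accepted only if it carries signatures from at least 3 of the 5 master keys, or the user has explicitly trusted it), modelled as an added example. This is not pacman's or pacman-key's own code; the master-key fingerprints, key names and the `import_missing_key` flow are constructed stand-ins, and it shows why fetching an unknown key from a keyserver on its own grants it no trust.

```python
"""Model of the key-trust rule discussed above (added example, not pacman code).
All fingerprints, UIDs and the keyserver/keyring dicts are constructed."""
from dataclasses import dataclass, field

# Constructed placeholders standing in for the 5 Arch master-key fingerprints.
MASTER_KEYS = frozenset("MASTER%02d" % i + "0" * 32 for i in range(1, 6))
REQUIRED_MASTER_SIGS = 3  # packager keys need signatures from 3 of the 5 masters


@dataclass
class PGPKey:
    fingerprint: str
    uid: str
    signers: list = field(default_factory=list)  # fingerprints that signed this key
    locally_trusted: bool = False  # user explicitly trusted it (e.g. lsign-key)


def is_trusted(key, masters=MASTER_KEYS, threshold=REQUIRED_MASTER_SIGS):
    """Trusted only if explicitly marked by the user, or certified by enough
    *distinct* master keys. Self-signatures and signatures from non-master
    keys carry no weight, so a key handed out by a rogue keyserver is useless
    unless the attacker also holds 3 master keys."""
    if key.locally_trusted:
        return True
    master_sigs = {s for s in key.signers if s in masters and s != key.fingerprint}
    return len(master_sigs) >= threshold


def import_missing_key(keyring, keyserver, fingerprint):
    """Model of the 'downloading required keys' step: if the key is absent,
    fetch it by fingerprint, then report whether it is trusted. The download
    itself never grants trust; only master signatures or the user do."""
    if fingerprint not in keyring:
        fetched = keyserver.get(fingerprint)
        if fetched is None or fetched.fingerprint != fingerprint:
            return False  # nothing usable came back from the keyserver
        keyring[fingerprint] = fetched
    return is_trusted(keyring[fingerprint])


# --- constructed scenario ---------------------------------------------------
ms = sorted(MASTER_KEYS)
GENUINE = PGPKey("A" * 40, "Packager <dev@example.org>", signers=[ms[0], ms[1], ms[2]])
# Same UID, but a different key served by an attacker-controlled keyserver;
# it only carries its own signature, an unknown key's, and one master's (thrice).
FORGED = PGPKey("B" * 40, "Packager <dev@example.org>",
                signers=["B" * 40, "C" * 40, ms[0], ms[0], ms[0]])

if __name__ == "__main__":
    print("genuine key trusted:", is_trusted(GENUINE))  # True
    print("forged key trusted: ", is_trusted(FORGED))   # False
```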