Image signing key needs to be refreshed on keyservers #1114
Comments
I've pushed the key.
Convenient maybe, but how is a keyserver more secure than curl?
The big difference with the keyserver approach is that you're fetching the key by ID rather than by URL. Although anyone can upload any public key file to the keyservers, they won't be able to upload one with the same ID unless they have the private key. An attacker could create a new private key, sign images with it and overwrite the key file on the web site. A script or a user that downloads the file from the web page would then see the malicious images as verified. However, if the script fetches the key by ID, it will get the original key and the malicious images would not be verified. Conceptually, with a keyserver the key is still being fetched by URL but the key's ID is part of the URL, and the keyserver is ensuring that the ID and the URL match. It would be possible to gain that security with When the key ID is embedded into a script, it's a form of pre-stored verification just like downloading and importing the key file ahead of time would be. However, it's more future-proof than embedding the entire key into the script because it allows for new subkeys to be added without changing the script. (It's also a lot more readable.)
Thanks for pushing the key!
Closing as pushed
Description
The signing key E25D9AED0593B34A was recently updated to include a new subkey (E9426D8B67E35DF476BD048185F7C8868837E271) since the old one expires soon. Images are now being signed with the new subkey. The copy of the key published on the website includes the new subkey but the one available through keyservers (eg keyserver.ubuntu.com) does not.
Impact
Being able to download the key from keyservers in scripts (eg the one described in #21) is more secure and more convenient than fetching it from the web site using curl. In fact, fetching a key using curl and then using it to verify an image is no more secure than not verifying the image at all. The only time it makes sense to download with curl is when the key is imported onto a long-lived system (eg a developer machine) and used for multiple future verifications.
Environment and steps to reproduce
gpg --keyserver keyserver.ubuntu.com --recv-key E25D9AED0593B34A
gpg -v --with-subkey-fingerprint --list-keys E25D9AED0593B34A |& grep E9426D8B67E35DF476BD048185F7C8868837E271
Expected behavior
E9426D8B67E35DF476BD048185F7C8868837E271 is output
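The Impact section and the keyserver-versus-curl comment above both make the same point: a key that is fetched and then trusted in one step verifies nothing, whereas pinning the key's identity in the script means the transport (keyserver or web site) only has to deliver the key, not vouch for it. The script below is an added example written for this page; it is not code from the issue, from the project or from any of the commenters. It pins the signing subkey fingerprint quoted in the issue and, because the issue gives only the primary key's short ID E25D9AED0593B34A, uses an obviously fake placeholder for the primary key's full 40-digit fingerprint, which must be replaced with the real value. The helpers parse gpg's machine-readable --with-colons listing and --status-fd output, so the checks can be exercised on constructed input without a keyring; verify_image wires them together and needs a working gpg and network access.

```shell
#!/bin/sh
# Added example (not from the issue thread): verify an image signature while
# pinning the signing key by full fingerprint, so that the channel the key
# arrives over (keyserver, web site, curl) no longer has to be trusted.

# PLACEHOLDER: the issue only gives the short key ID E25D9AED0593B34A. A real
# fingerprint is 40 hex digits whose last 16 are the key ID; replace this value
# with the genuine primary fingerprint before use.
TRUSTED_PRIMARY_FPR="000000000000000000000000E25D9AED0593B34A"
# Signing subkey fingerprint quoted in the issue (images are signed with it).
TRUSTED_SUBKEY_FPR="E9426D8B67E35DF476BD048185F7C8868837E271"
KEYSERVER="keyserver.ubuntu.com"

# Return 0 if the --with-colons listing in $1 contains an 'fpr' record whose
# 10th field equals the fingerprint in $2 (case-insensitive), else 1.
listing_has_fpr() {
  printf '%s\n' "$1" | awk -F: -v want="$2" '
    $1 == "fpr" && toupper($10) == toupper(want) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Return 0 if the --status-fd output in $1 contains a VALIDSIG record made by
# the signing key $2 or whose primary key is $3, else 1. VALIDSIG carries the
# signer fingerprint in field 3 and the primary fingerprint as the last field.
status_has_validsig() {
  printf '%s\n' "$1" | awk -v signer="$2" -v primary="$3" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
      (toupper($3) == toupper(signer) || toupper($NF) == toupper(primary)) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# verify_image IMAGE SIGNATURE: fetch by full fingerprint, re-check the
# fingerprints locally, then require that the signature came from the pinned key.
verify_image() {
  image=$1
  sig=$2
  # Fetching by full fingerprint: a keyserver entry whose fingerprint does not
  # match cannot be substituted by someone who lacks the private key.
  gpg --keyserver "$KEYSERVER" --recv-keys "$TRUSTED_PRIMARY_FPR" >/dev/null 2>&1 || return 1
  listing=$(gpg --with-colons --with-subkey-fingerprint --list-keys "$TRUSTED_PRIMARY_FPR" 2>/dev/null) || return 1
  # Do not rely on the keyserver or gpg's own matching: compare the imported
  # key's fingerprints against the values pinned in this script.
  listing_has_fpr "$listing" "$TRUSTED_PRIMARY_FPR" || { echo "primary key fingerprint mismatch" >&2; return 1; }
  listing_has_fpr "$listing" "$TRUSTED_SUBKEY_FPR" || { echo "expected signing subkey missing" >&2; return 1; }
  # A GOODSIG from some other imported key is not enough; tie the signature to
  # the pinned fingerprints via the VALIDSIG status record.
  status=$(gpg --status-fd 1 --verify "$sig" "$image" 2>/dev/null) || return 1
  status_has_validsig "$status" "$TRUSTED_SUBKEY_FPR" "$TRUSTED_PRIMARY_FPR" || { echo "signature not made by the pinned key" >&2; return 1; }
  echo "verified: $image"
}
```

Run it as `verify_image image.img image.img.sig` after sourcing the file. Because the subkey fingerprint is pinned separately from the primary, a future rotation to yet another subkey shows up as a hard failure at the "expected signing subkey missing" check rather than silently passing, which is the trade-off between the comment's "embed the key ID" approach (survives new subkeys) and pinning the exact signing subkey (detects an unexpected one).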