MantisBT - Site
View Issue Details
Issue ID: 0003602
Project: Site
Category: [All Projects] Documentation
View Status: public
Date Submitted: 2019-02-07 13:50
Last Update: 2019-02-11 14:37
Reporter: WubTheCaptain
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
0003602: debian.drdteam.org doesn't publish the key fingerprint to packages
Quote from apt-key(8)
It is critical that keys added manually via apt-key are verified to belong to the owner of the repositories they claim to be for otherwise the apt-secure(8) infrastructure is completely undermined.
apt-secure(8) instructs to:

Quote from apt-secure(8)
Publish the key fingerprint, so that your users will know what key they need to import in order to authenticate the files in the archive. It is best to ship your key in its own keyring package like Debian does with debian-archive-keyring to be able to distribute updates and key transitions automatically later.
Visit 'http://debian.drdteam.org/' and see there's no fingerprint on that instruction page, only the key. (HTTPS scheme is available.)
No tags attached.
Issue History
2019-02-07 13:50  WubTheCaptain  New Issue
2019-02-07 13:53  WubTheCaptain  Note Added: 0020340
2019-02-07 13:56  WubTheCaptain  Note Added: 0020341
2019-02-07 14:05  WubTheCaptain  Note Edited: 0020340
2019-02-10 07:54  Blzut3  Note Added: 0020358
2019-02-11 14:37  WubTheCaptain  Note Added: 0020362

Notes
(0020340)
WubTheCaptain   
2019-02-07 13:53   
(edited on: 2019-02-07 14:05)
We don't have information anywhere else either, such as in Doomseeker's README instructions. I'd like to add it there.

Right now there's OpenPGP chain of trust, but that key I downloaded from debian.drdteam.org is also not signed by other parties (such as me, Zalewa or Pol M).

$ gpg --fingerprint 0x392203ABAF88540B
pub   rsa2048/0x392203ABAF88540B 2012-05-08 [SC]
      Key fingerprint = 0D8F 900A B77B B504 F2C6  9E7A 3922 03AB AF88 540B
uid                   [ unknown] Braden Obrzut <admin@maniacsvault.net>
sub   rsa2048/0x5A3EE478F1967822 2012-05-08 [E]
      Key fingerprint = 08BF 77FB DD76 1544 E87B  6430 5A3E E478 F196 7822
I refreshed from the 'hkps://hkps.pool.sks-keyservers.net' keyserver too, no change.

(0020341)
WubTheCaptain   
2019-02-07 13:56   
Also, no verification happens that the downloaded key matches the "trusted" key. See related issue 0003601.
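The check the report and note 0020341 ask for, pinning the published fingerprint and refusing a downloaded key that does not match it, as an added example. This is not code from the bug report or from the drdteam/Zandronum project. It assumes the key is fetched as a binary OpenPGP public-key export (what `gpg --export` writes) and that the fingerprint was published out of band, as apt-secure(8) recommends. The sample key block it builds is constructed inline and is not a real key; the only real fingerprint used is the one gpg printed in note 0020340, for the normalisation helper.

```python
"""Verify a downloaded apt signing key against a pinned OpenPGP fingerprint.

Added example, not from the bug report or the drdteam/Zandronum project.
Assumes a binary OpenPGP public-key export and an out-of-band fingerprint.
The sample key block below is constructed here and is not a real key.
"""
import hashlib
import struct


def normalize_fingerprint(fpr: str) -> str:
    """Canonicalise a human-written fingerprint: drop spaces and an optional
    0x prefix, upper-case, and require exactly 40 hex digits (160 bits)."""
    s = fpr.strip().replace(" ", "").upper()
    if s.startswith("0X"):
        s = s[2:]
    if len(s) != 40 or not all(c in "0123456789ABCDEF" for c in s):
        raise ValueError("not a 160-bit hex fingerprint: %r" % fpr)
    return s


def long_key_id(fpr: str) -> str:
    """The 64-bit key ID gpg shows is the low 8 bytes of the v4 fingerprint."""
    return "0x" + normalize_fingerprint(fpr)[-16:]


def _read_packet(data: bytes, pos: int):
    """Parse one OpenPGP packet header (RFC 4880 sect. 4.2) at `pos`.
    Returns (tag, body_start, body_end)."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("invalid packet tag byte at offset %d" % pos)
    if ctb & 0x40:  # new-format header
        tag = ctb & 0x3F
        first = data[pos + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
        elif first == 255:
            length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial-length packets are not supported")
    else:  # old-format header: length-type selects 1, 2 or 4 length bytes
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate-length packets are not supported")
        n = 1 << ltype
        length, hdr = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n
    start = pos + hdr
    return tag, start, start + length


def packet_tags(keyblock: bytes) -> list:
    """Tags of all packets in the block, in order (6 = primary key, 13 = UID, 14 = subkey)."""
    tags, pos = [], 0
    while pos < len(keyblock):
        tag, _, end = _read_packet(keyblock, pos)
        tags.append(tag)
        pos = end
    return tags


def v4_fingerprint(keyblock: bytes) -> str:
    """Primary-key fingerprint: SHA-1 over 0x99 || 2-byte body length ||
    Public-Key packet body (RFC 4880 sect. 12.2). Subkeys (tag 14) are skipped."""
    pos = 0
    while pos < len(keyblock):
        tag, start, end = _read_packet(keyblock, pos)
        if tag == 6:
            body = keyblock[start:end]
            if body[0] != 4:
                raise ValueError("only v4 keys are supported")
            return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
        pos = end
    raise ValueError("no Public-Key packet found")


def verify_pinned(keyblock: bytes, pinned: str) -> bool:
    """True only if the block's primary-key fingerprint equals the pinned one."""
    return v4_fingerprint(keyblock) == normalize_fingerprint(pinned)


def _mpi(n: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def build_demo_keyblock(modulus: int = (0xC0FFEE << 1000) | 0x1234567) -> bytes:
    """Constructed sample: a minimal v4 RSA Public-Key packet (old-format header,
    tag 6, 2-byte length) followed by a User ID packet (tag 13). Not a real key:
    the modulus is an arbitrary 1024-bit number, not a product of two primes."""
    body = b"\x04" + struct.pack(">I", 1336435200) + b"\x01" + _mpi(modulus) + _mpi(65537)
    pk_pkt = bytes([0x80 | (6 << 2) | 0x01]) + struct.pack(">H", len(body)) + body
    uid = b"Example Repo Key <nobody@example.invalid>"
    uid_pkt = bytes([0x80 | (13 << 2) | 0x00]) + bytes([len(uid)]) + uid
    return pk_pkt + uid_pkt


if __name__ == "__main__":
    published = "0D8F 900A B77B B504 F2C6  9E7A 3922 03AB AF88 540B"  # as gpg printed it above
    print("pinned:", normalize_fingerprint(published), "key id:", long_key_id(published))
    key = build_demo_keyblock()
    print("sample key fingerprint:", v4_fingerprint(key))
    print("matches itself:", verify_pinned(key, v4_fingerprint(key)))
    print("matches the published drdteam fingerprint:", verify_pinned(key, published))
```

In a real download step, `verify_pinned(open(path, "rb").read(), PINNED)` gates the `apt-key add` (or the copy into /etc/apt/trusted.gpg.d/); the point is that the pinned string comes from the published page, never from the same download as the key. A short key ID is deliberately rejected by `normalize_fingerprint`, since only the full 160-bit fingerprint is collision-resistant enough to pin.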
(0020358)
Blzut3   
2019-02-10 07:54   
Not sure why you mentioned names on the "other parties" thing since I believe if following strict protocol you should not sign a key without meeting in person?
(0020362)
WubTheCaptain   
2019-02-11 14:37   
You are right, Blzut3.

I think a good place to mention "Packages are signed with key XXXX XXXX ..." at 'https://zandronum.com/download#instubuntu' would still be a nice improvement, rather than no information at all. Those two domains are hosted on different hosts.