Zandronum Chat on our Discord Server Get the latest version: 3.2.1
Source Code
My View | View Issues | Change Log | Roadmap | Site Issue Support Ranking | Rules | My Account
  

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0003602Site[All Projects] Documentationpublic2019-02-07 13:502019-02-11 14:37
ReporterWubTheCaptain 
Assigned To 
PrioritynormalSeveritymajorReproducibilityalways
StatusnewResolutionopen 
PlatformOSOS Version
Summary0003602: debian.drdteam.org doesn't publish the key fingerprint to packages
Description
Quote from apt-key(8)
It is critical that keys added manually via apt-key are verified to belong to the owner of the repositories they claim to be for otherwise the apt-secure(8) infrastructure is completely undermined.


apt-secure(8) instructs to:

Quote from apt-secure(8)
Publish the key fingerprint, so that your users will know what key they need to import in order to authenticate the files in the archive. It is best to ship your key in its own keyring package like Debian does with debian-archive-keyring to be able to distribute updates and key transitions automatically later.
Steps To ReproduceVisit'http://debian.drdteam.org/ [^]' and see there's no fingerprint on that instruction page, only the key. (HTTPS scheme is available.)
Attached Files

- Relationships

-  Notes
User avatar (0020340)
WubTheCaptain (reporter)
2019-02-07 13:53
edited on: 2019-02-07 14:05

 We don't have information anywhere else either, such as in Doomseeker's README instructions. I'd like to add it there.

Right now there's OpenPGP chain of trust, but that key I downloaded from debian.drdteam.org is also not signed by other parties (such as me, Zalewa or Pol M).

$ gpg --fingerprint 0x392203ABAF88540B
pub   rsa2048/0x392203ABAF88540B 2012-05-08 [SC]
      Key fingerprint = 0D8F 900A B77B B504 F2C6  9E7A 3922 03AB AF88 540B
uid                   [ unknown] Braden Obrzut <admin@maniacsvault.net>
sub   rsa2048/0x5A3EE478F1967822 2012-05-08 [E]
      Key fingerprint = 08BF 77FB DD76 1544 E87B  6430 5A3E E478 F196 7822


I refreshed from'hkps://hkps.pool.sks-keyservers.net [^]' keyserver too, no change.
User avatar (0020341)
WubTheCaptain (reporter)
2019-02-07 13:56

 Also, no verification happens the downloaded key matches the "trusted" key. See related issue 0003601.
User avatar (0020358)
Blzut3 (administrator)
2019-02-10 07:54

 Not sure why you mentioned names on the "other parties" thing since I believe if following strict protocol you should not sign a key without meeting in person?
User avatar (0020362)
WubTheCaptain (reporter)
2019-02-11 14:37

 You are right, Blzut3.

I think a good place to mention "Packages are signed with key XXXX XXXX ..." at'https://zandronum.com/download#instubuntu [^]' would still be a nice improvement, rather than no information at all. Those two domains are hosted on different hosts.

Issue Community Support
Only registered users can voice their support. Click here to register, or here to log in.
Supporters: No one explicitly supports this issue yet.
Opponents: No one explicitly opposes this issue yet.

- Issue History
Date Modified Username Field Change
2019-02-07 13:50 WubTheCaptain New Issue
2019-02-07 13:53 WubTheCaptain Note Added: 0020340
2019-02-07 13:56 WubTheCaptain Note Added: 0020341
2019-02-07 14:05 WubTheCaptain Note Edited: 0020340 View Revisions
2019-02-10 07:54 Blzut3 Note Added: 0020358
2019-02-11 14:37 WubTheCaptain Note Added: 0020362




Questions or other issues? Contact Us.

Links

Copyright © 2000 - 2025 MantisBT Team
Powered by Mantis Bugtracker