don't hardcode an old key from official mirrors for Debian backports #847
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553 is really this key, on any
modern Debian system:
/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
----------------------------------------------------------
pub rsa4096 2012-04-27 [SC] [expire : 2020-04-25]
A1BD 8E9D 78F7 FE5C 3E65 D8AF 8B48 AD62 4692 5553
uid [ inconnue] Debian Archive Automatic Signing Key (7.0/wheezy) <[email protected]>
It expires in about a year, and is shipped by default in Debian:
$ dpkg -S /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
debian-archive-keyring: /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
With the current configuration, it might attempt to download the key
from the network, which could then be hijacked by a MITM and break
the entire trust chain built by AptSecure.
If the key was used in the sources.list template to pin the
repository, that would be one thing (it's not). But then it would fail
every time that key gets rotated on the Debian server (that is: at
every major release).
So just remove the key: it serves no purpose than enable a possible
MITM attack and creates an additional maintenance burden.
(OpenPGP crypto-geeks will surely point out that the full fingerprint
is used in the specification, and that this is normally not considered
breakable the same way short key IDs are currently known to be easily
breakable. I would counter that a fingerprint is still a checksum of
the original keypair and could *eventually* be found to be vulnerable
to certain attacks. OpenPGP as an ecosystem would likely fall apart at
that point as self-signatures are also using fingerprints (if not long
key IDs) but I'm disgressing: we do not rely on those for Secure Apt
so let's just do the right thing.)
Note that the `Ubuntu` section might be similarly affected, but I do
not have an Ubuntu system to test this with right now.
Finally, it should be noted that running apt-key the way the
puppetlabs module does is completely unsafe. Keys should *NEVER* be
added to the global trust ring in /etc/apt/trusted.gpg.d. Instead,
they should be deployed in /usr/share/keyrings and mapped in the
`sources.list` with an entry like:
deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://example.net/debian/ main
That conventions are also documented in the Debian wiki here:
https://wiki.debian.org/DebianRepository/UseThirdParty
|
ping? |
|
Hello @anarcat , Thank you for your contribution to improve this module. :) Looking good to me. Cheers! |
kenyon
added a commit
to kenyon/puppetlabs-apt
that referenced
this pull request
Sep 18, 2023
The default key for Debian was removed in puppetlabs#847, and I'm about to do the same for Ubuntu.
kenyon
added a commit
to kenyon/puppetlabs-apt
that referenced
this pull request
Sep 18, 2023
Same as puppetlabs#847 but for Ubuntu. The gpg keys used to sign the Ubuntu repos, including backports, come with standard Ubuntu installations, so this Puppet module doesn't need to add any key. Having this old key causes Puppet run failures for 20.04 and newer machines without Internet access.
kenyon
added a commit
to kenyon/puppetlabs-apt
that referenced
this pull request
Sep 18, 2023
The default key for Debian was removed in puppetlabs#847, and I'm about to do the same for Ubuntu.
kenyon
added a commit
to kenyon/puppetlabs-apt
that referenced
this pull request
Sep 18, 2023
Same as puppetlabs#847 but for Ubuntu. The gpg keys used to sign the Ubuntu repos, including backports, come with standard Ubuntu installations, so this Puppet module doesn't need to add any key. Having this old key causes Puppet run failures for 20.04 and newer machines without Internet access.
kenyon
added a commit
to kenyon/puppetlabs-apt
that referenced
this pull request
Nov 1, 2023
The default key for Debian was removed in puppetlabs#847, and I'm about to do the same for Ubuntu.
kenyon
added a commit
to kenyon/puppetlabs-apt
that referenced
this pull request
Nov 1, 2023
Same as puppetlabs#847 but for Ubuntu. The gpg keys used to sign the Ubuntu repos, including backports, come with standard Ubuntu installations, so this Puppet module doesn't need to add any key. Having this old key causes Puppet run failures for 20.04 and newer machines without Internet access.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553 is really this key, on any
modern Debian system:
It expires in about a year, and is shipped by default in Debian:
With the current configuration, it might attempt to download the key
from the network, which could then be hijacked by a MITM and break
the entire trust chain built by AptSecure.
If the key was used in the sources.list template to pin the
repository, that would be one thing (it's not). But then it would fail
every time that key gets rotated on the Debian server (that is: at
every major release).
So just remove the key: it serves no purpose than enable a possible
MITM attack and creates an additional maintenance burden.
(OpenPGP crypto-geeks will surely point out that the full fingerprint
is used in the specification, and that this is normally not considered
breakable the same way short key IDs are currently known to be easily
breakable. I would counter that a fingerprint is still a checksum of
the original keypair and could eventually be found to be vulnerable
to certain attacks. OpenPGP as an ecosystem would likely fall apart at
that point as self-signatures are also using fingerprints (if not long
key IDs) but I'm disgressing: we do not rely on those for Secure Apt
so let's just do the right thing.)
Note that the
Ubuntusection might be similarly affected, but I donot have an Ubuntu system to test this with right now.
Finally, it should be noted that running apt-key the way the
puppetlabs module does is completely unsafe. Keys should NEVER be
added to the global trust ring in /etc/apt/trusted.gpg.d. Instead,
they should be deployed in /usr/share/keyrings and mapped in the
sources.listwith an entry like:That conventions are also documented in the Debian wiki here:
https://wiki.debian.org/DebianRepository/UseThirdParty
PS: I tried to file an issue for this in JIRA, but the password reset form is failing for me. It seems I have been away for too long or something: