LinuxQuestions.org
Old 06-08-2012, 10:43 AM   #1
0x53h
LQ Newbie
 
Registered: May 2012
Posts: 23

How to verify a package if the GPG key has been revoked


I'm trying to download a source package but upon verification I get a warning that the certificate used to sign the package has been revoked by its owner because it had been compromised.

Does anyone have suggestions on how to ask for it to be re-signed, or how best to proceed?
 
Old 06-09-2012, 04:00 AM   #2
jv2112
Member
 
Registered: Jan 2009
Location: New England
Distribution: Arch Linux
Posts: 719

Find a new repo to download from.
 
Old 06-09-2012, 06:10 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

IMO it would be a mistake to just shrug off the incident and D/L the source from another repo as suggested. Package signing is important because it links the source with the author, signifies s/he signed off on the release and allows source integrity verification. From having a signing key revoked you can infer the owner was aware of the compromise but it doesn't tell us anything else meaningful. How and when did the private key get compromised? Was the pass phrase captured as well? Did the compromise have any effect on the source? Was it a flaw in the key (like ancient GnuPG ElGamal keys)? Or a cryptographic attack? Was package signing automated in a way it shouldn't have been? Was it a user level breach? Or was the machine compromised? And finally, package signing being all about trust: what guarantee do you have the new signing key can be trusted?


Quote:
Originally Posted by 0x53h View Post
the certificate used to sign the package has been revoked by its owner because it had been compromised.
The author has to examine the source, verify all changes and issue new packages and signatures. But if enough publicly accessible source history exists you can download and audit the source for changes yourself (think GIT commit hashes).
 
Old 06-11-2012, 12:27 PM   #4
0x53h
LQ Newbie
 
Registered: May 2012
Posts: 23

Original Poster
Thanks for the reply, guys. The only additional details were that the autosigning or build server was compromised (I forget), and so the key had been compromised as well. The source was last updated in 2004. I'm not at the level of feeling confident trying to pick up the source trail and audit all changes myself. However, this has been resolved as I found a comparable package to use. I'm not really sure what I would have done otherwise.

Thanks for all your help!
 
Old 06-11-2012, 12:48 PM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,291
Blog Entries: 4

Obviously, the very active decision made by someone to revoke a key is a very clear indication that you need to obtain a version of the package which has been signed by a key that was not revoked. Even if, as it may turn out, the source code is identical. Revocation is, of course, an operation that is applied to a key, not to one particular object that was signed using that key. Hence, it may well be that "this particular package" is perfectly fine ... but the whole point of cryptographic package-signing and key revocation lists is to remove doubt.
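As an added illustration of the point made in the last two replies (this is not code from the thread or from GnuPG): a revoked key does not make the signature mathematically invalid, so a verifier has to read gpg's machine-readable status output and treat REVKEYSIG/KEYREVOKED as a rejection even though the signature itself checks out. The key ids, user id and sample status lines are constructed; verify_with_gpg assumes a gpg binary on PATH and a detached signature file.

```python
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Status tokens GnuPG writes to --status-fd (documented in GnuPG's doc/DETAILS).
# For a revoked key gpg emits REVKEYSIG *instead of* GOODSIG: the signature
# still checks out mathematically, but the key behind it is no longer trusted.
REJECT_TOKENS = {"BADSIG", "ERRSIG", "REVKEYSIG", "KEYREVOKED",
                 "EXPKEYSIG", "EXPSIG", "NO_PUBKEY"}

@dataclass
class Verdict:
    accepted: bool
    reasons: List[str] = field(default_factory=list)
    key_id: Optional[str] = None   # long key id of the signing key, if seen

def judge_status(status_output: str) -> Verdict:
    """Turn gpg --status-fd lines into an accept/reject decision."""
    good, reasons, key_id = False, [], None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                       # ordinary stderr chatter, ignore
        parts = line.split()
        if len(parts) < 2:
            continue
        token = parts[1]
        if token in ("GOODSIG", "REVKEYSIG", "EXPKEYSIG") and len(parts) > 2:
            key_id = parts[2]
        if token == "GOODSIG":
            good = True
        elif token in REJECT_TOKENS:
            reasons.append(token)
    if not good and not reasons:
        reasons.append("NO_SIGNATURE_SEEN")   # e.g. the file was not a signature
    return Verdict(good and not reasons, reasons, key_id)

def verify_with_gpg(sig_path: str, data_path: str) -> Verdict:
    """Run gpg on a detached signature and judge its status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return judge_status(proc.stdout)

# Constructed sample status output (not captured from a real run) for the
# thread's situation: a valid signature made with a since-revoked key.
SAMPLE_REVOKED = (
    "[GNUPG:] KEYREVOKED\n"
    "[GNUPG:] REVKEYSIG DEADBEEFCAFEF00D Example Maintainer <maint@example.org>\n")
# Constructed sample for a signature by a key that is still valid.
SAMPLE_GOOD = "[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.org>\n"
```

Because gpg exits non-zero for a revoked key anyway, the status parsing matters most when a wrapper script would otherwise only look at whether the file's hash matched; the reasons list tells you why the package was refused.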
 