Debian Bug report logs - #389646
apt should try to import a key if a package was signed by a unknown key

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Rober Morales-Chaparro <rober.morales@gmail.com>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: apt should try to import a key if a package was signed by a unknown key

Date: Tue, 26 Sep 2006 23:52:11 +0200

Package: apt
Version: 0.6.45
Severity: minor

    Instead of showing a warning message when apt does not know the key, apt
cat try to execute (with or without the user confirmation?):

#!/bin/bash
KEY=$1

gpg --keyserver subkeys.pgp.net --recv $KEY
gpg --export --armor $KEY | apt-key add -


    TIA!



-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Cache-Limit "92582912";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "if dpkg -s apt-listbugs | grep -q '^Status: .* ok installed'; then /usr/sbin/apt-listbugs apt || ( test $? -ne 10 || exit 10; echo 'Warning: apt-listbugs exited abnormally, hit enter key to continue.' 1>&2 ; read a < /dev/tty ); fi";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";

-- (no /etc/apt/preferences present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-686
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-1) (ignored: LC_ALL set to es_ES)

Versions of packages apt depends on:
ii  libc6                   2.3.6.ds1-4      GNU C Library: Shared libraries
ii  libgcc1                 1:4.2-20060923-1 GCC support library
ii  libstdc++6              4.1.1-5          The GNU Standard C++ Library v3

Versions of packages apt recommends:
ii  debian-archive-keyring        2006.01.18 GnuPG archive keys of the Debian a

-- no debconf information

Message #10 received at 389646@bugs.debian.org (full text, mbox, reply):

From: Otavio Salvador <otavio@debian.org>

To: Rober Morales-Chaparro <rober.morales@gmail.com>

Cc: 389646@bugs.debian.org, control@bugs.debian.org

Subject: Re: Bug#389646: apt should try to import a key if a package was signed by a unknown key

Date: Tue, 26 Sep 2006 19:37:23 -0300

tag 389646 + wontfix
thanks

Rober Morales-Chaparro <rober.morales@gmail.com> writes:

> Package: apt
> Version: 0.6.45
> Severity: minor
>
>     Instead of showing a warning message when apt does not know the key, apt
> cat try to execute (with or without the user confirmation?):
>
> #!/bin/bash
> KEY=$1
>
> gpg --keyserver subkeys.pgp.net --recv $KEY
> gpg --export --armor $KEY | apt-key add -

It'll reduce the security of machine since won't make difference if
the key is or not know before you upgrade or install a package.

IMO that makes APT security feature useless hence, wontfix.

-- 
        O T A V I O    S A L V A D O R
---------------------------------------------
 E-mail: otavio@debian.org      UIN: 5906116
 GNU/Linux User: 239058     GPG ID: 49A5F855
 Home Page: http://www.freedom.ind.br/otavio
---------------------------------------------
"Microsoft gives you Windows ... Linux gives
 you the whole house."

Message #17 received at 389646@bugs.debian.org (full text, mbox, reply):

From: Simon Richter <Simon.Richter@hogyros.de>

To: Otavio Salvador <otavio@debian.org>, 389646@bugs.debian.org

Cc: Rober Morales-Chaparro <rober.morales@gmail.com>

Subject: Re: Bug#389646: apt should try to import a key if a package was signed by a unknown key

Date: Wed, 27 Sep 2006 18:55:01 +0200

Otavio,

> It'll reduce the security of machine since won't make difference if
> the key is or not know before you upgrade or install a package.

Agreed; an idea might be to import the key to some "untrusted" keyring,
and allow the user to add it to the "trusted" list after giving some
stern lecture why you shouldn't trust anyone.

   Simon

Message #22 received at 389646@bugs.debian.org (full text, mbox, reply):

From: Rober Morales <rober.morales@gmail.com>

To: 389646@bugs.debian.org

Subject: Re: Bug#389646: apt should try to import a key if a package was signed by a unknown key

Date: Thu, 28 Sep 2006 01:42:22 +0200

> > It'll reduce the security of machine since won't make difference if
> > the key is or not know before you upgrade or install a package.
>
> Agreed; an idea might be to import the key to some "untrusted" keyring,
> and allow the user to add it to the "trusted" list after giving some
> stern lecture why you shouldn't trust anyone.
>

APT already continue with the install/upgrade if the user answer "Yes" to the 
warning question.

The new feature I want is to make possible the fact that apt can, /with/ the 
user confirmation, import the key the package is signed with:

WARNING: The key 0BDCEXXXXXXXXXXXX is not known: Install anyway? Yes/[No]:
Yes

WARNING: Do you want APT import the key to your keyring now? Yes/[No]:
Yes

TIA!



Regards,

Rober Morales-Chaparro

Message #27 received at 389646@bugs.debian.org (full text, mbox, reply):

From: Otavio Salvador <otavio@debian.org>

To: Rober Morales <rober.morales@gmail.com>

Cc: 389646@bugs.debian.org

Subject: Re: Bug#389646: apt should try to import a key if a package was signed by a unknown key

Date: Thu, 28 Sep 2006 02:49:46 -0300

Rober Morales <rober.morales@gmail.com> writes:

>> > It'll reduce the security of machine since won't make difference if
>> > the key is or not know before you upgrade or install a package.
>>
>> Agreed; an idea might be to import the key to some "untrusted" keyring,
>> and allow the user to add it to the "trusted" list after giving some
>> stern lecture why you shouldn't trust anyone.
>>
>
> APT already continue with the install/upgrade if the user answer "Yes" to the 
> warning question.
>
> The new feature I want is to make possible the fact that apt can, /with/ the 
> user confirmation, import the key the package is signed with:
>
> WARNING: The key 0BDCEXXXXXXXXXXXX is not known: Install anyway? Yes/[No]:
> Yes
>
> WARNING: Do you want APT import the key to your keyring now? Yes/[No]:
> Yes

I see your point but I still think that shouldn't be too easy to
someone to add a key on the trusted keyring otherwise most of people
will just start to do that too much.

Besides, as Simon said, would be good to warn the user why this is
dangerous and why he/she should avoid to use non-official
packages.

I personally see why you would like to have it but I don't think the
price that we might pay is enough... :(

-- 
        O T A V I O    S A L V A D O R
---------------------------------------------
 E-mail: otavio@debian.org      UIN: 5906116
 GNU/Linux User: 239058     GPG ID: 49A5F855
 Home Page: http://www.freedom.ind.br/otavio
---------------------------------------------
"Microsoft gives you Windows ... Linux gives
 you the whole house."

Send a report that this bug log contains spam.