make apt-key net-update secure

Bug #1013681 reported by Jamie Strandboge
This bug affects 3 people
Affects       Status   Importance  Assigned to   Milestone
apt (Debian)  New      Unknown
apt (Ubuntu)  Triaged  High        Michael Vogt
visibility: private → public
Changed in apt (Ubuntu):
assignee: nobody → Michael Vogt (mvo)
importance: Undecided → High
status: New → Triaged
tags: added: rls-q-incoming
Changed in apt (Ubuntu):
assignee: Michael Vogt (mvo) → nobody
summary: - make net-update secure
+ make apt-key net-update secure
Michael Vogt (mvo) wrote :

Here is an alternative approach for the net-update:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472/comments/2

Michael Vogt (mvo) wrote :

I would welcome feedback on the alternative approach. The idea is basically to simply download a signed keyring file, gpg verify that against the master key and if it's good, import it.

Marc Deslauriers (mdeslaur) wrote :

Subscribing Steve and Colin to get their feedback as well.

Steve Langasek (vorlon) wrote :

As I recall, we didn't go this route the first time around because we wanted to avoid changing the server-side interface. But if trying to check this securely is a case of being nibbled to death by cats, I think it makes sense to revisit this. So I have no objection to using a gpg-verified keyring object here.

Marc Deslauriers (mdeslaur) wrote :
Jamie Strandboge (jdstrand) wrote :
Steve Langasek (vorlon)
tags: removed: rls-q-incoming
Colin Watson (cjwatson) wrote :

I'm fine with the signed-keyring-file approach too, although I haven't confirmed that there are no attacks possible on the code used to verify *that* signature.

Brian Murray (brian-murray) wrote :

From #ubuntu-meeting on 2012-09-12:

08:43 < mvo> cjwatson: it will require a server side change
08:43 < mvo> cjwatson: if you guys are happy with the new proposed schema we can
             upload (once the server side is updated)
08:43 < mvo> but I (much) agree we should not rush this :) it caused enough pain
             already :/
08:45 < cjwatson> Of course I can't help with the server side change at the moment
                  because we don't have our sudo access back yet on pepo
08:45 < cjwatson> You'll probably have to ask webops

Steve Langasek (vorlon) wrote :

We're not going to get to this before quantal release.

tags: added: rls-q-notfixing
tags: removed: rls-q-notfixing
Changed in apt (Ubuntu Quantal):
milestone: none → quantal-updates
Changed in apt (Debian):
status: Unknown → New
Colin Watson (cjwatson) wrote :

http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg.sig exists now, so the client side should be unblocked.

Michael Vogt (mvo) wrote :

Thanks Colin, that is great news.

I updated the branch (and also merged the debian-sid changes) into https://github.com/mvo5/apt/tree/ubuntu/lp1013681 - I need to test it a bit more and then I will upload.

Changed in apt (Ubuntu Quantal):
status: Triaged → Won't Fix
Mathew Hodson (mhodson)
no longer affects: apt (Ubuntu Quantal)
Changed in apt (Ubuntu):
milestone: quantal-updates → none
Mathew Hodson (mhodson) wrote :

Did this change ever make it in?

Changed in apt (Ubuntu):
assignee: nobody → Michael Vogt (mvo)
Julian Andres Klode (juliank) wrote :

No, it did not. We could rebase and merge it. We can also replace wget with /usr/lib/apt/apt-helper download-file to fix bug 325700 and bug 226780 while we're at it.

Dimitri John Ledkov (xnox) wrote :

Whilst poking all of this a while back, my thought was to use an inline signed keyring snippet which is downloaded probably with the apt-helper, validated (well gpgv decrypt) and stored as /etc/apt/trusted.gpg.d/netupdate.gpg. Since we no longer need to touch /etc/apt/trusted.gpg keyring. This doesn't even need to live in apt-key netupdate, and could be just a timer unit. But I guess having this simple logic in apt-key script may make sense.

Note that netupdate has been disabled for a long while now, thus any reintroduction will need security team review before we enable.
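
The signed-keyring flow discussed in this thread (fetch the keyring and its detached signature, verify against the master key with gpgv, install only on success), as an added example that is not apt's code or any commenter's branch. The `GPGV` override, the function name and the master keyring path are assumptions; downloading is left to the caller.

```shell
#!/bin/sh
# Added example (not apt's code). GPGV override and function name are assumptions.
GPGV="${GPGV:-gpgv}"

# verify_and_stage KEYRING SIG MASTER DEST
# Copies KEYRING to DEST only if SIG is a valid detached signature over it from
# a key in MASTER (absolute path). On any failure DEST is left untouched.
verify_and_stage() {
    keyring=$1; sig=$2; master=$3; dest=$4
    for f in "$keyring" "$sig" "$master"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    # Read gpgv's machine-readable status lines instead of trusting only the
    # exit code.
    status=$("$GPGV" --status-fd 1 --keyring "$master" "$sig" "$keyring" \
        2>/dev/null) || { echo "gpgv rejected $sig" >&2; return 1; }
    # Need at least one fully valid signature ...
    printf '%s\n' "$status" | grep -q '^\[GNUPG:] VALIDSIG ' || return 1
    # ... and no bad, unverifiable, expired or revoked-key signature beside it.
    if printf '%s\n' "$status" | grep -Eq \
        '^\[GNUPG:] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) '; then
        echo "unexpected extra signature on $sig" >&2; return 1
    fi
    # Stage next to DEST and rename, so readers never see a partial keyring.
    tmp=$(mktemp "$dest.XXXXXX") || return 2
    if cp "$keyring" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"; return 2
}

# Usage, after fetching both files (for example with
# /usr/lib/apt/apt-helper download-file) into a private temp directory:
#   verify_and_stage "$t/ubuntu-archive-keyring.gpg" \
#       "$t/ubuntu-archive-keyring.gpg.sig" \
#       /path/to/master-keyring.gpg \        # placeholder path
#       /etc/apt/trusted.gpg.d/netupdate.gpg
```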

This report contains Public Security information  
Everyone can see this security related information.
