AW: AW: Users GnuPG aims for? (Re: Breaking MIME concatenation)

Fiedler Roman Roman.Fiedler at ait.ac.at
Thu May 17 17:37:55 CEST 2018


> From: Daniel Kahn Gillmor [mailto:dkg at fifthhorseman.net]
> 
> On Thu 2018-05-17 08:45:18 +0000, Fiedler Roman wrote:
> > As gnupg starts getting more and more problematic regarding some
> > functions (see the discussions on command line/unattended use), Ubuntu
> > Bionic AND Debian Buster dropped it from their debootstrap
> 
> I don't know about Ubuntu Bionic, but for Debian Buster this is simply
> false.
> 
> Buster relies on gpgv (which is part of the GnuPG suite) for validating
> archive signatures.

That seems to be just a misunderstanding, as my initial message mentioning the changes was imprecise on my side; the follow-up https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060422.html should have made it clear that we are both talking about the same thing.

"""Yes, but all those features do not apply to apt-key or are of little relevance. Hence gpg seems to have been included just for minimal use (just adding/removing keys, everything is trusted as performed by root user anyway). I do not know the reasons behind them dropping gpg, but I guess the just needed a failesafe, minimalistic tool for that purpose and now they dropped gpg and run only with gpgv to my knowledge."""

> > and replaced the apt-key management parts with own solutions.
> 
> apt-key has been deprecated for a while now.  I don't think i've seen a
> secure use of apt-key that i can really encourage anywhere.
> 
> If you want to do sane cryptographic controls on repositories, you
> should (a) place the key for a given repo somewhere sensible in the
> filesystem (e.g. /usr/share/keyrings/REPONAME-keyring.gpg), and (b) add
> a Signed-By: line to your .sources file (or a signed-by option to the
> line in your .list file).
> 
> See sources.list(5) and
> https://wiki.debian.org/DebianRepository/UseThirdParty for more details.
> 
> See also https://bugs.debian.org/877012 for suggestions about
> improvements to scoped cryptographic authorities for the default
> installation of debian repositories.

Thanks for the information. I thought that the new model would be using "/etc/apt/trusted.gpg.d", as recommended by an online version of "apt-key".

But of course the per-repository pinning of keys could make key management easier, as there is an n:1 link between repositories and keys, thus it is easier to avoid stale keys in the common key storage file.

> ...
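The per-repository key pinning dkg describes above (a keyring under /usr/share/keyrings/REPONAME-keyring.gpg plus a Signed-By: field in the .sources file, or a signed-by option on the .list line), written out as an added example. This is not code from the original thread; the repository name "example", the URI https://deb.example.org/apt, the suite "stable" and the component "main" are placeholder values chosen for illustration. The functions only print configuration text, so the script can be run anywhere without touching the system's apt configuration.

```shell
# Added example, not part of the original mailing-list post.
# Emits apt configuration that scopes a repository to its own keyring
# instead of the shared trusted keyring used by apt-key.

# Keyring location convention from the thread:
# /usr/share/keyrings/REPONAME-keyring.gpg (binary keyring, e.g. produced
# with "gpg --dearmor" from the vendor's ASCII-armored key).
keyring_path() {
    printf '/usr/share/keyrings/%s-keyring.gpg\n' "$1"
}

# deb822 stanza for /etc/apt/sources.list.d/REPONAME.sources
# Arguments: repo-name uri suite components
sources_stanza() {
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By: %s\n' \
        "$2" "$3" "$4" "$(keyring_path "$1")"
}

# Equivalent legacy one-line form for /etc/apt/sources.list.d/REPONAME.list
# Arguments: repo-name uri suite components
list_line() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$(keyring_path "$1")" "$2" "$3" "$4"
}

# Sanity check for a stanza: it must pin a keyring under /usr/share/keyrings,
# otherwise apt would fall back to every key in the global trusted keyring.
stanza_is_scoped() {
    printf '%s\n' "$1" | grep -q '^Signed-By: /usr/share/keyrings/'
}

# Usage: print both forms for the placeholder repository.
sources_stanza example https://deb.example.org/apt stable main
echo
list_line example https://deb.example.org/apt stable main
```

The stanza goes into /etc/apt/sources.list.d/example.sources and the keyring file into the path printed by keyring_path; with Signed-By set, apt only accepts Release files for that repository signed by a key in that one keyring, which is the n:1 repository-to-key link mentioned above.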
