AW: AW: AW: Users GnuPG aims for? (Re: Breaking MIME concatenation)
Roman.Fiedler at ait.ac.at
Fri May 18 07:31:36 CEST 2018
> Von: Daniel Kahn Gillmor [mailto:dkg at fifthhorseman.net]
> On Thu 2018-05-17 15:37:55 +0000, Fiedler Roman wrote:
> > Von: Daniel Kahn Gillmor [mailto:dkg at fifthhorseman.net]
> >> See sources.list(5) and
> >> https://wiki.debian.org/DebianRepository/UseThirdParty for more details.
> >> See also https://bugs.debian.org/877012 for suggestions about
> >> improvements to scoped cryptographic authorities for the default
> >> installation of debian repositories.
> > Thanks for the information. I thought, that the new model would be
> > using "/etc/apt/trusted.gpg.d", as recommended by an online version of
> > "apt-key".
> I recommend not relying directly on apt-key, whether online or offline :)
I see. If understood correctly, the trusted.gpg.d bypasses key management with apt-key completely, so not running into problems with apt-key deprecation.
> > But of course the per-repository pinning of keys could make key
> > management easier as there is a n:1 link between repositories and
> > keys, thus it is easier to avoid stale keys in the common key storage
> > file.
> yes. furthermore, per-repository pinning of keys avoids the possibility
> of one repository owner signing a Release file for a different
I thought about that also, but shouldn't 99%+ of systems perform no pinning whatsoever of packages to repositories? In that case, the "wrong" repository could publish just a slightly increased package version number of a package from another repository. Unattended updates will apply it anyway and also for users it would be hard noticing it: at least my "apt-get" version does not show any information about the repository a package would be downloaded from before confirming the installation. Thus the user would have to check each single package manually by invoking "apt-cache policy [pkg-name]" or use "apt-get download [packagelist]", check the logs and install packages with "dpkg".
Unless my system is misconfigured or other assumptions do not hold true, that would imply, that the only security benefit from key pinning is only about maintenance, making detection/pruning of stale keys easier.
More information about the Gnupg-users