Unable to securely add repositories

Bug #1341527 reported by Stuart Bishop
Affects | Status | Importance | Assigned to | Milestone
Charm Helpers | Fix Released | High | Stuart Bishop |

Bug Description

charmhelpers.fetch.add_source() allows you to provide a GPG key id, but this is pointless as there is no way to securely retrieve a GPG key from a remote keyserver. If an attacker is in a position to intercept requests to an archive, they are also in a position to provide a fake keyserver.

My understanding is that you must have the actual GPG key (rather than the keyid) to securely add a repository. add_source() needs to be extended to accept full keys in addition to key ids to allow charms and operators to do so.
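An added example, not part of the bug report and not charm-helpers code: one way a caller could tell full key material from a bare key id before deciding whether a keyserver fetch would be needed. The names `classify_key` and `dearmor` are hypothetical, and the armor parsing follows RFC 4880 section 6.

```python
import base64
import re

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"
KEY_ID = re.compile(r"(0x)?([0-9a-f]{8}|[0-9a-f]{16}|[0-9a-f]{40})", re.I)


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armored: str) -> bytes:
    """Return the binary packets inside an ASCII-armored public key block."""
    lines = [line.strip() for line in armored.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an armored public key block")
    body = lines[1:-1]
    if "" in body:  # armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    checksum = None
    if body and body[-1].startswith("="):  # optional "=XXXX" CRC-24 line
        checksum = int.from_bytes(base64.b64decode(body.pop()[1:]), "big")
    data = base64.b64decode("".join(body), validate=True)
    if checksum is not None and checksum != crc24(data):
        raise ValueError("armor CRC-24 mismatch")
    return data


def classify_key(key: str):
    """Tell embedded key material apart from a bare key id (hypothetical helper).

    ("full-key", packets): usable offline, no keyserver involved.
    ("key-id", hex_id): would need a network fetch to resolve.
    """
    if BEGIN in key:
        return "full-key", dearmor(key)
    key_id = key.replace(" ", "").strip()
    if KEY_ID.fullmatch(key_id):
        return "key-id", key_id.lower().removeprefix("0x").upper()
    raise ValueError("neither an armored key block nor a key id")
```

The CRC-24 check only catches a damaged or truncated block; the trust in a full key comes from it arriving with the charm or its configuration rather than over the network.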

Stuart Bishop (stub)
Changed in charm-helpers:
status: New → In Progress
assignee: nobody → Stuart Bishop (stub)
Stuart Bishop (stub)
Changed in charm-helpers:
importance: Undecided → High
Stuart Bishop (stub)
Changed in charm-helpers:
status: In Progress → Fix Committed
summary: - Unable to secuely add repositories
+ Unable to securely add repositories
Changed in charm-helpers:
status: Fix Committed → Fix Released