gpg key shadowing
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apt (Debian) | Fix Released | Unknown | |
apt (Ubuntu) | Fix Released | High | Jamie Strandboge |
Hardy | Fix Released | High | Jamie Strandboge |
Lucid | Fix Released | High | Jamie Strandboge |
Natty | Fix Released | High | Jamie Strandboge |
Oneiric | Fix Released | High | Jamie Strandboge |
Precise | Fix Released | High | Jamie Strandboge |
Quantal | Fix Released | High | Jamie Strandboge |
Bug Description
Georgi Guninski reported on http://
"While wasting my time with apt-key noticed strange behaviour with
colliding subkeys.
Out of paranoia ubuntu disallows importing certain trusted keyids.
This is trivial to circumvent by making a collision with subkey.
Attached is a key with subkey keyid colliding with
Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>.
By emulating apt-key netupdate, noticed that the order of the keyrings
is important. If the master keyring is first, the colliding key with
correct signature fails validation (probably because the other key is used).
If the colliding keyring is first, everything is ok (modulo reporting wrong
signer).
Probably this may lead to gpg abuse.
colliding first:
$gpg --ignore-
--keyring /usr/share/
/tmp/sec1
---------
pub 1024R/76A4410F 2012-06-13
uid f...31 (f) <f () f>
sig!3 76A4410F 2012-06-13 f...31 (f) <f () f>
sig! 3F272F5B 2012-06-13 f...31 (f) <f () f>
sig! 3F272F5B 2012-06-13 f...31 (f) <f () f>
sub 1024R/2376C859 2012-06-13
sig! 76A4410F 2012-06-13 f...31 (f) <f () f>
sub 2180R/3F272F5B 2012-06-13
sig! 76A4410F 2012-06-13 f...31 (f) <f () f>
/usr/share/
-------
pub 4096R/3F272F5B 2007-11-09
uid Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>
sig!3 3F272F5B 2007-11-09 f...31 (f) <f () f> #wrong
1 signature not checked due to a missing key
master first:
$gpg --ignore-
/usr/share/
/usr/share/
-------
pub 4096R/3F272F5B 2007-11-09
uid Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>
sig!3 3F272F5B 2007-11-09 Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>
/tmp/sec1
---------
pub 1024R/76A4410F 2012-06-13
uid f...31 (f) <f () f>
sig!3 76A4410F 2012-06-13 [User ID not found]
sig- 3F272F5B 2012-06-13 Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com> # wrong, signer is a subkey of f () f
sig- 3F272F5B 2012-06-13 Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com> # wrong, signer is a subkey of f () f
sub 1024R/2376C859 2012-06-13
sig! 76A4410F 2012-06-13 [User ID not found]
sub 2180R/3F272F5B 2012-06-13
sig! 76A4410F 2012-06-13 [User ID not found]
2 bad signatures
1 signature not checked due to a missing key"
Changed in apt (Ubuntu):
  importance: Undecided → High
Changed in apt (Ubuntu Lucid):
  status: New → In Progress
  importance: Undecided → High
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Natty):
  status: New → In Progress
  importance: Undecided → High
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Oneiric):
  status: New → In Progress
  importance: Undecided → High
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Precise):
  status: New → In Progress
  importance: Undecided → High
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Quantal):
  status: New → In Progress
  assignee: Michael Vogt (mvo) → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Hardy):
  status: New → In Progress
  importance: Undecided → High
  assignee: nobody → Jamie Strandboge (jdstrand)
description: updated
description: updated
visibility: private → public
Changed in apt (Debian):
  status: Unknown → New
Changed in apt (Debian):
  status: New → Fix Released
Ok, Michael, Marc and I looked at this a bit. If I copy sec1.bin to /var/www/ubuntu-archive-keyring.gpg, then update ARCHIVE_KEYRING_URI to have ARCHIVE_KEYRING_URI=http://localhost/ubuntu-archive-keyring.gpg, the key does not get updated on lucid/amd64. If I change the order as the report suggests, it is imported. I.e., I use this:
if $GPG_CMD --keyring $TMP_KEYRING --keyring $MASTER --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then
instead of:
if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then
At this point it needs to be verified that gpg will never internally reverse the order on all architectures. If it ever does, then this is a problem. If not, this attack would require an additional step (to update apt-key's code to reverse the order).
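The shadowing the report describes, as an added example that is neither apt-key's nor the reporter's code: a small shell check over constructed gpg --with-colons listings (the 16-hex key ids and the "Example Archive Key" are placeholders) showing that a signature-only test of the kind quoted above accepts a keyring whose subkey carries the master key's id, while a collision pre-check over every pub and sub id refuses it before any signature is consulted.

```shell
# Added example, not apt-key's code. Listings are constructed in
# gpg --with-colons format (field 5 is the key id); the 16-hex ids are
# placeholders that end in the short ids from the report.
MASTER_LISTING='pub:u:4096:1:AAAAAAAA3F272F5B:2007-11-09:::u:::scESC:
uid:u::::2007-11-09::HASH::Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>:'

# Keyring shaped like the report: primary 76A4410F, a subkey whose id
# equals the master id, and a "good" signature claiming that id.
CANDIDATE_LISTING='pub:-:1024:1:CCCCCCCC76A4410F:2012-06-13:::-:::scESC:
uid:-::::2012-06-13::HASH::f...31 (f) <f () f>:
sig:!::1:CCCCCCCC76A4410F:2012-06-13::::f...31 (f) <f () f>:13x:
sig:!::1:AAAAAAAA3F272F5B:2012-06-13::::f...31 (f) <f () f>:10x:
sub:-:1024:1:DDDDDDDD2376C859:2012-06-13:::::s:
sub:-:2180:1:AAAAAAAA3F272F5B:2012-06-13:::::s:'

# Honest keyring (constructed): no colliding ids, signed by the master key.
LEGIT_LISTING='pub:-:4096:1:EEEEEEEE11223344:2012-06-13:::-:::scESC:
uid:-::::2012-06-13::HASH::Example Archive Key <archive () example invalid>:
sig:!::1:AAAAAAAA3F272F5B:2012-06-13::::Ubuntu Archive Master Signing Key <ftpmaster () ubuntu com>:10x:'

# Signature-only test: a good ("!") sig whose key id equals the master's.
# It accepts CANDIDATE_LISTING, because gpg validated that sig against the
# colliding subkey and reported the master id as the signer.
signed_by_master() {
    printf '%s\n' "$1" | grep '^sig:!:' | cut -d: -f5 | grep -qx "$2"
}

# Defensive pre-check: refuse the keyring if any of its primary or subkey
# ids equals a master primary key id, regardless of keyring order.
has_collision() {
    add_ids=$(printf '%s\n' "$1" | grep -E '^(pub|sub):' | cut -d: -f5)
    master_ids=$(printf '%s\n' "$2" | grep '^pub:' | cut -d: -f5)
    for a in $add_ids; do
        for m in $master_ids; do
            [ "$a" = "$m" ] && return 0
        done
    done
    return 1
}

# Combined decision: collision check first, then the signature check.
verify_keyring() {
    if has_collision "$1" "$MASTER_LISTING"; then
        echo "key id collision with master keyring, refusing" >&2
        return 1
    fi
    signed_by_master "$1" AAAAAAAA3F272F5B
}
```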