make apt-key net-update secure

Bug #1013681 reported by Jamie Strandboge on 2012-06-15
Affects Status Importance Assigned to Milestone
apt (Debian)
New
Unknown
apt (Ubuntu)
High
Michael Vogt

visibility: private → public
Changed in apt (Ubuntu):
assignee: nobody → Michael Vogt (mvo)
importance: Undecided → High
status: New → Triaged
tags: added: rls-q-incoming
Changed in apt (Ubuntu):
assignee: Michael Vogt (mvo) → nobody
summary: - make net-update secure
+ make apt-key net-update secure
Michael Vogt (mvo) wrote :

Here is an alternative approach for the net-update:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472/comments/2

Michael Vogt (mvo) wrote :

I would welcome feedback on the alternative approach. The idea is basically to simply download a signed keyring file, gpg-verify that against the master key and, if it's good, import it.

Marc Deslauriers (mdeslaur) wrote :

Subscribing Steve and Colin to get their feedback as well.

Steve Langasek (vorlon) wrote :

As I recall, we didn't go this route the first time around because we wanted to avoid changing the server-side interface. But if trying to check this securely is a case of being nibbled to death by cats, I think it makes sense to revisit this. So I have no objection to using a gpg-verified keyring object here.

Steve Langasek (vorlon) on 2012-06-24
tags: removed: rls-q-incoming
Colin Watson (cjwatson) wrote :

I'm fine with the signed-keyring-file approach too, although I haven't confirmed that there are no attacks possible on the code used to verify *that* signature.

Brian Murray (brian-murray) wrote :

From #ubuntu-meeting on 2012-09-12:

08:43 < mvo> cjwatson: it will require a server side change
08:43 < mvo> cjwatson: if you guys are happy with the new proposed schema we can
             upload (once the server side is updated)
08:43 < mvo> but I (much) agree we should not rush this :) it caused enough pain
             already :/
08:45 < cjwatson> Of course I can't help with the server side change at the moment
                  because we don't have our sudo access back yet on pepo
08:45 < cjwatson> You'll probably have to ask webops

Steve Langasek (vorlon) wrote :

We're not going to get to this before quantal release.

tags: added: rls-q-notfixing
tags: removed: rls-q-notfixing
Changed in apt (Ubuntu Quantal):
milestone: none → quantal-updates
Changed in apt (Debian):
status: Unknown → New
Colin Watson (cjwatson) wrote :

http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg.sig exists now, so the client side should be unblocked.

Michael Vogt (mvo) wrote :

Thanks Colin, that is great news.

I updated the branch (and also merged the debian-sid changes) into https://github.com/mvo5/apt/tree/ubuntu/lp1013681 - I need to test it a bit more and then I will upload.

Changed in apt (Ubuntu Quantal):
status: Triaged → Won't Fix
no longer affects: apt (Ubuntu Quantal)
Changed in apt (Ubuntu):
milestone: quantal-updates → none
Mathew Hodson (mathew-hodson) wrote :

Did this change ever make it in?

Changed in apt (Ubuntu):
assignee: nobody → Michael Vogt (mvo)
Julian Andres Klode (juliank) wrote :

No, it did not. We could rebase and merge it. We can also replace wget with /usr/lib/apt/apt-helper download-file to fix bug 325700 and bug 226780 while we're at it.

Dimitri John Ledkov (xnox) wrote :

Whilst poking all of this a while back, my thought was to use an inline signed keyring snippet which is downloaded probably with the apt-helper, validated (well gpgv decrypt) and stored as /etc/apt/trusted.gpg.d/netupdate.gpg, since we no longer need to touch the /etc/apt/trusted.gpg keyring. This doesn't even need to live in apt-key netupdate, and could be just a timer unit. But I guess having this simple logic in the apt-key script may make sense.

Note that netupdate has been disabled for a long while now, thus any reintroduction will need security team review before we enable.
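The design sketched in mvo's comment (download a signed keyring, verify it against the master key, only then import it) and xnox's variant (fetch with apt-helper, validate with gpgv, store under /etc/apt/trusted.gpg.d/) as an added illustration; this is not apt's own apt-key code. It assumes the detached-signature layout Colin mentions (keyring plus a .sig next to it), an assumed master keyring path, and the netupdate.gpg destination from the thread.

```shell
#!/bin/sh
# Illustrative secure net-update, not apt's implementation.
set -eu

# Archive keyring and its detached signature (URL from the thread).
ARCHIVE_URL="http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg"
# Assumed location of the master key that signs the archive keyring.
MASTER_KEYRING="/usr/share/keyrings/ubuntu-master-keyring.gpg"
# Destination from xnox's comment: a fragment, so /etc/apt/trusted.gpg is never touched.
DEST="/etc/apt/trusted.gpg.d/netupdate.gpg"

# verify_keyring KEYRING SIG MASTER
# 0 = SIG is a valid detached signature over KEYRING by a key in MASTER
# 1 = signature rejected, 2 = missing/empty input, 3 = gpgv unavailable
verify_keyring() {
    keyring=$1; sig=$2; master=$3
    [ -s "$keyring" ] && [ -s "$sig" ] && [ -s "$master" ] || return 2
    command -v gpgv >/dev/null 2>&1 || return 3
    # Trust only the explicitly named master keyring, not the user's default ring.
    gpgv --keyring "$master" "$sig" "$keyring" >/dev/null 2>&1 || return 1
}

# net_update: fetch both files with apt-helper (instead of wget), verify,
# then install atomically. Nothing is imported unless verification succeeds.
net_update() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    /usr/lib/apt/apt-helper download-file "$ARCHIVE_URL" "$tmp/keyring.gpg"
    /usr/lib/apt/apt-helper download-file "$ARCHIVE_URL.sig" "$tmp/keyring.gpg.sig"
    verify_keyring "$tmp/keyring.gpg" "$tmp/keyring.gpg.sig" "$MASTER_KEYRING" || {
        echo "net-update: keyring signature verification failed, not installing" >&2
        return 1
    }
    # Write to a temp name in the target directory and rename, so a reader of
    # trusted.gpg.d never sees a partially written keyring.
    install -m 0644 "$tmp/keyring.gpg" "$DEST.tmp" && mv -f "$DEST.tmp" "$DEST"
}
```

Run `net_update` as root to perform the update; `verify_keyring` can be exercised on local files without network access.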
