Control: severity -1 wishlist On Mon, Feb 19, 2018 at 12:29:46PM -0800, Nathan Wilcox wrote: > Package: apt > Version: 1.4.8 > Severity: important > Tags: security > > I. Requested Change: > > Alter apt-key add to print out the full GPG fingerprint(s) and > metadata for each key imported. > > > II. Motivation: > > This improves the chance that a critical mass of users would notice a > compromise of commonly used apt package signing keys in the off chance > that they include this fingerprint output in bug reports, logs, or > active verification between peers.
apt-key add is deprecated for over a year now. I don't think a critical mass of users cares about that. It's also the wrong approach: Piping untrusted data to a root process and then checking that the root thing did its work correctly makes no sense from a security perspective. > > > III. Background: > > I frequently encounter installation advice that follows a basic formula: > > 1. fetch package signing keys via curl via https, pipe them to apt-key add. > 2. add a source to sources.list. > 3. apt update && apt install $PACKAGE We deprecated that approach a while ago and it might fail on systems that do not have gnupg installed, so upstreams really should not use it. I very much prefer the Chrome approach of sticking a key and a sources.list into a package and providing that package over https for initial installation. Other ideas are welcome. > > For example, here is the literal install advice for Signal Desktop from > https://signal.org/download/ as of 2018-02-19: > > > curl -s https://updates.signal.org/desktop/apt/keys.asc | sudo apt-key add - > > echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" > > | sudo tee -a /etc/apt/sources.list.d/signal-xenial.list > > sudo apt update && sudo apt install signal-desktop > > When following this advice users are relying on curl's authentication > via HTTPS for permanently modifying their local machine's package > authentication trust profile. When I run the first step, all that > `apt-key add -` outputs is "OK". That's somewhat awful. > > I just now wanted to ask several peers who I know would be capable of > looking up the fingerprint of the key I just fetched. This is possible > by running: > > $ gpg --keyring /etc/apt/trusted.gpg --list-keys --fingerprint > > -and then figuring out which key is relevant. > > With the requested change, I would be saved one step making it more > likely more users will do this in practice. I think we should definitely do that. -- debian developer - deb.li/jak | jak-linux.org - free software dev ubuntu core developer i speak de, en

