On Wed, Nov 1, 2017 at 3:31 PM Przemek Klosowski <przemek.klosow...@nist.gov> wrote:
>
> On 11/01/2017 03:14 PM, Kevin Fenzi wrote:
> > The only attack vector I can see is tricking someone into installing a
> > package from an EOL release with a known vulnerability, but if you can do
> > that you likely can get them to just download it and install it or
>
> Is it possible to compromise an old key, and use it to sign new malware
> that looks like it is from a recent distribution? I understand that it's
> unlikely because private keys are protected equally well regardless
> whether they are old or new, but maybe there's some way that makes older
> keys more vulnerable?
Given the way sigul stores the private keys, no. No one actually has access to the password for the private key if you could manage to extract the key. The biggest threat would be someone managing to recreate an old key. Even then, the biggest risk is long-lived machines, as new installs never import the old keys by default. That does not mean someone couldn't just import all the old keys into their system.

Prior to Fedora moving to Sigul there was a shared key and passphrase for signing the rpms; sigul manages all access to the keys today.

Dennis
--
devel mailing list -- devel@lists.fedoraproject.org
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
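Dennis's point that long-lived machines keep old release keys in the RPM database suggests a simple audit. The following is an added example, not code from the thread or from Fedora infrastructure: it takes the output of `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n'` and flags Fedora release keys older than a chosen release. The key-id/timestamp values in the sample are constructed placeholders, and the `fedora-NN[-primary]@fedoraproject.org` address format is assumed from the key user IDs.

```shell
#!/bin/sh
# stale_fedora_keys MIN_RELEASE  (reads rpm -q gpg-pubkey output on stdin)
# Prints "PKGNAME RELEASE" on stdout for each Fedora release key whose
# release number is below MIN_RELEASE. Keys whose summary does not carry a
# fedora-NN[-primary]@fedoraproject.org address (EPEL, third-party repos)
# are written to stderr as "PKGNAME unknown" for manual review.
stale_fedora_keys() {
    min="$1"
    while IFS= read -r line; do
        pkg=${line%% *}                      # gpg-pubkey-<keyid>-<timestamp>
        case "$line" in
            *fedora-[0-9]*@fedoraproject.org*)
                rel=${line#*fedora-}         # "24-primary@fedoraproject.org>)"
                rel=${rel%%@*}               # "24-primary" or "27"
                rel=${rel%-primary}          # "24"
                case "$rel" in
                    *[!0-9]*) printf '%s unknown\n' "$pkg" >&2 ;;
                    *) [ "$rel" -lt "$min" ] && printf '%s %s\n' "$pkg" "$rel" ;;
                esac
                ;;
            *) printf '%s unknown\n' "$pkg" >&2 ;;
        esac
    done
    return 0
}

# Constructed sample of rpm output (key ids and timestamps are placeholders).
SAMPLE='gpg-pubkey-aaaa0001-50000001 gpg(Fedora (24) <fedora-24-primary@fedoraproject.org>)
gpg-pubkey-aaaa0002-50000002 gpg(Fedora 27 (27) <fedora-27@fedoraproject.org>)
gpg-pubkey-aaaa0003-50000003 gpg(Fedora EPEL (7) <epel@fedoraproject.org>)'

# Usage: on a real host replace the sample with the rpm command above.
printf '%s\n' "$SAMPLE" | stale_fedora_keys 26
```

Imported keys only matter when a repository still offers packages signed with them, so a flagged key is a prompt to check which repos are enabled on that host before removing it with `rpm -e`.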