At 20:39 10-12-2008, LuKreme wrote:
And the source of that number is, evidently, a complete mystery.
That's my point.  I've seen lots of instructions like this:

# wget http://somesite.tld/somepath/GPG.KEY
# sudo sa-update --import GPG.KEY
# sudo sa-update --gpgkey 0E28B3DC --channel uber.rule.somesite.tld

where the '0E28B3DC' has just magically appeared as if created from
the ether.

Once you have imported the key, you can use gpg --list-keys to find the key ID.

Do you see that there is a crucial step missing there?

Yes.

Where did that gpgkey value come from?  If it wasn't provided in these
instructions (like say you were looking for a ruleset at foo.bar.tld/GPG.KEY
but hadn't yet discovered the page that had the magic hex code), how do
you find it?  Can you generate it?  Is it simply a hash of the gpg
keyfile, or something else?

The key ID is the low order 64 bits of the fingerprint.

It's a bit of "hey, now just fill in this number we hopefully have
given you.  Don't worry about what it means, or how it works, or where
it came from. Just copy&paste and you'll be fine."

Strangely enough, that does not fill me with the highest degree of
confidence.  Not much more so than --nogpg.

That's not the right way to do it if we are concerned about trust relationships. As you said, unless you have confidence in what is published on the webpage, it's like running sa-update with the --nogpg parameter.

gpgkey.  I've added the key to the keychain as a trusted key, that is
enough to make it secure.  How is this 8 digit hex code making
anything any more secure?

By adding the key to the keychain, you are trusting it. The security part is that you can verify whether the signer generated the updates. Even if the host is compromised, you are "safe" as long as the private key is secure and the signer still has your trust.

Regards,
-sm
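An added worked example (not from the list thread, and not SpamAssassin or GnuPG code) of where the "magic hex code" actually comes from. For an OpenPGP v4 key the fingerprint is the SHA-1 of the public-key packet (RFC 4880 section 12.2); the 16-digit long key ID is its low-order 64 bits and the 8-digit value that appears after --gpgkey in instructions like the ones quoted above is the short key ID, the low-order 32 bits, i.e. the last eight hex digits of the fingerprint. The script below derives both IDs from a fingerprint, parses `gpg --with-colons --fingerprint` output (the pub/fpr record layout is real; the key ID, fingerprint and user ID in the sample are constructed and belong to no real key), and checks a documented --gpgkey value against the key that was actually imported. The function names and the check itself are this example's own, not part of sa-update. Caveat a practitioner would want: a 32-bit short ID matching is weak evidence (short IDs can be deliberately collided), so the thing to compare out of band with the ruleset publisher is the full fingerprint, and the import-then-trust step is what establishes the trust relationship sm describes; the ID only selects which key sa-update should verify against.

```python
import hashlib
import re
import struct


def v4_fingerprint(public_key_body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880 section 12.2): SHA-1 over the byte 0x99,
    a two-byte big-endian length, and the public-key packet body."""
    prefix = b"\x99" + struct.pack(">H", len(public_key_body))
    return hashlib.sha1(prefix + public_key_body).hexdigest().upper()


def key_ids(fingerprint: str):
    """Return (long_id, short_id): the low-order 64 and 32 bits of a v4
    fingerprint, i.e. its last 16 and last 8 hex digits.  Whitespace as
    printed by `gpg --fingerprint` is ignored."""
    fp = re.sub(r"\s+", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fp[-16:], fp[-8:]


def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet for RSA (algorithm 1): version byte,
    creation time, algorithm id, then the MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)


def keys_from_gpg_colons(output: str):
    """Parse `gpg --with-colons --fingerprint` output into {long_id: fingerprint}.
    Field 5 of a 'pub' record is the long key ID; field 10 of the 'fpr' record
    that follows it is the full fingerprint."""
    keys = {}
    current = None
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4].upper()
        elif fields[0] == "fpr" and current is not None:
            keys[current] = fields[9].upper()
            current = None
    return keys


def gpgkey_matches(fingerprint: str, gpgkey: str) -> bool:
    """Does a documented --gpgkey value identify this fingerprint?  Accepts the
    short ID, the long ID or the whole fingerprint, with or without 0x."""
    candidate = re.sub(r"\s+", "", gpgkey).upper()
    if candidate.startswith("0X"):
        candidate = candidate[2:]
    long_id, short_id = key_ids(fingerprint)
    full = re.sub(r"\s+", "", fingerprint).upper()
    return candidate in (short_id, long_id, full)


# Constructed sample of `gpg --with-colons --fingerprint` output.  The key ID,
# fingerprint and user ID are made up for this example; they are not a real key.
SAMPLE_GPG_OUTPUT = """\
pub:-:2048:1:1122334455667788:1228000000::::::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF012345671122334455667788:
uid:-::::1228000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Ruleset Signer <rules@example.invalid>::::::::::0:
"""


def check_documented_id(documented: str, gpg_output: str = SAMPLE_GPG_OUTPUT):
    """For every key in the keyring listing, does the documented --gpgkey value
    name it?  Returns {long_id: bool}."""
    return {long_id: gpgkey_matches(fp, documented)
            for long_id, fp in keys_from_gpg_colons(gpg_output).items()}


if __name__ == "__main__":
    fp = keys_from_gpg_colons(SAMPLE_GPG_OUTPUT)["1122334455667788"]
    print("fingerprint:", fp)
    print("long / short key ID:", key_ids(fp))
    print("documented 55667788 matches?", check_documented_id("55667788"))
    # Fingerprint of a constructed (tiny, insecure) RSA key body, only to show
    # where the 40 hex digits, and hence the key IDs, come from.
    body = rsa_public_key_body(n=0xC0FFEE, e=65537, created=1228000000)
    print("constructed key:", v4_fingerprint(body), key_ids(v4_fingerprint(body)))
```

Usage against a real keyring would be `gpg --with-colons --fingerprint | python3 thisfile.py`-style piping into keys_from_gpg_colons; the point of the check is that the 8-digit value is recoverable from the key you already hold, so it never needs to be taken on faith from the web page.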
