Fix insecure downloading of raspberrypi.org signing key #64
Comments
You are absolutely right here and I'm inclined to go with your first proposed solution.
I've been thinking about this for a little while, and here's what I think is the best solution:
This approach has the following benefits:
To clarify, here's a code sample for

```bash
echo "Fetching and verifying GPG keys..."
# Import into a throw-away keyring so nothing is trusted before its fingerprint is checked.
mkdir -p gnupg
chmod 0700 gnupg
wget https://archive.raspbian.org/raspbian.public.key
gpg --homedir gnupg --import raspbian.public.key
# gpg -k with the full fingerprint only succeeds if exactly that key is in the keyring.
if ! gpg --homedir gnupg -k 0xA0DA38D0D76E8B5D638872819165938D90FDDD2E &> /dev/null ; then
    echo "ERROR: Bad GPG key fingerprint for raspbian.org"
    exit 1
fi
# The raspberrypi.org key is fetched over plain http; the fingerprint check below is what protects it.
wget http://archive.raspberrypi.org/debian/raspberrypi.gpg.key
gpg --homedir gnupg --import raspberrypi.gpg.key
if ! gpg --homedir gnupg -k 0xCF8A1AF502A2AA2D763BAE7E82B129927FA3303E &> /dev/null ; then
    echo "ERROR: Bad GPG key fingerprint for raspberrypi.org"
    exit 1
fi
```

If this sounds good to you, I can merge pull requests #62 and #63, add a little more code to implement this approach, and then send one big pull request with all of the changes. Even with this approach, it would be good for the key fingerprints to be more widely publicized so that users could more easily verify those in
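The approach above (fetch the key over whatever channel is available, then refuse it unless its fingerprint matches a value pinned in the script) as an added, stand-alone example; this is not code from the raspbian-ua-netinst project. It goes one step further than the sample in the comment: the key file is inspected before anything is imported, and it is rejected unless it contains exactly one primary key, so a file with an extra key appended would not slip into the trusted keyring. It assumes GnuPG 2.1 or newer for `--import-options show-only`; the function names, the destination path and the sample listings are my own and constructed.

```shell
#!/bin/sh
# Added example (not raspbian-ua-netinst code): accept a downloaded archive
# signing key only if it holds exactly one primary key whose full fingerprint
# equals a pinned value. Assumes GnuPG 2.1+ for `--import-options show-only`;
# the checking functions themselves only need awk, sed and tr.

# Print the fingerprint of every *primary* key in a `gpg --with-colons`
# listing read from stdin: the fpr record that directly follows a pub record.
# Subkey fingerprints (fpr records after sub records) are skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub"          { want = 1; next }
        $1 == "fpr" && want  { print $10 }
                             { want = 0 }'
}

# Succeed only if stdin lists exactly one primary key and its fingerprint
# equals $1 (an optional 0x prefix, spaces and lower case are tolerated).
key_is_exactly() {
    expected=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    case "$expected" in
        *[!0-9A-F]* | "") return 1 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 1
    actual=$(primary_fingerprints)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Download $1, check it against pinned fingerprint $2 and, only on success,
# install the key file at $3 (e.g. a file under /etc/apt/trusted.gpg.d/).
# Nothing reaches a trusted keyring unless the check passes, which is why a
# plain http:// URL is acceptable as the download channel.
fetch_and_verify_key() {
    url=$1; expected=$2; dest=$3
    work=$(mktemp -d) || return 1
    if wget -q -O "$work/key.asc" "$url" \
       && gpg --homedir "$work" --batch --quiet --with-colons \
              --import-options show-only --import "$work/key.asc" \
          | key_is_exactly "$expected"
    then
        install -m 0644 "$work/key.asc" "$dest"; status=$?
    else
        echo "ERROR: $url did not yield exactly the key $expected" >&2
        status=1
    fi
    rm -rf "$work"
    return "$status"
}

# Constructed sample listings for offline testing, in the shape gpg emits.
# The primary fingerprints are the two quoted in this thread; key ids, dates,
# user ids and the subkey fingerprint are made up.
sample_listing_single() {
    cat <<'EOF'
pub:-:2048:1:9165938D90FDDD2E:1333238400:::-:::scESC::::::23::0:
fpr:::::::::A0DA38D0D76E8B5D638872819165938D90FDDD2E:
uid:-::::1333238400::0000000000000000000000000000000000000000::Constructed raspbian.org sample uid::::::::::0:
sub:-:2048:1:0123456789ABCDEF:1333238400::::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
EOF
}

# The same file with a second primary key appended. It must be rejected even
# though the expected key is present, because importing it would trust both.
sample_listing_two_keys() {
    sample_listing_single
    cat <<'EOF'
pub:-:2048:1:82B129927FA3303E:1333238400:::-:::scESC::::::23::0:
fpr:::::::::CF8A1AF502A2AA2D763BAE7E82B129927FA3303E:
uid:-::::1333238400::0000000000000000000000000000000000000000::Constructed raspberrypi.org sample uid::::::::::0:
EOF
}

# Usage (needs network access, GnuPG 2.1+ and write access to the destination):
#   fetch_and_verify_key https://archive.raspbian.org/raspbian.public.key \
#       A0DA38D0D76E8B5D638872819165938D90FDDD2E /etc/apt/trusted.gpg.d/raspbian.asc
```

An ASCII-armoured key file can be dropped under /etc/apt/trusted.gpg.d/ with an .asc suffix on apt 1.4 and later; older releases fed the verified file to `apt-key add` instead. The exact-match rule is the part worth keeping whatever the installation step: checking that the expected key is present is weaker than checking that it is the only key present.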
msg from plugwash (signed with his key which is in the debian keyring): I confirm the key being used to sign the Raspbian repository as for 2014-06-17 is pub 2048R/90FDDD2E 2012-04-01 iQIcBAEBCAAGBQJToL6hAAoJEAxI6ip6j/17F2UP/AuWP2+2lbphMoAzxbTgd6Hp
I've now also started a thread on the raspberrypi.org forums in hope of improving the situation:
And yes, this does sound very good to me. If you could use several commits for it, that would be awesome.
I'm inclined to (also) go with
That way it is easy to fix Issue #65 (see #65 (comment)).
Pull request #66 implements the first suggestion:
An alternative is to modify the priorities in
For information, see sections 6.2.5 and 6.2.6 of this page or the man page for
You can check your current priorities by running
Do you know how to do that? I've been trying all day to find a way to install a package (libraspberrypi-bin to provide vcgencmd) from the raspbian archive and not the raspberrypi.org archive. I am kind of wary of providing an
I may/might go for disabling the raspberrypi.org repos at some point, but that would be in a version 1.1.x series and I have no plans for that now.
(not sure if prio 800 is effectively different from 990, but it would make it easier to give repos a prio above and below it)
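The priority alternative discussed in the last few comments, as an added apt preferences fragment that is not from the thread or the project: it prefers archive.raspbian.org over archive.raspberrypi.org for any package both archives carry, which is what the libraspberrypi-bin question asks for. Put it in a file of your own choosing under /etc/apt/preferences.d/; the priorities are mine. `Pin: origin` matches the hostname of the source.

```text
Explanation: Added example, not from the installer. Packages available from
Explanation: both archives are taken from raspbian.org.
Package: *
Pin: origin archive.raspbian.org
Pin-Priority: 800

Package: *
Pin: origin archive.raspberrypi.org
Pin-Priority: 400
```

On the 800 versus 990 question: apt assigns 990 to versions from the configured target release and 500 to every other installable version, so 800 really is different from 990 (a version at 990 would still win) and it leaves room above and below, as the comment suggests. Only a priority above 1000 lets apt downgrade an installed package. The 400 pin still lets packages that exist solely on raspberrypi.org be installed, because a version pinned between 100 and 500 becomes the candidate when no other source offers the package. `apt-cache policy libraspberrypi-bin` shows which source wins after the change.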
The key used to sign the raspberrypi.org archive is now published securely on https://www.raspberrypi.org/raspberrypi.gpg.key -----BEGIN PGP SIGNED MESSAGE----- I confirm the key being used to sign the raspberrypi.org repository is iQEcBAEBAgAGBQJVSO8TAAoJEKQcgohUhKUlTT0H/3lc1X/p3DwgbSrdIiVNLawX
As ShiftPlusOne confirmed the key details via a signed message, posted on http://pastebin.com/8UaWvHRZ and copied 'locally' here: debian-pi#64 (comment) I now consider the downloading of the raspberrypi.org signing key secure. This fixes issue debian-pi#64.
For safe-keeping I've now posted both confirmations on paste.debian.net
This issue is now fixed with the release of v1.0.7 of the Raspbian unattended netinstaller.
I already posted the signed messages in issue debian-pi#64, but they should be part of the git repo. Fashionably late, but better late than never. The signing key for raspbian.org was provided by 'plugwash'. The signing key for raspberrypi.org was provided by 'shiftplusone'. The KeyIDs are used in update.sh for verifying downloaded packages. Signed-off-by: Diederik de Haas <github@cknow.org>
#62 provides verified installation for http://archive.raspbian.org packages, but the installer script also installs the http://archive.raspberrypi.org repository. In order to do so, it downloads the http://archive.raspberrypi.org signing key insecurely with `wget` and adds it to the trusted Apt keyring without any authenticity checks. This download is vulnerable to attack. The best solutions that I can think of are: