[Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked or expired (#1598)
Huzaifa Sidhpurwala
notifications at github.com
Sun Jul 4 03:01:37 UTC 2021
> An additional thing, once a key is revoked by a distro (for whatever reason), they usually sign new rpms with the new key. However it does not mean that the older rpms signed by the old key are no longer secure to use. Unless of course the old key has been compromised by the attacker and they sign malicious rpms with that.
>
I mean the rpms signed before the key was revoked.
> So if revocation makes all the installed rpms seem to be signed with the wrong key, then that could be a problem.
>
> Therefore there is some amount of onus on the administrator/user as well.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-873505143
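The verification policy the thread is arguing about, as an added illustration that is not rpm's own code and not part of the original message: a package signature is judged against the signing key's state at signature creation time, a superseded key keeps its pre-revocation signatures usable (with a warning), and a key revoked as compromised invalidates every signature from it, since a compromised key can forge any creation time. All class, function and key-id names, and the sample key/signature data, are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed model of a revocation-aware verification policy (not rpm's code).
# All names and sample values here are hypothetical.


@dataclass
class KeyStatus:
    key_id: str
    expires: Optional[datetime] = None
    revoked_at: Optional[datetime] = None
    revocation_reason: Optional[str] = None   # "superseded" or "compromised"


@dataclass
class PackageSignature:
    package: str
    key_id: str
    signed_at: datetime   # signature creation time carried in the signature itself


def verify(sig: PackageSignature, key: KeyStatus) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts: accept, warn, reject."""
    if sig.key_id != key.key_id:
        return ("reject", "signed with a key that is not the trusted one")
    if key.revoked_at is not None:
        # A compromised key lets the attacker forge signatures with any creation
        # time, so signed_at proves nothing: reject everything from that key.
        if key.revocation_reason == "compromised":
            return ("reject", "key revoked as compromised; no signature from it is trustworthy")
        # Superseded key: packages signed while it was still valid stay usable,
        # but are flagged so the administrator knows the key is no longer current.
        if sig.signed_at >= key.revoked_at:
            return ("reject", "signature created after the key was revoked")
        return ("warn", "signed before revocation by a since-superseded key")
    if key.expires is not None and sig.signed_at >= key.expires:
        return ("reject", "signature created after key expiry")
    return ("accept", "key valid at signing time")


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data: one distro key superseded, one compromised, one expired.
KEY_SUPERSEDED = KeyStatus("DEADBEEF00000001", revoked_at=_ts("2021-06-01T00:00:00"),
                           revocation_reason="superseded")
KEY_COMPROMISED = KeyStatus("DEADBEEF00000002", revoked_at=_ts("2021-06-01T00:00:00"),
                            revocation_reason="compromised")
KEY_EXPIRED = KeyStatus("DEADBEEF00000003", expires=_ts("2020-01-01T00:00:00"))

OLD_SIG = PackageSignature("foo-1.0-1.noarch.rpm", "DEADBEEF00000001", _ts("2021-01-15T00:00:00"))
NEW_SIG = PackageSignature("foo-1.1-1.noarch.rpm", "DEADBEEF00000001", _ts("2021-07-01T00:00:00"))
OLD_SIG_BADKEY = PackageSignature("baz-3.0-1.noarch.rpm", "DEADBEEF00000002", _ts("2021-01-15T00:00:00"))
LATE_SIG_EXPIRED = PackageSignature("bar-2.0-1.noarch.rpm", "DEADBEEF00000003", _ts("2020-03-01T00:00:00"))


def run_samples() -> dict:
    """Verdicts for the constructed samples, keyed by scenario name."""
    return {
        "old_pkg_superseded_key": verify(OLD_SIG, KEY_SUPERSEDED)[0],
        "new_pkg_superseded_key": verify(NEW_SIG, KEY_SUPERSEDED)[0],
        "old_pkg_compromised_key": verify(OLD_SIG_BADKEY, KEY_COMPROMISED)[0],
        "pkg_after_expiry": verify(LATE_SIG_EXPIRED, KEY_EXPIRED)[0],
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

The split between "superseded" and "compromised" is what carries the thread's point: a routine key rotation should not turn every already-installed package into a verification failure, whereas a compromise must, because the attacker can backdate signatures and the creation time can no longer be trusted.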