[Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked or expired (#1598)

Zoltan Kelemen notifications at github.com
Mon Jul 5 09:12:09 UTC 2021


> Perhaps the best solution is to ensure (by appropriate use of HSMs) that the key cannot be leaked.

Yes, that goes a long way toward mitigating the problem and is hopefully already used by the major distributions.

But the risk is not completely eliminated, since the usage of the HSM itself may have become compromised. An attacker may have gained access to a system with HSM access and issued malicious signatures. If this should happen, a key replacement is most probably warranted.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-873946795