[Rpm-maint] [rpm-software-management/rpm] Ignore subkeys that cannot sign (PR #1938)
Justus Winter
notifications at github.com
Mon Feb 28 17:03:20 UTC 2022
> How do you envision any of these subkey scenarios to be exploited, on a broad level?
> Again, considering that these keys would be explicitly imported by the admin.
Those keys are imported by admins all the time. For example, I grabbed this one from a system I have access to:
```
% sq inspect RPM-GPG-KEY-remi2022
RPM-GPG-KEY-remi2022: OpenPGP Certificate.
Fingerprint: B1ABF71E14C9D74897E198A8B19527F1478F8947
Public-key algo: RSA (Encrypt or Sign)
Public-key size: 4096 bits
Creation time: 2021-01-04 14:44:21 UTC
Key flags: certification, signing
Subkey: 52105B25ECC1A09A88A0816D8AF2F648D18AE7D2
Public-key algo: RSA (Encrypt or Sign)
Public-key size: 4096 bits
Creation time: 2021-01-04 14:44:21 UTC
Key flags: transport encryption, data-at-rest encryption
UserID: Remi's RPM repository (https://rpms.remirepo.net/) <remi at remirepo.net>
```
Now, this alone is not an attack, but attacks happen when multiple things go wrong. And in this example, two things already went wrong:
1. First, the curator of that repository created a certificate with an encryption-capable subkey (surely due to insufficient tooling).
2. Second, RPM is willing to verify signatures made by this subkey.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1938#issuecomment-1054466757
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/pull/1938/c1054466757 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20220228/3c559b1a/attachment.html>
More information about the Rpm-maint
mailing list