From 7e6201fc0304bc1122bdef5884b741c42d097998 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 27 Sep 2011 09:41:18 +0200 Subject: fix apt-key net-update by erroring out if there are any duplicated keys in master-keyring and add-keyring (see lp #857472) and add regression test --- cmdline/apt-key | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'cmdline') diff --git a/cmdline/apt-key b/cmdline/apt-key index 4d2b7c49f..8a3f5ba54 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -50,6 +50,17 @@ add_keys_with_verify_against_master_keyring() { # from a key in the $distro-master-keyring add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` + # verify to ensure that there are no key id duplications that may be + # used to attack the system, see LP: #857472 + for add_key in $add_keys; do + for master_key in $master_keys; do + if [ "$add_key" = "$master_key" ]; then + echo >&2 "Keyid collision for '$add_key' detected, operation aborted" + return 1 + fi + done + done + # add all keys signed with any of the master key(s) for add_key in $add_keys; do ADDED=0 for master_key in $master_keys; do -- cgit v1.2.3 From 00b19b328c738954169c165aa6f734ade6962fa5 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 4 Oct 2011 09:22:43 +0200 Subject: cmdline/apt-key: use --verify-sigs instead of --list-sigs --- cmdline/apt-key | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'cmdline') diff --git a/cmdline/apt-key b/cmdline/apt-key index 8a3f5ba54..104ca656b 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -64,7 +64,7 @@ add_keys_with_verify_against_master_keyring() { for add_key in $add_keys; do ADDED=0 for master_key in $master_keys; do - if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then + if $GPG_CMD --keyring $ADD_KEYRING --verify-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import ADDED=1 fi -- cgit v1.2.3 From f20750cb30baaf00ca1b87f2ae55e6a0eb900f2b Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 4 Oct 2011 18:01:41 +0200 Subject: export/import keys one-by-one --- cmdline/apt-key | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt-key b/cmdline/apt-key index 104ca656b..617fed4f8 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -22,7 +22,7 @@ MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg ARCHIVE_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg REMOVED_KEYS=/usr/share/keyrings/ubuntu-archive-removed-keys.gpg ARCHIVE_KEYRING_URI=http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg - +TMP_KEYRING=/var/lib/apt/keyrings/maybe-import-keyring.gpg requires_root() { if [ "$(id -u)" -ne 0 ]; then @@ -34,7 +34,7 @@ requires_root() { add_keys_with_verify_against_master_keyring() { ADD_KEYRING=$1 MASTER=$2 - + if [ ! -f "$ADD_KEYRING" ]; then echo "ERROR: '$ADD_KEYRING' not found" return @@ -50,22 +50,26 @@ add_keys_with_verify_against_master_keyring() { # from a key in the $distro-master-keyring add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` - # verify to ensure that there are no key id duplications that may be - # used to attack the system, see LP: #857472 + + ADDED=0 for add_key in $add_keys; do + + # ensure there are no colisions LP: #857472 for master_key in $master_keys; do if [ "$add_key" = "$master_key" ]; then echo >&2 "Keyid collision for '$add_key' detected, operation aborted" return 1 fi done - done - # add all keys signed with any of the master key(s) - for add_key in $add_keys; do - ADDED=0 + + # export the add keyring one-by-one + rm -f $TMP_KEYRING + $GPG_CMD --keyring $ADD_KEYRING --export $add_key | $GPG_CMD --keyring $TMP_KEYRING --import --trust-model direct + + # check if signed with the master key and only add in this case for master_key in $master_keys; do - if $GPG_CMD --keyring $ADD_KEYRING --verify-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then - $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import + if $GPG_CMD --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then + $GPG --import $TMP_KEYRING ADDED=1 fi done @@ -73,14 +77,13 @@ add_keys_with_verify_against_master_keyring() { echo >&2 "Key '$add_key' not added. It is not signed with a master key" fi done + rm -f $TMP_KEYRING } # update the current archive signing keyring from a network URI # the archive-keyring keys needs to be signed with the master key # (otherwise it does not make sense from a security POV) net_update() { - # Disabled for now as code is insecure - exit 1 if [ -z "$ARCHIVE_KEYRING_URI" ]; then echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" -- cgit v1.2.3 From a57ced3e09b68fa3afda71605a51f87304ca7f5d Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 5 Oct 2011 18:33:44 +0200 Subject: cmdline/apt-key: move ADDED into the right place, thanks to Marc Deslauriers --- cmdline/apt-key | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'cmdline') diff --git a/cmdline/apt-key b/cmdline/apt-key index 617fed4f8..cd7824df1 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -51,7 +51,6 @@ add_keys_with_verify_against_master_keyring() { add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` - ADDED=0 for add_key in $add_keys; do # ensure there are no colisions LP: #857472 @@ -67,6 +66,7 @@ add_keys_with_verify_against_master_keyring() { $GPG_CMD --keyring $ADD_KEYRING --export $add_key | $GPG_CMD --keyring $TMP_KEYRING --import --trust-model direct # check if signed with the master key and only add in this case + ADDED=0 for master_key in $master_keys; do if $GPG_CMD --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then $GPG --import $TMP_KEYRING -- cgit v1.2.3 From 27c251b98640130c7d9a3dae6fd66a8a4a22b6d5 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 5 Oct 2011 20:52:42 +0200 Subject: cmdline/apt-key: use --output instead of the the pipe and import, thanks to mdeslaur and infinity for the code review --- cmdline/apt-key | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'cmdline') diff --git a/cmdline/apt-key b/cmdline/apt-key index cd7824df1..c522d54fe 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -63,7 +63,7 @@ add_keys_with_verify_against_master_keyring() { # export the add keyring one-by-one rm -f $TMP_KEYRING - $GPG_CMD --keyring $ADD_KEYRING --export $add_key | $GPG_CMD --keyring $TMP_KEYRING --import --trust-model direct + $GPG_CMD --keyring $ADD_KEYRING --export $add_key --output $TMP_KEYRING # check if signed with the master key and only add in this case ADDED=0 -- cgit v1.2.3 From f180f39e94c189799b0a0668de801519a5a6108d Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 5 Oct 2011 21:42:34 +0200 Subject: cmdline/apt-key: fix --check-sigs to ensure that the signature can verify and also add master keyring to ensure that we can actually verify the signature --- cmdline/apt-key | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt-key b/cmdline/apt-key index c522d54fe..9c7804d5b 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -63,12 +63,11 @@ add_keys_with_verify_against_master_keyring() { # export the add keyring one-by-one rm -f $TMP_KEYRING - $GPG_CMD --keyring $ADD_KEYRING --export $add_key --output $TMP_KEYRING - + $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key # check if signed with the master key and only add in this case ADDED=0 for master_key in $master_keys; do - if $GPG_CMD --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then + if $GPG_CMD --keyring $MASTER_KEYRING --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then $GPG --import $TMP_KEYRING ADDED=1 fi -- cgit v1.2.3 From 04a8d1205d87c085ff6349d7e7824c5571282dba Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 5 Oct 2011 21:51:07 +0200 Subject: cmdline/apt-key: use MASTER instead of MASTER_KEYRING as the former is the argument of the function --- cmdline/apt-key | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'cmdline') diff --git a/cmdline/apt-key b/cmdline/apt-key index 9c7804d5b..7bfe47fca 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -67,7 +67,7 @@ add_keys_with_verify_against_master_keyring() { # check if signed with the master key and only add in this case ADDED=0 for master_key in $master_keys; do - if $GPG_CMD --keyring $MASTER_KEYRING --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then + if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then $GPG --import $TMP_KEYRING ADDED=1 fi -- cgit v1.2.3