
#1 2019-06-29 16:30:12

essence-of-foo
Member
Registered: 2008-07-12
Posts: 67

SKS keyserver is under attack. Certificates might get poisoned

https://gist.github.com/rjhansen/67ab92 … 8d6955275f

How should we as Arch users react to this situation? My /etc/pacman.d/gnupg/gpg.conf uses `keyserver hkp://pool.sks-keyservers.net` which now could potentially brick my GPG installation. Do we need a separate keyserver that only trusted users can push onto?


#2 2019-06-29 21:10:48

bart_vv
Member
From: Poland
Registered: 2011-04-12
Posts: 51

Re: SKS keyserver is under attack. Certificates might get poisoned

This looks bad. Are other distros also using GPG for package signing? What are they considering as a solution?


#3 2019-06-29 21:51:03

progandy
Member
Registered: 2012-05-17
Posts: 3,587

Re: SKS keyserver is under attack. Certificates might get poisoned

Arch Linux does not use the keyservers to update the pacman keyring. That is done with the archlinux-keyring package. Just make sure you don't execute the "refresh-keys" or "recv-keys" commands of "pacman-key".

Edit: If you build your own (AUR) packages, don't use automatic key retrieval or at least do it with a special build user so you don't brick the gpg keyring of your normal user account. Look for the keys manually on pool.sks-keyservers.net, and only import them if they are not bloated with spam. (never-ending text after -----BEGIN PGP PUBLIC KEY BLOCK----- )

Last edited by progandy (2019-06-29 21:58:09)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
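The "only import them if they are not bloated" check above can be automated before a key ever touches a keyring. The following is an added example written for this thread; it is not code from the post, from Arch or from GnuPG. It parses only the packet framing of an armored key (old and new format headers per RFC 4880) and counts packet types, so a key carrying thousands of third-party certifications is rejected before import. The thresholds and the sample keys are assumptions: the sample keys are constructed from dummy packet bodies and are not valid key material, which does not matter because the checker never interprets bodies.

```python
# Added example (not from the thread, Arch or GnuPG): sanity-check an armored
# OpenPGP public key for certification spam before letting it near a keyring.
# Only packet framing (RFC 4880 section 4.2) is parsed; bodies are never read.
import base64

TAG_NAMES = {2: "signature", 6: "public-key", 13: "user-id",
             14: "public-subkey", 17: "user-attribute"}


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor (BEGIN/END lines, armor headers, CRC line), base64-decode."""
    lines = armored.splitlines()
    begins = [i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP")]
    ends = [i for i, l in enumerate(lines) if l.startswith("-----END PGP")]
    if not begins or not ends:
        raise ValueError("not an ASCII-armored OpenPGP block")
    data, seen_blank = [], False
    for line in lines[begins[0] + 1:ends[0]]:
        if not seen_blank:           # armor headers (Version:, Comment:) end at a blank line
            seen_blank = line.strip() == ""
            continue
        if line.startswith("="):     # CRC24 checksum line, not packet data
            continue
        data.append(line.strip())
    return base64.b64decode("".join(data))


def iter_packets(data: bytes):
    """Yield (tag, body) for every packet; handles old- and new-format headers."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        i += 1
        if ctb & 0x40:                       # new-format header
            tag, body, partial = ctb & 0x3F, b"", True
            while partial:                   # loop covers partial body lengths
                b1 = data[i]
                i += 1
                if b1 < 192:
                    length, partial = b1, False
                elif b1 < 224:
                    length, partial = ((b1 - 192) << 8) + data[i] + 192, False
                    i += 1
                elif b1 == 255:
                    length, partial = int.from_bytes(data[i:i + 4], "big"), False
                    i += 4
                else:                        # partial chunk, more chunks follow
                    length = 1 << (b1 & 0x1F)
                body += data[i:i + length]
                i += length
        else:                                # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3:                   # indeterminate: runs to end of data
                length = n - i
            else:
                width = (1, 2, 4)[ltype]
                length = int.from_bytes(data[i:i + width], "big")
                i += width
            body = data[i:i + length]
            i += length
        if i > n:
            raise ValueError("truncated packet")
        yield tag, body


def summarize(armored: str) -> dict:
    """Count packets by type and report the decoded size of the key."""
    raw = dearmor(armored)
    counts = {}
    for tag, _body in iter_packets(raw):
        name = TAG_NAMES.get(tag, f"tag-{tag}")
        counts[name] = counts.get(name, 0) + 1
    return {"bytes": len(raw), "packets": counts}


def is_safe_to_import(armored: str, max_signatures: int = 500,
                      max_bytes: int = 1_000_000) -> bool:
    """Thresholds are assumptions: a normal key has a handful of certifications."""
    s = summarize(armored)
    return (s["packets"].get("signature", 0) <= max_signatures
            and s["bytes"] <= max_bytes)


# --- constructed sample input: dummy packet bodies, not real key material ---
def _new_format_packet(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 192:
        hdr = bytes([0xC0 | tag, n])
    elif n < 8384:
        hdr = bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = bytes([0xC0 | tag, 255]) + n.to_bytes(4, "big")
    return hdr + body


def build_armored(packets) -> str:
    raw = b"".join(_new_format_packet(t, b) for t, b in packets)
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + body +
            "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")   # placeholder CRC line


_KEY = [(6, bytes(60)), (13, b"Alice <alice@example.org>")]
CLEAN_KEY = build_armored(_KEY + [(2, bytes(80)), (14, bytes(60)), (2, bytes(80))])
BLOATED_KEY = build_armored(_KEY + [(2, bytes(80))] * 5000)

if __name__ == "__main__":
    for name, key in (("clean", CLEAN_KEY), ("bloated", BLOATED_KEY)):
        print(name, summarize(key)["packets"], "import ok:", is_safe_to_import(key))
```

With GnuPG itself the same count comes from `gpg --list-packets key.asc | grep -c ':signature packet:'`, and `gpg --import-options show-only --import key.asc` previews a key without writing it to the keyring; either is a reasonable manual step for the build-user workflow described in the post.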


#4 2019-07-02 00:57:52

rodneyp290
Member
Registered: 2019-07-02
Posts: 1

Re: SKS keyserver is under attack. Certificates might get poisoned

There is a mitigation section in the article:
https://gist.github.com/rjhansen/67ab92 … itigations

Users who are confident editing their GnuPG configuration files should follow the following process:
1. Open `gpg.conf` in a text editor. Ensure there is no line starting with `keyserver`. If there is, remove it.
2. Open `dirmngr.conf` in a text editor. Add the line `keyserver hkps://keys.openpgp.org` to the end of it.

Can anyone confirm if this is suitable for Arch?


#5 2019-07-02 02:04:10

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 28,135

Re: SKS keyserver is under attack. Certificates might get poisoned

rodneyp290 wrote:

There is a mitigation section in the article:
...
Can anyone confirm if this is suitable for Arch?

This is for your user keychain, not Arch's; but yes, you could do this.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#6 2019-07-02 14:28:55

loqs
Member
Registered: 2014-03-06
Posts: 9,104

Re: SKS keyserver is under attack. Certificates might get poisoned

@rodneyp290 I have not been able to add a key I do not already have from the keyserver hkps://keys.openpgp.org but it may be suitable for refresh-keys.


#7 2019-07-02 14:39:09

progandy
Member
Registered: 2012-05-17
Posts: 3,587

Re: SKS keyserver is under attack. Certificates might get poisoned

loqs wrote:

@rodneyp290 I have not been able to add a key I do not already have from the keyserver hkps://keys.openpgp.org but it may be suitable for refresh-keys.

This new keyserver only publishes keys without any identifying information like user ids to comply with the GDPR. Currently gnupg doesn't work with such keys. Only after you explicitly allow publishing will it be added; keys where that was done should work, I think.

https://keys.openpgp.org/about/faq#older-gnupg

Last edited by progandy (2019-07-02 14:43:20)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#8 2019-07-10 16:32:40

loqs
Member
Registered: 2014-03-06
Posts: 9,104

Re: SKS keyserver is under attack. Certificates might get poisoned

https://lists.gnupg.org/pipermail/gnupg … 00439.html

gnupg 2.2.17 includes client side mitigations but I believe the change of default to self-sigs-only breaks Web of Trust which may impact the archlinux-keyring when fetching a missing key.
Edit:
Possible solutions for the archlinux-keyring:

  • Private keyserver such as used by Debian

  • WKD

Last edited by loqs (2019-07-10 20:47:45)
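WKD, named above as one option, avoids keyservers entirely: the client fetches the key over HTTPS from the mail domain itself, at a URL derived from the address, so nobody outside that domain can attach data to the key. The following is an added example, not code from the thread or from GnuPG; it implements the URL derivation from the WKD draft (draft-koch-openpgp-webkey-service): lower-case the local part, SHA-1 it, z-base-32 encode the digest, and build the advanced and direct method URLs. The address used in the main block is the draft's own worked example.

```python
# Added example (not from the thread or GnuPG): derive Web Key Directory lookup
# URLs for a mail address as specified in draft-koch-openpgp-webkey-service.
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the hashed local part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """z-base-32 encode: 5-bit groups, most significant bits first, no padding."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                          # pad the tail to a whole 5-bit group
    value = int.from_bytes(data, "big") << pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 31]
                   for shift in range(nbits + pad - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """WKD hashes the lower-cased local part with SHA-1, then z-base-32 encodes it."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32(digest)                      # 160 bits -> exactly 32 characters


def wkd_urls(address: str) -> dict:
    """Return the advanced-method and direct-method URLs a WKD client would try."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    query = "?l=" + quote(local, safe="")       # original local part, as the draft requires
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
    }


if __name__ == "__main__":
    # Example address from the WKD draft; the domain is not contacted here.
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(method, url)
```

GnuPG performs this lookup itself with `gpg --auto-key-locate wkd --locate-keys user@example.org`; a keyring setup that relies on WKD needs the domains in question to publish their keys there.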

