You are not logged in.

#1 2013-05-31 02:27:09

tck42
Member
From: Evanston, IL
Registered: 2013-01-22
Posts: 4

[SOLVED] Question re: latest commit to archlinux-keyring

Commit 1e125e6ae4dbe3726e3bac94e1d17987efe90fa4 to archlinux-keyring has description

Revoke the key C6C11350 of Federico Cinelli

and in the file packager-revoked-keyids it says

BC1FBE4D2826A0B51E47ED62E2539214C6C11350 cinelli User is no longer in possession of his key

I didn't see anything in security / announce about this (or anywhere else on the board, or rss) so I assume it's no big deal, but I figure I'll ask anyways: is there any need to be concerned? Is this a "key was deleted" or a "key was compromised" (I cannot tell which for certain from the wording above)?

Thanks!

Last edited by tck42 (2013-06-01 08:29:43)

Offline

#2 2013-06-01 02:45:31

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [SOLVED] Question re: latest commit to archlinux-keyring

This key is still in my keyring. Moreover, it is still on the keyservers:

$ sudo pacman-key --refresh-keys C6C11350

gpg: refreshing 1 key from hkp://pgp.mit.edu
gpg: requesting key C6C11350 from hkp server pgp.mit.edu
gpg: key C6C11350: "Federico Cinelli <cinelli.federico@gmail.com>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   6  signed:  64  trust: 1-, 0q, 0n, 5m, 0f, 0u
gpg: depth: 2  valid:  63  signed:   3  trust: 63-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2014-01-22

I tried refreshing all keys but it timed out. There is one new signature? Confused...


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

#3 2013-06-01 07:38:39

tck42
Member
From: Evanston, IL
Registered: 2013-01-22
Posts: 4

Re: [SOLVED] Question re: latest commit to archlinux-keyring

My gpg knowledge is weak, and I know even less about the keyserver stuff but I think the revocation that's done as part of the referenced commit is separate from gpg revocation (just from reading pacman-key); basically the revocation list is at /usr/share/pacman/keyrings/archlinux-revoked, and it's read upon running pacman-key --populate archlinux. They list all KeyIDs associated with each ID in that file and then just disable it outright. I think you can verify by doing

pacman-key --list-keys -- --with-colons C6C11350 |grep '^pub' |awk -F: '{print $12}'

and checking for a "D" in the output (meaning disabled). I get "scESCD".

I guess if you don't get a "D" in that list you should rerun

sudo pacman-key --populate archlinux

and check again. So it looks like the update did disable the key, but I still wouldn't mind a confirmation that there was no exposure; that key got added on 4/6, only to removed less than 2 months later...

The only other thing that I found interesting is that there _do_ seem to be gpg revocations attached to the key:

$ pacman-key --list-keys -- --with-sig-list  C6C11350
gpg: NOTE: trustdb not writable
pub   2048R/C6C11350 2012-11-30
uid                  Federico Cinelli <cinelli.federico@gmail.com>
sig 3        C6C11350 2012-11-30  Federico Cinelli <cinelli.federico@gmail.com>
sig          4C7EA887 2013-03-11  Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sig          824B18E8 2013-03-11  Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>
sig          6AC6A4C2 2013-04-06  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig          FFF979E7 2013-03-11  Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>
rev          4C7EA887 2013-05-25  Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
rev          6AC6A4C2 2013-05-25  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sub   2048R/113502DE 2012-11-30
sig          C6C11350 2012-11-30  Federico Cinelli <cinelli.federico@gmail.com>

Note the two lines starting with "rev". I'm not sure how that changes how the key can / can't be used (since I guess that's only 2 / 4 revoked). I guess I have some long overdue reading to do...

cfr - if you (or anyone else reading this) are more familiar with gpg can confirm or correct any of the above that would be great...

Offline

#4 2013-06-01 08:04:18

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: [SOLVED] Question re: latest commit to archlinux-keyring

The Trusted User had his laptop stolen that contained the key. He claims it was encrypted though. So we went ahead and revoked that key right away just to be sure.

The revokation is achieved first by adding it to the -revoked file which will disable the key. In addition to this the master key signatures were revoked as well so this key will no longer be accepted by pacman (even if the -revoked list fails or is not used).

Offline

#5 2013-06-01 08:28:31

tck42
Member
From: Evanston, IL
Registered: 2013-01-22
Posts: 4

Re: [SOLVED] Question re: latest commit to archlinux-keyring

Ah - understood. Thanks very much for the details, I will sleep much easier tonight. smile

Offline

#6 2013-06-01 21:08:31

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [SOLVED] Question re: latest commit to archlinux-keyring

Thanks also.

@tck42,
What does -- --with-colons do? Normally -- marks the end of options but then I'm confused. Certainly --with-colons doesn't seem to be a pacman-key option according to the help/manual page.


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

#7 2013-06-08 19:35:24

tck42
Member
From: Evanston, IL
Registered: 2013-01-22
Posts: 4

Re: [SOLVED] Question re: latest commit to archlinux-keyring

@cfr - You're correct; -- tells pacman-key to stop processing options. However, since for the arguments we're passing pacman-key is just wrapping gpg (basically just gpg but against the pacman key db), the "--with-colons" gets passed to gpg along with the other arguments (instead of being processed by pacman-key). --with-colons from gpg's man page:

       --with-colons
              Print key listings delimited by colons.  Note  that  the  output
              will  be  encoded  in  UTF-8 regardless of any --display-charset
              setting. This format is useful when GnuPG is called from scripts
              and  other  programs as it is easily machine parsed. The details
              of this format are documented in the file  ‘doc/DETAILS’,  which
              is included in the GnuPG source distribution.

That's the only way I found that would show the "disabled" flag.

Offline

#8 2013-06-08 21:01:42

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [SOLVED] Question re: latest commit to archlinux-keyring

Thanks very much for the explanation. I didn't realise things worked that way. Very good to know.


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

Board footer

Powered by FluxBB