You are not logged in.
Commit 1e125e6ae4dbe3726e3bac94e1d17987efe90fa4 to archlinux-keyring has description
Revoke the key C6C11350 of Federico Cinelli
and in the file packager-revoked-keyids it says
BC1FBE4D2826A0B51E47ED62E2539214C6C11350 cinelli User is no longer in possession of his key
I didn't see anything in security / announce about this (or anywhere else on the board, or rss) so I assume it's no big deal, but I figure I'll ask anyways: is there any need to be concerned? Is this a "key was deleted" or a "key was compromised" (I cannot tell which for certain from the wording above)?
Thanks!
Last edited by tck42 (2013-06-01 08:29:43)
Offline
This key is still in my keyring. Moreover, it is still on the keyservers:
$ sudo pacman-key --refresh-keys C6C11350
gpg: refreshing 1 key from hkp://pgp.mit.edu
gpg: requesting key C6C11350 from hkp server pgp.mit.edu
gpg: key C6C11350: "Federico Cinelli <cinelli.federico@gmail.com>" 1 new signature
gpg: Total number processed: 1
gpg: new signatures: 1
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 6 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 6 signed: 64 trust: 1-, 0q, 0n, 5m, 0f, 0u
gpg: depth: 2 valid: 63 signed: 3 trust: 63-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2014-01-22
I tried refreshing all keys but it timed out. There is one new signature? Confused...
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Offline
My gpg knowledge is weak, and I know even less about the keyserver stuff but I think the revocation that's done as part of the referenced commit is separate from gpg revocation (just from reading pacman-key); basically the revocation list is at /usr/share/pacman/keyrings/archlinux-revoked, and it's read upon running pacman-key --populate archlinux. They list all KeyIDs associated with each ID in that file and then just disable it outright. I think you can verify by doing
pacman-key --list-keys -- --with-colons C6C11350 |grep '^pub' |awk -F: '{print $12}'
and checking for a "D" in the output (meaning disabled). I get "scESCD".
I guess if you don't get a "D" in that list you should rerun
sudo pacman-key --populate archlinux
and check again. So it looks like the update did disable the key, but I still wouldn't mind a confirmation that there was no exposure; that key got added on 4/6, only to removed less than 2 months later...
The only other thing that I found interesting is that there _do_ seem to be gpg revocations attached to the key:
$ pacman-key --list-keys -- --with-sig-list C6C11350
gpg: NOTE: trustdb not writable
pub 2048R/C6C11350 2012-11-30
uid Federico Cinelli <cinelli.federico@gmail.com>
sig 3 C6C11350 2012-11-30 Federico Cinelli <cinelli.federico@gmail.com>
sig 4C7EA887 2013-03-11 Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sig 824B18E8 2013-03-11 Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>
sig 6AC6A4C2 2013-04-06 Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig FFF979E7 2013-03-11 Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>
rev 4C7EA887 2013-05-25 Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
rev 6AC6A4C2 2013-05-25 Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sub 2048R/113502DE 2012-11-30
sig C6C11350 2012-11-30 Federico Cinelli <cinelli.federico@gmail.com>
Note the two lines starting with "rev". I'm not sure how that changes how the key can / can't be used (since I guess that's only 2 / 4 revoked). I guess I have some long overdue reading to do...
cfr - if you (or anyone else reading this) are more familiar with gpg can confirm or correct any of the above that would be great...
Offline
The Trusted User had his laptop stolen that contained the key. He claims it was encrypted though. So we went ahead and revoked that key right away just to be sure.
The revokation is achieved first by adding it to the -revoked file which will disable the key. In addition to this the master key signatures were revoked as well so this key will no longer be accepted by pacman (even if the -revoked list fails or is not used).
Offline
Ah - understood. Thanks very much for the details, I will sleep much easier tonight.
Offline
Thanks also.
@tck42,
What does -- --with-colons do? Normally -- marks the end of options but then I'm confused. Certainly --with-colons doesn't seem to be a pacman-key option according to the help/manual page.
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Offline
@cfr - You're correct; -- tells pacman-key to stop processing options. However, since for the arguments we're passing pacman-key is just wrapping gpg (basically just gpg but against the pacman key db), the "--with-colons" gets passed to gpg along with the other arguments (instead of being processed by pacman-key). --with-colons from gpg's man page:
--with-colons
Print key listings delimited by colons. Note that the output
will be encoded in UTF-8 regardless of any --display-charset
setting. This format is useful when GnuPG is called from scripts
and other programs as it is easily machine parsed. The details
of this format are documented in the file ‘doc/DETAILS’, which
is included in the GnuPG source distribution.
That's the only way I found that would show the "disabled" flag.
Offline
Thanks very much for the explanation. I didn't realise things worked that way. Very good to know.
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Offline