SKS keyserver is under attack. Certificates might get poisoned

essence-of-foo · 2019-06-29 16:30:12

https://gist.github.com/rjhansen/67ab92 … 8d6955275f

How should we as Arch users react to this situation? My /etc/pacman.d/gnupg/gpg.conf uses `keyserver hkp://pool.sks-keyservers.net` which now could potentially brick my GPG installation. Do we need a separate keyserver that only trusted users can push onto?

bart_vv · 2019-06-29 21:10:48

This looks bad. Are other distros also using GPG for package signing? What are they considering as a solution?

progandy · 2019-06-29 21:51:03

Arch Linux does not use the keyservers to update the pacman keyring. That is done with the archlinux-keyring package. Just make sure you don't execute the "refresh-keys" or "recv-keys" commands of "pacman-key".

Edit: If you build your own (AUR) packages, don't use automatic key retrieval or at least do it with a special build user so you don't brick the gpg keyring of your normal user account. Look for the keys manually on pool.sks-keyservers.net, and only import them if they are not bloated with spam. (neverending text after -----BEGIN PGP PUBLIC KEY BLOCK----- )

Last edited by progandy (2019-06-29 21:58:09)

rodneyp290 · 2019-07-02 00:57:52

There is a mitigation section in the article:
https://gist.github.com/rjhansen/67ab92 … itigations

Users who are confident editing their GnuPG configuration files should follow the following process:
1. Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it.
2. Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it.

Can anyone confirm if this is suitable for Arch?

jasonwryan · 2019-07-02 02:04:10

rodneyp290 wrote:

There is a mitigation section in the article:
...
Can anyone confirm if this is suitable for Arch?

This is for your user keychain, not Arch's; but yes, you could do this.

loqs · 2019-07-02 14:28:55

@rodneyp290 I have not been able to add a key I do not already have from the keyserver hkps://keys.openpgp.org but it may be suitable for refresh-keys.

progandy · 2019-07-02 14:39:09

loqs wrote:

@rodneyp290 I have not been able to add a key I do not already have from the keyserver hkps://keys.openpgp.org but it may be suitable for refresh-keys.

This new keyserver only publishes keys without any identifying information like user ids to comply with the GDPR. Currently gnupg doesn't work with such keys. Only after you explicitly allow publishing will it be added, keys where that was done should work I think.

https://keys.openpgp.org/about/faq#older-gnupg

Last edited by progandy (2019-07-02 14:43:20)

loqs · 2019-07-10 16:32:40

https://lists.gnupg.org/pipermail/gnupg … 00439.html

gnupg 2.2.17 includes client side mitigation's but I believe the change of default to self-sigs-only breaks Web of Trust which may impact the archlinux-keyring when fetching a missing key.
Edit:
Possible solutions for the archlinux-keyring:

Private keyserver such as used by Debian
WKD

Last edited by loqs (2019-07-10 20:47:45)

Arch Linux

#1 2019-06-29 16:30:12

SKS keyserver is under attack. Certificates might get poisoned

#2 2019-06-29 21:10:48

Re: SKS keyserver is under attack. Certificates might get poisoned

#3 2019-06-29 21:51:03

Re: SKS keyserver is under attack. Certificates might get poisoned

#4 2019-07-02 00:57:52

Re: SKS keyserver is under attack. Certificates might get poisoned

#5 2019-07-02 02:04:10

Re: SKS keyserver is under attack. Certificates might get poisoned

#6 2019-07-02 14:28:55

Re: SKS keyserver is under attack. Certificates might get poisoned

#7 2019-07-02 14:39:09

Re: SKS keyserver is under attack. Certificates might get poisoned

#8 2019-07-10 16:32:40

Re: SKS keyserver is under attack. Certificates might get poisoned

Board footer