lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20120614141749.GD2776@sivokote.iziade.m$>
Date: Thu, 14 Jun 2012 17:17:49 +0300
From: Georgi Guninski <guninski@...inski.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Using second gpg keyring may be misleading?

There is chance someone exploits this in apt-key...

Attached is a keyring and here is the output:

$rm -rf /home/joro2/.gnupg/ ; gpg --import /usr/share/keyrings/ubuntu-master-keyring.gpg ; gpg --check-sigs --keyring /tmp/sec3
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found
/home/joro2/.gnupg/pubring.gpg
------------------------------
pub   4096R/3F272F5B 2007-11-09
uid                  Ubuntu Archive Master Signing Key <ftpmaster@...ntu.com>
sig!3        3F272F5B 2007-11-09  Ubuntu Archive Master Signing Key <ftpmaster@...ntu.com>

/tmp/sec3
---------
pub   1024R/B1C08810 2012-06-14
uid                  kkkkkkk5 <k@k>
sig!3        B1C08810 2012-06-14  [User ID not found]
sig!         3F272F5B 2012-06-14  Ubuntu Archive Master Signing Key <ftpmaster@...ntu.com>
sig!         3F272F5B 2012-06-14  Ubuntu Archive Master Signing Key <ftpmaster@...ntu.com>
sub   1024R/0354AE88 2012-06-14
sig!         B1C08810 2012-06-14  [User ID not found]
sub   2179R/3F272F5B 2012-06-14
sig!         B1C08810 2012-06-14  [User ID not found]

1 signature not checked due to a missing key


$rm -rf /home/joro2/.gnupg/ ; gpg --import /usr/share/keyrings/ubuntu-master-keyring.gpg ; gpg --no-default-keyring --check-sigs --keyring /tmp/sec3

gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found
/tmp/sec3
---------
pub   1024R/B1C08810 2012-06-14
uid                  kkkkkkk5 <k@k>
sig!3        B1C08810 2012-06-14  kkkkkkk5 <k@k>
sig!         3F272F5B 2012-06-14  kkkkkkk5 <k@k>
sig!         3F272F5B 2012-06-14  kkkkkkk5 <k@k>
sub   1024R/0354AE88 2012-06-14
sig!         B1C08810 2012-06-14  kkkkkkk5 <k@k>
sub   2179R/3F272F5B 2012-06-14
sig!         B1C08810 2012-06-14  kkkkkkk5 <k@k>


Download attachment "sec3" of type "application/octet-stream" (2033 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ