zlacker

1. dredmo+(OP) 2018-07-29 08:01:55
Still not safe.

Verify key signatures.

And I really wish GPG had a negative trust signature.

replies(2): >>Dylan1+i4 >>fulafe+O4
2. Dylan1+i4 2018-07-29 10:04:27
>>dredmo+(OP)
Verify it against what?
replies(1): >>dredmo+c5
3. fulafe+O4 2018-07-29 10:16:51
>>dredmo+(OP)
Yeah, if there are signatures then it doesn't matter. But often both are a miss.

E.g. the key from https://docs.docker.com/install/linux/docker-ce/ubuntu/#set-... doesn't have signatures, and isn't on the keyservers.

Of course an unsigned key missing from the keyservers still has the advantage that on subsequent installs/updates, the previously downloaded key persists. And you can keep the initially downloaded key in your CI configs.

4. dredmo+c5 2018-07-29 10:26:47
>>Dylan1+i4
See what keys have signed a given key. See Debian maintainer keys as an example.

This is ... not everything that it could be, and is approaching 30 years old, technology built for a vastly different world.

But this is the basis of the GPG / PGP Web of Trust.

https://en.wikipedia.org/wiki/Web_of_trust

http://www.pgpi.org/doc/pgpintro/

http://www.rubin.ch/pgp/weboftrust.en.html

(I've addressed this point ... a distressing number of times on HN: https://hn.algolia.com/?query=dredmorbius%20web%20of%20trust...)

replies(1): >>dcbada+H8
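"See what keys have signed a given key" is mechanical once you have gpg's machine-readable listing. The parser below is an added example, not from any commenter: it reads the colon-separated output of `gpg --with-colons --list-sigs <keyid>`, separates third-party certifications from the key's own self-signatures, and checks the signers against a set of trust anchors you supply. The listing and the anchor key ID are constructed sample data, not real keys.

```python
"""Which keys have certified this key?  Parses `gpg --with-colons --list-sigs` output."""
from dataclasses import dataclass

# Constructed sample of `gpg --with-colons --list-sigs 0123456789ABCDEF` (not a real key).
# Field 5 = key ID, field 10 = user ID, field 11 = signature class (10x..13x = certification).
SAMPLE_LISTING = """\
pub:-:4096:1:0123456789ABCDEF:1500000000:::-:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:-::::1500000000::0A1B2C3D::Example Maintainer <maint@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Example Maintainer <maint@example.org>:13x:::::8:
sig:::1:FEDCBA9876543210:1500100000::::Other Dev <other@example.net>:10x:::::8:
sig:::1:1111222233334444:1500200000::::[User ID not found]:10x:::::8:
sub:-:4096:1:89ABCDEF01234567:1500000000::::::e::::::23:
sig:::1:0123456789ABCDEF:1500000000::::Example Maintainer <maint@example.org>:18x:::::8:
"""

CERTIFICATION_CLASSES = ("10", "11", "12", "13")  # generic/persona/casual/positive


@dataclass(frozen=True)
class Certification:
    signer_keyid: str
    signer_uid: str   # "[User ID not found]" when the signer's key is not in the keyring
    sig_class: str
    on_uid: str       # which user ID of the inspected key was certified


def parse_certifications(listing: str):
    """Return (own_keyid, [Certification, ...]) for every signature on a user ID."""
    own_keyid, current_uid, certs = None, None, []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            own_keyid = f[4]
        elif f[0] == "uid":
            current_uid = f[9]
        elif f[0] == "sub":
            current_uid = None  # signatures that follow are subkey bindings, not certifications
        elif f[0] == "sig" and current_uid is not None and len(f) > 10:
            certs.append(Certification(f[4], f[9], f[10], current_uid))
    return own_keyid, certs


def external_signers(listing: str):
    """Key IDs of third parties that certified the key; self-signatures are excluded."""
    own, certs = parse_certifications(listing)
    return sorted({c.signer_keyid for c in certs
                   if c.signer_keyid != own and c.sig_class[:2] in CERTIFICATION_CLASSES})


def is_certified_by(listing: str, trusted_signers) -> bool:
    """True if at least one signer is in your set of trust-anchor key IDs."""
    return bool(set(external_signers(listing)) & set(trusted_signers))
```

Signers whose user ID reads "[User ID not found]" are only key IDs to you until their keys are fetched, so a hit in `trusted_signers` is what carries meaning, not the count of signatures.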
5. dcbada+H8 2018-07-29 11:35:08
>>dredmo+c5
Have you contacted maintainers if they're willing to do this? Is there a way to configure apt to verify chain of trust?