diff mbox series

validate GPG keys by fingerprint

Message ID 20171112154028.4428de21.peter.mueller@link38.eu
State Accepted
Commit bb6481a82072cf2df27306508c8b72b584eb4f80
Headers
Series validate GPG keys by fingerprint |

Commit Message

Peter Müller Nov. 13, 2017, 1:40 a.m. UTC 
  Validate GPG keys by fingerprint and not by 8-bit key-ID.

This makes exploiting bug #11539 harder, but not impossible
and does not affect existing installations.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 src/pakfire/lib/functions.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Michael Tremer Nov. 14, 2017, 9:58 a.m. UTC | #1 
Thanks. I merged this and so we can work on improving this more...

On Sun, 2017-11-12 at 15:40 +0100, Peter Müller wrote:
> Validate GPG keys by fingerprint and not by 8-bit key-ID.
> 
> This makes exploiting bug #11539 harder, but not impossible
> and does not affect existing installations.
> 
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
>  src/pakfire/lib/functions.pl | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl
> index c347916d8..cfb7e5117 100644
> --- a/src/pakfire/lib/functions.pl
> +++ b/src/pakfire/lib/functions.pl
> @@ -34,8 +34,8 @@ use Net::Ping;
>  package Pakfire;
>  
>  # GPG Keys
> -my $myid = "64D96617";			# Our own gpg-key paks@ipfire.org
> -my $trustid = "65D0FD58";		# gpg-key of CaCert
> +my $myid = "179740DC4D8C47DC63C099C74BDE364C64D96617";		# Our own gpg-key paks@ipfire.org
> +my $trustid = "A31D4F81EF4EBD07B456FA04D2BB0D0165D0FD58";	# gpg-key of CaCert
>  
>  # A small color-hash :D
>  my %color;
Michael Tremer Nov. 14, 2017, 10:07 a.m. UTC | #2 
I commented more on the bug report. Everyone who is interested in this
should check that one out...

On Mon, 2017-11-13 at 22:58 +0000, Michael Tremer wrote:
> Thanks. I merged this and so we can work on improving this more...
> 
> On Sun, 2017-11-12 at 15:40 +0100, Peter Müller wrote:
> > Validate GPG keys by fingerprint and not by 8-bit key-ID.
> > 
> > This makes exploiting bug #11539 harder, but not impossible
> > and does not affect existing installations.
> > 
> > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > ---
> >  src/pakfire/lib/functions.pl | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl
> > index c347916d8..cfb7e5117 100644
> > --- a/src/pakfire/lib/functions.pl
> > +++ b/src/pakfire/lib/functions.pl
> > @@ -34,8 +34,8 @@ use Net::Ping;
> >  package Pakfire;
> >  
> >  # GPG Keys
> > -my $myid = "64D96617";			# Our own gpg-key paks@ipfire.org
> > -my $trustid = "65D0FD58";		# gpg-key of CaCert
> > +my $myid = "179740DC4D8C47DC63C099C74BDE364C64D96617";		# Our own gpg-key paks@ipfire.org
> > +my $trustid = "A31D4F81EF4EBD07B456FA04D2BB0D0165D0FD58";	# gpg-key of CaCert
> >  
> >  # A small color-hash :D
> >  my %color;
diff mbox series

Patch

diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl
index c347916d8..cfb7e5117 100644
--- a/src/pakfire/lib/functions.pl
+++ b/src/pakfire/lib/functions.pl
@@ -34,8 +34,8 @@  use Net::Ping;
 package Pakfire;
 
 # GPG Keys
-my $myid = "64D96617";			# Our own gpg-key paks@ipfire.org
-my $trustid = "65D0FD58";		# gpg-key of CaCert
+my $myid = "179740DC4D8C47DC63C099C74BDE364C64D96617";		# Our own gpg-key paks@ipfire.org
+my $trustid = "A31D4F81EF4EBD07B456FA04D2BB0D0165D0FD58";	# gpg-key of CaCert
 
 # A small color-hash :D
 my %color;