From patchwork Mon Nov 13 01:40:28 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 1535 Return-Path: Received: from mail01.ipfire.org (unknown [172.28.1.200]) by web02.ipfire.org (Postfix) with ESMTP id D5832611A8 for ; Sun, 12 Nov 2017 15:40:40 +0100 (CET) Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id A966E2A0A; Sun, 12 Nov 2017 15:40:39 +0100 (CET) Received: from mx.link38.eu (mx.link38.eu [IPv6:2a03:4000:17:39a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx.link38.eu", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 909FF2A0A for ; Sun, 12 Nov 2017 15:40:36 +0100 (CET) X-Virus-Scanned: ClamAV at mx.link38.eu Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu [10.141.75.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.link38.eu (Postfix) with ESMTPS id 20E8D40248 for ; Sun, 12 Nov 2017 15:40:30 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id A41DB9F257 for ; Sun, 12 Nov 2017 15:40:29 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=link38.eu; s=201711; t=1510497629; bh=kuERx8d/i+UWKikRpHqEOju47JWSlY/Emz9YdwCqE20=; h=Date:From:To:Subject:From; b=vx5tjZ9tfDZpJ/XOcDP7Ilk3TFfwZJ/p/azD2WB5dTspoSBCw6X2oKcTd74cGUpAJ bKTI0CRZSSMcOa6NEzyzTFCnArx9BcbDC6qwNDn7ShvqaUHEWBkGn5RVEtiDi9LjEG GgvmZsOp1yLk6ZhnTZQNuRzzg8j52bNrPGA3Xn3INkuLpfP2nUiXdte9u8Q1VJwTim sNzq/iVIQbeVKXxI+KDZPBZ1s8wzDy5RK+tk4TgTPSKaPWCPTEXrrUzuvVIqTjkjmz +3C/YhalCqhYwyeic4LrZn+ijs2+zc2+O312+/fx38VS9fsIDCcLkdBGsb3H0BLUOe x1DHhO7O9dWvg== Date: Sun, 12 Nov 2017 15:40:28 +0100 From: Peter =?utf-8?q?M=C3=BCller?= To: "development@lists.ipfire.org" Subject: [PATCH] validate GPG keys by fingerprint Message-ID: <20171112154028.4428de21.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Validate GPG keys by fingerprint and not by 8-bit key-ID. This makes exploiting bug #11539 harder, but not impossible and does not affect existing installations. Signed-off-by: Peter Müller --- src/pakfire/lib/functions.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl index c347916d8..cfb7e5117 100644 --- a/src/pakfire/lib/functions.pl +++ b/src/pakfire/lib/functions.pl @@ -34,8 +34,8 @@ use Net::Ping; package Pakfire; # GPG Keys -my $myid = "64D96617"; # Our own gpg-key paks@ipfire.org -my $trustid = "65D0FD58"; # gpg-key of CaCert +my $myid = "179740DC4D8C47DC63C099C74BDE364C64D96617"; # Our own gpg-key paks@ipfire.org +my $trustid = "A31D4F81EF4EBD07B456FA04D2BB0D0165D0FD58"; # gpg-key of CaCert # A small color-hash :D my %color;