On Thu, 2014-06-05 at 08:13 -0400, Matthew Miller wrote:
> On Thu, Jun 05, 2014 at 10:46:14AM +0200, Miroslav Suchý wrote:
> > >Is there a way to neutralize such packages that does not involve explicit
> > >replacement of signing keys on every system trusting the abused keys?
> > I am not aware of any method.
>
> At one of my previous jobs, we planned but never had to use an approach for
> this: an update to the '-release' RPM which included a post script to remove
> the compromised key from systems.

The problem is not just the compromised key, but compromised packages,
though I guess you could re-sign all packages, but then you also have to
ship those signatures out of band (you cannot force people to re-install
all packages, right?).

One way to mitigate the impact is also to create subkeys (say one every
week) so that you can "repudiate" a window of time by marking only a set
of subkeys as compromised. This requires a more complicated signing and
verification process though.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
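
The weekly-subkey idea in the message above, sketched as an added example (not code from the thread or from any Fedora tooling). It models only the policy bookkeeping and assumes each signature has already been verified cryptographically; the rotation start date, subkey names, package names and dates are all constructed for illustration.

```python
from datetime import date, timedelta

EPOCH = date(2014, 1, 6)  # constructed: Monday on which subkey rotation starts

def subkey_for(day):
    """Hypothetical naming scheme: one signing subkey per 7-day window."""
    return "subkey-w%03d" % ((day - EPOCH).days // 7)

def window_of(subkey):
    """Return the (first_day, last_day) a subkey is allowed to sign in."""
    start = EPOCH + timedelta(weeks=int(subkey.rsplit("w", 1)[1]))
    return start, start + timedelta(days=6)

def repudiate(first_day, last_day):
    """Set of subkeys to mark compromised for a suspected breach window."""
    revoked, day = set(), first_day
    while day <= last_day:
        revoked.add(subkey_for(day))
        day += timedelta(days=1)
    return revoked

def verdict(subkey, claimed_day, revoked):
    """Policy decision for one signature that already verified cryptographically."""
    if subkey in revoked:
        # The claimed date is set by whoever holds the key, so it is ignored here.
        return "reject: subkey repudiated"
    start, end = window_of(subkey)
    if not start <= claimed_day <= end:
        return "reject: signed outside subkey window"
    return "accept"

# Constructed sample: (package, signing subkey, signature date claimed in the header)
SIGNATURES = [
    ("foo-1.0-1", subkey_for(date(2014, 5, 20)), date(2014, 5, 20)),
    ("bar-2.3-4", subkey_for(date(2014, 6, 3)), date(2014, 6, 3)),
    ("baz-0.9-2", subkey_for(date(2014, 6, 3)), date(2014, 5, 1)),   # backdated
    ("qux-5.1-1", subkey_for(date(2014, 5, 20)), date(2014, 6, 4)),  # stale subkey
]

def audit(signatures, revoked):
    """Map each package name to its policy verdict."""
    return {name: verdict(sk, day, revoked) for name, sk, day in signatures}

if __name__ == "__main__":
    revoked = repudiate(date(2014, 6, 1), date(2014, 6, 5))
    for name, result in audit(SIGNATURES, revoked).items():
        print(name, "->", result)
```

Repudiating 1 to 5 June revokes two weekly subkeys, so packages signed in earlier weeks stay trusted, and the backdated signature is still rejected because the decision keys on the subkey rather than the claimed date.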