Re: Remove old GPG keys?

On 11/01/2017 01:19 PM, Przemek Klosowski wrote:
> On 11/01/2017 03:14 PM, Kevin Fenzi wrote:
>> The only attack vector I can see is tricking someone into installing a
>> package from an EOL release with a known vulnerability, but if you can do
>> that you likely can get them to just download it and install it or
> 
> Is it possible to compromise an old key, and use it to sign new malware
> that looks like it is from a recent distribution? 

Well, rpm doesn't care what a file is named... you can make a
foobar-1.0.fc30.x86_64.rpm signed by any key you want. That said, you
would have to trick someone into downloading and installing it.

> I understand that it's
> unlikely because private keys are protected equally well regardless
> whether they are old or new, but maybe there's some way that makes older
> keys more vulnerable?

Sure, older keys are likely less bits (I don't recall). So it's more
likely someone could brute force them somehow or the like. As far as I
know even 1024 bit gpg keys are not brute forceable currently.

kevin
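A practical consequence of the point above (rpm ignores the file name, and an unsigned package still passes `rpm -K` on digests alone) is that the check worth automating is "which key signed this, and is that key still current", not "does it look like it came from a recent release". The script below is an added example, not code from the thread or from Fedora's tooling; it assumes the `rpm` CLI and uses constructed placeholder key IDs in place of real release keys.

```shell
#!/bin/sh
# Added example (not from the thread): accept an RPM only if its signature
# verifies AND the signing key is one of the keys for still-supported releases.
# Assumes the rpm CLI; all key IDs here are constructed placeholders.

# Short key IDs (16 hex chars) of keys for current releases. Constructed
# placeholders; replace with the IDs published for the releases you ship.
CURRENT_KEY_IDS="0123456789abcdef fedcba9876543210"

# Extract the 16-hex-char key ID from an rpm pgpsig string such as
#   "RSA/SHA256, Tue 24 Oct 2017 12:00:00 PM UTC, Key ID 0123456789abcdef"
# Prints nothing for "(none)" (unsigned package) or unexpected input.
sig_keyid() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Key ID \([0-9A-Fa-f]\{16\}\).*/\1/p' \
        | tr 'A-F' 'a-f'
}

# Returns 0 if the key ID is in CURRENT_KEY_IDS, 1 otherwise.
keyid_allowed() {
    for k in $CURRENT_KEY_IDS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# Full check on a package file. The file name (e.g. foobar-1.0.fc30.x86_64.rpm)
# is deliberately never consulted: rpm does not care what the file is called.
# rpm -K alone is not enough, since an unsigned package passes on digests only,
# so the header signature's key ID is checked against the allowlist as well.
check_rpm_key() {
    pkg="$1"
    rpm -K "$pkg" >/dev/null 2>&1 \
        || { echo "FAIL: signature/digest check failed: $pkg"; return 1; }
    sig="$(rpm -qp --qf '%{SIGPGP:pgpsig}' "$pkg" 2>/dev/null)"
    kid="$(sig_keyid "$sig")"
    [ -n "$kid" ] || { echo "FAIL: no header signature on $pkg"; return 1; }
    keyid_allowed "$kid" \
        || { echo "FAIL: $pkg signed by non-current key $kid"; return 1; }
    echo "OK: $pkg signed by current key $kid"
}

# Usage: sh check_rpm_key.sh package.rpm
if [ $# -ge 1 ]; then
    check_rpm_key "$1"
fi
```

Pair this with an rpm keyring that only imports keys for supported releases; the allowlist then catches a package signed with a key that is still present on the host but no longer current.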

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
