https://bugzilla.redhat.com/show_bug.cgi?id=1834731

--- Comment #131 from Björn Persson <bjorn@xxxxxxxxxxxxxxxxxxxx> ---

(In reply to Simone Caronni from comment #128)
> Keys might have been revoked and expired and still being left on the key
> servers. We pick all those up, regardless of their expired/revoked status
> and use them to validate the signed release.

When somebody revokes their key they send the message "I have lost control of my secret key. Malicious actors may have acquired it, and may be signing things with it. Do not trust this key anymore!" Heed that warning! When you see a signature made with a revoked key you should assume that an attacker made that signature.

> They were valid at the moment of the signature

An attacker can easily change their clock while making a signature to make it look like the signature was made before the key was revoked.

(In reply to Simone Caronni from comment #129)
> And we don't want that list to be empty because of mass revocations or
> expirations.

If many of the developers revoke their keys, then that's because there has been a huge security breach. By ignoring such an event you'll probably end up distributing malware to Fedora users. If there is a purported new release, but all of the signatures are made with revoked keys, then that release is malicious and you should not package it.

> Expired/revoked keys will of course not be used in 0.23 to sign, so they
> will not be in that file when we call the script again for the new release.

That's true only as long as nobody attempts a supply-chain attack. If you could know that there is no attacker, then there would be no need to verify any signatures at all. For security you must always assume that somebody is trying to attack you any way they can.

(In reply to Simone Caronni from comment #130)
> If you think this does not answer your concern please provide a patch/diff
> to the script so I can understand what you mean. Thanks.
I don't have tested code ready right now but I think you can use gpg2 instead of gpgv2 – only in bitcoin-gpg.sh, not in the spec – and (using --status-fd) grep for "^\[GNUPG:\] GOODSIG " only, excluding REVKEYSIG, EXPKEYSIG, BADSIG et cetera. That pattern matches only at the beginning of a line to ensure that it matches a keyword and not some other part of the output. The pattern includes a trailing space to ensure that it matches a whole keyword, not just a prefix.
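The check described in the comment above, as an added illustration that is not the bug's own bitcoin-gpg.sh and not code from any commenter: gpg2 is run with --status-fd so that only the machine-readable status lines are parsed, and only GOODSIG lines count toward the required number of signatures. The sample status output is constructed; the key IDs, user IDs, file names and the minimum-signature threshold in it are assumptions.

```shell
#!/bin/sh
# Added example: accept a release only on GOODSIG status lines from gpg2.
# Assumes the signing keys have already been imported into gpg2's keyring.

# Run gpg2 on a detached signature and emit only the status lines on stdout
# (--status-fd 1); the human-readable report is discarded on stderr.
gpg_status() {
    # $1 = detached signature file, $2 = the signed file
    gpg2 --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null
}

# Print the key ID (third field) of every GOODSIG line read from stdin.
# The pattern is anchored at line start and ends with a space, so it matches
# the keyword itself: REVKEYSIG, EXPKEYSIG, BADSIG and ERRSIG are all skipped.
goodsig_keys() {
    grep '^\[GNUPG:\] GOODSIG ' | awk '{ print $3 }'
}

# Count GOODSIG lines read from stdin; succeed only if at least $1 are present.
# awk is used for the count so the result carries no padding and exits 0.
require_goodsigs() {
    n=$(goodsig_keys | awk 'END { print NR }')
    [ "$n" -ge "$1" ]
}

# Verify $1 (signature) over $2 (file) and require $3 GOODSIG lines.
verify_release() {
    gpg_status "$1" "$2" | require_goodsigs "$3"
}

# Constructed sample of gpg2 --status-fd output (key IDs and UIDs are made up):
# two good signatures, plus one revoked key, one expired key and one bad signature.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Developer <dev@example.invalid>
[GNUPG:] VALIDSIG 00000000000000000123456789ABCDEF 2020-01-01 1577836800 0 4 0 1 8 00 00000000000000000123456789ABCDEF
[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG FEDCBA9876543210 Revoked Key <old@example.invalid>
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 1111222233334444 Expired Key <exp@example.invalid>
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 5555666677778888 Tampered Signature <bad@example.invalid>
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 99990000AAAABBBB Second Developer <two@example.invalid>'

# Demonstration on the constructed sample: only the two GOODSIG lines count.
printf '%s\n' "$SAMPLE_STATUS" | goodsig_keys
printf '%s\n' "$SAMPLE_STATUS" | require_goodsigs 2 && echo "sample: enough GOODSIG lines"
```

Against a real release, call `verify_release SHA256SUMS.asc SHA256SUMS 3` (file names and threshold assumed) and treat a non-zero exit as a failed verification.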