Re: Check for revocation certificates before running apt-get?
On Sun, Dec 15, 2013 at 11:15 AM, adrelanos wrote:
> I can try that. Should that become a separate package or part of, well
> apt-get? It would probably just be three files, a config file, an
> /etc/apt/apt.conf.d/ config fragment and a bash script.
I'm guessing the apt package would be the place to put it.
My initial thought would be that the implementation when run from the
apt hook would go through all the trusted keyrings and fetch the keys
from each of them from the default keyservers in GPG.
/etc/apt/trusted.gpg
/etc/apt/trusted.gpg.d/*.gpg
That would probably be fine for most Debian users but at that point I
remembered that the Riseup OpenGPG best practices document has
something to say about keyring refreshes; that keyring refreshes
should happen using parcimonie to make correlation attacks harder.
This would especially be a problem for folks with multiple PPAs in
their apt trusted keys.
https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#make-sure-you-are-receiving-regular-key-updates
That complicates things but would probably still be doable, thoughts:
Add a system daemon for parcimonie that refreshes the apt keyring when
tor & network is available.
Add an apt hook that refreshes trusted.gpg keyrings in /etc have not
been touched recently (so it works when parcimonie or another refresh
mechanism is not being run) and also checks all keyrings for revoked
keys and reports them to the user.
--
bye,
pabs
http://wiki.debian.org/PaulWise
Reply to: