3

There are many packages on AUR which, when you attempt to install them, result in an error like: ==> ERROR: One or more PGP signatures could not be verified!

This is resolved by importing the key with something like gpg --recv-keys 123456789ABCDEF. The AUR discussion will often provide the key.

I have a few questions about this:

  1. What exactly do these keys do? What is being verified with GPG, and why is it necessary?

  2. Why is it necessary to import keys by hand? Why can't it be automated?

  3. If blindly importing the key from the AUR comment thread is bad, what steps am I supposed to take to "verify" the key?

  4. Where am I supposed to find the key if nobody's bothered to post it in the comments, and if I don't have time to post a comment and hope the maintainer replies?

Searching online, I've found references to a well known blog post. I'm sad to say that after several careful readings I still do not understand the above points.

Bagalaw
  • 835
  • 2
  • 9
  • 24

2 Answers2

3

What exactly do these keys do? What is being verified with GPG, and why is it necessary?

The keys are used to verify that the software you're downloading is what the author of the package intended it to be instead of trojan-horse malware from a repository server that may have been successfully infiltrated by an attacker. Or maybe an attacker can redirect your download request to his disguised malware repository instead of a genuine AUR repository. Verification by GPG makes it very difficult for an attacker to successfully use the software repositories as a malware distribution channel.

Why is it necessary to import keys by hand? Why can't it be automated?

You're supposed to make a conscious choice on whether you trust a particular software author/packager or not, and whether you're confident enough for your purposes that the key you've received is genuine and not from an imposter.

The necessary trust & confidence level depends on what you're doing: a private home system for fun, a server that will handle other people's health and/or credit card information for a business, and an ancillary support server for a national missile defense system should each have somewhat different requirements.

If blindly importing the key from the AUR comment thread is bad, what steps am I supposed to take to "verify" the key?

If the key is signed by other people whose keys you already have and you trust those people's judgement at least when it comes to signing GPG keys, you can take that as evidence that the key is probably genuine. Otherwise, you might try getting the key from multiple different sources and compare the results. If it's important enough for you, you might even call or meet the developer to get stronger confirmation that you have the right key.

Where am I supposed to find the key if nobody's bothered to post it in the comments, and if I don't have time to post a comment and hope the maintainer replies?

GPG public keys that are intended to be widely used are commonly published on SKS keyservers: if you don't have the right key, the package tools should be able to display the keyID of the required key, and you can use that to search for the key on the keyservers.

See here for more information on SKS keyserver network: https://sks-keyservers.net/

You can also google for the keyID.

telcoM
  • 87,318
  • 3
  • 112
  • 232
1

TL;DR - new and enhanced and automated "check the md5sum of the download against the list posted on the website"

The signature is a digital verification of who signed the package with assurance that it hasn't been modified since it was made. Typically signed by either the package maintainer or release manager or someone of "authority" in the distributions core project maintenance group. In essence, it is an enhanced and automated integrity check on what you are about to install - the new "we've posted the md5sum hash of the list of files, you should compare what you download with these" .

The way it works is public/private key - I create a private key with a password (good strong one) and generate a public key with it. I can give out the public key. I generate the package, sign it, and when you install it you are told that the public key matching ABC321FF or whatever is what is needed to verify the signature. Once you import the key, the software on your end can verify that the identifying hash is the same and that the hash was signed by my private key.

The security concerns when it comes to adding software from a repository to your system are "who is it behind this software - oh, and the key too". If it is the key for a distribution (some releases have their own keys, or have revoked and created new keys) then it doesn't matter, you are running software from their distribution anyway. Note that when you get into 3rd party repositories (like Ubuntu and project PPAs) you'll end up importing a key for each of them, and this could be a concern for you.

What you should be aware of is that that key will now Just Work for anything else that key has signed. Depending on your paranoia level, you may want to add a key as needed, and remove it from your trusted keys list when you've finished installing the package. Of course, with frequent updates you're creating more work and steps to update.

And if you are that paranoid about that key signing something nasty you probably shouldn't be willingly trying to install anything from that repository.

ivanivan
  • 4,870
  • 1
  • 9
  • 20