From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: [PATCH] validate GPG keys by fingerprint
Date: Sun, 12 Nov 2017 15:40:28 +0100
Message-ID: <20171112154028.4428de21.peter.mueller@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2672804469617588020=="
List-Id: <development.lists.ipfire.org>

--===============2672804469617588020==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Validate GPG keys by fingerprint and not by 8-bit key-ID.

This makes exploiting bug #11539 harder, but not impossible
and does not affect existing installations.

Signed-off-by: Peter M=C3=BCller <peter.mueller(a)link38.eu>
---
 src/pakfire/lib/functions.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl
index c347916d8..cfb7e5117 100644
--- a/src/pakfire/lib/functions.pl
+++ b/src/pakfire/lib/functions.pl
@@ -34,8 +34,8 @@ use Net::Ping;
 package Pakfire;
=20
 # GPG Keys
-my $myid =3D "64D96617";			# Our own gpg-key paks(a)ipfire.org
-my $trustid =3D "65D0FD58";		# gpg-key of CaCert
+my $myid =3D "179740DC4D8C47DC63C099C74BDE364C64D96617";		# Our own gpg-key =
paks(a)ipfire.org
+my $trustid =3D "A31D4F81EF4EBD07B456FA04D2BB0D0165D0FD58";	# gpg-key of CaC=
ert
=20
 # A small color-hash :D
 my %color;
--=20
2.13.6


--===============2672804469617588020==--