Validate GPG keys by fingerprint and not by 8-bit key-ID.
This makes exploiting bug #11539 harder, but not impossible and does not affect existing installations.
Signed-off-by: Peter Müller peter.mueller@link38.eu
---
src/pakfire/lib/functions.pl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl index c347916d8..cfb7e5117 100644 --- a/src/pakfire/lib/functions.pl +++ b/src/pakfire/lib/functions.pl @@ -34,8 +34,8 @@ use Net::Ping; package Pakfire;
# GPG Keys -my $myid = "64D96617"; # Our own gpg-key paks@ipfire.org -my $trustid = "65D0FD58"; # gpg-key of CaCert +my $myid = "179740DC4D8C47DC63C099C74BDE364C64D96617"; # Our own gpg-key paks@ipfire.org +my $trustid = "A31D4F81EF4EBD07B456FA04D2BB0D0165D0FD58"; # gpg-key of CaCert
# A small color-hash :D my %color;
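Review bot: the two `+` lines for `$myid` and `$trustid` only swap the constants, and nothing in this hunk shows how they are consumed, so the change is effective only if every use in functions.pl passes or compares the full 40-hex-digit value. Each new fingerprint ends in the old ID (`...64D96617`, `...65D0FD58`), so any remaining comparison against the last eight digits, or against a short ID printed by gpg, would still accept a key that merely collides on the short ID. Please check the callers and compare against the fingerprint gpg reports (for example the `fpr` record of `--with-colons` output or the fingerprint in a `VALIDSIG` status line). The commit message also says "8-bit key-ID", while the removed values are eight hex digits, i.e. 32-bit short key IDs. Since the variables now hold fingerprints, the trailing comments (and ideally the variable names) should say so.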
Thanks. I merged this and so we can work on improving this more...
On Sun, 2017-11-12 at 15:40 +0100, Peter Müller wrote:
Validate GPG keys by fingerprint and not by 8-bit key-ID.
This makes exploiting bug #11539 harder, but not impossible and does not affect existing installations.
Signed-off-by: Peter Müller peter.mueller@link38.eu
src/pakfire/lib/functions.pl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl index c347916d8..cfb7e5117 100644 --- a/src/pakfire/lib/functions.pl +++ b/src/pakfire/lib/functions.pl @@ -34,8 +34,8 @@ use Net::Ping; package Pakfire;
# GPG Keys -my $myid = "64D96617"; # Our own gpg-key paks@ipfire.org -my $trustid = "65D0FD58"; # gpg-key of CaCert +my $myid = "179740DC4D8C47DC63C099C74BDE364C64D96617"; # Our own gpg-key paks@ipfire.org +my $trustid = "A31D4F81EF4EBD07B456FA04D2BB0D0165D0FD58"; # gpg-key of CaCert
# A small color-hash :D my %color;
I commented more on the bug report. Everyone who is interested in this should check that one out...
On Mon, 2017-11-13 at 22:58 +0000, Michael Tremer wrote:
Thanks. I merged this and so we can work on improving this more...
On Sun, 2017-11-12 at 15:40 +0100, Peter Müller wrote:
Validate GPG keys by fingerprint and not by 8-bit key-ID.
This makes exploiting bug #11539 harder, but not impossible and does not affect existing installations.
Signed-off-by: Peter Müller peter.mueller@link38.eu
src/pakfire/lib/functions.pl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl index c347916d8..cfb7e5117 100644 --- a/src/pakfire/lib/functions.pl +++ b/src/pakfire/lib/functions.pl @@ -34,8 +34,8 @@ use Net::Ping; package Pakfire;
# GPG Keys -my $myid = "64D96617"; # Our own gpg-key paks@ipfire.org -my $trustid = "65D0FD58"; # gpg-key of CaCert +my $myid = "179740DC4D8C47DC63C099C74BDE364C64D96617"; # Our own gpg-key paks@ipfire.org +my $trustid = "A31D4F81EF4EBD07B456FA04D2BB0D0165D0FD58"; # gpg-key of CaCert
# A small color-hash :D my %color;