Comment by dredmorbius, 7 years ago (4 comments)

dredmorbius, 7 years ago:
Still not safe. Verify key signatures. And I really wish GPG had a negative trust signature.

    fulafel, 7 years ago:
    Yeah, if there are signatures then it doesn't matter. But often both are a miss.
    E.g. the key from https://docs.docker.com/install/linux/docker-ce/ubuntu/#set-... doesn't have signatures, and isn't on the keyservers.
    Of course an unsigned key missing from the keyservers still has the advantage that on subsequent installs/updates, the previously downloaded key persists. And you can keep the initially downloaded key in your CI configs.

    Dylan16807, 7 years ago:
    Verify it against what?

        dredmorbius, 7 years ago:
        See what keys have signed a given key. See Debian maintainer keys as an example.
        This is ... not everything that it could be, and is approaching 30 years old, technology built for a vastly different world.
        But this is the basis of the GPG / PGP Web of Trust.
        https://en.wikipedia.org/wiki/Web_of_trust
        http://www.pgpi.org/doc/pgpintro/
        http://www.rubin.ch/pgp/weboftrust.en.html
        (I've addressed this point ... a distressing number of times on HN: https://hn.algolia.com/?query=dredmorbius%20web%20of%20trust...

            dcbadacd, 7 years ago:
            Have you contacted maintainers if they're willing to do this? Is there a way to configure apt to verify chain of trust?
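The two checks the thread keeps coming back to (pin the fingerprint of the key you first downloaded, and look at which other keys have certified it) can be automated in a CI step. The following is an added example, not code posted by any commenter and not Docker's or Debian's tooling. It parses the machine-readable output of `gpg --with-colons --list-sigs` for a temporary keyring, compares the primary-key fingerprint against a pinned value, and reports third-party certifications. It assumes the colon record layout from GnuPG's doc/DETAILS (record type in field 1, key ID in field 5, fingerprint, user ID or signer's user ID in field 10); every fingerprint and key ID in the sample input is a constructed placeholder.

```python
"""CI gate for a downloaded OpenPGP key: pinned-fingerprint check plus a
report of which other keys have certified it (the Web of Trust view).

Input is the text a CI job would capture with, for example:
  gpg --no-default-keyring --keyring ./tmp.kbx --import key.asc
  gpg --no-default-keyring --keyring ./tmp.kbx --with-colons --list-sigs
Field positions follow GnuPG's doc/DETAILS (an assumption of this example;
verify against the gpg version you run).
"""
from dataclasses import dataclass, field


@dataclass
class KeyRecord:
    keyid: str
    fingerprint: str = ""
    uids: list = field(default_factory=list)
    signers: set = field(default_factory=set)   # key IDs from sig records


def normalize_fpr(fpr: str) -> str:
    """Accept fingerprints as gpg prints them (spaced, any case)."""
    return fpr.replace(" ", "").upper()


def parse_list_sigs(colon_output: str) -> list:
    """Turn `gpg --with-colons --list-sigs` output into KeyRecord objects."""
    keys = []
    current = None
    in_primary = False
    for line in colon_output.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current = KeyRecord(keyid=fields[4])
            keys.append(current)
            in_primary = True
        elif rtype == "sub":
            in_primary = False          # following fpr records belong to the subkey
        elif current is None:
            continue
        elif rtype == "fpr" and in_primary and not current.fingerprint:
            current.fingerprint = fields[9]
        elif rtype == "uid":
            current.uids.append(fields[9])
        elif rtype == "sig":
            current.signers.add(fields[4])
    return keys


def check_key(colon_output: str, pinned_fpr: str, trusted_signers: set) -> dict:
    """Return the verdict a CI step would act on.

    fingerprint_ok      -> the primary key matches what was pinned at first download
    third_party_signers -> key IDs that certified this key, self-signatures excluded
    trusted_signers     -> the subset of those you already trust (e.g. maintainer keys)
    """
    keys = parse_list_sigs(colon_output)
    if len(keys) != 1:
        raise ValueError(f"expected exactly one key in keyring, found {len(keys)}")
    key = keys[0]
    third_party = key.signers - {key.keyid}
    return {
        "fingerprint_ok": key.fingerprint == normalize_fpr(pinned_fpr),
        "third_party_signers": sorted(third_party),
        "trusted_signers": sorted(third_party & trusted_signers),
    }


# Constructed sample output: a vendor key that one maintainer key has certified.
SAMPLE_SIGNED = """\
pub:-:4096:1:0123456789ABCDEF:1500000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::DEADBEEF::Example Vendor Release Key <release@vendor.example>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Example Vendor Release Key <release@vendor.example>:13x:::::2:
sig:::1:FEDCBA9876543210:1500010000::::Example Maintainer <maint@example.org>:10x:::::2:
sub:-:4096:1:89ABCDEF01234567:1500000000::::::s::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""

# Constructed sample output: the same key carrying only its self-signature,
# the situation the thread describes for a key that is not on the keyservers.
SAMPLE_UNSIGNED = "\n".join(
    l for l in SAMPLE_SIGNED.splitlines() if "FEDCBA9876543210" not in l
) + "\n"

PINNED = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"   # constructed
TRUSTED = {"FEDCBA9876543210"}                                  # constructed

if __name__ == "__main__":
    for name, sample in (("signed", SAMPLE_SIGNED), ("unsigned", SAMPLE_UNSIGNED)):
        print(name, check_key(sample, PINNED, TRUSTED))
```

A fingerprint mismatch should fail the job outright; an empty `third_party_signers` list is the "no signatures, not on the keyservers" case from the thread, where the pinned fingerprint is all you have and the first download is the trust decision.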