X2Go Bug report logs - #1401
Update GPG key bootstrapping instructions for Debian

Package: wiki.x2go.org; Maintainer for wiki.x2go.org is x2go-dev@lists.x2go.org;

Reported by: "Daniel Ullrich" <store@posteo.de>

Date: Sat, 24 Aug 2019 02:40:02 UTC

Severity: normal

Done: Mihai Moldovan <ionic@ionic.de>


Report forwarded to x2go-dev@lists.x2go.org, owner@bugs.x2go.org:
Bug#1401; Package complete x2go repo. (Sat, 24 Aug 2019 02:40:02 GMT) (full text, mbox, link).


Acknowledgement sent to "Daniel Ullrich" <store@posteo.de>:
New Bug report received and forwarded. Copy sent to owner@bugs.x2go.org. (Sat, 24 Aug 2019 02:40:02 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: "Daniel Ullrich" <store@posteo.de>
To: submit@bugs.x2go.org
Subject: PGP-Key is not available on keyservers for debian buster
Date: Sat, 24 Aug 2019 02:36:24 +0000
Package: complete x2go repo
version: none

sudo apt update
The following signatures could not be verified because their public key 
is not available: NO_PUBKEY E1F958385BFE2B6E
W: GPG error: http://packages.x2go.org/debian buster InRelease: The 
following signatures could not be verified because their public key is 
not available: NO_PUBKEY E1F958385BFE2B6E
E: The repository "http://packages.x2go.org/debian buster InRelease" is not
signed.
N: An update from such a repository cannot be done in a secure way, so
it is disabled by default.
N: See the apt-secure(8) manual page for more details on repository
creation and user configuration.

sudo apt-key adv --recv-keys --keyserver keys.gnupg.net E1F958385BFE2B6E
Executing: /tmp/apt-key-gpghome.4WhtJFIi3f/gpg.1.sh --recv-keys 
--keyserver keys.gnupg.net E1F958385BFE2B6E
gpg: Received from key server failed: The waiting time for the 
connection has expired.

x2go-keyring package is not available for debian buster => would solve 
this issue!

Information forwarded to x2go-dev@lists.x2go.org, owner@bugs.x2go.org:
Bug#1401; Package complete x2go repo. (Sat, 24 Aug 2019 17:10:02 GMT) (full text, mbox, link).


Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>:
Extra info received and forwarded to list. Copy sent to owner@bugs.x2go.org. (Sat, 24 Aug 2019 17:10:02 GMT) (full text, mbox, link).


Message #10 received at 1401@bugs.x2go.org (full text, mbox, reply):

From: Mihai Moldovan <ionic@ionic.de>
To: 1401@bugs.x2go.org
Subject: Re: Bug#1401: PGP-Key is not available on keyservers for debian buster
Date: Sat, 24 Aug 2019 19:06:24 +0200
Control: reassign -1 packages.x2go.org


> N: An update from such a repository cannot be done in a secure way, so
> it is disabled by default.

The x2go-keyring package is available for Debian buster, includes the required
key file and should work just fine.

However, newer apt versions will disallow downloading from an untrusted repository.

In order to actually install the keyring package, try running something like:
sudo apt-get --allow-unauthenticated install x2go-keyring

Afterwards, sudo apt update should not return an error again. Do not use the
--allow-unauthenticated flag without understanding its implications.


> sudo apt-key adv --recv-keys --keyserver keys.gnupg.net E1F958385BFE2B6E
> Executing: /tmp/apt-key-gpghome.4WhtJFIi3f/gpg.1.sh --recv-keys
> --keyserver keys.gnupg.net E1F958385BFE2B6E
> gpg: Received from key server failed: The waiting time for the
> connection has expired.

The public key is also available on keyservers. Most keyservers are still
stoned, however, from the attacks that have been carried out a few months ago
and a year ago. For more information, and why this problem is unlikely to be fixed
in the first place, refer to
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f for instance.
I cannot fix public keyservers for you.

Like the message said: there was a timeout while fetching the key. It did not
say that such a key does not exist.



Mihai


Bug reassigned from package 'complete x2go repo' to 'packages.x2go.org'. Request was from Mihai Moldovan <ionic@ionic.de> to 1401-submit@bugs.x2go.org. (Sat, 24 Aug 2019 17:10:02 GMT) (full text, mbox, link).


No longer marked as found in versions none. Request was from Mihai Moldovan <ionic@ionic.de> to 1401-submit@bugs.x2go.org. (Sat, 24 Aug 2019 17:10:02 GMT) (full text, mbox, link).


Information forwarded to x2go-dev@lists.x2go.org, x2go-dev@lists.x2go.org:
Bug#1401; Package packages.x2go.org. (Thu, 12 Sep 2019 17:45:02 GMT) (full text, mbox, link).


Acknowledgement sent to 1401@bugs.x2go.org:
Extra info received and forwarded to list. Copy sent to x2go-dev@lists.x2go.org. (Thu, 12 Sep 2019 17:45:02 GMT) (full text, mbox, link).


Message #19 received at 1401@bugs.x2go.org (full text, mbox, reply):

From: Mihai Moldovan <ionic@ionic.de>
To: 1401@bugs.x2go.org
Subject: Re: Bug#1401: PGP-Key is not available on keyservers for debian buster
Date: Thu, 12 Sep 2019 19:40:40 +0200
Control: reassign wiki.x2go.org
Control: retitle -1 Update GPG key bootstrapping instructions for Debian
Control: close -1


* On 8/24/19 7:06 PM, Mihai Moldovan wrote:
> Control: reassign -1 packages.x2go.org
> 
> 
>> N: An update from such a repository cannot be done in a secure way, so
>> it is disabled by default.
> 
> The x2go-keyring package is available for Debian buster, includes the required
> key file and should work just fine.
> 
> However, newer apt versions will disallow downloading from an untrusted repository.
> 
> In order to actually install the keyring package, try running something like:
> sudo apt-get --allow-unauthenticated install x2go-keyring
> 
> Afterwards, sudo apt update should not return an error again. Do not use the
> --allow-unauthenticated flag without understanding its implications.

That wasn't correct - at least not completely. --allow-unauthenticated should
work for package installations, but not for downloading repository metadata.

To allow apt to work with unauthenticated repository metadata, users would need
to use something like:
apt-get update --allow-insecure-repositories

This said: this is totally risky, now and later. Installing packages from an
unauthenticated repository doesn't give apt any chance to check the origin. A
successful Man-in-the-Middle attack is very likely in such a scenario. Worse,
even after the initial bootstrap, all subsequent operations and packages from
such a repository could still be malicious.


I've updated https://wiki.x2go.org/doku.php/wiki:repositories:debian et al with
this information, big fat warning signs and explanations.

**Users should always bootstrap with the currently valid GPG key and then
install the x2go-keyring package from the validated X2Go repository location!**


Closing up here.



Mihai

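The bootstrap procedure Mihai describes above (obtain the currently valid key, verify it, and only then let apt talk to the repository and install x2go-keyring, without ever passing --allow-unauthenticated or --allow-insecure-repositories), as an added shell example that is not part of this bug log or of the X2Go project's own instructions. It assumes only the long key ID E1F958385BFE2B6E from the apt error in this report; the key download URL, the full 40-hex fingerprint, the "main" component name and the keyring file path are assumptions that must be replaced with the values from https://wiki.x2go.org/doku.php/wiki:repositories:debian. The check functions parse `gpg --with-colons` output and run offline; the last function does the live bootstrap and needs network access, curl, gpg (2.1.23 or later for --show-keys) and sudo.

```shell
#!/bin/sh
# Added example, not X2Go project code: pin the repository key's identity
# before apt is allowed to trust it, then install x2go-keyring from the
# now-authenticated repository. No --allow-unauthenticated and no
# --allow-insecure-repositories anywhere in this flow.

# Long key ID taken from the NO_PUBKEY error in this bug report.
EXPECTED_KEYID="E1F958385BFE2B6E"

# Print the long key ID of the first primary key in a `gpg --with-colons`
# listing read from stdin (field 5 of the "pub" record).
primary_keyid() {
    awk -F: '$1 == "pub" { print $5; exit }'
}

# Print the fingerprint of that primary key (field 10 of the first "fpr"
# record after the "pub" record; subkey fingerprints come later).
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1 } seen && $1 == "fpr" { print $10; exit }'
}

# key_listing_matches EXPECTED_KEYID [EXPECTED_FPR]
# Read a colon-format listing from stdin and return 0 only if the primary
# key ID equals EXPECTED_KEYID, the fingerprint ends in that ID (a v4 long
# key ID is the low 64 bits of the fingerprint) and, when EXPECTED_FPR is
# given, the full fingerprint matches too. Pinning the fingerprint is the
# real check; a 64-bit key ID alone is far easier to collide.
key_listing_matches() {
    expected_id="$1"
    expected_fpr="${2:-}"
    listing=$(cat)
    keyid=$(printf '%s\n' "$listing" | primary_keyid)
    fpr=$(printf '%s\n' "$listing" | primary_fpr)
    [ -n "$keyid" ] && [ "$keyid" = "$expected_id" ] || return 1
    case "$fpr" in
        *"$expected_id") ;;
        *) return 1 ;;
    esac
    if [ -n "$expected_fpr" ] && [ "$fpr" != "$expected_fpr" ]; then
        return 1
    fi
    return 0
}

# bootstrap_x2go_key KEY_URL [EXPECTED_FPR]
# Live bootstrap (needs network and root; not exercised by the offline
# checks). KEY_URL and EXPECTED_FPR are assumptions: take both from the X2Go
# wiki page, and fetch over HTTPS so the download itself is not trivially
# tamperable in transit.
bootstrap_x2go_key() {
    key_url="$1"
    expected_fpr="${2:-}"
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$key_url" -o "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    # Inspect the downloaded key without importing it anywhere.
    if ! gpg --batch --with-colons --show-keys "$tmp" \
         | key_listing_matches "$EXPECTED_KEYID" "$expected_fpr"; then
        echo "refusing: key at $key_url is not $EXPECTED_KEYID" >&2
        rm -f "$tmp"; return 1
    fi
    # apt wants a binary keyring; dearmor only if the download is ASCII-armored.
    if grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$tmp"; then
        gpg --batch --dearmor < "$tmp"
    else
        cat "$tmp"
    fi | sudo tee /etc/apt/trusted.gpg.d/x2go-bootstrap.gpg > /dev/null
    rm -f "$tmp"
    # "main" is an assumed component name; use the line the wiki prescribes.
    printf 'deb http://packages.x2go.org/debian buster main\n' \
        | sudo tee /etc/apt/sources.list.d/x2go.list > /dev/null
    # apt can now verify InRelease, so no insecure flags are needed.
    sudo apt-get update && sudo apt-get install x2go-keyring
}
```

Once x2go-keyring is installed and `apt-get update` succeeds, the bootstrap file under /etc/apt/trusted.gpg.d can be deleted so that the packaged, maintainable key is the only one left. A key in trusted.gpg.d is trusted for every configured source; where the keyring package's file location is known, binding the X2Go source line to it with `[signed-by=...]` limits that trust to the X2Go repository alone.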

Changed Bug title to 'Update GPG key bootstrapping instructions for Debian' from 'PGP-Key is not available on keyservers for debian buster'. Request was from Mihai Moldovan <ionic@ionic.de> to 1401-submit@bugs.x2go.org. (Thu, 12 Sep 2019 17:45:02 GMT) (full text, mbox, link).


Marked Bug as done Request was from Mihai Moldovan <ionic@ionic.de> to 1401-submit@bugs.x2go.org. (Thu, 12 Sep 2019 17:45:02 GMT) (full text, mbox, link).


Notification sent to "Daniel Ullrich" <store@posteo.de>:
Bug acknowledged by developer. (Thu, 12 Sep 2019 17:45:02 GMT) (full text, mbox, link).


Bug reopened Request was from Mihai Moldovan <ionic@ionic.de> to control@bugs.x2go.org. (Thu, 12 Sep 2019 18:05:01 GMT) (full text, mbox, link).


Bug reassigned from package 'packages.x2go.org' to 'wiki.x2go.org'. Request was from Mihai Moldovan <ionic@ionic.de> to control@bugs.x2go.org. (Thu, 12 Sep 2019 18:05:02 GMT) (full text, mbox, link).


Marked Bug as done Request was from Mihai Moldovan <ionic@ionic.de> to control@bugs.x2go.org. (Thu, 12 Sep 2019 18:05:02 GMT) (full text, mbox, link).


Notification sent to "Daniel Ullrich" <store@posteo.de>:
Bug acknowledged by developer. (Thu, 12 Sep 2019 18:05:02 GMT) (full text, mbox, link).




X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Sep 20 03:23:17 2019; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system
