On 11/01/2017 01:19 PM, Przemek Klosowski wrote:
On 11/01/2017 03:14 PM, Kevin Fenzi wrote:
> The only attack vector I can see is tricking someone into installing a
> package from an EOL release with a known vulnerablity, but if you can do
> that you likely can get them to just download it and install it or
Is it possible to compromise an old key, and use it to sign new malware
that looks like it is from a recent distribution?
Well, rpm doesn't care what a file is named... you can make a
foobar-1.0.fc30.x86_64.rpm signed by any key you want. That said, you
would have to trick someone into downloading and installing it.
I understand that it's
unlikely because private keys are protected equally well regardless
whether they are old or new, but maybe there's some way that makes older
keys more vulnerable?
Sure, older keys are likely less bits (I don't recall). So it's more
likely someone could brute force them somehow or the like. As far as I
know even 1024 bit gpg keys are not brute forceable currently.
kevin