On Thu, 2014-06-05 at 08:13 -0400, Matthew Miller wrote:
> On Thu, Jun 05, 2014 at 10:46:14AM +0200, Miroslav Suchý wrote:
> >Is there a way to neutralize such packages that does not involve explicit
> >replacement of signing keys on every system trusting the abused keys?
> I am not aware of any method.
> At one of my previous jobs, we planned but never had to use an approach for
> this: an update to the '-release' RPM which included a post script to remove
> the compromised key from systems.
The problem is not just the compromised key, but compromised packages,
though I guess you could re-sign all packages, but then you also have to
ship those signatures out of band (you cannot force people to re-install
all packages, right?).
One way to mitigate the impact is also to create subkeys (say one every
week) so that you can "repudiate" a window of time by marking only a set
of subkeys as compromised. This requires a more complicated signing and
verification process though.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
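The weekly-subkey scheme Simo sketches, modelled as an added example that is not part of the thread: a verifier that maps each signed package to the subkey live in its week, revokes only the subkeys covering the compromise window, and reports which packages need re-signing. The rotation epoch, subkey ids, package names and signing dates are all constructed.

```python
"""Weekly signing subkeys: repudiate a window of time, not the whole key.

With one long-lived signing key, a compromise forces every package ever
signed to be re-signed and re-shipped. With a fresh subkey each week, only
packages signed by the subkeys live during the compromise window are
affected. Everything below is constructed for illustration.
"""
from datetime import date, timedelta

# Constructed: the Monday on which weekly rotation started.
EPOCH = date(2014, 1, 6)


def week_index(day):
    """Zero-based rotation week containing `day`."""
    return (day - EPOCH).days // 7


def subkey_for(day):
    """Id of the weekly subkey that was live on `day` (constructed scheme)."""
    return f"SUBKEY-{week_index(day):04d}"


def revoked_subkeys(first_bad, last_bad):
    """Every subkey live at any point in the window [first_bad, last_bad]."""
    return {f"SUBKEY-{w:04d}"
            for w in range(week_index(first_bad), week_index(last_bad) + 1)}


def verify(pkg, revoked):
    """Accept a package only if its signing subkey has not been revoked."""
    return pkg["subkey"] not in revoked


def triage(packages, first_bad, last_bad):
    """Split packages into (still trusted, must be re-signed)."""
    revoked = revoked_subkeys(first_bad, last_bad)
    keep = [p["name"] for p in packages if verify(p, revoked)]
    resign = [p["name"] for p in packages if not verify(p, revoked)]
    return keep, resign


# Constructed package metadata, in signing order.
PACKAGES = [
    {"name": name, "signed": signed, "subkey": subkey_for(signed)}
    for name, signed in [
        ("vim-7.4", date(2014, 2, 10)),
        ("kernel-3.14.4", date(2014, 5, 20)),
        ("openssl-1.0.1e", date(2014, 5, 30)),
        ("bash-4.2", date(2014, 6, 2)),
        ("glibc-2.18", date(2014, 6, 10)),
    ]
]

if __name__ == "__main__":
    # Constructed compromise window: signing host owned 26 May to 4 June.
    keep, resign = triage(PACKAGES, date(2014, 5, 26), date(2014, 6, 4))
    print("still trusted:", keep)
    print("re-sign:", resign)  # only the two weeks' worth, not all five
```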