Upload gpg key to keyservers #849

Closed

maltfield opened this issue Nov 12, 2019 · 4 comments

Comments

@maltfield

maltfield commented Nov 12, 2019

  • [ ] This is a bug report
  • [x] This is a feature request
  • I searched existing issues before opening this one

Hi,

Can the docker team please upload their gpg public key to a keyserver to facilitate its users in cross-checking the validity of the key when importing it for the first-time?

I downloaded the docker gpg key from the following URL:

That gave me a key with fingerprint 060A 61C5 1B55 8A7F 742B 77AA C52F EB6B 621E 9F35 and a uid for docker@docker.com

user@personal:~$ gpg --list-keys docker
pub   rsa4096/0xC52FEB6B621E9F35 2017-02-22 [SCEA]
      Key fingerprint = 060A 61C5 1B55 8A7F 742B  77AA C52F EB6B 621E 9F35
uid                   [ unknown] Docker Release (CE rpm) <docker@docker.com>

user@personal:~$ 

But then I went to validate that this key was indeed correct, and I was stunned to find that it isn't listed on the sks keyservers or the better/replacement keyserver https://keys.openpgp.org/

Moreover, there are no non-self signatures on the key:

user@disp4086:~$ curl  --tlsv1.2 --proto =https --location https://download.docker.com/linux/centos/gpg > docker.gpg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1627  100  1627    0     0    668      0  0:00:02  0:00:02 --:--:--   668
user@disp4086:~$ cat docker.gpg | gpg --list-packets
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
	version 4, algo 1, created 1487791233, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: C52FEB6B621E9F35
# off=528 ctb=b4 tag=13 hlen=2 plen=43
:user ID packet: "Docker Release (CE rpm) <docker@docker.com>"
# off=573 ctb=89 tag=2 hlen=3 plen=567
:signature packet: algo 1, keyid C52FEB6B621E9F35
	version 4, created 1487792760, md5len 0, sigclass 0x13
	digest algo 10, begin of digest e8 2d
	hashed subpkt 2 len 4 (sig created 2017-02-22)
	hashed subpkt 27 len 1 (key flags: 2F)
	hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
	hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
	hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	subpkt 16 len 8 (issuer key ID C52FEB6B621E9F35)
	data: [4094 bits]
user@disp4086:~$ 

In case it isn't clear, there are significant security risks with the X.509 security model used by my browser (or curl, etc.) when downloading the docker gpg key from https://download.docker.com/linux/centos/gpg. HSTS is great when re-visiting a website, but the first time I visit docker.com, it wouldn't be too difficult for a malicious actor to MITM the connection with a cert signed by any one of the extremely large list of CAs trusted by popular browsers -- which includes, for example, organizations controlled by state actors who have a history of human rights abuses, and which has historically included many CAs that had to be removed because the CA's private key was stolen or the CA was otherwise signing certificates that it shouldn't have been. If a cert is signed by any of those CAs, a MITM actor can send the wrong gpg key to a client, and the browser will show no indication of wrongdoing.

As suggested above, the solution to this problem is:

  1. publishing the docker public key on other domains in addition to docker.com, such as the keys.openpgp.org keyserver

  2. signing your public key with other gpg keys that are well integrated in the web of trust

The second item is a more complicated and long-term solution, so this issue is a feature request to upload the docker gpg key to the keys.openpgp.org keyserver, which should only take a few minutes to do. You'll need to click a link sent to the uid of the key (docker@docker.com) as described here: https://keys.openpgp.org/about

@maltfield
Author

maltfield commented Nov 12, 2019

I also recommend that docker sets up a keybase account and uses their official twitter account to publicly list the fingerprint of their gpg key, but I'd be happy to create a distinct issue for this.

@andrewhsu
Contributor

cc @justincormack

@andrewhsu
Contributor

Closing as duplicate of #602

@maltfield
Author

maltfield commented Nov 17, 2019

Sorry, but this is a totally distinct request from #602

This ticket (#849) requests to add the docker gpg public key to keyservers.

#602 requests to add a fingerprint of the key to the docker install script.

While I support #602, it does not solve the issue that the same domain provides both the gpg key and the fingerprint that identifies the gpg key. Putting your key on a keyserver (on a distinct domain from docker.com) is a distinct request that will provide a method for clients to check the validity of the key out-of-band from docker.com.

@andrewhsu, please re-open this ticket.
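The out-of-band check this thread is asking for, written out as an added example that is not part of the issue, of gpg, or of Docker's own install tooling. It serves both the first comment's point about the X.509 risk of fetching the key from a single domain and the later point that the key and the fingerprint identifying it must come from distinct sources. The code dearmors a downloaded key block, verifies the armor CRC24, parses the first packet exactly as the `gpg --list-packets` listing above shows it (ctb 0x99, tag 6, hlen 3, plen 525, v4, algorithm 1, MPIs of 4096 and 17 bits), computes the v4 fingerprint itself per RFC 4880 section 12.2 and compares it in constant time against a fingerprint pinned from a second source such as a keyserver on another domain. The `pinned_fingerprint` parameter, the helper names and the synthetic key (a filler modulus with the creation time from the listing above; not Docker's key) are my assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, crc: int) -> str:
    """Wrap raw packets in ASCII armor; the CRC is a parameter so a test can mismatch it."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    trailer = "=" + base64.b64encode(crc.to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, ""] + lines + [trailer, END])

def split_armor(text: str):
    """Return (decoded payload, CRC line or None) from an armored block."""
    lines = text.strip().splitlines()
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an armored public key block")
    body = lines[1:-1]
    start = body.index("") + 1 if "" in body else 0  # skip Version:/Comment: headers
    payload = base64.b64decode("".join(ln for ln in body[start:] if not ln.startswith("=")))
    crc_line = next((ln for ln in body[start:] if ln.startswith("=")), None)
    return payload, crc_line

def armor_crc_ok(text: str) -> bool:
    """True when the CRC24 trailer matches the decoded payload (a missing trailer passes)."""
    payload, crc_line = split_armor(text)
    return crc_line is None or crc24(payload) == int.from_bytes(base64.b64decode(crc_line[1:]), "big")

def first_packet(data: bytes):
    """Parse an old-format packet header (RFC 4880 section 4.2.1); ctb 0x99 is tag 6, 2-byte length."""
    ctb = data[0]
    if not ctb & 0x80 or ctb & 0x40:
        raise ValueError("expected an old-format packet header")
    tag, hlen = (ctb >> 2) & 0x0F, {0: 2, 1: 3, 2: 5}.get(ctb & 0x03)
    if hlen is None:
        raise ValueError("indeterminate packet length not supported")
    plen = int.from_bytes(data[1:hlen], "big")
    return tag, data[hlen:hlen + plen]

def parse_public_key(body: bytes) -> dict:
    """Parse a v4 public-key packet body (RFC 4880 section 5.5.2): time, algorithm, MPI sizes."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    created, algo = struct.unpack(">IB", body[1:6])
    mpi_bits, off = [], 6
    while off < len(body):
        bits = struct.unpack(">H", body[off:off + 2])[0]
        mpi_bits.append(bits)
        off += 2 + (bits + 7) // 8
    return {"version": 4, "created": created, "algo": algo, "mpi_bits": mpi_bits}

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the two-byte body length and the body (RFC 4880 section 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def check_key(armored: str, pinned_fingerprint: str) -> dict:
    """Dearmor, parse and compare the key's fingerprint against the out-of-band pin."""
    if not armor_crc_ok(armored):
        raise ValueError("armor CRC24 mismatch: key block corrupted or truncated")
    tag, body = first_packet(split_armor(armored)[0])
    if tag != 6:
        raise ValueError(f"first packet has tag {tag}, not a public key")
    info = parse_public_key(body)
    info["fingerprint"] = v4_fingerprint(body)
    info["keyid"] = info["fingerprint"][-16:]  # the long key ID gpg prints
    pinned = pinned_fingerprint.replace(" ", "").upper()
    info["matches_pin"] = hmac.compare_digest(info["fingerprint"], pinned)
    return info

def constructed_sample_key(tamper: bool = False) -> str:
    """Synthetic 4096-bit RSA key packet (filler modulus, e=65537, created 1487791233); not a real key."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    modulus = (1 << 4095) | 0x0123456789ABCDEF  # exactly 4096 bits of filler, assumed for the demo
    body = b"\x04" + struct.pack(">IB", 1487791233, 1) + mpi(modulus) + mpi(65537)
    packet = b"\x99" + struct.pack(">H", len(body)) + body  # tag 6, hlen 3, plen 525
    crc = crc24(packet)  # CRC computed over the genuine bytes
    if tamper:
        packet = packet[:-1] + bytes([packet[-1] ^ 0x01])  # simulate corruption in transit
    return armor(packet, crc)

if __name__ == "__main__":
    info = check_key(constructed_sample_key(), "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000")
    print(info["fingerprint"], info["mpi_bits"], "matches pin:", info["matches_pin"])
```

In practice the armored text is what `curl https://download.docker.com/linux/centos/gpg` returns and the pin is the fingerprint as published somewhere docker.com does not control (a keyserver entry, a signed release note, a keybase proof). The value of the check is that an attacker who can serve a substitute key on one channel must also control the second one; a single TLS download, however well configured, cannot give you that.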
