
Image signing key needs to be refreshed on keyservers #1114

Closed
neilmayhew opened this issue Jul 16, 2023 · 4 comments
Labels
kind/bug Something isn't working

Comments

@neilmayhew

Description

The signing key E25D9AED0593B34A was recently updated to include a new subkey (E9426D8B67E35DF476BD048185F7C8868837E271) since the old one expires soon. Images are now being signed with the new subkey. The copy of the key published on the website includes the new subkey, but the one available through keyservers (e.g. keyserver.ubuntu.com) does not.

Impact

Being able to download the key from keyservers in scripts (e.g. the one described in #21) is more secure and more convenient than fetching it from the web site using curl. In fact, fetching a key using curl and then using it to verify an image is no more secure than not verifying the image at all. The only time it makes sense to download with curl is when the key is imported onto a long-lived system (e.g. a developer machine) and used for multiple future verifications.

Environment and steps to reproduce

  1. gpg --keyserver keyserver.ubuntu.com --recv-key E25D9AED0593B34A
  2. gpg -v --with-subkey-fingerprint --list-keys E25D9AED0593B34A |& grep E9426D8B67E35DF476BD048185F7C8868837E271
  3. No output

Expected behavior

E9426D8B67E35DF476BD048185F7C8868837E271 is output

@neilmayhew neilmayhew added the kind/bug Something isn't working label Jul 16, 2023
@jepio
Member

jepio commented Jul 17, 2023

I've pushed the key.

Being able to download the key from keyservers in scripts (eg the one described in #21) is more secure and more convenient than fetching it from the web site using curl

Convenient maybe, but how is a keyserver more secure than curl?

@neilmayhew
Author

The big difference with the keyserver approach is that you're fetching the key by ID rather than by URL. Although anyone can upload any public key file to the keyservers, they won't be able to upload one with the same ID unless they have the private key. An attacker could create a new private key, sign images with it and overwrite the key file on the web site. A script or a user that downloads the file from the web page would then see the malicious images as verified. However, if the script fetches the key by ID, it will get the original key and the malicious images would not be verified.

Conceptually, with a keyserver the key is still being fetched by URL but the key's ID is part of the URL, and the keyserver is ensuring that the ID and the URL match.

It would be possible to gain that security with curl by downloading the image to a file, and using gpg to verify that it has the correct ID before importing it. However, that's complex and fiddly to do, and gpg isn't really designed to let you do that.

When the key ID is embedded into a script, it's a form of pre-stored verification just like downloading and importing the key file ahead of time would be. However, it's more future-proof than embedding the entire key into the script because it allows for new subkeys to be added without changing the script. (It's also a lot more readable.)
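The check described in the comment above, verifying that a curl-downloaded key file really carries the pinned key ID and the new signing subkey before importing it, as an added example that is not part of the issue or the project's own tooling. It parses the machine-readable output of `gpg --show-keys --with-colons key.asc`; the listing embedded below is hand-written, not captured gpg output, and the primary fingerprint in it is a constructed placeholder that only ends in the long ID from the issue.

```python
# Field layout per GnuPG's doc/DETAILS: field 1 is the record type; an fpr
# record carries the fingerprint in field 10 and describes the pub or sub
# record immediately before it.
EXPECTED_PRIMARY_ID = "E25D9AED0593B34A"                          # long ID pinned in the script
EXPECTED_SUBKEY_FPR = "E9426D8B67E35DF476BD048185F7C8868837E271"  # new signing subkey

def parse_colon_listing(listing: str) -> list[dict]:
    """Group a --with-colons listing into {'primary_fpr', 'subkey_fprs'} per key."""
    keys: list[dict] = []
    owner = None  # which record ('pub' or 'sub') the next fpr line belongs to
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append({"primary_fpr": None, "subkey_fprs": []})
            owner = "pub"
        elif fields[0] == "sub":
            owner = "sub"
        elif fields[0] == "fpr" and keys and owner:
            if owner == "pub":
                keys[-1]["primary_fpr"] = fields[9].upper()
            else:
                keys[-1]["subkey_fprs"].append(fields[9].upper())
            owner = None
    return keys

def key_is_acceptable(listing: str, primary_id: str = EXPECTED_PRIMARY_ID,
                      subkey_fpr: str = EXPECTED_SUBKEY_FPR) -> tuple[bool, str]:
    """Decide whether the downloaded key file may be imported, with a reason."""
    keys = parse_colon_listing(listing)
    if len(keys) != 1:
        return False, f"expected exactly one key, found {len(keys)}"
    primary = keys[0]["primary_fpr"] or ""
    # The long key ID is the last 16 hex digits of the primary fingerprint, so a
    # substitute key planted on the web site cannot pass this check.
    if not primary.endswith(primary_id.upper()):
        return False, "primary key ID does not match the pinned ID"
    # The stale keyserver copy from the issue would fail here: no new subkey.
    if subkey_fpr.upper() not in keys[0]["subkey_fprs"]:
        return False, "expected signing subkey is missing (stale copy?)"
    return True, "ok"

# Constructed listing, NOT real gpg output: the primary fingerprint is a
# placeholder that only ends in the pinned long ID.
SAMPLE_LISTING = """\
pub:-:4096:1:E25D9AED0593B34A:1500000000::-:::scESC::::::23::0:
fpr:::::::::PLACEHOLDER0000000000000E25D9AED0593B34A:
uid:-::::1500000000::0::Example Signing Key (constructed) <key@example.invalid>::::::::::0:
sub:-:4096:1:85F7C8868837E271:1689000000:1720000000:::::s::::::23:
fpr:::::::::E9426D8B67E35DF476BD048185F7C8868837E271:
"""
```

In a script, run `gpg --import` only when `key_is_acceptable` returns `True`; the same function applied to a listing of the stale keyserver copy reports the missing subkey rather than silently verifying nothing.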

@neilmayhew
Author

Thanks for pushing the key!

@jepio
Member

jepio commented Jul 25, 2023

Closing as pushed
