Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security issue: deprecated 32-bit key ID is recommended for verification of the Linux Mint ISO #17

Open
morton-f opened this issue Sep 21, 2020 · 0 comments

Comments

@morton-f
Copy link

morton-f commented Sep 21, 2020

I checked English and several other language guides and found out that OpenPGP 32-bit key ID is recommended as an alternative for verifying an ISO.

Linux Mint Installation Guide --> Verify your ISO image --> Authenticity check

If gpg complains about the key ID, try the following commands instead:
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key A25BAE09
gpg --list-key --with-fingerprint A25BAE09

Check the output of the last command, to make sure the fingerprint is 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09 (with or without spaces).

results in

pub   rsa1024 2014-01-26 [C]
      1828 C98D 1C52 E20C 95DF  B632 6ABA 455A A25B AE09
uid           [ unknown] Totally Legit Signing Key <[email protected]>

There are some users in the wild including Linux Mint forum which are not familiar enough with GnuPG to resolve a problem even if they see that signature is wrong. It is a well known issue and only full 64-bit identifiers should be used. See:
https://github.com/jwilk/stopgp32
https://seclists.org/oss-sec/2018/q3/174

@morton-f morton-f changed the title Security issue: malicious key is reccomended for verification of the Linux Mint ISO Security issue: deprecated 32-bit key ID is reccomended for verification of the Linux Mint ISO Sep 22, 2020
@morton-f morton-f changed the title Security issue: deprecated 32-bit key ID is reccomended for verification of the Linux Mint ISO Security issue: deprecated 32-bit key ID is recommended for verification of the Linux Mint ISO Oct 28, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant