[Full-disclosure] Using second gpg keyring may be misleading?

---

• From: Georgi Guninski <guninski@xxxxxxxxxxxx>
• Date: Thu, 14 Jun 2012 17:17:49 +0300

---

There is chance someone exploits this in apt-key...

Attached is a keyring and here is the output:

$rm -rf /home/joro2/.gnupg/ ; gpg --import /usr/share/keyrings/ubuntu-master-keyring.gpg ; gpg --check-sigs --keyring /tmp/sec3
gpg: imported: 1 (RSA: 1)
gpg: no ultimately trusted keys found
/home/joro2/.gnupg/pubring.gpg
------------------------------
pub 4096R/3F272F5B 2007-11-09
uid Ubuntu Archive Master Signing Key <ftpmaster@xxxxxxxxxx>
sig!3 3F272F5B 2007-11-09 Ubuntu Archive Master Signing Key <ftpmaster@xxxxxxxxxx>

/tmp/sec3
---------
pub 1024R/B1C08810 2012-06-14
uid kkkkkkk5 <k@k>
sig!3 B1C08810 2012-06-14 [User ID not found]
sig! 3F272F5B 2012-06-14 Ubuntu Archive Master Signing Key <ftpmaster@xxxxxxxxxx>
sig! 3F272F5B 2012-06-14 Ubuntu Archive Master Signing Key <ftpmaster@xxxxxxxxxx>
sub 1024R/0354AE88 2012-06-14
sig! B1C08810 2012-06-14 [User ID not found]
sub 2179R/3F272F5B 2012-06-14
sig! B1C08810 2012-06-14 [User ID not found]

1 signature not checked due to a missing key


$rm -rf /home/joro2/.gnupg/ ; gpg --import /usr/share/keyrings/ubuntu-master-keyring.gpg ; gpg --no-default-keyring --check-sigs --keyring /tmp/sec3

gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: no ultimately trusted keys found
/tmp/sec3
---------
pub 1024R/B1C08810 2012-06-14
uid kkkkkkk5 <k@k>
sig!3 B1C08810 2012-06-14 kkkkkkk5 <k@k>
sig! 3F272F5B 2012-06-14 kkkkkkk5 <k@k>
sig! 3F272F5B 2012-06-14 kkkkkkk5 <k@k>
sub 1024R/0354AE88 2012-06-14
sig! B1C08810 2012-06-14 kkkkkkk5 <k@k>
sub 2179R/3F272F5B 2012-06-14
sig! B1C08810 2012-06-14 kkkkkkk5 <k@k>

Attachment: sec3
Description: Binary data

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

---

• Follow-Ups:
  • Re: [Full-disclosure] Using second gpg keyring may be misleading?
    • From: Thor (Hammer of God)

• Prev by Date: [Full-disclosure] [ MDVSA-2012:091 ] libreoffice
• Next by Date: Re: [Full-disclosure] Using second gpg keyring may be misleading?
• Previous by thread: [Full-disclosure] [ MDVSA-2012:091 ] libreoffice
• Next by thread: Re: [Full-disclosure] Using second gpg keyring may be misleading?
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: OT: Pgp trusted keys for OpenSSH download, help with usage please ... >gpg: checking the trustdb ... >gpg: ... The "no ultimately trusted keys found" normally indicates that you don't ... Normally trustdb is updated automatically, ... (comp.security.ssh) Re: [Full-disclosure] Using second gpg keyring may be misleading? ... [Full-disclosure] Using second gpg keyring may be misleading? ... sub 1024R/0354AE88 2012-06-14 ... (Full-Disclosure) OT: Pgp trusted keys for OpenSSH download, help with usage please ... I need a little help with GPG. ... Now I imported the public key: ... no ultimately trusted keys found ... gpg: WARNING: This key is not certified with a trusted signature! ... (comp.security.ssh) Re: http://ftp.debian-unofficial.org/debian/dists/sarge/Release.gpg problem. ... gpg: no valid OpenPGP data found. ... no ultimately trusted keys found ... You may want to run apt-get update to correct these problems ... (Debian-User) Re: gpg key error in unstable ... gpg: key 1F41B907: public key "Christian Marillat ... no ultimately trusted keys found ... even now I got warning during apt-get update ... (Debian-User)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > Full-Disclosure  > 2012-06