Date: Mon, 29 Oct 2018 08:52:25 -0400 From: Daniel Kahn Gillmor <dkg@...thhorseman.net> To: Jakub Wilk <jwilk@...lk.net>, oss-security@...ts.openwall.com Subject: Re: Re: Travis CI MITM RCE On Sat 2018-10-27 16:54:46 +0200, Jakub Wilk wrote: > My proposed fix was to use "gpg --recv-key" with full fingerprint. But I > now discovered that even this is not resistant against MitM attacks: > > https://dev.gnupg.org/T3398 > > "[...] modern gpg automatically applies an import screener that only > accepts OpenPGP certificates that have the given fingerprint [...] It may be even worse than this, because the version of gpg used by default in travis is not "modern gpg", it's either gnupg2 2.0.22-3ubuntu1.4 or gnupg 1.4.16-1ubuntu2.6. I don't think either of these has the baseline "import screener" functionality, let alone a fix for T3398 :( --dkg
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.