oss-sec mailing list archives
Re: Re: Travis CI MITM RCE
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Mon, 29 Oct 2018 08:52:25 -0400
On Sat 2018-10-27 16:54:46 +0200, Jakub Wilk wrote:
My proposed fix was to use "gpg --recv-key" with full fingerprint. But I now discovered that even this is not resistant against MitM attacks: https://dev.gnupg.org/T3398 "[...] modern gpg automatically applies an import screener that only accepts OpenPGP certificates that have the given fingerprint [...]
It may be even worse than this, because the version of gpg used by default in travis is not "modern gpg", it's either gnupg2 2.0.22-3ubuntu1.4 or gnupg 1.4.16-1ubuntu2.6. I don't think either of these has the baseline "import screener" functionality, let alone a fix for T3398 :( --dkg
Current thread:
- Re: Travis CI MITM RCE Jakub Wilk (Oct 18)
- Re: Travis CI MITM RCE zugtprgfwprz (Oct 20)
- <Possible follow-ups>
- Re: Travis CI MITM RCE Jakub Wilk (Oct 27)
- Re: Re: Travis CI MITM RCE Daniel Kahn Gillmor (Oct 29)
- Re: Re: Travis CI MITM RCE Jakub Wilk (Oct 31)
- Re: Re: Travis CI MITM RCE Daniel Kahn Gillmor (Oct 29)