[Bug 1052789] Re: Need to send long keyids to software-center to prevent MITM attack

Marc Deslauriers marc.deslauriers at canonical.com
Mon Dec 17 14:05:08 UTC 2012


** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to aptdaemon in Ubuntu.
https://bugs.launchpad.net/bugs/1052789

Title:
  Need to send long keyids to software-center to prevent MITM attack

Status in Online service used by software center:
  Fix Released
Status in “aptdaemon” package in Ubuntu:
  Fix Released
Status in “aptdaemon” source package in Oneiric:
  Fix Released
Status in “aptdaemon” source package in Precise:
  Fix Released
Status in “aptdaemon” source package in Quantal:
  Fix Released
Status in “aptdaemon” source package in Raring:
  Fix Released

Bug description:
  In the subscriptions_for_me json and in the purchase json wgrant noticed that we use the short gpg keyids,
  e.g. u'signing_key_id': u'1024r/75254d99'

  These are vulnerable to man-in-the-middle attacks as it's relatively easy to create collisions on them and sneak
  in a different key into the keyring and compromise the system. Instead we need to send the long keyid. This
  *should* be transparent to the client (but obviously we need to test that). It should send the long fingerprint,
  e.g. 019A25FED88F961763935D7F129196470EB12F05 from http://launchpad.net/~mvo/+archive under
  fingerprint.

To manage notifications about this bug go to:
https://bugs.launchpad.net/software-center-agent/+bug/1052789/+subscriptions
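The following is an added illustration of the weakness described in the bug report and of the client-side check that closes it; it is not code from aptdaemon, software-center or the software-center-agent service. It uses the fingerprint quoted in the report as the trusted key, and a constructed impostor fingerprint (all zeros, not a real key) that shares only the trailing 32 bits. The function names (`matches_by_short_id`, `accept_signing_key`) and the keyring representation (a plain list of hex fingerprints) are assumptions for the example.

```python
import hmac
import re

# Fingerprint quoted in the bug report (ppa:mvo), treated here as the trusted key.
TRUSTED_FINGERPRINT = "019A25FED88F961763935D7F129196470EB12F05"

# Constructed impostor: NOT a real key. It differs from the trusted key everywhere
# except the last 8 hex digits, which is all a short key id compares.
IMPOSTOR_FINGERPRINT = "00000000000000000000000000000000" + "0EB12F05"

# A v4 OpenPGP fingerprint is 160 bits = 40 hex digits.
FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")


def normalize_key_id(value):
    """Drop an optional 'algo/' prefix such as '1024r/' and uppercase the hex."""
    if "/" in value:
        value = value.rsplit("/", 1)[1]
    return value.strip().upper()


def key_id_length_bits(value):
    """Bits of key identity actually carried by the value the server sent."""
    return len(normalize_key_id(value)) * 4


def short_key_id(fingerprint):
    """Short key id: the low 32 bits (last 8 hex digits) of the fingerprint."""
    return normalize_key_id(fingerprint)[-8:]


def long_key_id(fingerprint):
    """Long key id: the low 64 bits (last 16 hex digits) of the fingerprint."""
    return normalize_key_id(fingerprint)[-16:]


def matches_by_short_id(server_value, keyring_fingerprints):
    """The weak check: match keyring entries on the short id only.

    Any key whose fingerprint ends in the same 8 hex digits is accepted,
    which is exactly what the bug report warns about.
    """
    wanted = normalize_key_id(server_value)
    return [f for f in keyring_fingerprints if short_key_id(f) == wanted]


def accept_signing_key(server_value, keyring_fingerprints):
    """The corrected check: require a full 160-bit fingerprint from the server
    and compare it against each keyring entry in constant time.

    Returns the matching keyring fingerprint, or None. Short (32-bit) and
    long (64-bit) key ids are rejected outright rather than matched loosely.
    """
    candidate = normalize_key_id(server_value)
    if not FINGERPRINT_RE.match(candidate):
        return None
    for fpr in keyring_fingerprints:
        if hmac.compare_digest(candidate, normalize_key_id(fpr)):
            return fpr
    return None


if __name__ == "__main__":
    keyring = [TRUSTED_FINGERPRINT, IMPOSTOR_FINGERPRINT]
    print("short id of trusted key:", short_key_id(TRUSTED_FINGERPRINT))
    print("weak check matches:", matches_by_short_id("1024r/0EB12F05", keyring))
    print("strict check, short id:", accept_signing_key("1024r/0EB12F05", keyring))
    print("strict check, fingerprint:", accept_signing_key(TRUSTED_FINGERPRINT, keyring))
```

Run stand-alone, the weak check returns both keyring entries for the short id, while the strict check returns None for anything shorter than a full fingerprint and the single exact match for the real one. Rejecting short and long ids at the client, rather than only changing what the server sends, means a downgraded or tampered JSON value cannot quietly fall back to the 32-bit comparison.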
