[Mageia-dev] PGP keys and package signing

David Sjölin david.sjolin at gmail.com
Tue Feb 1 12:31:49 CET 2011


Hello!

I know this is probably a stupid question, but if you don't ask you
won't learn so.

What is this signing? I assume we won't encrypt the entire
distribution? Is it some sort of way of saying that a package is
"Approved by Mageia" so the package manager can warn about non
approved packages?

Regards,

David



On Tue, Feb 1, 2011 at 11:47 AM, Pascal Terjan <pterjan at gmail.com> wrote:
> On Tue, Feb 1, 2011 at 00:35, Dick Gevers <dvgevers at xs4all.nl> wrote:
>> On Tue, 01 Feb 2011 00:15:36 +0100, Michael Scherer wrote about Re:
>> [Mageia-dev] PGP keys and package signing:
>>
>>>Le lundi 31 janvier 2011 à 21:49 +0000, Dick Gevers a écrit :
>>>> On Mon, 31 Jan 2011 17:18:25 +0100, Michael Scherer wrote about Re:
>>>> [Mageia-dev] PGP keys and package signing:
>>>>
>>>> >The problem is not leaking the key, it is about cryptographic attacks
>>>> >about older keys.
>>>> >
>>>> >If in 10 years, there is some technology that allows people to get our
>>>> >private key by bruteforce on the public one
>>>>
>>>> You can never ever obtain the private key from the public one, that is
>>>> impossible. It can only be compromised if someone looses the private key
>>>> plus the password is cracked.
>>>
>>>Some secure systems have been seen compromised ( like
>>>http://www.win.tue.nl/hashclash/rogue-ca/, who explain how the whole SSL
>>>business was compromised 2 years ago, or see the GSM being cracked at
>>>this year 27C3 ).
>>>
>>>And Debian also got ride of older vulnerable gpg keys ( see
>>>http://lists.debian.org/debian-devel-announce/2010/04/msg00018.html and
>>>http://lists.debian.org/debian-devel-announce/2010/09/msg00003.html ),
>>>so I would not be so optimistic about the "never".
>>>
>>>Technically, MD5 should not have been reversible, but see how easy it is
>>>using a rainbow table. Granted, that's a 20 year protocol, but that's
>>>still widely used in lots of software.
>>
>> Sorry, but I am not convinced: the gpg key we are talking about consists of
>> 2 parts: the private key is separate from the public key, or signing key.
>> The signing key is a separate or subkey and does not contain any part of the
>> private key. So you can throw any amount of computing power at it, but
>> there is nothing inside the public key that will enable the rebuilding of
>> the private key from it.
>
> Encrypt stuff with the public one, try to decrypt it with the 2^4096
> (or whatever) possible private keys.
>


More information about the Mageia-dev mailing list