Is Ubuntu vulnerable to fake keys?

Maybe I’m missing something, but what prevents someone from using a key they have made and uploaded to the ubuntu keyserver to serve a corrupted ISO?

I just created a fake ubuntu signing key, uploaded it to the ubuntu key server, created a fake SHA256SUM.gpg, and was able to download my fake key from the server, and it looks legit.

Nothing! This is why I don’t fetch random keys from a keyserver, I use the archive keyring shipped with Ubuntu (apt install ubuntu-keyring):

gpgv --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg SHA256SUMS.gpg SHA256SUMS

This, of course, assumes that you already have an Ubuntu system that contains this keyring.

If you don’t, fetching the key from the keyserver should be safe, if you check the fingerprint against a source you trust. Ideally those would be published on an HTTPS-authenticated page somewhere on the Ubuntu website, but if they are, I couldn’t find it.

The tutorial instructions are, IMHO, insecure.


Hi, thanks for the discussion.

We do publish the archive keys and other important gpg keys used in Ubuntu at https://wiki.ubuntu.com/SecurityTeam/FAQ#GPG_Keys_used_by_Ubuntu ; that page is accessible via HTTPS and there are ACLs on that page that only permit editing by the Ubuntu Security Team.

That said, it’s not nearly discoverable enough and should be split into its own page, and would also warrant links to https://keyserver.ubuntu.com so that the keys can be downloaded directly.

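An added example (not code from this thread, from Canonical, or from the Ubuntu project) that scripts the checks the two replies above describe: fetch the CD image signing key from the keyserver, refuse it unless its full fingerprint matches one taken from the HTTPS-served Security Team page, verify SHA256SUMS.gpg with gpgv against a keyring that holds only that key, and only then compare the ISO's SHA-256 with its SHA256SUMS entry. The key ID is the one used in the thread; the fingerprint constant is a placeholder to be filled in from the FAQ page linked above, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: verify an Ubuntu ISO download as the replies above recommend.
# 1. Fetch the signing key from the keyserver (anyone can upload a key there).
# 2. Refuse it unless its FULL fingerprint matches one published on a page you trust.
# 3. Verify SHA256SUMS.gpg with gpgv against a keyring containing only that key.
# 4. Only then compare the ISO's SHA-256 against the entry in SHA256SUMS.
set -eu

KEYSERVER="hkp://keyserver.ubuntu.com"
KEY_ID="0xD94AA3F0EFE21092"   # key ID from the thread (2012 CD image signing key)
# PLACEHOLDER: paste the full fingerprint published at
# https://wiki.ubuntu.com/SecurityTeam/FAQ#GPG_Keys_used_by_Ubuntu
TRUSTED_FPR="REPLACE_WITH_FINGERPRINT_FROM_SECURITY_TEAM_FAQ"

# Normalise a fingerprint: drop spaces and upper-case the hex, so "abcd 1234" == "ABCD1234".
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Exit 0 if both strings name the same fingerprint, 1 otherwise.
check_fingerprint() { [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]; }

# Primary-key fingerprint of a key in the local gpg keyring (machine-readable output,
# field 10 of the first "fpr" record).
key_fingerprint() {
    gpg --with-colons --fingerprint "$1" 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Expected hash of one file name from a SHA256SUMS file; entries look like "<hash> *name.iso".
expected_sum() {
    awk -v f="$2" '{ name = $2; sub(/^\*/, "", name); if (name == f) { print $1; exit } }' "$1"
}

# Actual SHA-256 of a local file.
actual_sum() { sha256sum "$1" | awk '{ print $1 }'; }

# Exit 0 if the ISO's hash matches its SHA256SUMS entry, 1 on mismatch or missing entry.
verify_iso() {
    want=$(expected_sum "$1" "$(basename "$2")")
    [ -n "$want" ] && [ "$want" = "$(actual_sum "$2")" ]
}

# Full procedure: $1 = SHA256SUMS, $2 = SHA256SUMS.gpg, $3 = ISO path.
main() {
    gpg --keyid-format long --keyserver "$KEYSERVER" --recv-keys "$KEY_ID"
    got=$(key_fingerprint "$KEY_ID")
    check_fingerprint "$got" "$TRUSTED_FPR" || { echo "fingerprint mismatch: $got" >&2; exit 1; }
    # gpgv trusts every key in the keyring it is handed, so hand it only the checked key.
    tmpring=$(mktemp)
    gpg --export "$KEY_ID" > "$tmpring"
    gpgv --keyring "$tmpring" "$2" "$1" || { echo "BAD signature on $1" >&2; exit 1; }
    rm -f "$tmpring"
    verify_iso "$1" "$3" || { echo "checksum mismatch for $3" >&2; exit 1; }
    echo "OK: $3 verified"
}

# Run the procedure only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

Usage: `sh verify-ubuntu-iso.sh --run SHA256SUMS SHA256SUMS.gpg ubuntu-16.04.7-desktop-amd64.iso`. The signature check is done before the checksum check because SHA256SUMS is worthless until its signature is good; a stale SHA256SUMS.gpg of the kind reported later in this thread fails at that step with the same BAD signature message, whether the cause is tampering or a signature file that was simply not regenerated.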

I’m posting this here because it seems to be the most relevant, and I sent an email about this to Canonical already, and haven’t heard back.

I had to change the format of the email addresses in the terminal output I included in order to get around the link limit.

I write to you to let you know that you have an issue, and potentially a hack, on your old-releases server.

I downloaded the Ubuntu 16.04 files from here.

I was verifying the download, and had run these commands.

gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092

gpg --list-keys --with-fingerprint 0x46181433FBB75451 0xD94AA3F0EFE21092

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS

I checked the returned fingerprints from the second command to make sure they were right, using the fingerprints given here for the comparison.

Upon running the third command given above, I got the following output.

gpg: Signatur vom Do 28 Feb 2019 10:26:07 CST
gpg: mittels DSA-Schlüssel 46181433FBB75451
gpg: FALSCHE Signatur von “Ubuntu CD Image Automatic Signing Key <cdimage_at_ubuntu.com>” [unbekannt]
gpg: Signatur vom Do 28 Feb 2019 10:26:07 CST
gpg: mittels RSA-Schlüssel D94AA3F0EFE21092
gpg: FALSCHE Signatur von “Ubuntu CD Image Automatic Signing Key (2012) <cdimage_at_ubuntu.com>” [unbekannt]

Something is clearly wrong. I am building an archive of all the old Ubuntu releases, and have thus been verifying the downloads of many other Ubuntu releases, all downloaded from the same official Ubuntu server. This is the first one that has failed. It seems odd that someone would hack the server to compromise a version that old, that almost no one is using anymore, but the failed GPG verification suggests something is going on.

Thanks for reporting this - turns out that when the latest ISO point releases were made for 16.04 that while the various SUMS files were updated, the corresponding .gpg signature files were not regenerated. This has now been done.

To add a bit more info here - the date of the original old signature was 28 Feb 2019 10:26:07 CST as can be seen in your output - this corresponds with the release of 16.04.6 - but subsequently, 16.04.7 was released for the Boothole vulnerabilities https://lists.ubuntu.com/archives/ubuntu-announce/2020-August/000261.html - when this was done, the various SUMS files were regenerated but not the associated SUMS.gpg files.