
launchpad-reviewers team mailing list archive

[Merge] lp:~abrody/launchpad/rocketfuel-apt into lp:launchpad

 

Andy Brody has proposed merging lp:~abrody/launchpad/rocketfuel-apt into lp:launchpad.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~abrody/launchpad/rocketfuel-apt/+merge/362639

Use full gpg key fingerprints in rocketfuel-setup. This addresses the vulnerability with fetching keys by the 64-bit key ID.

Also add a script utilities/rocketfuel-rm-evil-keys to make it easy for users to find and remove potentially malicious GPG keys trusted by apt that share a key ID with a genuine key.
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~abrody/launchpad/rocketfuel-apt into lp:launchpad.
=== added file 'utilities/rocketfuel-rm-evil-keys'
--- utilities/rocketfuel-rm-evil-keys	1970-01-01 00:00:00 +0000
+++ utilities/rocketfuel-rm-evil-keys	2019-02-02 21:23:04 +0000
@@ -0,0 +1,57 @@
+#!/bin/bash
+# Search for evil apt keys that share a key ID with the genuine Launchpad PPA
+# apt keys, which could have been added by older versions of rocketfuel-setup.
+set -euo pipefail
+
+genuine_keys=(
+    2AF499CB24AC5F65461405572D1FFB6C0A5174AF
+    ECE2800BACF028B31EE3657CD702BF6B8C6C1EFD
+)
+
+run() {
+    echo >&2 "+ $*"
+    "$@"
+}
+
+prompt_run() {
+    echo >&2 "Will run: $*"
+    read -rp "Press enter to continue..."
+    echo >&2 "+ $*"
+    "$@"
+}
+
+trusted_keys="$(APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 \
+    run apt-key adv --list-keys --with-colons --fingerprint | grep ^fpr: | cut -d: -f10)"
+
+bad_keys_found=
+
+echo "Current gpg keys trusted by apt:"
+sed 's/^/  - /' <<< "$trusted_keys"
+
+for fpr in "${genuine_keys[@]}"; do
+    keyid="${fpr:(-8)}"
+    echo "Checking $fpr ($keyid)"
+
+    # Find keys with the same Key ID but a different fingerprint
+    malicious=$(echo "$trusted_keys" | grep "${keyid}$" | grep -v "$fpr" || true)
+
+    if [ -z "$malicious" ]; then
+        echo "$keyid OK"
+        continue
+    fi
+
+    bad_keys_found=1
+    echo "Found malicious key!"
+    echo "Should not be trusted: $malicious"
+
+    for bad_fpr in $malicious; do
+        run apt-key list "$malicious"
+        prompt_run sudo apt-key del "$bad_fpr"
+    done
+done
+
+if [ -n "$bad_keys_found" ]; then
+    echo "Found and removed malicious apt keys"
+else
+    echo "All OK. No unexpected apt keys found"
+fi
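Review bot: Inside the `for bad_fpr in $malicious` loop, the listing step passes the whole match list rather than the key being processed, so with more than one colliding key `apt-key list` receives a multi-line argument and the user confirms a deletion without seeing the key it applies to; it should read `run apt-key list "$bad_fpr"`. The comparison `keyid="${fpr:(-8)}"` covers only the 32-bit short ID, which matches the old 8-hex values in rocketfuel-setup; a comment such as `# Short (32-bit) key ID, as used by older rocketfuel-setup` would make that scope explicit. The script cleans only apt's trusted keyring. If the old setup path also imported the colliding key into the invoking user's GnuPG keyring (not visible in this diff), that copy stays, which the header comment could mention.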

=== modified file 'utilities/rocketfuel-setup'
--- utilities/rocketfuel-setup	2017-12-18 12:57:01 +0000
+++ utilities/rocketfuel-setup	2019-02-02 21:23:04 +0000
@@ -74,12 +74,12 @@
 done
 
 # Enable relevant Ubuntu package repositories
-grep -q "^deb http:.* ${DISTRIB_CODENAME} .*universe" /etc/apt/sources.list
+grep -qE "^deb https?:.* ${DISTRIB_CODENAME} .*universe" /etc/apt/sources.list
 if [ $? -ne 0 ]; then
     echo "Please enable the 'universe' component in /etc/apt/sources.list'"
     exit 1
 fi
-grep -q "^deb http:.* ${DISTRIB_CODENAME} .*multiverse" /etc/apt/sources.list
+grep -qE "^deb https?:.* ${DISTRIB_CODENAME} .*multiverse" /etc/apt/sources.list
 if [ $? -ne 0 ]; then
     echo "Please enable the 'multiverse' component in /etc/apt/sources.list'"
     exit 1
@@ -96,7 +96,7 @@
   echo "Adding ~launchpad PPA repository to package source list."
   echo "$LP_PPA"  | sudo tee -a $LPDEV_SOURCES
 fi
-REQUIRED_PPA_KEYS="0A5174AF"
+REQUIRED_PPA_KEYS="2AF499CB24AC5F65461405572D1FFB6C0A5174AF"
 
 if [ "$DISTRIB_CODENAME" = precise ]; then
   BZR_PPA="deb http://ppa.launchpad.net/bzr/ppa/ubuntu ${DISTRIB_CODENAME} main"
@@ -105,12 +105,13 @@
     echo "Adding ~bzr PPA repository to package source list."
     echo "$BZR_PPA" | sudo tee -a $LPDEV_SOURCES
   fi
-  REQUIRED_PPA_KEYS="$REQUIRED_PPA_KEYS 8C6C1EFD"
+  REQUIRED_PPA_KEYS="$REQUIRED_PPA_KEYS ECE2800BACF028B31EE3657CD702BF6B8C6C1EFD"
 fi
 
 # Get the key used to sign the launchpad-developer-dependencies in the PPA.
 for key in $REQUIRED_PPA_KEYS; do
-   sudo apt-key list | grep -q $key
+   sudo APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 \
+       apt-key adv --list-keys --with-colons --fingerprint | grep -qE "^fpr:+$key"
    if [ $? -ne 0 ]; then
      echo "Retrieving key $key."
      gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys $key
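Review bot: The retrieval on the last line still goes over plain `hkp://keyserver.ubuntu.com:80`, so after this change the full fingerprint is the only thing tying the downloaded key to the intended one, and nothing in the hunk re-checks it after the fetch. Older GnuPG releases may not screen keyserver responses against the requested ID, so whatever passes the key on to apt should select it by the full fingerprint and then repeat the `grep -qE "^fpr:+$key"` test, failing if it still does not match. The body of the `if` continues past the end of the hunk, so that step may already exist there. Quoting the argument as `--recv-keys "$key"` and adding a comment like `# Match the full 40-hex fingerprint; short key IDs can be collided` above the new check would also help.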

