Closed RokeJulianLockhart closed 1 year ago
Did you import VeraCrypt GPG public key? Without this, your system cannot trust the GPG signature embedded into the rpm package.
The simplest way to do this is to run the command:
sudo rpm --import https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc
and check that the fingerprint displayed matches the fingerprint of the official key (ID=0x680D16DE, Fingerprint=5069A233D55A0EEB174A5FC3821ACD02680D16DE)
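The fingerprint check described in the comment above, written out as a script. This is an added example, not part of the original comment or of VeraCrypt's documentation; it assumes GnuPG 2.2 or later (for `gpg --show-keys`), and the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the VeraCrypt key fingerprint before trusting the key.
# Fingerprint as published in the comment above.
EXPECTED_FPR="5069A233D55A0EEB174A5FC3821ACD02680D16DE"

# Read `gpg --with-colons` records on stdin; print the primary key fingerprint.
# Only the fpr record that follows the pub record counts, never a subkey's.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# Compare two fingerprints, ignoring spaces and letter case.
# An empty fingerprint never matches.
fpr_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample of colon-format output (not captured from the real key).
sample_listing() {
    printf '%s\n' \
      'pub:-:4096:1:821ACD02680D16DE:0:::-:::scESC::::::23::0:' \
      'fpr:::::::::5069A233D55A0EEB174A5FC3821ACD02680D16DE:' \
      'uid:-::::0::0000::Example UID (constructed)::::::::::0:' \
      'sub:-:4096:1:0000000000000000:0::::::e::::::23:' \
      'fpr:::::::::0000000000000000000000000000000000000000:'
}

# Import a downloaded key file only if its fingerprint matches, then check
# the package signature. Arguments: key file, rpm file (both local paths).
import_and_verify() {
    actual=$(gpg --show-keys --with-colons "$1" | primary_fpr)
    if ! fpr_matches "$EXPECTED_FPR" "$actual"; then
        echo "fingerprint mismatch: got '${actual}'" >&2
        return 1
    fi
    sudo rpm --import "$1" && rpm --checksig "$2"
}
```

Download the key to a local file first and pass that file to `import_and_verify`, so the bytes whose fingerprint was checked are the same bytes handed to `rpm --import`.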
@idrassi, shouldn't/can't that key be embedded into the package? I've installed many packages before now from external URIs, and they didn't warn me of this problem.
Did they just not have a signature counterpart?
VeraCrypt uses the standard rpm signing procedure, which is the same as for all rpm packages. Let me give some key points:
/etc/pki/rpm-gpg/ or /var/cache/zypp/pubkeys. If a package comes from a repository already trusted by your system, its GPG key will match one in your trust store. This indicates the package is authentic and it's safe to install.
sudo rpm --import https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc
I hope this gives you some clarity about the situation.
Thanks, @idrassi. That's sensical.
Because of
Why Not Embed Keys in Packages?: Including the public key within the package could undermine the purpose of signing. If we did this, a malicious actor could tamper with the package, alter its contents, and provide a new key. This is why keys are separately imported from a trusted, secure source.
for the OpenSUSE section of https://www.veracrypt.fr/en/Downloads.html, could you consider adding
sudo rpm --import https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc
sudo zypper install -y https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-1.25.9-openSUSE-15-x86_64.rpm
sudo zypper install -y https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-console-1.25.9-openSUSE-15-x86_64.rpm
for the less technical? I expect it would make installation much less scary.
I do ultimately think embedding the key in the package is a better solution though, since anyone technical will verify the signature, and a bad actor can still MITM to add the signature, thereby meaning that only the real package shows the unsigned error text.
This also ultimately does prevent any graphical marketplace installer installing the package currently.
Thank you for your proposal. I have updated the downloads page https://www.veracrypt.fr/en/Downloads.html, as follows:
Expected behaviour
The https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-1.25.9-openSUSE-15-x86_64.rpm.sig should automatically verify.
Observed behaviour
Although the package installs correctly, signature verification fails:
This is problematic because it prevents plasma-discover installing the package, per https://discuss.kde.org/t/progress-console-in-discover/14195/7?u=rokejulianlockhart.
Steps to reproduce
y
Your Environment
VeraCrypt version
Operating system and version
System type
64-bit