Newly installed package : gpg-pubkey- ... - Mandriva


  1. Newly installed package : gpg-pubkey- ...

    msec nightly checks certain aspects of security on my Mandriva 2007.0
    system. One thing it checks for is a change in the list of RPM packages
    that are installed. That list always reflects the upgrades, new
    packages and deleted packages, and I know about all that. But, msec
    just warned me about installing this:

    Newly installed package : gpg-pubkey-22458a98-3969e7de

    Well, that's a package signing key that got installed, and I didn't do
    that manually. How'd it get there? Should I be alarmed? If someone
    wanted to install a rogue package, then they could have signed it with
    the above key, also install the key, and then it wouldn't be detected
    with an unverified key. What should I do about this?

    Thanks...

    --
    PLEASE post a SUMMARY of the answer(s) to your question(s)!
    Show Windows & Gates to the exit door.
    Unless otherwise noted, the statements herein reflect my personal
    opinions and not those of any organization with which I may be affiliated.

  2. Re: Newly installed package : gpg-pubkey- ...

    On 2007-07-24, Kevin the Drummer wrote:
    > msec nightly checks certain aspects of security on my Mandriva 2007.0
    > system. One thing it checks for is a change in the list of RPM packages
    > that are installed. That list always reflects the upgrades, new
    > packages and deleted packages, and I know about all that. But, msec
    > just warned me about installing this:
    >
    > Newly installed package : gpg-pubkey-22458a98-3969e7de
    >
    > Well, that's a package signing key that got installed, and I didn't do
    > that manually. How'd it get there? Should I be alarmed? If someone
    > wanted to install a rogue package, then they could have signed it with
    > the above key, also install the key, and then it wouldn't be detected
    > with an unverified key. What should I do about this?


    That key seems to be from Mandriva. I appear to have the
    same key installed. Doing

    rpm -qi gpg-pubkey-22458a98-3969e7de|more

    shows (among other things)

    Summary : gpg(Mandrake Linux Security Team )

    It would appear to be okay.

    --
    Robert Riches
    spamtrap42@verizon.net
    (Yes, that is one of my email addresses.)

  3. Re: Newly installed package : gpg-pubkey- ...

    On 24 Jul 2007 14:54:38 GMT, Kevin the Drummer wrote:
    > msec nightly checks certain aspects of security on my Mandriva 2007.0
    > But, msec just warned me about installing this:
    >
    > Newly installed package : gpg-pubkey-22458a98-3969e7de
    >
    > Well, that's a package signing key that got installed, and I didn't do
    > that manually. How'd it get there? Should I be alarmed?


    I do auto updates and your line matches one of mine.

    # grep gpg-pubkey /var/log/security/rpm-qa.today
    gpg-pubkey-22458a98-3969e7de 1177227142
    gpg-pubkey-26752624-3fd74faa 1177583817
    gpg-pubkey-70771ff3-3c8f768f 1177227215
    gpg-pubkey-70771ff3-44b3822e 1177226351
    gpg-pubkey-70771ff3-44b3822e 1180746221
    gpg-pubkey-78d019f5-3fd7504d 1177226351
    gpg-pubkey-caba22ae-3cf2c469 1177227352
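
Added example, not part of the original posts: a Python sketch that compares two msec-style package snapshots, reports `gpg-pubkey` entries that appeared between them, and decodes each name into key ID, key creation date and install date. It assumes the second column of `rpm-qa.today` is the install time as a Unix epoch; the snapshot text, the `examplepkg` line and the `reviewed_ids` set are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# rpm names an imported key gpg-pubkey-<version>-<release>: version is the last
# 8 hex digits of the key ID, release is the key's creation time as a hex epoch.
# Assumption: the second column of rpm-qa.today is the install time (Unix epoch).
ENTRY = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})\s+(\d+)$")

# Constructed snapshots; the gpg-pubkey lines reuse values from the listing above.
YESTERDAY = """\
examplepkg-1.0-1 1177226400
gpg-pubkey-70771ff3-3c8f768f 1177227215
gpg-pubkey-70771ff3-44b3822e 1177226351
"""
TODAY = """\
examplepkg-1.0-1 1177226400
gpg-pubkey-22458a98-3969e7de 1177227142
gpg-pubkey-70771ff3-3c8f768f 1177227215
gpg-pubkey-70771ff3-44b3822e 1177226351
gpg-pubkey-70771ff3-44b3822e 1180746221
"""

def utc_date(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).date().isoformat()

def parse_keys(snapshot):
    """Return the set of (key_id, created_hex, install_epoch) for gpg-pubkey lines."""
    keys = set()
    for line in snapshot.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            keys.add((m.group(1), m.group(2), int(m.group(3))))
    return keys

def new_keys(old, new, reviewed_ids):
    """Describe key entries present in `new` but not in `old`, oldest install first."""
    added = sorted(parse_keys(new) - parse_keys(old), key=lambda k: k[2])
    report = []
    for key_id, created, installed in added:
        report.append({
            "package": f"gpg-pubkey-{key_id}-{created}",
            "key_created": utc_date(int(created, 16)),
            "installed": utc_date(installed),
            # A short key ID match is only a hint: 32-bit IDs can collide, so an
            # unreviewed key still needs its full fingerprint checked out of band.
            "reviewed": key_id in reviewed_ids,
        })
    return report

if __name__ == "__main__":
    for row in new_keys(YESTERDAY, TODAY, reviewed_ids={"70771ff3"}):
        print(row)
```

An entry with `reviewed` set to false is the case raised in the first post: the name and the `Summary` line come from the key itself, so the full fingerprint has to be compared against one published by the distribution.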

  4. Re: Newly installed package : gpg-pubkey- ...

    Bit Twister wrote:
    > On 24 Jul 2007 14:54:38 GMT, Kevin the Drummer wrote:
    > > msec nightly checks certain aspects of security on my Mandriva 2007.0
    > > But, msec just warned me about installing this:
    > >
    > > Newly installed package : gpg-pubkey-22458a98-3969e7de
    > >
    > > Well, that's a package signing key that got installed, and I didn't do
    > > that manually. How'd it get there? Should I be alarmed?

    >
    > I do auto updates and your line matches one of mine.
    >
    > # grep gpg-pubkey /var/log/security/rpm-qa.today
    > gpg-pubkey-22458a98-3969e7de 1177227142
    > gpg-pubkey-26752624-3fd74faa 1177583817
    > gpg-pubkey-70771ff3-3c8f768f 1177227215
    > gpg-pubkey-70771ff3-44b3822e 1177226351
    > gpg-pubkey-70771ff3-44b3822e 1180746221
    > gpg-pubkey-78d019f5-3fd7504d 1177226351
    > gpg-pubkey-caba22ae-3cf2c469 1177227352


    OK, so something in the Mandriva update process, either urpmi.update or
    'urpmi --update' I suspect, must have installed a new key.

    Thanks folks...

    --
    PLEASE post a SUMMARY of the answer(s) to your question(s)!
    Show Windows & Gates to the exit door.
    Unless otherwise noted, the statements herein reflect my personal
    opinions and not those of any organization with which I may be affiliated.

  5. Re: Newly installed package : gpg-pubkey- ...

    Kevin the Drummer wrote:
    > Bit Twister wrote:
    >> On 24 Jul 2007 14:54:38 GMT, Kevin the Drummer wrote:
    >>> msec nightly checks certain aspects of security on my Mandriva 2007.0
    >>> But, msec just warned me about installing this:
    >>>
    >>> Newly installed package : gpg-pubkey-22458a98-3969e7de
    >>>
    >>> Well, that's a package signing key that got installed, and I didn't do
    >>> that manually. How'd it get there? Should I be alarmed?

    >> I do auto updates and your line matches one of mine.
    >>
    >> # grep gpg-pubkey /var/log/security/rpm-qa.today
    >> gpg-pubkey-22458a98-3969e7de 1177227142
    >> gpg-pubkey-26752624-3fd74faa 1177583817
    >> gpg-pubkey-70771ff3-3c8f768f 1177227215
    >> gpg-pubkey-70771ff3-44b3822e 1177226351
    >> gpg-pubkey-70771ff3-44b3822e 1180746221
    >> gpg-pubkey-78d019f5-3fd7504d 1177226351
    >> gpg-pubkey-caba22ae-3cf2c469 1177227352

    >
    > OK, so something in the Mandriva update process, either urpmi.update or
    > 'urpmi --update' I suspect, must have installed a new key.


    I know that when MCC is used to install or update, it does download
    and check the keys. Did you perhaps use MCC at some point? Or
    maybe urpmi* does the same?

    Cheers!

    jim b.

    --
    UNIX is not user-unfriendly; it merely
    expects users to be computer-friendly.

  6. Re: Newly installed package : gpg-pubkey- ...

    Jim Beard wrote:
    > Kevin the Drummer wrote:
    > > Bit Twister wrote:
    > >> On 24 Jul 2007 14:54:38 GMT, Kevin the Drummer wrote:
    > >>> msec nightly checks certain aspects of security on my Mandriva 2007.0
    > >>> But, msec just warned me about installing this:
    > >>>
    > >>> Newly installed package : gpg-pubkey-22458a98-3969e7de
    > >>>
    > >>> Well, that's a package signing key that got installed, and I didn't do
    > >>> that manually. How'd it get there? Should I be alarmed?
    > >> I do auto updates and your line matches one of mine.
    > >>
    > >> # grep gpg-pubkey /var/log/security/rpm-qa.today
    > >> gpg-pubkey-22458a98-3969e7de 1177227142
    > >> gpg-pubkey-26752624-3fd74faa 1177583817
    > >> gpg-pubkey-70771ff3-3c8f768f 1177227215
    > >> gpg-pubkey-70771ff3-44b3822e 1177226351
    > >> gpg-pubkey-70771ff3-44b3822e 1180746221
    > >> gpg-pubkey-78d019f5-3fd7504d 1177226351
    > >> gpg-pubkey-caba22ae-3cf2c469 1177227352

    > >
    > > OK, so something in the Mandriva update process, either urpmi.update or
    > > 'urpmi --update' I suspect, must have installed a new key.

    >
    > I know that when MCC is used to install or update, it does download
    > and check the keys. Did you perhaps use MCC at some point? Or
    > maybe urpmi* does the same?


    I have used MCC, but the timing is wrong to explain msec's complaint
    about the new key. I think that MCC might just use urpmi and its
    cousins anyway.

    Thanks....


    --
    PLEASE post a SUMMARY of the answer(s) to your question(s)!
    Show Windows & Gates to the exit door.
    Unless otherwise noted, the statements herein reflect my personal
    opinions and not those of any organization with which I may be affiliated.
