validate GPG keys by fingerprint
authorPeter Müller <peter.mueller@link38.eu>
Sun, 12 Nov 2017 14:40:28 +0000 (15:40 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 13 Nov 2017 22:41:21 +0000 (22:41 +0000)
Validate GPG keys by fingerprint and not by 8-bit key-ID.

This makes exploiting bug #11539 harder, but not impossible
and does not affect existing installations.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/pakfire/lib/functions.pl

index c347916..cfb7e51 100644 (file)
@@ -34,8 +34,8 @@ use Net::Ping;
 package Pakfire;
 
 # GPG Keys
-my $myid = "64D96617";                 # Our own gpg-key paks@ipfire.org
-my $trustid = "65D0FD58";              # gpg-key of CaCert
+my $myid = "179740DC4D8C47DC63C099C74BDE364C64D96617";         # Our own gpg-key paks@ipfire.org
+my $trustid = "A31D4F81EF4EBD07B456FA04D2BB0D0165D0FD58";      # gpg-key of CaCert
 
 # A small color-hash :D
 my %color;