Recent gnupg keyserver DOS attack


Post by Arjen Balfoort » 04 Jul 2019 12:04

There has been a recent keyserver attack, which was reported by Ilu on our forum.

Like most distributions, SolydXK packages the keys needed for repository identification. You are only at risk if you manually download and install keys from a keyserver.

If you use keyservers to get your keys, follow these steps:
  1. Open ~/.gnupg/gpg.conf in a text editor and make sure there is no line starting with keyserver. If there is one, remove it or put a "#" before it, then save the file. Afterwards, kill the dirmngr process in a terminal: gpgconf --kill dirmngr
  2. If you need to import a repository key that isn't packaged, never use the old method with apt-key. Just download the key file and put it in the /etc/apt/trusted.gpg.d directory. That way you can easily see how big it is, and getting rid of a poisoned key is simply a matter of deleting the file. Key files should be small, definitely smaller than 1 MB.
We have updated our system package solydxk-system (version 3.3.9) to reflect these changes for newly created users.

Source: https://solydxk.com/news/recent-gnupg-k ... dos-attack
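
The two steps above as a small shell helper. This is an added example, not part of the original post or of the solydxk-system package. The function names are hypothetical, and it assumes the per-user GnuPG configuration file is ~/.gnupg/gpg.conf and takes 1 MB as 1048576 bytes.

```shell
#!/bin/sh
# Added example (not SolydXK code). Function names are hypothetical.
# Paths are arguments so the functions can be tried on copies first.

# Print active lines that start with "keyserver" (numbered). This follows the
# post's wording literally, so "keyserver-options" lines are listed too.
active_keyserver_lines() {
    [ -f "$1" ] || return 0
    grep -n '^[[:space:]]*keyserver' "$1" || true
}

# Comment those lines out, keeping a .bak copy; prints how many were changed.
disable_keyserver_lines() {
    [ -f "$1" ] || { echo 0; return 0; }
    n=$(grep -c '^[[:space:]]*keyserver' "$1" || true)
    if [ "$n" -gt 0 ]; then
        cp -p "$1" "$1.bak"
        sed 's/^\([[:space:]]*keyserver\)/#\1/' "$1.bak" > "$1"
    fi
    echo "$n"
}

# Print "<bytes> <path>" for each key file larger than the limit
# (default 1 MB, taken here as 1048576 bytes, the post's upper bound).
oversized_keys() {
    limit=${2:-1048576}
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        size=$(($(wc -c < "$f")))
        if [ "$size" -gt "$limit" ]; then echo "$size $f"; fi
    done
    return 0
}

# Nothing runs unless a mode is given on the command line.
case "${1:-}" in
    --audit)
        active_keyserver_lines "$HOME/.gnupg/gpg.conf"
        oversized_keys /etc/apt/trusted.gpg.d ;;
    --fix)
        disable_keyserver_lines "$HOME/.gnupg/gpg.conf" >/dev/null
        gpgconf --kill dirmngr ;;
esac
```

Run it with --audit to report only; --fix comments out the keyserver lines, leaves the original as gpg.conf.bak, and then stops dirmngr as described in step 1.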

