[Apt] [Keysigning] [Security] Entire Apt Repositiory compromised

You should know that Private key isn’t private is a completely valid and extremely concerning issue. apt is completely compromised because it appears @guu doesn’t understand PGP signatures. The entire repo can not be used safely or securely until a new private key is generated, actually kept private, and the packages are resigned.

Just to show you the severity of what you’ve done:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Thu 13 Jan 2022 01:12:57 AM UTC

WE HAVE HACKED YOUR MICROWAVE

BEWARE OF THE JABBERWOCK, MY SON

BE SURE TO CHANGE YOUR PASSWORD TO “B0OGEREATER5” FOR FREE UPDATE

CRYPTOCURRENCY GIVEAWAY: GIVE $100 TO 0X421 AND RECIEVE $1000 IN BTC

PLURIBUS ENIGMA WAS A MARKETING CAMPAIGN, YOU SIMP!

ALL HAIL EMPEROR XAI
WHO BRINGS US GREAT LEAP FORWARD 2.0
WHINNE THE POOH BREINGS US GREAT RESET FOR BRIGHTER TOMORROW

HACKER ATTACK 2022!

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEV7epi766jBDKRFiBDdCIEUeLEkkFAmHffRMACgkQDdCIEUeL
EkknmAv/UgdR3OBaaX+rkxR8OS+5FBNlahJr0IHpSrBhAs8zQJ6NuMHp6EZrUeNV
G/uM28+qRtijYRzfq7Tx0xos79uAoZJkWyq1/vWgEhyy+ThTLfOC9zevqEE5ASWI
04jwSIkC8AHttOCAbQ6vWdd88pojwpsVt+bi0GAq25xxlexWAmCH1FRXF2l4RRD9
nFZdAXzm8bZdTzg2MQwHfL1IAuOuPNWHEx0DuxCZvLXcjDpTdbbCay+IVcLTC6xM
Rv274tUJvMrUxL5z/cdc/Sbnr8n4zzy/ZfObJIl/cJgGb7soIkxLceiSGhl3sBNY
lFnCXi9OShtepYnCaDg7PtSCb2gOu8f9cNpP9uouPTkioBLVrzgFY5IYU8ZRIqNf
d7DFj6u0a0laFvkZarErn7NLW9JPGSirb8PjvP4eit7BbDiLYXDiEfu27yTrfRwj
fFRWB28KYRZqKySzEdZwmiUgxyWxTEwV+g+PEWUbQW8J+d1piAai/ufsEP/vFcvC
ZuboHMZj
=tnd2
-----END PGP SIGNATURE-----

I am sorry

you been hacked ?

No, you have haha 20 chars 20 chars 20 chars

so how to use this public private key to hack people’s device?

Because you have had the private apt key published since September 2021, I have imported it and made the above message signed as you. The message appears to be from you because it is. You need to immediately revoke the key, research what PGP is, research proper apt keysigning procedure, and resign every package in your apt repo.

so if you can be as me , what will happend?

fake debs ,inject mal-ware inside debs?

I know what you mean and your concern

I don’t know if there is anyone will receive my message through a PGP signed msg

and for the total opensource project , people can/should setup their own apt repo if they care/know this sec issue
if not
I think they probably won’t send/recv message through PGP keys

You really don’t understand what you’ve done, do you? It is now unsafe to use your apt repo, and you have compromised the security of everyone who is using it. This isn’t just a mistake, this is a critical error that will haunt your project for the rest of your days. On a scale from 1 to 10, the severity is a 10. You don’t know what you’re doing, and have self-compromised the integrity of your apt repo.

I just sent off the email to support@clockworkpi.com demanding a refund. Everyone else should too. This affects the entire apt repo, which means it also affects Gameshell, and anyone else using the repo. This is complete and total inteptness, and it disgusts me that someone could be this stupid. I regret purchasing this product. I would flash something else on it, but it is dependent on the custom-compiled drivers that ClockworkPi publishes.

I am reposting what you just deleted because you aren’t going to get away with this

What was deleted was:

What will happen is not only can persons with malicious intent sign any deb they want and make it look like it is an official source, they can do what I just did and make fake announcements and messages using the entierly compromised key claiming that it is from you. I don’t think you know what you’re doing because you’ve had this key published since at least September 2021 and have had multiple people tell you how insanely idiotic this is. The entierty of your apt repo has been compromised from the point since you initially published the private key.

  1. Abusive discussions don’t help solve the problem.
  2. You can temporarily blacklist the source of cpi deb.
  3. We will re-sign the new source.

BTW there are many other distributions to choose from, and we provide all the source code enough to support anyone building their own system from scratch.

If you have problems compiling, you can always contact me

1 Like