Slashdot Mirror

← Back to Stories (view on slashdot.org)

D-Link Accidentally Publishes Private Code Signing Keys

Posted by timothy on from the oh-is-that-in-the-firmware? dept.

New submitter bartvbl writes: As part of the GPL license, D-Link makes its firmware source code available for many of its devices. When looking through the files I accidentally stumbled upon 4 different private keys used for code signing. Only one — the one belonging to D-Link itself — was still valid at the time. I have successfully used this key to sign an executable as D-Link. A Dutch news site published the full story (translated to english with Google Translate).

2 of 67 comments (clear)

  1. Re:Revoked the keys, but is this still exploitable by dlenmn · · Score: 4, Informative

    Google Chrome no longer even bothers, ignoring revocation lists completely.

    That's not quite what your article says. It says that google stopped checking with the cecurity authority using the Online Certificate Status Protocol. However, the article also says that chrome replaced that with a local list of revoked certificates that can be updated without restarting the browser. So, chrome still does keep track of revoked certificates.

  2. Re:Surely the GPL requires all source to build. by multimediavt · · Score: 3, Informative

    There is NOTHING in the GPL (v1, v2 nor v3, nor any sub license alternative) that says the source code has to compile or that an executable be supplied with source code to use the GPL. The quote you reference (and I read it too, I've read the GPL numerous times!) states that if you DO supply a binary, i.e., "executable work", you must also supply all the source files including compiler scripts used for that binary when you distribute under the GPL. There is nothing in the GPL that says the code has to be executable, has to function correctly, nor has to compile from what you distribute under the GPL. The GPL is a copyright license, not a consumer protection law. It just states that if you code it, the source is made available to anyone that wants to use it or modify it, and that the modifications stay under the ascribed GPL license. That's all, nothing else, thank you for playing. Don't let the door hit you on the way out.

    Here's some more info for you.

    And since you're obviously too lazy to bother to follow links to find information on the web, here:

    I use public key cryptography to sign my code to assure its authenticity. Is it true that GPLv3 forces me to release my private signing keys?
    (#GiveUpKeys)
    No. The only time you would be required to release signing keys is if you conveyed GPLed software inside a User Product, and its hardware checked the software for a valid cryptographic signature before it would function. In that specific case, you would be required to provide anyone who owned the device, on demand, with the key to sign and install modified software on his device so that it will run. If each instance of the device uses a different key, then you need only give each purchaser the key for his instance.