{"id":3004,"date":"2025-04-29T17:31:35","date_gmt":"2025-04-29T17:31:35","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3004"},"modified":"2025-04-29T17:31:35","modified_gmt":"2025-04-29T17:31:35","slug":"alert-to-kali-linux-admins-get-the-new-signing-key-or-no-distro-updates-for-you","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3004","title":{"rendered":"Alert to Kali Linux admins: Get the new signing key or no distro updates for you"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Kali Linux administrators who haven\u2019t manually updated the signing key for the operating system\u2019s repository are going to find that they can\u2019t get updates.<\/p>\n<p>This comes after the overseers of the <a href=\"https:\/\/www.csoonline.com\/article\/568971\/kali-linux-explained-a-pentester-s-toolkit.html\">open source distribution aimed at penetration testers<\/a> and other infosec pros admitted this week that they lost access to the signing key for the Kali repository, and had to roll out a new one.<\/p>\n<p>\u201cThis is entirely our fault,\u201d <a href=\"https:\/\/www.kali.org\/blog\/new-kali-archive-signing-key\/\" target=\"_blank\" rel=\"noopener\">Kali acknowledged in a blog<\/a>.<\/p>\n<p>In fact, the incident happened over a week ago, and Kali had to freeze the update repository on April 18, when a new signing key was created. That\u2019s why no one has been impacted yet. However, this week the repository will be available, and those who don\u2019t have the new signing key will find they can\u2019t do automatic updates.<\/p>\n<p>Admins need to download and install the new key manually, and then verify that the checksum of the file matches one created by Kali. 
If some admins prefer to rebuild their Kali system from scratch, Kali has updated all of its images to contain the new keyring.<\/p>\n<p>Kali said the old key wasn\u2019t compromised. No reply to a request for comment had been received by our deadline.<\/p>\n<p>This isn\u2019t the first time Kali has had a signing key problem, noted Robert Beggs, head of Canadian penetration testing and incident response provider DigitalDefence. In 2018, a key was allowed to expire.<\/p>\n<p>\u201cIt\u2019s a minor blip,\u201d he said in an interview, \u201cthat\u2019s easy to overcome\u201d by typing in a line of code, as detailed in the Kali blog.<\/p>\n<p>Loss of signing keys is \u201cvery uncommon\u201d among application vendors, he said, \u201cbecause this is an enterprise level project where someone should be managing a group of people together. The fact that it happened twice [at Kali] suggests they just don\u2019t have central management. It [loss of the key] doesn\u2019t make the product worse, doesn\u2019t denigrate the excellent work they\u2019re putting in. It just says that the central management piece is absent.\u201d<\/p>\n<p>The only people who will be inconvenienced are the admins who don\u2019t understand the error message they get when trying to update the distribution, and haven\u2019t seen the news that the key is out of date, Beggs said. But he believes most Kali admins already know about the issue and the solution.<\/p>\n<p>The lesson to CISOs whose organizations use anything that has to be renewed, from a key to a software license, is to treat it as an object that has to be maintained, Beggs said.<\/p>\n<p>\u201cYou also have to build in continuity,\u201d he added. \u201cThe biggest issue we\u2019ve seen in the past isn\u2019t that a person failed to renew, it\u2019s that a person that knew about the key or the license moved on, or to a new position. 
Enterprises frequently fail to maintain continuity.<\/p>\n<p>\u201cStop thinking about this as a single person responsibility. It\u2019s an enterprise responsibility,\u201d he advised. \u201cDe-personalize it. Make sure there\u2019s a continuity of [object] management so that if someone moves on, has an accident or forgets, there are enterprise controls in place that make sure the [management] process continues.\u201d<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Kali Linux administrators who haven\u2019t manually updated the signing key for the operating system\u2019s repository are going to find that they can\u2019t get updates. This comes after the overseers of the open source distribution aimed at penetration testers and other infosec pros admitted this week that they lost access to the signing key for the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2985,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3004","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3004"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3004"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3004\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2985"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%
2Fv2%2Fmedia&parent=3004"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3004"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3004"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}