
Alert to Kali Linux admins: Get the new signing key or no distro updates for you

News
Apr 29, 2025
3 min read
Investigation and Forensics, Security

Organization admits it ‘lost’ access to its signing key; an expert says this shows the need for object management by CISOs.

Kali Linux administrators who haven’t manually updated the signing key for the operating system’s repository are going to find that they can’t get updates.

This comes after the overseers of the open source distribution aimed at penetration testers and other infosec pros admitted this week that they lost access to the signing key for the Kali repository, and had to roll out a new one.

“This is entirely our fault,” Kali acknowledged in a blog.

In fact, the incident happened over a week ago: Kali froze the update repository on April 18, when the new signing key was created. That’s why no one has been affected yet. However, the repository reopens this week, and those who don’t have the new signing key will find they can’t pull automatic updates.

Admins need to download and install the new key manually, and then verify that the checksum of the file matches the one published by Kali. Admins who prefer to rebuild their Kali system from scratch can use Kali’s updated images, all of which contain the new keyring.
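As an added example (not from the article and not Kali’s own instructions), the following POSIX shell routine downloads the new keyring to a temporary file and only moves it into the keyring directory if its digest matches the published value. The URL, expected digest and destination path are placeholders or assumptions; it also assumes the published checksum is SHA-256, so substitute the exact values and hash algorithm from Kali’s announcement.

```shell
#!/bin/sh
# Added example: verify-then-install gate for a repository signing keyring.
# The three values below are placeholders/assumptions, not from the article.
KEYRING_URL="${KEYRING_URL:-https://example.invalid/kali-archive-keyring.gpg}"
EXPECTED_SHA256="${EXPECTED_SHA256:-REPLACE_WITH_PUBLISHED_DIGEST}"
KEYRING_DEST="${KEYRING_DEST:-/usr/share/keyrings/kali-archive-keyring.gpg}"

# sha256_of FILE: print the hex SHA-256 digest of FILE (sha256sum or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# install_verified_keyring SRC EXPECTED DEST
# Installs SRC at DEST only when SRC's SHA-256 equals EXPECTED (any case).
# Returns 1 and installs nothing on a malformed digest or a mismatch.
install_verified_keyring() {
    src=$1; dest=$3
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $expected in
        *[!0-9a-f]*|'') echo "expected digest is not hex" >&2; return 1 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "expected digest is not 64 hex chars" >&2; return 1; }
    actual=$(sha256_of "$src") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: got $actual, want $expected" >&2
        return 1
    fi
    # Write beside the destination and rename, so apt never sees a partial file.
    tmp="$dest.tmp.$$"
    cp "$src" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$dest"
}

# fetch_and_install: download to a temp file, then gate the install on the hash.
fetch_and_install() {
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$KEYRING_URL" -o "$tmp"; then rm -f "$tmp"; return 1; fi
    install_verified_keyring "$tmp" "$EXPECTED_SHA256" "$KEYRING_DEST"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Run the download only when explicitly requested, e.g.
#   RUN_FETCH=1 KEYRING_URL=... EXPECTED_SHA256=... sh this_script.sh
[ -n "$RUN_FETCH" ] && fetch_and_install
```

After a successful install, `apt update` should stop reporting the key error; a mismatch leaves the old keyring untouched so nothing is trusted on the strength of an unverified download.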

Kali said the old key wasn’t compromised. No reply to a request for comment had been received by our deadline.

This isn’t the first time Kali has had a signing key problem, noted Robert Beggs, head of Canadian penetration testing and incident response provider DigitalDefence. In 2018, a key was allowed to expire.

“It’s a minor blip,” he said in an interview, “that’s easy to overcome” by typing in a line of code, as detailed in the Kali blog.

Loss of signing keys is “very uncommon” among application vendors, he said, “because this is an enterprise level project where someone should be managing a group of people together. The fact that it happened twice [at Kali] suggests they just don’t have central management. It [loss of the key] doesn’t make the product worse, doesn’t denigrate the excellent work they’re putting in. It just says that the central management piece is absent.”

The only people who will be inconvenienced are the admins who don’t understand the error message they get when trying to update the distribution, and haven’t seen the news that the key is out of date, Beggs said. But he believes most Kali admins already know about the issue and the solution.

The lesson to CISOs whose organizations use anything that has to be renewed, from a key to a software license, is to treat it as an object that has to be maintained, Beggs said.

“You also have to build in continuity,” he added. “The biggest issue we’ve seen in the past isn’t that a person failed to renew, it’s that a person that knew about the key or the license moved on, or to a new position. Enterprises frequently fail to maintain continuity.

“Stop thinking about this as a single person responsibility. It’s an enterprise responsibility,” he advised. “De-personalize it. Make sure there’s a continuity of [object] management so that if someone moves on, has an accident or forgets, there are enterprise controls in place that make sure the [management] process continues.”