View Issue Details

ID: 0009194
Project: Kali Linux
Category: Kali Websites & Docs
View Status: public
Last Update: 2025-05-23 00:45
Reporter: maltfield
Assigned To: arnaudr
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: feedback
Resolution: reopened
Summary: 0009194: Key Transition Statement (ED65462EC8D5E4C5)
Description

This ticket is a request for Kali to publish a cryptographically-signed Key Transition Statement.

Problem

I went to download Kali today, but the signature was invalid. I checked the signature using the key that Kali had been previously using to sign their releases:

pub   rsa4096/0xED444FF07D8D0BF6 2012-03-05 [SC] [expired: 2025-01-24]
      Key fingerprint = 44C6 513A 8E4F B3D3 0875  F758 ED44 4FF0 7D8D 0BF6
uid                   [ expired] Kali Linux Repository <[email protected]>

I searched the kali website for a Key Transition Statement -- a standard document that is published by someone (or some org) when they deprecate an old key and replace it with a new PGP key.

I couldn't find any cryptographically-signed updates on the Kali website indicating that the key had been replaced, so I assumed that the signature was invalid.

I did see the documentation was updated with a new key. But, again, since the documentation is not cryptographically signed with the old key indicating (with an authenticated chain of trust) that this change was official, I assume the documentation/publishing infrastructure was compromised.

Solution

If the Kali team really did change their release signing key, then the Kali org should publish a Key Transition Statement

As described in the article linked above, the Key Transition Statement should clearly state that the old key (listing the key fingerprint) has been replaced by a new key (listing the key fingerprint). The Key Transition Statement should then be cryptographically signed by the old key (and the new key) to indicate a chain of trust for the transition.

This ticket has two actions required:

  1. Publish a cryptographically-signed Key Transition Statement on the kali blog https://www.kali.org/blog/

  2. Update the kali documentation with a link to the blog post above https://www.kali.org/docs/introduction/download-images-securely/
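The check a downloader would run against such a statement, as an added example that is not part of this ticket and not Kali's own tooling: a POSIX sh script that accepts a transition statement only when its text names both full fingerprints and gpg's machine-readable --status-fd output shows a valid signature by each of the two keys. It also covers the case on this ticket where the old key has already expired. The function names, the statement.txt plus statement.txt.asc file layout, and the sample status lines are assumptions of this example, not from the page.

```shell
#!/bin/sh
# Verify a Key Transition Statement: the statement text must name the old and
# the new key by full fingerprint, and the detached signature must contain a
# valid signature from BOTH keys. gpg's machine-readable --status-fd output is
# parsed instead of its human-readable messages, which vary by locale/version.

# Print the primary-key fingerprint of every VALIDSIG line read from stdin.
# gpg 2.x appends the primary fingerprint as the last field, so a signature
# made by a signing subkey is still attributed to its primary key.
valid_signers() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF }'
}

# check_transition STATEMENT_FILE OLD_FPR NEW_FPR  < gpg-status-output
# Returns 0 only if the statement names both fingerprints and the status
# output shows a valid signature by each. A signature by an EXPIRED old key is
# accepted on purpose: gpg then prints EXPKEYSIG next to VALIDSIG, and an
# outgoing key being expired is exactly the situation a transition statement
# covers (a revoked old key likewise yields VALIDSIG plus REVKEYSIG).
check_transition() {
  statement=$1
  old=$(printf '%s' "$2" | tr -d ' ' | tr a-f A-F)   # accept "44C6 513A ..." spacing
  new=$(printf '%s' "$3" | tr -d ' ' | tr a-f A-F)
  text=$(tr -d ' ' < "$statement" | tr a-f A-F)
  case "$text" in *"$old"*) ;; *) echo "old fingerprint not named in statement" >&2; return 1 ;; esac
  case "$text" in *"$new"*) ;; *) echo "new fingerprint not named in statement" >&2; return 1 ;; esac
  signers=$(valid_signers)
  echo "$signers" | grep -qx "$old" || { echo "no valid signature by old key $old" >&2; return 1; }
  echo "$signers" | grep -qx "$new" || { echo "no valid signature by new key $new" >&2; return 1; }
  echo "transition $old -> $new is signed by both keys"
}

# Real use: verify_transition_file statement.txt OLD_FPR NEW_FPR
# Assumes a detached (double) signature in statement.txt.asc and both public
# keys already imported; VALIDSIG does not depend on the keys' trust level.
verify_transition_file() {
  gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | check_transition "$1" "$2" "$3"
}

if [ $# -eq 3 ]; then verify_transition_file "$@"; fi
```

Full fingerprints are required on purpose: a 16-hex-digit long key ID such as the one in this ticket's title is not enough to identify a key unambiguously.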

Activities

maltfield

2025-05-22 17:10

reporter   ~0020614

See also:

kali-bugreport

2025-05-22 18:25

reporter   ~0020616

Related:

https://www.kali.org/blog/new-kali-archive-signing-key/

arnaudr

2025-05-23 00:34

manager   ~0020618

Hello, we published a blog post: https://www.kali.org/blog/new-kali-archive-signing-key/ and we posted on all the communication channels that we have (twitter, infosec.exchange, discord, forums, etc etc).

Also, I just checked, a google search for "kali gpg key" or "kali apt key", and the blog post comes first in the results. So the information about the new key is widely available, there's nothing else we can do.

maltfield

2025-05-23 00:43

reporter   ~0020620

there's nothing else we can do.

@arnaudr Please re-read this ticket. It is not resolved.

What you have not done is publish a Key Transition Statement, which is cryptographically signed with the old key.

This establishes a cryptographic chain of trust.

You publishing any unsigned statement on any channel does not provide any cryptographic proof of the change. Be it your official blog, twitter, etc. All of this infrastructure could be compromised by an attacker. That's why we have PGP keys for signing statements.

Please fix this ticket by publishing a signed Key Transition Statement, as described in the OP.

arnaudr

2025-05-23 00:45

manager   ~0020621

publish a Key Transition Statement, which is cryptographically signed with the old key

Please read the blog post. We don't have the old key anymore, so we can't sign anything with it.

Please, don't open bugs if you don't even bother to know what you're talking about. It's not helpful.

Issue History

Date Modified Username Field Change
2025-05-22 17:09 maltfield New Issue
2025-05-22 17:10 maltfield Note Added: 0020614
2025-05-22 18:25 kali-bugreport Note Added: 0020616
2025-05-23 00:34 arnaudr Note Added: 0020618
2025-05-23 00:35 arnaudr Assigned To => arnaudr
2025-05-23 00:35 arnaudr Status new => closed
2025-05-23 00:35 arnaudr Resolution open => fixed
2025-05-23 00:43 maltfield Status closed => feedback
2025-05-23 00:43 maltfield Resolution fixed => reopened
2025-05-23 00:43 maltfield Note Added: 0020620
2025-05-23 00:45 arnaudr Note Added: 0020621