Google Chrome Repository Insecurity

From Kicksecure


Google Chrome Repository Insecurity[edit]


As per 14 March 2021,

  • Google wants you to install a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key.
  • Repository download happens over plain http without encryption/authentication (TLS) (https).


Signing Key[edit]

As per 14 March 2021, Google wants you to run the following command. (archived)

wget -q -O - | sudo apt-key add -

This effectively results in installing a weak cryptographic key (DSA key with only 1024 bits) as a Debian package manager APT key.

What this does is using the wget command line downloader to download an APT signing key and then using Debian's apt-key utility to install the signing key to the system's APT keyring /etc/apt/trusted.gpg. Sidenote: both apt-key and /etc/apt/trusted.gpg are deprecated by Debian [1] but that doesn't have a security impact here.

1) Download

2) View OpenPGP key information.

gpg --keyid-format long --import --import-options show-only --with-fingerprint

3) Will show.

pub   dsa1024/A040830F7FAC5991 2007-03-08 [SC]
      Key fingerprint = 4CCA 1EAF 950C EE4A B839  76DC A040 830F 7FAC 5991
uid                            Google, Inc. Linux Package Signing Key <>
sub   elg2048/4F30B6B4C07CB649 2007-03-08 [E]

gpg: key 7721F63BD38B4796: 2 signatures not checked due to missing keys
pub   rsa4096/7721F63BD38B4796 2016-04-12 [SC]
      Key fingerprint = EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
uid                            Google Inc. (Linux Packages Signing Authority) <>
sub   rsa4096/78BD65473CB3BD13 2019-07-22 [S] [expires: 2022-07-21]

The first key shows dsa1024 which means a DSA key with only 1024 bits.

In January 2011 the National Institute of Standards and Technology (NIST) stated, quote:

Disallowed after 2013

Google seems to agree with this assessment since their signing key file already contains a newer key rsa4096 (RSA with 4096 bits). There is however no need whatsoever to still include the weak dsa1024 in the signing key file


1) Download (archived google-chrome-stable_current_amd64.deb)

2) Extract or open with ark the google-chrome-stable_current_amd64.deb compressed archive file.

ark google-chrome-stable_current_amd64.deb

3) Extract or open control.tar.gz a file inside the google-chrome-stable_current_amd64.deb compressed archive file.

4) Open the file postinst (the Debian package maintenance script by the google-chrome-stable_current_amd64.deb Debian package).

5) Line 137 is:

REPOCONFIG="deb [arch=amd64] stable main"

6) Conclusion.

Using plain http instead of https (TLS).

Other sources showing using http instead of https:

Bug Reports[edit]



  1. Quote

    apt-key was made obsolete in version, released in January 2010, by /etc/apt/trusted.gpg.d becoming a supported place to drop additional keyring files, and was since then only intended for deleting keys in the legacy trusted.gpg keyring.

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.