KaToolin just seems to have this unique key hardcoded to work, how can we tell if it is legitimately tied back to the authentic Kali project?

Question

So line 53 of katoolin.py has this hardcoded value:

cmd1 = os.system("apt-key adv --keyserver pool.sks-keyservers.net --recv-keys ED444FF07D8D0BF6")

How can we verify that ED444FF07D8D0BF6 tracks back to the authentic project?

This seems like the better way to add the repo keys:

wget https://http.kali.org/kali/pool/main/k/kali-archive-keyring/kali-archive-keyring_2018.2_all.deb
apt install ./kali-archive-keyring_2018.1_all.deb

Where https://http.kali.org/kali/pool/main/k/kali-archive-keyring/ is where you go to find the latest keyring .deb.

score 0 · Answer 1 · answered Sep 23 '19 at 10:09

You can verify this by using the following steps.

Open the URL http://pool.sks-keyservers.net/ in your browser.
Type in the Key ID 0xED444FF07D8D0BF6 in the search box , select the option "Get Regular Index of matching Keys"

Click Search and you should see the following result

Alternately you may want to craft this url and post it in your browser

http://pool.sks-keyservers.net/pks/lookup?search=0xED444FF07D8D0BF6&op=index

KaToolin just seems to have this unique key hardcoded to work, how can we tell if it is legitimately tied back to the authentic Kali project?

1 Answers1