Upgrading SolydXK GPG key

Questions about software.
MAYBL8
Posts: 1486
Joined: 10 Mar 2013 18:41
Location: Maryland Heights, MO USA

Upgrading SolydXK GPG key

Postby MAYBL8 » 23 Mar 2016 11:16

I've moved part of the discussion concerning the SolydXK GPG key to its own topic here.

This is what MAYBL8 posted in the "Breakages and News tracking Debian Testing" topic:
Update error this morning:

Code:

Reading package lists... Done
W: gpgv:/var/lib/apt/lists/repository.solydxk.com_dists_solydxk_InRelease: The repository is insufficiently signed by key 1FD03599DC09A23A5011EB5FEADB2FB0BCA63C3C (weak digest)

Background
For signing the packages in our repository I've created a GPG key back in 2013.
Now, apt has been updated in Debian testing and shows a warning message that our key is too weak (see MAYBL8's post).
Wiki: https://wiki.debian.org/Teams/Apt/Sha1Removal

Goal
Obviously I need to update our key to use SHA256 instead of SHA1, and if that is not possible I need to create a new key.
Unfortunately I don't know how to.

Technical
This is the info on our current key, which seems to be able to use SHA512 e.o., but I may be mistaken:

Code:

gpg --edit-key BCA63C3C
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/BCA63C3C  created: 2013-02-17  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/B4187A61  created: 2013-02-17  expires: never       usage: E   
[ultimate] (1). Arjen Balfoort (Schoelje) <arjenbalfoort@solydxk.com>

gpg> showpref
[ultimate] (1). Arjen Balfoort (Schoelje) <arjenbalfoort@solydxk.com>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify

However, if I'm right and the key is fine, then the packages in our repository (reprepro) aren't signed correctly. At least, that's what I understood from the above mentioned wiki.

Is there somebody who could help me with this?


Arjen Balfoort
Site Admin
Posts: 8689
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Breakages and News tracking Debian Testing

Postby Arjen Balfoort » 23 Mar 2016 11:23

MAYBL8 wrote: Update error this morning:

Code:

Reading package lists... Done
W: gpgv:/var/lib/apt/lists/repository.solydxk.com_dists_solydxk_InRelease: The repository is insufficiently signed by key 1FD03599DC09A23A5011EB5FEADB2FB0BCA63C3C (weak digest)

That's probably because of this:
The Debian apt maintainers plan to drop SHA-1 support from apt:

https://juliank.wordpress.com/2016/03/1 ... rt-in-apt/

If you are in the To header on this mail then it means your derivative
relies on the security of MD5/SHA1 in some capacity. To find out where,
you can look at the check-package-list file for your distribution and
look at the Hash: fields at the top of your InRelease or Release.gpg
files. Please update your derivatives to add SHA-2 hashes in your apt
metadata and in your OpenPGP signatures of that apt metadata.

http://deriv.debian.net/Ubuntu/check-package-list

I've investigated this but I don't know how to solve it.
As far as I know, my key is sha256 encrypted, but somehow reprepro doesn't recognize that when I add the packages to the repository as you can see in the InRelease file (second line): http://repository.solydxk.nl/dists/solydxk-8/InRelease

So, if anybody knows how to solve this, or can point me to a tutorial on how to create sha256 encrypted GPG keys, I'm very much obliged (I'm not savvy with key generation and most GPG tutorials are way too technical for me).


SolydXK needs you!
Development | Testing | Translations

MAYBL8
Posts: 1486
Joined: 10 Mar 2013 18:41
Location: Maryland Heights, MO USA

Re: Breakages and News tracking Debian Testing

Postby MAYBL8 » 23 Mar 2016 11:30

This is way over my head.
But will this help at all:
http://keyring.debian.org/creating-key.html


Arjen Balfoort
Site Admin
Posts: 8689
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Breakages and News tracking Debian Testing

Postby Arjen Balfoort » 23 Mar 2016 11:52

MAYBL8 wrote: This is way over my head.
But will this help at all:
http://keyring.debian.org/creating-key.html

Thanks, I did that... at least I think I did... back in 2013.

Could I somehow "upgrade" the existing key or do I need to create a new one?

[Edit]
If I need to create a new key. How do I revoke the current one and remove it from the key servers?



grizzler
Posts: 1985
Joined: 04 Mar 2013 15:45
Location: The Hague, NL

Re: Upgrading SolydXK GPG key

Postby grizzler » 23 Mar 2016 14:14

Is the bit about passing --digest-algo SHA512 to gpg, mentioned at the bottom of this page, of any use?
Frank

SolydX EE 64 - tracking Debian Testing

Arjen Balfoort
Site Admin
Posts: 8689
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Upgrading SolydXK GPG key

Postby Arjen Balfoort » 23 Mar 2016 15:10

I think I solved it!

It was this section here: https://wiki.debian.org/SettingUpSigned ... thReprepro
Here <keyid> for the public key is F2495744 (that's technically the subkey, which is recommended to be used for this sort of signing purpose).
The subkey? I always understood I had to use the default public key!

So, I've adapted reprepro's configuration to use our key's subkey B4187A61 instead of BCA63C3C and now the InRelease file says this:

Code:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

That's way better!

I've done an
sudo apt update
on the official Jessie versions and all was fine.

Can somebody check that on an EE?


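The check the quoted Debian mail describes (look at the Hash: header at the top of InRelease and at the checksum fields in the Release body) and the before/after state of this fix, as an added Python example that is not the thread's own code. Both InRelease samples are constructed; the signature block is omitted, and the checksums are those of an empty file so they are consistent with each other.

```python
import re

# Constructed sample (not a real repository file): head of an apt InRelease
# file with a SHA1 signature digest and SHA1-only checksums, as in the warning.
WEAK_INRELEASE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Origin: SolydXK
Date: Wed, 23 Mar 2016 09:00:00 UTC
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages
SHA1:
 da39a3ee5e6b4b0d3255bfef95601890afd80709 0 main/binary-amd64/Packages
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""

# Same file after the fix: SHA512 signature digest plus a SHA256 checksum block.
FIXED_INRELEASE = WEAK_INRELEASE.replace("Hash: SHA1", "Hash: SHA512").replace(
    "-----BEGIN PGP SIGNATURE-----",
    "SHA256:\n e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    " 0 main/binary-amd64/Packages\n-----BEGIN PGP SIGNATURE-----")

STRONG = {"SHA224", "SHA256", "SHA384", "SHA512"}

def audit_inrelease(text):
    """Report the signature digest(s) and checksum fields of an InRelease file."""
    digests, fields, in_headers = [], [], False
    for line in text.splitlines():
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_headers = True  # armor headers follow, up to the first blank line
        elif in_headers:
            if line == "":
                in_headers = False
            elif line.startswith("Hash:"):  # may list several, comma-separated
                digests += [a.strip().upper() for a in line[5:].split(",")]
        elif line == "-----BEGIN PGP SIGNATURE-----":
            break  # end of the signed Release body
        elif re.fullmatch(r"(MD5Sum|SHA1|SHA256|SHA512):", line):
            fields.append(line[:-1])
    return {
        "signature_digests": digests,  # empty means the legacy MD5 default
        "checksum_fields": fields,
        "weak_signature": not digests or not set(digests) <= STRONG,
        "weak_checksums": not ({"SHA256", "SHA512"} & set(fields)),
    }

def is_sufficiently_signed(text):
    """True only when both the signature digest and the checksums are SHA-2."""
    return not any(audit_inrelease(text)[k] for k in ("weak_signature", "weak_checksums"))
```

Running audit_inrelease on a downloaded InRelease shows whether a remaining "weak digest" warning comes from the signature header or from the checksum fields, which are separate things a repository maintainer has to fix.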

grizzler
Posts: 1985
Joined: 04 Mar 2013 15:45
Location: The Hague, NL

Re: Upgrading SolydXK GPG key

Postby grizzler » 23 Mar 2016 15:50

Still got the warning, but it appears the mirror hasn't updated yet. When I switched to the main repo, I got the new InRelease file and that worked ok.
Frank

Arjen Balfoort
Site Admin
Posts: 8689
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Upgrading SolydXK GPG key

Postby Arjen Balfoort » 23 Mar 2016 15:59

Cool! Then it's only waiting for the mirrors to upgrade.



grizzler
Posts: 1985
Joined: 04 Mar 2013 15:45
Location: The Hague, NL

Re: Upgrading SolydXK GPG key

Postby grizzler » 23 Mar 2016 16:04

The nl-mirror is up to date now.

Looking good.
Frank

xendistar
Posts: 382
Joined: 08 Jun 2014 08:17
Location: Bournemouth, UK

Re: Upgrading SolydXK GPG key

Postby xendistar » 24 Mar 2016 22:28

Will other repository providers upgrade their GPG key and you (the user) will download it automatically (as part of an update), or do you have to download the new GPG key from the repository provider manually?

The reason I ask is that my EE install is complaining about the Google GPG key and the Spotify GPG key:

Code:

W: gpgv:/var/lib/apt/lists/repository.spotify.com_dists_stable_InRelease: The repository is insufficiently signed by key BBEBDCB318AD50EC6865090613B00F1FD2C19886 (weak digest)
W: gpgv:/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release.gpg: The repository is insufficiently signed by key 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (weak digest)

Arjen Balfoort
Site Admin
Posts: 8689
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Upgrading SolydXK GPG key

Postby Arjen Balfoort » 25 Mar 2016 07:11

I was lucky I didn't have to change anything for the key. Only the configuration of the repository was changed and that doesn't impact the user.

For other repositories this means their maintainers will have to take care of that and distribute a new key when necessary. They often have a package to accomplish that. We use the package solydxk-keyring for that.

Until then users following testing will see a warning when upgrading with apt. It is just a warning and apt will still comply.



grizzler
Posts: 1985
Joined: 04 Mar 2013 15:45
Location: The Hague, NL

Re: Upgrading SolydXK GPG key

Postby grizzler » 25 Mar 2016 08:09

@xendistar,
This is explained on the page I linked to earlier. As you can see, both repositories you mentioned are listed on that page in the "Half-broken repositories" section. I think in some (most?) cases they won't even have to replace their keys, just switch to using the right hash to sign with.
Frank

Tuna130
Posts: 47
Joined: 10 Aug 2013 05:40
Location: Spain

Re: Upgrading SolydXK GPG key

Postby Tuna130 » 24 Apr 2018 10:34

Please update GPG and SHA values on the download pages.
They seem to be missing (404 error). Thanks!

Arjen Balfoort
Site Admin
Posts: 8689
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Upgrading SolydXK GPG key

Postby Arjen Balfoort » 24 Apr 2018 11:28

Thanks and updated!


