Date:      Wed, 15 Dec 2021 14:38:48 -0800
From:      John-Mark Gurney <jmg@funkthat.com>
To:        Davíð Steinn Geirsson <david@isnic.is>
Cc:        freebsd-security <freebsd-security@freebsd.org>
Subject:   Re: Expired key for signed checksums
Message-ID:  <20211215223848.GZ35602@funkthat.com>
In-Reply-To: <Ybh8upUne144uHoI@mail>
References:  <UP-f63qDEWMLjjb592fxz6MgOmqFHaqRw5N29C5MT7lEwW6rW_KQgbPq8YtndIiKHt536m3yk5CSSsbsdVrtTarWdicc_zIgoQoY2llBb4k=@protonmail.com> <20211104191742.GK69504@FreeBSD.org> <bWUEdUuTXV6w6B9_zzdL2zv-lPbGvq6KPFEBa-XRYRkgTKqKZZgThkEzsi9NjYYJEud63EQq_tMq0N7gaSJ1nhIT0V5-Zu7ueGshKozaayA=@protonmail.com> <Ybh8upUne144uHoI@mail>



Davíð Steinn Geirsson wrote this message on Tue, Dec 14, 2021 at 11:15 +0000:
> On Sun, Dec 12, 2021 at 08:40:23PM +0000, Pat via freebsd-security wrote:
> > ------- Original Message -------
> > On Thursday, November 4, 2021 7:17 PM, Glen Barber <gjb@freebsd.org> wrote:
> >
> > > On Thu, Nov 04, 2021 at 07:01:50PM +0000, Pat via freebsd-security wrote:
> > >
> > > > Hello,
> > > > I am trying to verify the signed checksum file for FreeBSD 13, but the key that
> > > > gets checked is showing to be expired:
> > > > $ gpg --keyserver-options auto-key-retrieve \
> > > > --keyserver hkps://keyserver.ubuntu.com:443 \
> > > > --verify CHECKSUM.SHA256-FreeBSD-13.0-RELEASE-amd64.asc
> > > > gpg: Signature made Tue Apr 13 10:45:44 2021 CDT
> > > > gpg: using RSA key 8D12403C2E6CAB086CF64DA3031458A5478FE293
> > > > gpg: requesting key 031458A5478FE293 from hkps server keyserver.ubuntu.com
> > > > gpg: key 524F0C37A0B946A3: 76 signatures not checked due to missing keys
> > > > gpg: key 524F0C37A0B946A3: public key "Glen Barber gjb@FreeBSD.org" imported
> > > > gpg: no ultimately trusted keys found
> > > > gpg: Total number processed: 1
> > > > gpg: imported: 1
> > > > gpg: Good signature from "Glen Barber gjb@FreeBSD.org" [expired]
> > > > gpg: aka "Glen Barber glen.j.barber@gmail.com" [expired]
> > > > gpg: aka "Glen Barber gjb@keybase.io" [expired]
> > > > gpg: aka "Glen Barber gjb@glenbarber.us" [expired]
> > > > gpg: Note: This key has expired!
> > > > Primary key fingerprint: 78B3 42BA 26C7 B2AC 681E A7BE 524F 0C37 A0B9 46A3
> > > > Subkey fingerprint: 8D12 403C 2E6C AB08 6CF6 4DA3 0314 58A5 478F E293
> > > > It does not matter what keyserver I try, I get the same expiration message. Yet
> > > > I see the key expiration was bumped[0]. How would I go about getting the updated
> > > > key? Or am I just going about this all wrong?
> > >
> > > https://docs.freebsd.org/en/articles/pgpkeys/#_glen_barber_gjbfreebsd_org
> > >
> > > Glen
> > Thank you Glen, and apologies for the extreme delay in acknowledging
> > your reply and my success at importing the key. I do appreciate you
> > having taken the time to reply, despite taking five weeks to say that.
> >
> > :)
> >
>
> I think the website could use some better guidance on this. That page has a
> lot of keys for a lot of people. Are they all trusted to sign FreeBSD
> releases?
>
> Assuming that they're not, it would be great if the signatures page were
> updated to include a list of keys that are expected to sign a release.
> https://www.freebsd.org/releases/13.0R/signatures/
>
> I say this because I had problems finding this as well when writing our
> deployment automation. It's the reason why I did not automate grabbing
> new releases and verifying them, and still leave that as a manual human
> step.

Yeah, I recently updated snapaid.sh to point to the new location.

https://funkthat.com/gitea/jmg/snapaid

I do wish there was better guidance on this as well.  Because if/when
the existing signing key is compromised, there is not a documented way
(that I know of) to handle updating all the past releases' signatures
to the new, uncompromised key.  Because if/when the existing key is
compromised, it's easy to sign a new announcement that verifies w/
hashes of compromised images.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
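The thread turns on two gaps in the verification step: the key that signed `CHECKSUM.SHA256-FreeBSD-13.0-RELEASE-amd64.asc` showed as `[expired]` until the re-validated copy was imported from the pgpkeys article, and nothing on the signatures page says which keys are expected to sign a release, which is what kept the poster's deployment automation manual. The script below is an added example, not code from this thread, from snapaid.sh, or from the FreeBSD project. It evaluates gpg's machine-readable `--status-fd` output (line formats as documented in GnuPG's `doc/DETAILS`) instead of the human-readable text, and rejects a signature that is expired, revoked, bad, or made by a key whose primary fingerprint is not on a pinned allow-list. The pinned fingerprint is Glen Barber's primary key as printed in the thread and is an assumption for illustration, not an official list of release signers; the sample status lines are constructed to mirror the thread's output, with illustrative timestamps. `verify_checksum_file` deliberately verifies against a local keyring only, so a keyserver's auto-key-retrieve cannot decide which key is trusted.

```python
"""Decide whether a gpg --verify of a FreeBSD CHECKSUM.SHA256-*.asc file
should be accepted, using gpg's machine-readable --status-fd lines rather
than its human-readable text.  Added example: not code from this thread,
snapaid.sh, or the FreeBSD project."""
import subprocess
from dataclasses import dataclass
from typing import Optional

# Assumption: the automation pins primary-key fingerprints of the keys it
# expects to sign releases.  The one below is Glen Barber's primary key as
# printed in the thread; it is NOT an official list (the thread's point is
# that no such list is published on the signatures page).
PINNED_RELEASE_SIGNERS = {"78B342BA26C7B2AC681EA7BE524F0C37A0B946A3"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    signer_fpr: Optional[str] = None   # (sub)key that made the signature
    primary_fpr: Optional[str] = None  # primary key it belongs to


def evaluate_gpg_status(status_text: str, pinned: set) -> Verdict:
    """Apply accept/reject rules to '[GNUPG:] ...' status lines
    (formats per GnuPG's doc/DETAILS).  Strictest rule wins:
      BADSIG/ERRSIG              -> reject
      no VALIDSIG                -> reject (nothing was verified)
      EXPKEYSIG/EXPSIG/REVKEYSIG -> reject; refresh the key from the
                                    documented location, as the thread did
      primary key not pinned     -> reject (valid, but not an expected signer)
    """
    seen = {}
    validsig = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        seen[parts[1]] = parts[2:]
        if parts[1] == "VALIDSIG":
            validsig = parts[2:]
    for bad in ("BADSIG", "ERRSIG"):
        if bad in seen:
            return Verdict(False, f"gpg reported {bad}")
    if validsig is None:
        return Verdict(False, "no VALIDSIG line: nothing was verified")
    # VALIDSIG <sig-fpr> <date> <ts> <exp-ts> <ver> <rsv> <pk-alg> <hash-alg>
    #          <sig-class> [<primary-fpr>]; older gpg omits the last field.
    signer = validsig[0].upper()
    primary = validsig[9].upper() if len(validsig) > 9 else signer
    for stale in ("EXPKEYSIG", "EXPSIG", "REVKEYSIG"):
        if stale in seen:
            return Verdict(False, f"gpg reported {stale}; refresh the signing key "
                           "from the documented location", signer, primary)
    if primary not in pinned:
        return Verdict(False, "valid signature, but primary key is not a pinned "
                       "release signer", signer, primary)
    return Verdict(True, "valid signature from a pinned release signer",
                   signer, primary)


def verify_checksum_file(asc_path: str, keyring: str,
                         pinned=PINNED_RELEASE_SIGNERS) -> Verdict:
    """Run gpg against a local keyring only (no auto-key-retrieve, so a
    keyserver cannot decide which key is trusted) and evaluate the result."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", asc_path],
        capture_output=True, text=True)
    return evaluate_gpg_status(proc.stdout, pinned)


# Constructed status output mirroring the thread: the subkey signed the
# file, the primary key had expired.  Timestamps are illustrative.
SAMPLE_EXPIRED = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 78B342BA26C7B2AC681EA7BE524F0C37A0B946A3 0
[GNUPG:] EXPKEYSIG 031458A5478FE293 Glen Barber <gjb@FreeBSD.org>
[GNUPG:] VALIDSIG 8D12403C2E6CAB086CF64DA3031458A5478FE293 2021-04-13 1618328744 0 4 0 1 8 00 78B342BA26C7B2AC681EA7BE524F0C37A0B946A3
[GNUPG:] KEYEXPIRED 1622505600
"""

# Same signature after importing the re-validated key from the pgpkeys page.
SAMPLE_REFRESHED = SAMPLE_EXPIRED.replace("EXPKEYSIG", "GOODSIG") \
                                 .replace("[GNUPG:] KEYEXPIRED 1622505600\n", "")

# A good signature from some other key on the pgpkeys page (constructed
# all-zero fingerprint): valid, but not an expected release signer.
SAMPLE_UNPINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Example Committer <example@FreeBSD.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2021-04-13 1618328744 0 4 0 1 8 00 0000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for name, sample in (("expired", SAMPLE_EXPIRED),
                         ("refreshed", SAMPLE_REFRESHED),
                         ("unpinned", SAMPLE_UNPINNED)):
        print(name, evaluate_gpg_status(sample, PINNED_RELEASE_SIGNERS))
```

In real use the keyring handed to `verify_checksum_file` would be populated once from the pgpkeys article and refreshed from that same documented location when a key is re-validated; the allow-list is what turns "some key on a page with a lot of keys" into "a key expected to sign this release", which is the guidance the thread asks the project to publish.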

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20211215223848.GZ35602>