Date: Wed, 15 Dec 2021 14:38:48 -0800
From: John-Mark Gurney
To: Davíð Steinn Geirsson
Cc: freebsd-security
Subject: Re: Expired key for signed checksums
Message-ID: <20211215223848.GZ35602@funkthat.com>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Davíð Steinn Geirsson wrote this message on Tue, Dec 14, 2021 at 11:15 +0000:
> On Sun, Dec 12, 2021 at 08:40:23PM +0000, Pat via freebsd-security wrote:
> > ------- Original Message -------
> > On Thursday, November 4, 2021 7:17 PM, Glen Barber wrote:
> >
> > > On Thu, Nov 04, 2021 at 07:01:50PM +0000, Pat via freebsd-security wrote:
> > >
> > > > Hello,
> > > > I am trying to verify the signed checksum file for FreeBSD 13, but the key that
> > > > gets checked is showing to be expired:
> > > > $ gpg --keyserver-options auto-key-retrieve \
> > > > --keyserver hkps://keyserver.ubuntu.com:443 \
> > > > --verify CHECKSUM.SHA256-FreeBSD-13.0-RELEASE-amd64.asc
> > > > gpg: Signature made Tue Apr 13 10:45:44 2021 CDT
> > > > gpg: using RSA key 8D12403C2E6CAB086CF64DA3031458A5478FE293
> > > > gpg: requesting key 031458A5478FE293 from hkps server keyserver.ubuntu.com
> > > > gpg: key 524F0C37A0B946A3: 76 signatures not checked due to missing keys
> > > > gpg: key 524F0C37A0B946A3: public key "Glen Barber gjb@FreeBSD.org" imported
> > > > gpg: no ultimately trusted keys found
> > > > gpg: Total number processed: 1
> > > > gpg: imported: 1
> > > > gpg: Good signature from "Glen Barber gjb@FreeBSD.org" [expired]
> > > > gpg: aka "Glen Barber glen.j.barber@gmail.com" [expired]
> > > > gpg: aka "Glen Barber gjb@keybase.io" [expired]
> > > > gpg: aka "Glen Barber gjb@glenbarber.us" [expired]
> > > > gpg: Note: This key has expired!
> > > > Primary key fingerprint: 78B3 42BA 26C7 B2AC 681E A7BE 524F 0C37 A0B9 46A3
> > > > Subkey fingerprint: 8D12 403C 2E6C AB08 6CF6 4DA3 0314 58A5 478F E293
> > > > It does not matter what keyserver I try, I get the same expiration message. Yet
> > > > I see the key expiration was bumped[0]. How would I go about getting the updated
> > > > key? Or am I just going about this all wrong?
> > > >
> > > https://docs.freebsd.org/en/articles/pgpkeys/#_glen_barber_gjbfreebsd_org
> > >
> > > Glen
> > Thank you Glen, and apologies for the extreme delay in acknowledging
> > your reply and my success at importing the key. I do appreciate you
> > having taken the time to reply, despite taking five weeks to say that.
> >
> > :)
> >
>
> I think the website could use some better guidance on this. That page has a
> lot of keys for a lot of people. Are they all trusted to sign FreeBSD
> releases?
>
> Assuming that they're not, it would be great if the signatures page were
> updated to include a list of keys that are expected to sign a release.
> https://www.freebsd.org/releases/13.0R/signatures/
>
> I say this because I had problems finding this as well when writing our
> deployment automation. It's the reason why I did not automate grabbing
> new releases and verifying them, and still leave that as a manual human
> step.

Yeah, I recently updated snapaid.sh to point to the new location.

https://funkthat.com/gitea/jmg/snapaid

I do wish there was better guidance on this as well. Because if/when
the existing signing key is compromised, there is not a documented
way (that I know of) to handle updating all the past releases'
signatures to the new, uncompromised key. Because if/when the
existing key is compromised, it's easy to sign a new announcement
that verifies w/ hashes of compromised images.

--
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
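Added example, not part of the original message and not taken from snapaid.sh: one way for deployment automation to decide on a release signature from gpg's machine-readable `--status-fd` lines and a pinned primary-key fingerprint, instead of the human-readable output quoted in the thread. The two fingerprints are the ones shown in the thread; the pinned list, the function names and the sample status lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: judge a checksum-file signature from gpg status lines.
# Real use (assumes gpg is installed and the .asc file is present):
#   gpg --status-fd 1 --verify CHECKSUM.SHA256-FreeBSD-13.0-RELEASE-amd64.asc \
#       2>/dev/null | check_status

# Primary-key fingerprints allowed to sign releases, space separated.
# Assumption: this list holds only the primary fingerprint quoted in the
# thread; confirm it out of band before pinning it in automation.
PINNED_FPRS="78B342BA26C7B2AC681EA7BE524F0C37A0B946A3"

# check_status [pinned-list]: reads status lines on stdin, prints a verdict:
#   ok         valid signature, pinned primary key, key currently usable
#   expired    valid signature, pinned key, but the local key copy is expired
#              (refresh the key from the project's page, then re-verify)
#   untrusted  valid signature made by a key that is not pinned
#   bad        BADSIG/ERRSIG, revoked key, expired signature, or no signature
check_status() {
    awk -v pinned="${1:-$PINNED_FPRS}" '
        BEGIN { n = split(pinned, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"   { good = 1 }
        $2 == "EXPKEYSIG" { expired = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" || $2 == "EXPSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
        $2 == "VALIDSIG"  { valid++; primary = (NF >= 12) ? $12 : $3 }
        END {
            if (bad || valid != 1)     print "bad"
            else if (!(primary in ok)) print "untrusted"
            else if (expired)          print "expired"
            else if (good)             print "ok"
            else                       print "bad"
        }'
}

# Constructed sample status lines (not captured from a real gpg run).
SAMPLE_VALIDSIG="[GNUPG:] VALIDSIG 8D12403C2E6CAB086CF64DA3031458A5478FE293 2021-04-13 1618328744 0 4 0 1 10 00 78B342BA26C7B2AC681EA7BE524F0C37A0B946A3"
sample_expired() {
    printf '%s\n' "[GNUPG:] EXPKEYSIG 031458A5478FE293 Glen Barber" "$SAMPLE_VALIDSIG"
}
sample_good() {
    printf '%s\n' "[GNUPG:] GOODSIG 031458A5478FE293 Glen Barber" "$SAMPLE_VALIDSIG"
}

sample_expired | check_status   # expired
```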