This shows the differences between the selected revision and the current revision of the page.

| werkinstructies:gpg_key_resign [2022/06/23 14:02] abel [Resign the secret key] | werkinstructies:gpg_key_resign [2022/08/03 11:27] (current) abel [Resign the secret key] |
|---|---|
| Line 6: | Line 6: | ||
| The packages in a repository are signed with the SHA1 signed key, now we resign the gpg key it self but the signage on the package is still valid. (hopefully) | The packages in a repository are signed with the SHA1 signed key, now we resign the gpg key it self but the signage on the package is still valid. (hopefully) | ||
| + | importing the SHA1 gpg key to rpm will trow an error:\\ | ||
| + | |||
| + | '' | ||
| + | < | ||
| + | error: EXAMPLEKEY-SHA1-public.gpg: | ||
| + | </ | ||
| ===== get the original keys ===== | ===== get the original keys ===== | ||
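Review bot: the added rpm error `error: EXAMPLEKEY-SHA1-public.gpg:` stops right after the filename, so the part of the message that actually tells the reader why the import fails (the text naming the SHA1 signature) is missing; paste the complete `rpm --import` output, and note that the command in the `''` inline span before the block does not survive in this view either, so the reader cannot tell which command produced the error. Two wording fixes in the same hunk: 'trow' should be 'throw', and the unchanged sentence 'the signage on the package is still valid. (hopefully)' should read 'the signature on the package is still valid'; the last section of this revision verifies exactly that with rpm, so the '(hopefully)' can go.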
| Line 39: | Line 45: | ||
| | | ||
| │ Please enter the passphrase to import the OpenPGP secret key: │ | │ Please enter the passphrase to import the OpenPGP secret key: │ | ||
| - | │ "RWSBUILD" | + | │ "EXAMPLEKEY" |
| - | │ 2048-bit RSA key, ID 0447A2B8C3FAC2BD, │ | + | │ 2048-bit RSA key, ID 0447A2B8C3FAC3BD, │ |
| │ created 2016-02-09. | │ created 2016-02-09. | ||
| | | ||
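Review bot: the uid is anonymised to `EXAMPLEKEY` here while the real long key ID `0447A2B8C3FAC3BD` (and, further down, the full fingerprint) is kept, which defeats the anonymisation: a fingerprint identifies the key on any keyserver just as well as the name does. Either keep the real uid or replace the ID and fingerprint with placeholders too, consistently through the whole page. The ID correction itself (C2FAC2BD to C3FAC3BD) is right: it matches the last 16 hex digits of the fingerprint shown later on the page, so the old value was a transcription error.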
| Line 52: | Line 58: | ||
| < | < | ||
| - | gpg: key 0447A2B8C3FAC3BD: | + | gpg: key 0447A2B8C3FAC3BD: |
| gpg: key 0447A2B8C3FAC3BD: | gpg: key 0447A2B8C3FAC3BD: | ||
| gpg: Total number processed: 1 | gpg: Total number processed: 1 | ||
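Review bot: both `gpg: key 0447A2B8C3FAC3BD:` lines are cut off after the key ID in this view, so what changed between the revisions, and whether the import reported the secret key or only the public key, cannot be seen; keep the full lines, they are what a reader compares their own import output against.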
| Line 64: | Line 70: | ||
| Do this by: \\ | Do this by: \\ | ||
| - | '' | + | '' |
| < | < | ||
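Review bot: the command after 'Do this by:' sits in a `''` inline span whose content is not shown in this view, so the step cannot be followed; put the full `gpg --edit-key` invocation in a `<code>` block like the transcripts that follow it instead of inline code, so it survives rendering and can be copied as one unit.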
| Line 71: | Line 77: | ||
| Secret key is available. | Secret key is available. | ||
| - | sec rsa2048/0447A2B8C3FAC2BD | + | sec rsa2048/0447A2B8C3FAC3BD |
| - | | + | |
| | | ||
| ssb rsa2048/ | ssb rsa2048/ | ||
| - | | + | |
| - | [ unknown] (1). RWSBUILD | + | [ unknown] (1). EXAMPLEKEY |
| </ | </ | ||
| < | < | ||
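Review bot: the listing shows `[ unknown]` for the key's own uid even though 'Secret key is available.', i.e. the key has no ownertrust in this keyring (the later 'gpg: no ultimately trusted keys found' says the same thing). Re-signing does not need ownertrust, but anything that later checks validity will keep reporting unknown until you run `trust` in `gpg --edit-key` and pick ultimate for your own key; a one-line remark here stops readers from mistaking it for a failed import.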
| Line 83: | Line 89: | ||
| Do you want to sign it again anyway? (y/N) y | Do you want to sign it again anyway? (y/N) y | ||
| - | sec rsa2048/0447A2B8C3FAC2BD | + | sec rsa2048/0447A2B8C3FAC3BD |
| - | | + | |
| | | ||
| - | | + | |
| - | RWSBUILD | + | EXAMPLEKEY |
| Are you sure that you want to sign this key with your | Are you sure that you want to sign this key with your | ||
| - | key "RWSBUILD" (0447A2B8C3FAC2BD) | + | key "EXAMPLEKEY" (0447A2B8C3FAC3BD) |
| This will be a self-signature. | This will be a self-signature. | ||
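Review bot: 'Do you want to sign it again anyway? (y/N) y' confirms a self-signature already exists; the new one is only worth anything if it is made with a SHA-2 digest, and nothing on the page checks that. After `save`, verify with `gpg --export 0447A2B8C3FAC3BD | gpg --list-packets | grep 'digest algo'`: `digest algo 8` is SHA256, `digest algo 2` is the SHA1 you are trying to get rid of. If the newest signature still shows 2, set `cert-digest-algo SHA256` in gpg.conf and sign again.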
| Line 102: | Line 108: | ||
| < | < | ||
| gpg> save | gpg> save | ||
| + | </ | ||
| + | ===== public key signage propagation workaround ===== | ||
| + | |||
| + | At this point there is still a problem with the sub keys, they are somehow not updated. You can see this when uoy check the signatures: | ||
| + | |||
| + | '' | ||
| + | |||
| + | < | ||
| + | gpg: checking the trustdb | ||
| + | gpg: no ultimately trusted keys found | ||
| + | / | ||
| + | ----------------------------- | ||
| + | pub | ||
| + | FF7EB74348CBCA81256B28C70447A2B8C3FAC3BD | ||
| + | uid [ unknown] EXAMPLEKEY | ||
| + | sig!3 0447A2B8C3FAC3BD 2019-02-09 | ||
| + | sig!3 0447A2B8C3FAC3BD 2022-06-23 | ||
| + | sub | ||
| + | sig! | ||
| + | |||
| + | gpg: 3 good signatures | ||
| + | </ | ||
| + | the last signature was set at 2019-02-09. | ||
| + | |||
| + | fix this by toggleing the expiration date: \\ | ||
| + | '' | ||
| + | |||
| + | < | ||
| + | gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc. | ||
| + | This is free software: you are free to change and redistribute it. | ||
| + | There is NO WARRANTY, to the extent permitted by law. | ||
| + | |||
| + | Secret key is available. | ||
| + | |||
| + | gpg: checking the trustdb | ||
| + | gpg: no ultimately trusted keys found | ||
| + | sec rsa2048/ | ||
| + | | ||
| + | | ||
| + | ssb rsa2048/ | ||
| + | | ||
| + | [ unknown] (1). EXAMPLEKEY | ||
| + | |||
| + | gpg> expire | ||
| + | Changing expiration time for a subkey. | ||
| + | Please specify how long the key should be valid. | ||
| + | 0 = key does not expire | ||
| + | < | ||
| + | <n>w = key expires in n weeks | ||
| + | <n>m = key expires in n months | ||
| + | <n>y = key expires in n years | ||
| + | Key is valid for? (0) 3 | ||
| + | Key expires at Sun 26 Jun 2022 02:56:28 PM CEST | ||
| + | Is this correct? (y/N) y | ||
| + | |||
| + | sec rsa2048/ | ||
| + | | ||
| + | | ||
| + | ssb* rsa2048/ | ||
| + | | ||
| + | [ unknown] (1). EXAMPLEKEY | ||
| + | </ | ||
| + | And save: | ||
| + | < | ||
| + | gpg> save | ||
| + | </ | ||
| + | |||
| + | Edit again, and remove the expiration: | ||
| + | < | ||
| + | gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc. | ||
| + | This is free software: you are free to change and redistribute it. | ||
| + | There is NO WARRANTY, to the extent permitted by law. | ||
| + | |||
| + | Secret key is available. | ||
| + | |||
| + | gpg: checking the trustdb | ||
| + | gpg: no ultimately trusted keys found | ||
| + | sec rsa2048/ | ||
| + | | ||
| + | | ||
| + | ssb* rsa2048/ | ||
| + | | ||
| + | [ unknown] (1). EXAMPLEKEY | ||
| + | |||
| + | gpg> expire | ||
| + | Changing expiration time for a subkey. | ||
| + | Please specify how long the key should be valid. | ||
| + | 0 = key does not expire | ||
| + | < | ||
| + | <n>w = key expires in n weeks | ||
| + | <n>m = key expires in n months | ||
| + | <n>y = key expires in n years | ||
| + | Key is valid for? (0) 0 | ||
| + | Key does not expire at all | ||
| + | Is this correct? (y/N) y | ||
| + | |||
| + | sec rsa2048/ | ||
| + | | ||
| + | | ||
| + | ssb rsa2048/ | ||
| + | | ||
| + | [ unknown] (1). EXAMPLEKEY | ||
| + | </ | ||
| + | And save again: | ||
| + | < | ||
| + | gpg> save | ||
| </ | </ | ||
| - | Check the signatures: '' | + | Now to see if this did the trick, |
| < | < | ||
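Review bot: the transcript of the expiry workaround is missing the step that makes it work. Just before the first `gpg> expire` the listing shows `ssb rsa2048/` with no `*`, yet gpg answers 'Changing expiration time for a subkey.' and the next listing shows `ssb*`; with no subkey selected, `expire` changes the primary key, so the `gpg> key 1` that selects the subkey was left out and must be added (the second session's entry listing already shows `ssb*`, which a fresh `--edit-key` session never does, so that transcript was stitched together as well). The sentence 'the last signature was set at 2019-02-09' also contradicts the listing right above it, which has a uid self-signature dated 2022-06-23; what has not been refreshed is the subkey binding signature, the `sig!` under `sub` whose date is cut off here, and the text should say so. Worth stating too that the toggle works because every expiry change writes a fresh binding signature, and that nothing should be exported between the two saves while the 3-day expiry is in effect. Typos: 'uoy' and 'toggleing'.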
| Line 112: | Line 224: | ||
| / | / | ||
| ----------------------------- | ----------------------------- | ||
| - | pub | + | pub |
| - | | + | |
| - | uid [ unknown] | + | uid [ unknown] |
| - | sig!3 | + | sig!3 |
| - | sig!3 | + | sig!3 |
| - | sub | + | sub |
| - | sig! 0447A2B8C3FAC2BD 2016-02-09 RWSBUILD | + | sig! 0447A2B8C3FAC3BD 2022-06-23 EXAMPLEKEY |
| gpg: 3 good signatures | gpg: 3 good signatures | ||
| </ | </ | ||
| + | |||
| + | ===== Use the public key ===== | ||
| + | |||
| + | Export the public gpg key for use in rpm: \\ | ||
| + | '' | ||
| + | |||
| + | |||
| + | |||
| + | Then import this gpg key to rpm on a clean system:\\ | ||
| + | '' | ||
| <note important> | <note important> | ||
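Review bot: the new 'Use the public key' section rests on two commands (the export for rpm and the import on a clean system) that sit in `''` inline spans and are not visible in this view; show them in `<code>` blocks like the transcripts. Also read the listing above it carefully: both uid self-signatures, 2019-02-09 and 2022-06-23, are still present and the subkey binding signature is now 2022-06-23. Re-signing adds signatures, it does not remove the old SHA1 ones, so the exported key still carries them; if an importer refuses keys that contain any SHA1 self-signature, delete the old ones with `delsig` on the uid in `gpg --edit-key` before exporting, and re-run `--check-sigs` afterwards.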
| Line 132: | Line 254: | ||
| < | < | ||
| gpg: WARNING: no command supplied. | gpg: WARNING: no command supplied. | ||
| - | pub | + | pub |
| FF7EB12345CBCA81256B28C70447A2B8C3FAC3BD | FF7EB12345CBCA81256B28C70447A2B8C3FAC3BD | ||
| uid | uid | ||
| - | sub | + | sub |
| </ | </ | ||
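Review bot: the fingerprint here, `FF7EB12345CBCA81256B28C70447A2B8C3FAC3BD`, does not match the one in the `--check-sigs` listing added earlier in this revision, `FF7EB74348CBCA81256B28C70447A2B8C3FAC3BD`; the '12345' looks like a hand edit applied to one copy only. It is the same key, so the two must be identical, and since the last 16 digits (the key ID) are real in both, the partial masking protects nothing. Pick one form and use it everywhere. The changed `pub` and `sub` lines are cut off after the keyword in this view, so the actual change in this hunk is not visible.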
| Line 168: | Line 290: | ||
| As you can see the key ID should be the same as the number in the pub part of the gpg key, and are the same as the last 8 digits in the full key ID. | As you can see the key ID should be the same as the number in the pub part of the gpg key, and are the same as the last 8 digits in the full key ID. | ||
| + | ===== check an rpm signed with the old SHA1 key ===== | ||
| + | Now you migt think, "hold on, the last comment says: // | ||
| + | But if we test before installing: \\ | ||
| + | '' | ||
| + | It says OK: | ||
| + | < | ||
| + | filename.rpm: | ||
| + | </ | ||
| - | + | <note warning> | |
| - | + | ||
| - | + | ||
| - | + | ||
| ===== Bronnen ===== | ===== Bronnen ===== | ||
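Review bot: the rpm check that closes the page is cut off at both ends: the command is in an invisible `''` span and the output stops at `filename.rpm:`, and the quoted reasoning 'the last comment says: //' breaks off too. Show `rpm -K filename.rpm` with its complete result and explain why OK is expected instead of sounding surprised: the SHA1 problem is in the key's self-signatures (over its own uid and subkey), while the package signature is a separate signature made with the key, with whatever digest rpmsign used, and changing the self-signatures does not touch it. Make sure the output reads `digests signatures OK`; a bare `digests OK` means there was no signature to verify, and `SIGNATURES NOT OK` means the imported key did not match. The `<note warning>` block added at the end is empty in this view as well. Typo: 'migt'.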