werkinstructies:gpg_key_resign

Differences

This shows the differences between the selected revision and the current revision of the page.

werkinstructies:gpg_key_resign [2022/06/23 14:59]
abel [Export the public key]
werkinstructies:gpg_key_resign [2022/08/03 11:27] (current)
abel [Resign the secret key]
Line 6: Line 6:
 The packages in a repository are signed with the SHA1 signed key, now we resign the gpg key it self but the signage on the package is still valid. (hopefully) The packages in a repository are signed with the SHA1 signed key, now we resign the gpg key it self but the signage on the package is still valid. (hopefully)
  
 +importing the SHA1 gpg key to rpm will trow an error:\\
 +
 +''%%sudo rpm --import EXAMPLEKEY-SHA1-public.gpg%%''
 +<code>
 +error: EXAMPLEKEY-SHA1-public.gpg: key 1 import failed.
 +</code>
 ===== get the original keys ===== ===== get the original keys =====
  
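Review bot: the new paragraph does not say which rpm or distribution version rejects the key, so a reader cannot tell whether the `key 1 import failed` error applies to their system; add the rpm version (or the crypto policy in effect) under which `sudo rpm --import EXAMPLEKEY-SHA1-public.gpg` failed. Also `trow` should read `throw`, and the sentence should start with a capital: `Importing the SHA1 gpg key into rpm will throw an error:`.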
Line 64: Line 70:
  
 Do this by: \\ Do this by: \\
-''%%gpg --cipher-algo IDEA --cert-digest-algo sha512 --expert --edit-key secret-key.gpg%%''+''%%gpg --cipher-algo IDEA --cert-digest-algo sha256 --expert --edit-key secret-key.gpg%%''
  
 <code> <code>
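Review bot: changing `--cert-digest-algo sha512` to `sha256` in this command conflicts with the new section further down in this diff, which says the installed gpg key is now SHA512; either keep sha512 here or update that sentence so the digest named in the command and in the text agree. Whichever is chosen, state the reason for the choice next to the command so the next editor does not flip it back.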
Line 72: Line 78:
  
 sec  rsa2048/0447A2B8C3FAC3BD sec  rsa2048/0447A2B8C3FAC3BD
-     created: 2016-02-09  expires: never       usage: SC+     created: 2019-02-09  expires: never       usage: SC
      trust: unknown       validity: unknown      trust: unknown       validity: unknown
 ssb  rsa2048/5CA7D2244AEACD3A ssb  rsa2048/5CA7D2244AEACD3A
-     created: 2016-02-09  expires: never       usage: E+     created: 2019-02-09  expires: never       usage: E
 [ unknown] (1). EXAMPLEKEY [ unknown] (1). EXAMPLEKEY
 </code> </code>
Line 84: Line 90:
  
 sec  rsa2048/0447A2B8C3FAC3BD sec  rsa2048/0447A2B8C3FAC3BD
-     created: 2016-02-09  expires: never       usage: SC+     created: 2019-02-09  expires: never       usage: SC
      trust: unknown       validity: unknown      trust: unknown       validity: unknown
  Primary key fingerprint: FF7E B743 48CB CA81 256B  28C7 0447 A2B8 C3FA C3BD  Primary key fingerprint: FF7E B743 48CB CA81 256B  28C7 0447 A2B8 C3FA C3BD
Line 102: Line 108:
 <code> <code>
 gpg> save gpg> save
- 
 </code> </code>
  
-Check the signatures: ''%%gpg --check-sigs%%''+===== public key signage propagation workaround ===== 
 + 
 +At this point there is still a problem with the sub keys, they are somehow not updated. You can see this when uoy check the signatures:\\ 
 + 
 +''%%gpg --check-sigs%%''
  
 <code> <code>
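Review bot: `uoy` in the new paragraph should be `you`, `sub keys` is normally written `subkeys`, and `signage` in the new heading means `signature`. The sentence `they are somehow not updated` is also too vague for a work instruction: the transcript that follows shows the subkey binding signature still dated 2019-02-09 while the uid carries a freshly dated signature, so say that directly (the edit-key run did not re-issue the subkey's binding signature).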
Line 119: Line 128:
 sub   rsa2048 2019-02-09 [E] sub   rsa2048 2019-02-09 [E]
 sig!         0447A2B8C3FAC3BD 2019-02-09  EXAMPLEKEY sig!         0447A2B8C3FAC3BD 2019-02-09  EXAMPLEKEY
 +
 +gpg: 3 good signatures
 +</code>
 +the last signature was set at 2019-02-09.
 +
 +fix this by toggleing the expiration date: \\
 +''%%gpg --edit-key EXAMPLEKEY%%''
 +
 +<code>
 +gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc.
 +This is free software: you are free to change and redistribute it.
 +There is NO WARRANTY, to the extent permitted by law.
 +
 +Secret key is available.
 +
 +gpg: checking the trustdb
 +gpg: no ultimately trusted keys found
 +sec  rsa2048/0447A2B8C3FAC3BD
 +     created: 2019-02-09  expires: never       usage: SC
 +     trust: unknown       validity: unknown
 +ssb  rsa2048/5CA7D2244AEACD3A
 +     created: 2019-02-09  expires: never       usage: E
 +[ unknown] (1). EXAMPLEKEY
 +
 +gpg> expire
 +Changing expiration time for a subkey.
 +Please specify how long the key should be valid.
 +         0 = key does not expire
 +      <n>  = key expires in n days
 +      <n>w = key expires in n weeks
 +      <n>m = key expires in n months
 +      <n>y = key expires in n years
 +Key is valid for? (0) 3
 +Key expires at Sun 26 Jun 2022 02:56:28 PM CEST
 +Is this correct? (y/N) y
 +
 +sec  rsa2048/0447A2B8C3FAC3BD
 +     created: 2019-02-09  expires: never       usage: SC
 +     trust: unknown       validity: unknown
 +ssb* rsa2048/5CA7D2244AEACD3A
 +     created: 2019-02-09  expires: 2022-06-26  usage: E
 +[ unknown] (1). EXAMPLEKEY
 +</code>
 +And save:
 +<code>
 +gpg> save
 +</code>
 +
 +Edit again, and remove the expiration:
 +<code>
 +gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc.
 +This is free software: you are free to change and redistribute it.
 +There is NO WARRANTY, to the extent permitted by law.
 +
 +Secret key is available.
 +
 +gpg: checking the trustdb
 +gpg: no ultimately trusted keys found
 +sec  rsa2048/0447A2B8C3FAC3BD
 +     created: 2019-02-09  expires: never       usage: SC
 +     trust: unknown       validity: unknown
 +ssb* rsa2048/5CA7D2244AEACD3A
 +     created: 2019-02-09  expires: 2022-06-26  usage: E
 +[ unknown] (1). EXAMPLEKEY
 +
 +gpg> expire
 +Changing expiration time for a subkey.
 +Please specify how long the key should be valid.
 +         0 = key does not expire
 +      <n>  = key expires in n days
 +      <n>w = key expires in n weeks
 +      <n>m = key expires in n months
 +      <n>y = key expires in n years
 +Key is valid for? (0) 0
 +Key does not expire at all
 +Is this correct? (y/N) y
 +
 +sec  rsa2048/0447A2B8C3FAC3BD
 +     created: 2019-02-09  expires: never       usage: SC
 +     trust: unknown       validity: unknown
 +ssb  rsa2048/5CA7D2244AEACD3A
 +     created: 2019-02-09  expires: never       usage: E
 +[ unknown] (1). EXAMPLEKEY
 +</code>
 +And save again:
 +<code>
 +gpg> save
 +</code>
 +
 +Now to see if this did the trick, Check the signatures again: \\ ''%%gpg --check-sigs%%''
 +
 +<code>
 +gpg: checking the trustdb
 +gpg: no ultimately trusted keys found
 +/home/abel/.gnupg/pubring.kbx
 +-----------------------------
 +pub   rsa2048 2019-02-09 [SC]
 +      FF7EB74348CBCA81256B28C70447A2B8C3FAC3BD
 +uid           [ unknown] EXAMPLEKEY
 +sig!3        0447A2B8C3FAC3BD 2019-02-09  EXAMPLEKEY
 +sig!3        0447A2B8C3FAC3BD 2022-06-23  EXAMPLEKEY
 +sub   rsa2048 2019-02-09 [E]
 +sig!         0447A2B8C3FAC3BD 2022-06-23  EXAMPLEKEY
  
 gpg: 3 good signatures gpg: 3 good signatures
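Review bot: both edit-key transcripts jump straight to `gpg> expire` yet print `Changing expiration time for a subkey.` and mark the subkey as `ssb*`, so the step that selected the subkey (gpg's `key 1` command) was cut from the transcript; add it, otherwise a reader following the page changes the primary key's expiry instead. The second transcript also lacks the `gpg --edit-key EXAMPLEKEY` command line that the first one has. Minor points: `toggleing` should be `toggling`, `Check` in `Now to see if this did the trick, Check the signatures again` should be lower-case, and it would help to say that the `3` entered at `Key is valid for?` is arbitrary because it is reverted to `0` in the next step. The visible effect of the workaround is that the subkey binding signature is re-issued, its date moving from 2019-02-09 to 2022-06-23 in the final `--check-sigs` output; the text should state that explicitly.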
Line 142: Line 254:
 <code> <code>
 gpg: WARNING: no command supplied.  Trying to guess what you mean ... gpg: WARNING: no command supplied.  Trying to guess what you mean ...
-pub   rsa2048 2020-02-09 [SC]+pub   rsa2048 2019-02-09 [SC]
       FF7EB12345CBCA81256B28C70447A2B8C3FAC3BD       FF7EB12345CBCA81256B28C70447A2B8C3FAC3BD
 uid           EXAMPLEKEY uid           EXAMPLEKEY
-sub   rsa2048 2020-02-09 [E]+sub   rsa2048 2019-02-09 [E]
 </code> </code>
  
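Review bot: the fingerprint in this block, `FF7EB12345CBCA81256B28C70447A2B8C3FAC3BD`, does not match the one printed for the same key ID elsewhere on the page (`FF7E B743 48CB CA81 256B 28C7 0447 A2B8 C3FA C3BD` in the edit-key and `--check-sigs` output); since the date was corrected to 2019-02-09 to match those listings, correct the fingerprint as well, or the sentence that follows about the key ID matching the fingerprint points readers at inconsistent examples.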
Line 178: Line 290:
 As you can see the key ID should be the same as the number in the pub part of the gpg key, and are the same as the last 8 digits in the full key ID. As you can see the key ID should be the same as the number in the pub part of the gpg key, and are the same as the last 8 digits in the full key ID.
  
 +===== check an rpm signed with the old SHA1 key =====
 +Now you migt think, "hold on, the last comment says: //**RSA/SHA1 Signature**// and the installed gpg key is now SHA512."
  
 +But if we test before installing: \\
 +''%%rpm -K filename.rpm%%''
  
 +It says OK:
 +<code>
 +filename.rpm: digests OK
 +</code>
  
  
- +<note warning>Ah thats a shame: Error: **GPG check FAILED** </note>
- +
- +
- +
  
 ===== Bronnen ===== ===== Bronnen =====
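Review bot: `rpm -K filename.rpm` here prints only `digests OK` and nothing about signatures, so `It says OK` overstates what was verified: the digest check passed and no signature verification is reported, which is consistent with the `GPG check FAILED` in the note that follows. Say so explicitly and show `rpm -Kv filename.rpm`, whose verbose output lists the signature lines separately from the digest lines. Also `migt` should be `might`, `thats` should be `that's`, and the sentence `the installed gpg key is now SHA512` conflicts with the command earlier in this diff that was changed to `--cert-digest-algo sha256`. The closing `<note warning>` records only `GPG check FAILED`, so the section ends without a conclusion; state what that outcome means for the procedure or mark the section as unresolved.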
werkinstructies/gpg_key_resign.1655989142.txt.gz · Last modified: 2022/06/23 14:59 by abel