Gebruikershulpmiddelen

Site-hulpmiddelen

Spoor: gpg_key_resign gitlab_runners x11_display_forwarding
werkinstructies:gpg_key_resign

Verschillen

Dit geeft de verschillen weer tussen de geselecteerde revisie en de huidige revisie van de pagina.

Link naar deze vergelijking

Beide kanten vorige revisie Vorige revisie
Volgende revisie 		Vorige revisie
werkinstructies:gpg_key_resign [2022/06/23 15:06]
abel [Resign the secret key] 		werkinstructies:gpg_key_resign [2022/08/03 11:27] (huidige)
abel [Resign the secret key]
Regel 6: Regel 6:
 The packages in a repository are signed with the SHA1 signed key, now we resign the gpg key it self but the signage on the package is still valid. (hopefully) The packages in a repository are signed with the SHA1 signed key, now we resign the gpg key it self but the signage on the package is still valid. (hopefully)
  
 +importing the SHA1 gpg key to rpm will trow an error:\\
 +
 +''%%sudo rpm --import EXAMPLEKEY-SHA1-public.gpg%%''
 +<code>
 +error: EXAMPLEKEY-SHA1-public.gpg: key 1 import failed.
 +</code>
 ===== get the original keys ===== ===== get the original keys =====
  
Regel 64: Regel 70:
  
 Do this by: \\ Do this by: \\
-''%%gpg --cipher-algo IDEA --cert-digest-algo sha512 --expert --edit-key secret-key.gpg%%''+''%%gpg --cipher-algo IDEA --cert-digest-algo sha256 --expert --edit-key secret-key.gpg%%''
  
 <code> <code>
Regel 72: Regel 78:
  
 sec  rsa2048/0447A2B8C3FAC3BD sec  rsa2048/0447A2B8C3FAC3BD
-     created: 2016-02-09  expires: never       usage: SC+     created: 2019-02-09  expires: never       usage: SC
      trust: unknown       validity: unknown      trust: unknown       validity: unknown
 ssb  rsa2048/5CA7D2244AEACD3A ssb  rsa2048/5CA7D2244AEACD3A
-     created: 2016-02-09  expires: never       usage: E+     created: 2019-02-09  expires: never       usage: E
 [ unknown] (1). EXAMPLEKEY [ unknown] (1). EXAMPLEKEY
 </code> </code>
Regel 84: Regel 90:
  
 sec  rsa2048/0447A2B8C3FAC3BD sec  rsa2048/0447A2B8C3FAC3BD
-     created: 2016-02-09  expires: never       usage: SC+     created: 2019-02-09  expires: never       usage: SC
      trust: unknown       validity: unknown      trust: unknown       validity: unknown
  Primary key fingerprint: FF7E B743 48CB CA81 256B  28C7 0447 A2B8 C3FA C3BD  Primary key fingerprint: FF7E B743 48CB CA81 256B  28C7 0447 A2B8 C3FA C3BD
Regel 102: Regel 108:
 <code> <code>
 gpg> save gpg> save
 +</code>
  
 +===== public key signage propagation workaround =====
 +
 +At this point there is still a problem with the sub keys, they are somehow not updated. You can see this when uoy check the signatures:\\
 +
 +''%%gpg --check-sigs%%''
 +
 +<code>
 +gpg: checking the trustdb
 +gpg: no ultimately trusted keys found
 +/home/abel/.gnupg/pubring.kbx
 +-----------------------------
 +pub   rsa2048 2019-02-09 [SC]
 +      FF7EB74348CBCA81256B28C70447A2B8C3FAC3BD
 +uid           [ unknown] EXAMPLEKEY
 +sig!3        0447A2B8C3FAC3BD 2019-02-09  EXAMPLEKEY
 +sig!3        0447A2B8C3FAC3BD 2022-06-23  EXAMPLEKEY
 +sub   rsa2048 2019-02-09 [E]
 +sig!         0447A2B8C3FAC3BD 2019-02-09  EXAMPLEKEY
 +
 +gpg: 3 good signatures
 </code> </code>
 +the last signature was set at 2019-02-09.
  
-At this point there is still a problem with the sub keys, they are somehow not updated, fix this by toggleing the expiration date: \\+fix this by toggleing the expiration date: \\
 ''%%gpg --edit-key EXAMPLEKEY%%'' ''%%gpg --edit-key EXAMPLEKEY%%''
  
Regel 144: Regel 172:
 </code> </code>
 And save: And save:
-,code>+<code>
 gpg> save gpg> save
 </code> </code>
  
-Edit opnieuwen verwijder de expiration weer:+Edit againand remove the expiration:
 <code> <code>
 gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc. gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc.
Regel 189: Regel 217:
 </code> </code>
  
-Check the signatures: ''%%gpg --check-sigs%%''+Now to see if this did the trick, Check the signatures again\\ ''%%gpg --check-sigs%%''
  
 <code> <code>
Regel 202: Regel 230:
 sig!3        0447A2B8C3FAC3BD 2022-06-23  EXAMPLEKEY sig!3        0447A2B8C3FAC3BD 2022-06-23  EXAMPLEKEY
 sub   rsa2048 2019-02-09 [E] sub   rsa2048 2019-02-09 [E]
-sig!         0447A2B8C3FAC3BD 2019-02-09  EXAMPLEKEY+sig!         0447A2B8C3FAC3BD 2022-06-23  EXAMPLEKEY
  
 gpg: 3 good signatures gpg: 3 good signatures
Regel 226: Regel 254:
 <code> <code>
 gpg: WARNING: no command supplied.  Trying to guess what you mean ... gpg: WARNING: no command supplied.  Trying to guess what you mean ...
-pub   rsa2048 2020-02-09 [SC]+pub   rsa2048 2019-02-09 [SC]
       FF7EB12345CBCA81256B28C70447A2B8C3FAC3BD       FF7EB12345CBCA81256B28C70447A2B8C3FAC3BD
 uid           EXAMPLEKEY uid           EXAMPLEKEY
-sub   rsa2048 2020-02-09 [E]+sub   rsa2048 2019-02-09 [E]
 </code> </code>
  
Regel 262: Regel 290:
 As you can see the key ID should be the same as the number in the pub part of the gpg key, and are the same as the last 8 digits in the full key ID. As you can see the key ID should be the same as the number in the pub part of the gpg key, and are the same as the last 8 digits in the full key ID.
  
 +===== check an rpm signed with the old SHA1 key =====
 +Now you migt think, "hold on, the last comment says: //**RSA/SHA1 Signature**// and the installed gpg key is now SHA512."
  
 +But if we test before installing: \\
 +''%%rpm -K filename.rpm%%''
  
 +It says OK:
 +<code>
 +filename.rpm: digests OK
 +</code>
  
  
- +<note warning>Ah thats a shame: Error: **GPG check FAILED** </note>
- +
- +
- +
  
 ===== Bronnen ===== ===== Bronnen =====
werkinstructies/gpg_key_resign.1655989619.txt.gz · Laatst gewijzigd: 2022/06/23 15:06 door abel

Paginahulpmiddelen

Tenzij anders vermeld valt de inhoud van deze wiki onder de volgende licentie: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki