Gebruikershulpmiddelen
Dit is een oude revisie van het document!
Inhoud
Resign a GPG key for rpm
the reason why
In RHEL9 the rpm system no longer accepts SHA1 signed gpg keys. This is because OpenSSL, which is used in compilation of gpg, no longer accepts SHA1, and has a minimum requirement of SHA512.
The packages in a repository are signed with the SHA1 signed key, now we resign the gpg key it self but the signage on the package is still valid. (hopefully)
get the original keys
On the system where the keys were originally made with gpg --gen-key.
List the private keys on the system: gpg --list-secret-keys
/root/.gnupg/pubring.gpg ------------------------ sec 2048R/C3FAC3BD 2019-02-09 uid EXAMPLEKEY ssb 2048R/4AEACD3A 2019-02-09
Export the key with :
gpg --export-secret-keys C3FAC3BD >secret-key.gpg
Or copy the entire directory ~/.gnupg to the other system and adjust the owner and group of the files.
Import the private keys
On the new system you need to import the private key, transport the exported key to the system you want to use it on.
First install some software you need:
dnf install -y pinentry
Then import the key with:
gpg --import secret-key.gpg
When prompted enter the passphrase or “pin” for the secret key.
┌───────────────────────────────────────────────────────────────┐ │ Please enter the passphrase to import the OpenPGP secret key: │ │ "EXAMPLEKEY" │ │ 2048-bit RSA key, ID 0447A2B8C3FAC3BD, │ │ created 2016-02-09. │ │ │ │ │ │ Passphrase: _________________________________________________ │ │ │ │ <OK> <Cancel> │ └───────────────────────────────────────────────────────────────┘
gpg: key 0447A2B8C3FAC3BD: "EXAMPLEKEY" not changed gpg: key 0447A2B8C3FAC3BD: secret key imported gpg: Total number processed: 1 gpg: unchanged: 1 gpg: secret keys read: 1 gpg: secret keys imported: 1
Resign the secret key
Do this by:
gpg --cipher-algo IDEA --cert-digest-algo sha512 --expert --edit-key secret-key.gpg
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa2048/0447A2B8C3FAC3BD
created: 2016-02-09 expires: never usage: SC
trust: unknown validity: unknown
ssb rsa2048/5CA7D2244AEACD3A
created: 2016-02-09 expires: never usage: E
[ unknown] (1). EXAMPLEKEY
gpg> sign
"RWSBUILD" was already signed by key 0447A2B8C3FAC2BD
Do you want to sign it again anyway? (y/N) y
sec rsa2048/0447A2B8C3FAC3BD
created: 2016-02-09 expires: never usage: SC
trust: unknown validity: unknown
Primary key fingerprint: FF7E B743 48CB CA81 256B 28C7 0447 A2B8 C3FA C3BD
EXAMPLEKEY
Are you sure that you want to sign this key with your
key "EXAMPLEKEY" (0447A2B8C3FAC3BD)
This will be a self-signature.
Really sign? (y/N) y
In the test popup, set the pin to the same it was before.
And save:
gpg> save
public key signage propagation workaround
At this point there is still a problem with the sub keys, they are somehow not updated. You can see this when uoy check the signatures:
gpg --check-sigs
gpg: checking the trustdb
gpg: no ultimately trusted keys found
/home/abel/.gnupg/pubring.kbx
-----------------------------
pub rsa2048 2019-02-09 [SC]
FF7EB74348CBCA81256B28C70447A2B8C3FAC3BD
uid [ unknown] EXAMPLEKEY
sig!3 0447A2B8C3FAC3BD 2019-02-09 EXAMPLEKEY
sig!3 0447A2B8C3FAC3BD 2022-06-23 EXAMPLEKEY
sub rsa2048 2019-02-09 [E]
sig! 0447A2B8C3FAC3BD 2019-02-09 EXAMPLEKEY
gpg: 3 good signatures
the last signature was set at 2019-02-09.
fix this by toggleing the expiration date:
gpg --edit-key EXAMPLEKEY
gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
gpg: checking the trustdb
gpg: no ultimately trusted keys found
sec rsa2048/0447A2B8C3FAC3BD
created: 2019-02-09 expires: never usage: SC
trust: unknown validity: unknown
ssb rsa2048/5CA7D2244AEACD3A
created: 2019-02-09 expires: never usage: E
[ unknown] (1). EXAMPLEKEY
gpg> expire
Changing expiration time for a subkey.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 3
Key expires at Sun 26 Jun 2022 02:56:28 PM CEST
Is this correct? (y/N) y
sec rsa2048/0447A2B8C3FAC3BD
created: 2019-02-09 expires: never usage: SC
trust: unknown validity: unknown
ssb* rsa2048/5CA7D2244AEACD3A
created: 2019-02-09 expires: 2022-06-26 usage: E
[ unknown] (1). EXAMPLEKEY
And save:
gpg> save
Edit again, and remove the expiration:
gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
gpg: checking the trustdb
gpg: no ultimately trusted keys found
sec rsa2048/0447A2B8C3FAC3BD
created: 2019-02-09 expires: never usage: SC
trust: unknown validity: unknown
ssb* rsa2048/5CA7D2244AEACD3A
created: 2019-02-09 expires: 2022-06-26 usage: E
[ unknown] (1). EXAMPLEKEY
gpg> expire
Changing expiration time for a subkey.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
sec rsa2048/0447A2B8C3FAC3BD
created: 2019-02-09 expires: never usage: SC
trust: unknown validity: unknown
ssb rsa2048/5CA7D2244AEACD3A
created: 2019-02-09 expires: never usage: E
[ unknown] (1). EXAMPLEKEY
And save again:
gpg> save
Now to see if this did the trick, Check the signatures again:
gpg --check-sigs
gpg: checking the trustdb
gpg: no ultimately trusted keys found
/home/abel/.gnupg/pubring.kbx
-----------------------------
pub rsa2048 2019-02-09 [SC]
FF7EB74348CBCA81256B28C70447A2B8C3FAC3BD
uid [ unknown] EXAMPLEKEY
sig!3 0447A2B8C3FAC3BD 2019-02-09 EXAMPLEKEY
sig!3 0447A2B8C3FAC3BD 2022-06-23 EXAMPLEKEY
sub rsa2048 2019-02-09 [E]
sig! 0447A2B8C3FAC3BD 2022-06-23 EXAMPLEKEY
gpg: 3 good signatures
Use the public key
Export the public gpg key for use in rpm:
gpg --output EXAMPLEKEY-SHA512-public.pgp --armor --export EXAMPLEKEY
Then import this gpg key to rpm on a clean system:
sudo rpm --import EXAMPLEKEY-SHA512-public.pgp
check if an rpm is signed with the same key
download the public key from the repository: curl https://<repourl>/gpg_key_content -o retreived-gpg-pub.key
display some content op the key: gpg retreived-gpg-pub.key
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa2048 2019-02-09 [SC]
FF7EB12345CBCA81256B28C70447A2B8C3FAC3BD
uid EXAMPLEKEY
sub rsa2048 2019-02-09 [E]
list the signature from the rpm file: rpm -qip –nosignature example.rpm | grep Signature
Signature : RSA/SHA2, Wed 15 Jun 2022 02:19:41 PM CEST, Key ID 0447a2b8c3fac3bd
the last 16 characters of the long HEX number in the gpg output should match the characters in the signature of the rpm (albeit lower case)
alternative method
After importing the public key : gpg --list-keys
/root/.gnupg/pubring.gpg ------------------------ pub 2048R/C3FAC3BD 2019-02-09 uid EXAMPLEKEY sub 2048R/4AEACD3A 2019-02-09
rpm --checksig filename.rpm
./filename.rpm:
Header V4 RSA/SHA1 Signature, key ID c3fac3bd: OK
Header SHA1 digest: OK (07ae83890795d12adc57c39d32bc7166ed4727a6)
V4 RSA/SHA1 Signature, key ID c3fac3bd: OK
MD5 digest: OK (378df6a644641074b949460c22bf941f)
As you can see the key ID should be the same as the number in the pub part of the gpg key, and are the same as the last 8 digits in the full key ID.
Bronnen
Paginahulpmiddelen
