Re: Expired key for signed checksums
- In reply to: Davíð Steinn Geirsson : "Re: Expired key for signed checksums"
Date: Wed, 15 Dec 2021 22:38:48 UTC
Davíð Steinn Geirsson wrote this message on Tue, Dec 14, 2021 at 11:15 +0000:
> On Sun, Dec 12, 2021 at 08:40:23PM +0000, Pat via freebsd-security wrote:
> > ------------------- Original Message -------------------
> > On Thursday, November 4, 2021 7:17 PM, Glen Barber <gjb@freebsd.org> wrote:
> >
> > > On Thu, Nov 04, 2021 at 07:01:50PM +0000, Pat via freebsd-security wrote:
> > >
> > > > Hello,
> > > > I am trying to verify the signed checksum file for FreeBSD 13, but the key that
> > > > gets checked is showing to be expired:
> > > > $ gpg --keyserver-options auto-key-retrieve \
> > > > --keyserver hkps://keyserver.ubuntu.com:443 \
> > > > --verify CHECKSUM.SHA256-FreeBSD-13.0-RELEASE-amd64.asc
> > > > gpg: Signature made Tue Apr 13 10:45:44 2021 CDT
> > > > gpg: using RSA key 8D12403C2E6CAB086CF64DA3031458A5478FE293
> > > > gpg: requesting key 031458A5478FE293 from hkps server keyserver.ubuntu.com
> > > > gpg: key 524F0C37A0B946A3: 76 signatures not checked due to missing keys
> > > > gpg: key 524F0C37A0B946A3: public key "Glen Barber gjb@FreeBSD.org" imported
> > > > gpg: no ultimately trusted keys found
> > > > gpg: Total number processed: 1
> > > > gpg: imported: 1
> > > > gpg: Good signature from "Glen Barber gjb@FreeBSD.org" [expired]
> > > > gpg: aka "Glen Barber glen.j.barber@gmail.com" [expired]
> > > > gpg: aka "Glen Barber gjb@keybase.io" [expired]
> > > > gpg: aka "Glen Barber gjb@glenbarber.us" [expired]
> > > > gpg: Note: This key has expired!
> > > > Primary key fingerprint: 78B3 42BA 26C7 B2AC 681E A7BE 524F 0C37 A0B9 46A3
> > > > Subkey fingerprint: 8D12 403C 2E6C AB08 6CF6 4DA3 0314 58A5 478F E293
> > > > It does not matter what keyserver I try, I get the same expiration message. Yet
> > > > I see the key expiration was bumped[0]. How would I go about getting the updated
> > > > key? Or am I just going about this all wrong?
> > > >
> > > https://docs.freebsd.org/en/articles/pgpkeys/#_glen_barber_gjbfreebsd_org
> > >
> > > Glen
> >
> > Thank you Glen, and apologies for the extreme delay in acknowledging
> > your reply and my success at importing the key. I do appreciate you
> > having taken the time to reply, despite taking five weeks to say that.
> >
> > :)
> >
> > I think the website could use some better guidance on this.
>
> That page has a lot of keys for a lot of people. Are they all trusted to
> sign FreeBSD releases?
>
> Assuming that they're not, it would be great if the signatures page were
> updated to include a list of keys that are expected to sign a release.
> https://www.freebsd.org/releases/13.0R/signatures/
>
> I say this because I had problems finding this as well when writing our
> deployment automation. It's the reason why I did not automate grabbing
> new releases and verifying them, and still leave that as a manual human
> step.

Yeah, I recently updated snapaid.sh to point to the new location.
https://funkthat.com/gitea/jmg/snapaid

I do wish there was better guidance on this as well. Because if/when the
existing signing key is compromised, there is not a documented way (that
I know of) to handle updating all the past release's signatures to the
new, uncompromised key. Because if/when the existing key is compromised,
it's easy to sign a new announcement that verifies w/ hashes of
compromised images.

-- 
John-Mark Gurney				Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
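Two problems come up in this thread for anyone automating release verification: gpg's human-readable output still says "Good signature" for an expired key (only the trailing "[expired]" and the "Note:" line differ), and the signatures page does not say which key is expected. The script below is an added example, not part of the thread and not snapaid.sh; it reads gpg's machine-readable `--status-fd` lines instead of the text above, treats `EXPKEYSIG`/`REVKEYSIG`/`BADSIG` as failures, and pins the primary-key fingerprint. The pinned value is the primary fingerprint gpg printed in Pat's message; that it is the right key to expect for a release is exactly the assumption Davíð says is undocumented, so treat it as a placeholder. The sample status lines are constructed to match what gpg emits for the expired and the refreshed key; `verify_checksum_file` assumes gpg is installed and the `.asc` file is in the current directory.

```shell
#!/bin/sh
# Added example: decide release-signature validity from gpg --status-fd
# output rather than from the "Good signature ... [expired]" text.

# Primary fingerprint printed by gpg in the thread (spaces removed).
# Assumption/placeholder: whether this is the expected release key is
# not documented on the signatures page, as the thread points out.
EXPECTED_PRIMARY_FPR="78B342BA26C7B2AC681EA7BE524F0C37A0B946A3"

# check_status EXPECTED_FPR: read "[GNUPG:] ..." lines on stdin.
# Returns 0 only if a GOODSIG line is present, no failure keyword
# (EXPKEYSIG, REVKEYSIG, BADSIG, ERRSIG, EXPSIG) appears, and the
# VALIDSIG line's last field (the primary-key fingerprint) matches.
# Return codes: 2 = signature/key rejected, 3 = no GOODSIG,
# 4 = fingerprint mismatch.
check_status() {
    expected=$1
    good=0; bad=0; primary=""
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            GOODSIG) good=1 ;;
            EXPKEYSIG|REVKEYSIG|BADSIG|ERRSIG|EXPSIG) bad=1 ;;
            VALIDSIG)
                # last whitespace-separated field is the primary key fpr
                primary=${rest##* }
                ;;
        esac
    done
    [ "$bad" -eq 0 ] || return 2
    [ "$good" -eq 1 ] || return 3
    [ "$primary" = "$expected" ] || return 4
    return 0
}

# verify_checksum_file FILE.asc: run gpg with status lines on stdout and
# feed them to check_status. Human-readable output is discarded; the
# pipeline's exit status is check_status's return code.
verify_checksum_file() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null \
        | check_status "$EXPECTED_PRIMARY_FPR"
}

# Constructed sample: status lines gpg emits for the expired key in the thread.
EXPIRED_STATUS='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 031458A5478FE293 Glen Barber <gjb@FreeBSD.org>
[GNUPG:] VALIDSIG 8D12403C2E6CAB086CF64DA3031458A5478FE293 2021-04-13 1618328744 0 4 0 1 10 00 78B342BA26C7B2AC681EA7BE524F0C37A0B946A3
[GNUPG:] KEYEXPIRED 1634226160'

# Constructed sample: the same signature after importing the key with its
# extended expiry from the pgpkeys article.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 031458A5478FE293 Glen Barber <gjb@FreeBSD.org>
[GNUPG:] VALIDSIG 8D12403C2E6CAB086CF64DA3031458A5478FE293 2021-04-13 1618328744 0 4 0 1 10 00 78B342BA26C7B2AC681EA7BE524F0C37A0B946A3
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Usage: ./verify.sh CHECKSUM.SHA256-FreeBSD-13.0-RELEASE-amd64.asc
if [ $# -gt 0 ]; then
    if verify_checksum_file "$1"; then
        echo "OK: signed by pinned release key"
    else
        echo "REJECTED: rc=$?" >&2
        exit 1
    fi
fi
```

Because the decision is made on `VALIDSIG`'s primary fingerprint rather than on the key ID or user ID, a different key that merely carries the same "Glen Barber" user ID is rejected, and an expired key fails closed even though gpg's text output still reads "Good signature". Swapping the pinned fingerprint is the one step that a documented list of expected release-signing keys would make auditable.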