Sign with the main key, not subkey (#3023)
## Description
The keyring uploaded to buddy had some subkeys and the keygrip used in dist-build.sh was for a subkey. While there are no errors while signing, centos/rhel < 8 has an older rpm (4.11.3) which cannot process subkeys.

## Related Issue
TykTechnologies/internal#77

## Motivation and Context
Customers on centos 7 who care about the signature have complained.

## How This Has Been Tested
1. Built a clean centos 7 image and installed a package signed with the old key
1. Updated `tyk-tyk_gateway.repo` to use the new pubkey
1. Updated the package to a new version signed by the new key

## Screenshots (if appropriate)

## Types of changes
<!-- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)

## Checklist
<!-- Go over all the following points, and put an `x` in all the boxes that apply -->
<!-- If you're unsure about any of these, don't hesitate to ask; we're here to help! -->
- [x] Make sure you are requesting to **pull a topic/feature/bugfix branch** (right side). If pulling from your own
      fork, don't request your `master`!
- [x] Make sure you are making a pull request against the **`master` branch** (left side). Also, you should start
      *your branch* off *our latest `master`*.
- [ ] My change requires a change to the documentation.
  - [ ] If you've changed APIs, describe what needs to be updated in the documentation.
- [ ] I have updated the documentation accordingly.
- [ ] Modules and vendor dependencies have been updated; run `go mod tidy && go mod vendor`
- [ ] I have added tests to cover my changes.
- [x] All new and existing tests passed.
- [ ] Check your code additions will not fail linting checks:
  - [ ] `go fmt -s`
  - [ ] `go vet`

## Deployment checklist
- [ ] gw unstable
- [ ] gw stable
- [ ] db unstable
- [ ] db stable
- [ ] pump stable
- [ ] pump unstable
alephnull committed Apr 17, 2020
1 parent 7bffb5d commit 031e373
Showing 2 changed files with 11 additions and 6 deletions.
15 changes: 10 additions & 5 deletions README.signatures
Expand Up @@ -4,15 +4,20 @@ tl;dr
RHEL does not support signing RPMs with subkeys. This is supposedly
fixed in RHEL 8. Thus, we use the same key to sign rpms and debs.

It is best to have a key with _no_ subkeys as RPM seems to process
these type of keyrings incorrectly.

These keys DO NOT expire.

Fingerprints:
Keygrip:
Main key : 12B5D62C28F57592D1575BD51ED14C59E37DAC20
Signing subkey (deb) : 9ADE11DA6DD70355E7C1C270543ABE02AC6AC40A
Signing subkey (unused) : 9A4FA354841E41E39A49A461B34B3EF69DCBD7FE

These fingerprints above should match between this document and your
keyring. The other numbers in the gpg output will probably not match.
This fingerprints above should match between this document and your
keyring. The other numbers in the gpg output below will probably not
match.

This keygrip corresponds to the cache_id for the gpg passphrase
seeding.

Verification
============
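Review bot: the rewritten paragraph ("This fingerprints above should match between this document and your keyring") still calls the three listed values fingerprints even though the heading directly above them was changed from "Fingerprints:" to "Keygrip:", and "This fingerprints" is ungrammatical; suggest "These keygrips above should match between this document and your keyring" so a reader knows to compare them against `gpg --list-keys --with-keygrip` output rather than against key fingerprints. The same hunk says it is best to have a key with no subkeys, yet the list still documents a "Signing subkey (deb)"; since the tl;dr now states "we use the same key to sign rpms and debs", either mark that subkey as unused as well or state that it is kept only so previously signed debs still verify.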
2 changes: 1 addition & 1 deletion bin/dist_build.sh
Expand Up @@ -4,7 +4,7 @@ set -ex

: ${ORGDIR:="/go/src/github.com/TykTechnologies"}
: ${SOURCEBINPATH:="${ORGDIR}/tyk"}
: ${SIGNKEY:="9ADE11DA6DD70355E7C1C270543ABE02AC6AC40A"}
: ${SIGNKEY:="12B5D62C28F57592D1575BD51ED14C59E37DAC20"}
: ${BUILDPKGS:="1"}
: ${SIGNPKGS:="1"}
: ${PKGNAME:="tyk-gateway"}
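Review bot: `: ${SIGNKEY:="12B5D62C..."}` only applies the new default when SIGNKEY is unset or empty, so any build environment or CI job that still exports the old subkey keygrip (9ADE11DA6DD70355E7C1C270543ABE02AC6AC40A) will keep signing with the subkey and, as the description notes, nothing in the signing step reports an error. Suggest echoing the effective SIGNKEY near the top of the script and failing fast when it is not the Main key keygrip documented in README.signatures, e.g. `[ "$SIGNKEY" = "12B5D62C28F57592D1575BD51ED14C59E37DAC20" ] || { echo "SIGNKEY is not the main key" >&2; exit 1; }`, or at minimum rejecting the two subkey keygrips listed in that file.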
