Debian repository signing key expired #2618

Closed
TimWolla opened this issue Dec 17, 2015 · 6 comments
@TimWolla

The signing key of the Debian repository (as explained here: https://software.opensuse.org/download.html?project=shells%3Afish%3Arelease%3A2&package=fish) expired today (note the arrow):

[timwolla@/tmp]pgpdump (curl -L http://download.opensuse.org/repositories/shells:fish:release:2/Debian_8.0/Release.key |psub)                                                                                00:05:55
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   386  100   386    0     0   2921      0 --:--:-- --:--:-- --:--:--  2924
100   387  100   387    0     0   2013      0 --:--:-- --:--:-- --:--:--  2013
100   388  100   388    0     0   1553      0 --:--:-- --:--:-- --:--:--  1553
100  1093  100  1093    0     0   3534      0 --:--:-- --:--:-- --:--:--  3534
Old: Public Key Packet(tag 6)(269 bytes)
    Ver 4 - new
    Public key creation time - Tue Oct  8 17:16:53 CEST 2013
    Pub alg - RSA Encrypt or Sign(pub 1)
    RSA n(2048 bits) - ...
    RSA e(17 bits) - ...
Old: User ID Packet(tag 13)(56 bytes)
    User ID - shells:fish OBS Project <shells:fish@build.opensuse.org>
Old: Signature Packet(tag 2)(316 bytes)
    Ver 4 - new
    Sig type - Positive certification of a User ID and Public Key packet(0x13).
    Pub alg - RSA Encrypt or Sign(pub 1)
    Hash alg - SHA1(hash 2)
    Hashed Sub: signature creation time(sub 2)(4 bytes)
        Time - Tue Oct  8 17:16:53 CEST 2013
    Hashed Sub: key flags(sub 27)(1 bytes)
        Flag - This key may be used to certify other keys
        Flag - This key may be used to sign data
    Hashed Sub: key expiration time(sub 9)(4 bytes)
        Time - Thu Dec 17 16:16:53 CET 2015 <------------------------------------------------------ HERE
    Hashed Sub: preferred symmetric algorithms(sub 11)(5 bytes)
        Sym alg - AES with 256-bit key(sym 9)
        Sym alg - AES with 192-bit key(sym 8)
        Sym alg - AES with 128-bit key(sym 7)
        Sym alg - CAST5(sym 3)
        Sym alg - Triple-DES(sym 2)
    Hashed Sub: preferred hash algorithms(sub 21)(3 bytes)
        Hash alg - SHA1(hash 2)
        Hash alg - SHA256(hash 8)
        Hash alg - RIPEMD160(hash 3)
    Hashed Sub: preferred compression algorithms(sub 22)(3 bytes)
        Comp alg - ZLIB <RFC1950>(comp 2)
        Comp alg - BZip2(comp 3)
        Comp alg - ZIP <RFC1951>(comp 1)
    Hashed Sub: features(sub 30)(1 bytes)
        Flag - Modification detection (packets 18 and 19)
    Hashed Sub: key server preferences(sub 23)(1 bytes)
        Flag - No-modify
    Sub: issuer key ID(sub 16)(8 bytes)
        Key ID - 0x2CE2AC08D880C8E4
    Hash left 2 bytes - 31 82 
    RSA m^d mod n(2048 bits) - ...
        -> PKCS-1
Old: Signature Packet(tag 2)(70 bytes)
    Ver 4 - new
    Sig type - Positive certification of a User ID and Public Key packet(0x13).
    Pub alg - DSA Digital Signature Algorithm(pub 17)
    Hash alg - SHA1(hash 2)
    Hashed Sub: signature creation time(sub 2)(4 bytes)
        Time - Tue Oct  8 17:16:53 CEST 2013
    Sub: issuer key ID(sub 16)(8 bytes)
        Key ID - 0x3B3011B76B9D6523
    Hash left 2 bytes - 62 0e 
    DSA r(159 bits) - ...
    DSA s(160 bits) - ...
        -> hash(DSA q bits)
@zanchey
Member

zanchey commented Dec 17, 2015

So it did!

I've run osc signkey --extend shells:fish, but I'm not sure if that's enough. I'll give it a little time to take effect.

@zanchey zanchey self-assigned this Dec 17, 2015
@zanchey
Member

zanchey commented Dec 19, 2015

It wasn't enough - I have run osc buildpac in an attempt to rebuild the repositories.

@TimWolla
Author

@zanchey After redownloading the key everything is fine (is there a way to verify this new key against the old one?).

@zanchey
Member

zanchey commented Dec 19, 2015

It's the same key, just with a different expiry date.
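
The point made in this thread, that extending the expiry leaves the key itself unchanged, follows from the packet layout in the pgpdump output: the v4 fingerprint hashes only the public key packet (tag 6), while the expiration is subpacket 9 of the self-signature (tag 2). The following is an added Python example, not part of the original thread or the fish project; it assumes binary (de-armored) input with old-format packet headers, verifies no signatures, and `sample_key` builds constructed toy data using the creation time and 800-day lifetime shown in the dump.

```python
import hashlib
import struct
CREATED = 1381245413  # key creation time from the pgpdump output, as Unix time

def packets(data):
    """Yield (tag, body) for old-format packets (the ones pgpdump labels 'Old:')."""
    i = 0
    while i < len(data):
        if (data[i] & 0xC0) != 0x80 or (data[i] & 3) == 3:
            raise ValueError("only old-format, definite-length packets handled")
        tag, nlen = (data[i] >> 2) & 0x0F, 1 << (data[i] & 3)
        start = i + 1 + nlen
        i = start + int.from_bytes(data[i + 1:start], "big")
        yield tag, data[start:i]

def subpackets(area):
    """Yield (type, data) from a v4 signature subpacket area."""
    i = 0
    while i < len(area):
        n, i = area[i], i + 1
        if 192 <= n < 255:
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:
            n, i = int.from_bytes(area[i:i + 4], "big"), i + 4
        yield area[i] & 0x7F, area[i + 1:i + n]
        i += n

def describe(key):
    """Return (v4 fingerprint, expiry as Unix time or None). Verifies no signature."""
    fpr = created = expires = None
    for tag, body in packets(key):
        if tag == 6 and body[0] == 4:  # public key packet
            fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
            created = int.from_bytes(body[1:5], "big")
        elif tag == 2 and body[0] == 4 and created is not None:  # signature
            hashed = body[6:6 + int.from_bytes(body[4:6], "big")]
            for stype, sdata in subpackets(hashed):
                if stype == 9:  # key expiration time: seconds after creation
                    expires = created + int.from_bytes(sdata, "big")
    return fpr, expires

def sample_key(lifetime):
    """Constructed sample: toy RSA numbers and a self-signature stub with no signature."""
    key = b"\x04" + struct.pack(">I", CREATED) + b"\x01\x00\x08\xc5\x00\x05\x11"
    sub = b"\x05\x09" + struct.pack(">I", lifetime)  # subpacket 9, lifetime in seconds
    sig = b"\x04\x13\x01\x02" + struct.pack(">H", len(sub)) + sub + b"\x00\x00"
    return bytes([0x98, len(key)]) + key + bytes([0x88, len(sig)]) + sig

for days in (800, 1600):  # same fingerprint, different expiry
    print(days, *describe(sample_key(days * 86400)))
```

A matching fingerprint shows only that the key material is identical; whether the new expiry is genuine depends on the self-signature, which gpg checks when it imports the key.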

@zanchey zanchey closed this as completed Feb 7, 2016
@zanchey
Member

zanchey commented Jan 1, 2018

Thanks to the magic of at, I was reminded that the signing key expires in February. I've extended it again, although this time rather than rebuilding the whole package I added a dummy package and removed it again, which seems to have refreshed the repository metadata.

Hopefully openSUSE/open-build-service#1949 will get some attention between now and March 2020.

@zanchey
Member

zanchey commented Feb 6, 2020

Keys have been extended again, and in release:3/beta:3/nightly:master will be picked up automatically with the next package. Not sure what to do about release:2 - I can't remember how I generated the dummy package, now.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 6, 2020