
apt updates from apt.freedom.press silently failing due to key expiry #713

Closed
eloquence opened this issue Jul 1, 2021 · 5 comments

Comments

@eloquence
Member

Steps to reproduce

  1. Ensure your workstation is provisioned to prod
  2. Run sudo apt update in sd-small-buster-template

Expected behavior

Package index is updated

Actual behavior

apt prints an error:

The following signatures were invalid: EXPKEYSIG 310F561200F4AD77 SecureDrop Release Signing Key
...
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://apt.freedom.press buster Release: ...

The repo is dual-signed, but one of the keys expiring appears to be sufficient for apt to no longer consider the signature valid. apt exits 0, and our updater (which triggers updates via Salt) does not error out. However, given the output above, I am assuming updates we issue will no longer be successfully fetched or applied until we switch to the single valid signing key.

@eloquence eloquence added the bug label Jul 1, 2021
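The report above hinges on apt treating a signature-verification failure as a warning and still exiting 0, so an updater that only checks the exit status never notices that the index was not refreshed. The following is an added example, not code from this issue or from the SecureDrop project, showing one way an updater can catch this: capture apt's combined output and fail on the apt-secure error tokens (EXPKEYSIG, NO_PUBKEY, BADSIG) or the "signature verification" warning. The function names and the sample output are constructed for illustration; the sample is modelled on the error text quoted in the issue.

```shell
#!/bin/sh
# Added example (not from the issue): detect apt signature failures that apt
# reports only as warnings while still exiting 0.

# Returns 0 when the given apt output contains no signature-verification
# problems, 1 otherwise. Patterns cover apt-secure's tokens for expired keys
# (EXPKEYSIG), unknown keys (NO_PUBKEY) and bad signatures (BADSIG), plus the
# generic "signature verification" warning line.
apt_output_is_clean() {
    printf '%s\n' "$1" | grep -Eq 'EXPKEYSIG|NO_PUBKEY|BADSIG|signature verification' && return 1
    return 0
}

# Wrapper for real use (hypothetical helper): run apt-get update, keep apt's
# own exit status, and additionally fail when a signature warning appears,
# so callers such as a Salt-driven updater see a non-zero status.
checked_apt_update() {
    rc=0
    out=$(apt-get update 2>&1) || rc=$?
    printf '%s\n' "$out"
    [ "$rc" -eq 0 ] || return "$rc"
    apt_output_is_clean "$out"
}

# Constructed sample output modelled on the report: the index fetch fails
# because the signing key has expired, but apt only emits a W: line.
SAMPLE_EXPIRED='Hit:1 https://deb.debian.org/debian buster InRelease
Err:2 https://apt.freedom.press buster Release
  The following signatures were invalid: EXPKEYSIG 310F561200F4AD77 SecureDrop Release Signing Key
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://apt.freedom.press buster Release: The following signatures were invalid: EXPKEYSIG 310F561200F4AD77 SecureDrop Release Signing Key'

# Constructed sample of a healthy run for comparison.
SAMPLE_OK='Hit:1 https://deb.debian.org/debian buster InRelease
Hit:2 https://apt.freedom.press buster Release
Reading package lists...'

# Stand-alone demonstration on the constructed samples.
if apt_output_is_clean "$SAMPLE_OK"; then
    echo "healthy sample: no signature problems"
fi
if ! apt_output_is_clean "$SAMPLE_EXPIRED"; then
    echo "expired-key sample: signature problem detected"
fi
```

Using checked_apt_update in place of a bare apt-get update turns the silent failure described above into a hard error, which is the condition an updater should alert on rather than continuing with the previous index files.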
@sssoleileraaa
Contributor

sssoleileraaa commented Jul 1, 2021

I just want to note that the updater runs successfully without error on prod and the client seems to work fine, but still looking into reproing by following your steps. I can also verify this assumption after some more testing and report back here:

However, given the output above, I am assuming updates we issue will no longer be successfully fetched or applied until we switch to the single valid signing key.

@eloquence
Member Author

I'm still getting the EXPKEYSIG failure when running sudo apt update in sd-small-buster-template.

@eloquence
Member Author

Removing stale copies in /var/lib/apt/lists resolved it. Not sure why it did not fetch the new version automatically :/

@eloquence
Member Author

eloquence commented Jul 7, 2021

@zenmonkeykstop pushed a re-signed Release file (with a tiny modification to the Valid-Until field) to the release branch here:
https://github.com/freedomofpress/securedrop-debian-packages-lfs/tree/release

That means it's now available via apt-qa: https://apt-qa.freedom.press/

Switching my template to apt-qa, I can successfully run apt update and install packages; this is not a 100% valid test as it doesn't tell us that apt will correctly replace the stale Release file and signature once this change is live on apt.freedom.press, but since the timestamp on both files is now changed, I would expect so.

I would suggest opening a PR from release to main with this change.

SecureDrop Team Board automation moved this from SecureDrop Sprint #73 to Done Jul 8, 2021
@eloquence
Member Author

I can confirm that this was resolved via https://github.com/freedomofpress/securedrop-debian-packages-lfs/pull/56 ; templates that previously failed to update apt.freedom.press are now re-fetching the index and installing packages.
