Deploy pubkey onto a different server (T10573) #207

celticmagic opened this issue Aug 16, 2023 · 1 comment

Labels: Priority: Low (Low priority), Security (Security issue)

jo (@tekky), 2023-07-09 12:02:53 UTC

Just wondering whether it's a good idea to have the pubkey on the same server with the rest of the stuff.

But first things first. Please look over the output and confirm or deny the authenticity of the download.

```
[user@pc ~]$ rm -rf .gnupg
[user@pc ~]$ cd Downloads
[user@pc Downloads]$ gpg --verify Solus-4.4-Plasma.iso.sha256sum.sign Solus-4.4-Plasma.iso.sha256sum
gpg: directory '/home/user/.gnupg' created
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: Signature made Thu 06 Jul 2023 05:13:15 PM EEST
gpg:                using RSA key F5F6685CAF5559771D9CCB92618EB3600BD32D59
gpg:                issuer "releng@getsol.us"
gpg: Can't check signature: No public key
[user@pc Downloads]$ gpg --import solus-releng-pub.gpg
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key 618EB3600BD32D59: public key "Solus (Release & Engineering) <releng@getsol.us>" imported
gpg: Total number processed: 1
gpg:               imported: 1
[user@pc Downloads]$ gpg --list-keys
/home/user/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096 2023-07-02 [SC]
      F5F6685CAF5559771D9CCB92618EB3600BD32D59
uid           [ unknown] Solus (Release & Engineering) <releng@getsol.us>
sub   rsa4096 2023-07-02 [E]

[user@pc Downloads]$ gpg --verify Solus-4.4-Plasma.iso.sha256sum.sign Solus-4.4-Plasma.iso.sha256sum
gpg: Signature made Thu 06 Jul 2023 05:13:15 PM EEST
gpg:                using RSA key F5F6685CAF5559771D9CCB92618EB3600BD32D59
gpg:                issuer "releng@getsol.us"
gpg: Good signature from "Solus (Release & Engineering) <releng@getsol.us>" [unknown]
gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F5F6 685C AF55 5977 1D9C  CB92 618E B360 0BD3 2D59
[user@pc Downloads]$ sha256sum -c Solus-4.4-Plasma.iso.sha256sum
Solus-4.4-Plasma.iso: OK
[user@pc Downloads]$ sha256sum Solus-4.4-Plasma.iso
5b43ea5c99ed880bcf3822b1668f980b41fbc688a5cddca13aaba0c5989d4b57  Solus-4.4-Plasma.iso
[user@pc Downloads]$ b2sum Solus-4.4-Plasma.iso
669a41cffe1df715c5642b79b214dc8316d24a80d2907b8c33a4cd09f74d6305955cd1a412233d57f340eff1eb140849327e98e24dad658d82465e8cdd1a1a09  Solus-4.4-Plasma.iso
[user@pc Downloads]$
```

Is that what it should look like? Much appreciated in advance.
Silke (@silkeh), 2023-07-09 12:38:46 UTC

The correct key fingerprint is F5F6 685C AF55 5977 1D9C CB92 618E B360 0BD3 2D59, which matches your output.

> Just wondering whether it's a good idea to have the pubkey on the same server with the rest of the stuff.

It's not a bad idea per se (why would one piece of infra be compromised, but not another?). I do think we can store it somewhere else though. I'll update this task if we do.
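The point of the exchange above is that "Good signature ... [unknown]" only proves that the key just imported signed the file; what makes the check meaningful is comparing the fingerprint against one obtained out of band, as the reply does by hand. The following is an added example (not code from the Solus project or from either participant) that automates that comparison over gpg's machine-readable `--status-fd` output, using the fingerprint quoted in the thread as the pinned value; the sample status lines are constructed to mirror the session shown above.

```python
"""Pin the release-key fingerprint rather than trusting whatever key the mirror serves.

Added example, not code from the Solus project or the thread. gpg's "Good signature
... [unknown]" only says that *some* imported key signed the file; pinning a
fingerprint obtained out of band (here the one quoted in the thread) is what ties
the signature to the real release key even if the key file sat beside the ISO.
"""
import re
import subprocess

# Fingerprint quoted by the maintainer in the thread, in gpg's spaced form.
PINNED_FINGERPRINT = "F5F6 685C AF55 5977 1D9C CB92 618E B360 0BD3 2D59"

def normalize_fpr(fpr):
    """Drop grouping whitespace and upper-case so spaced and compact forms compare equal."""
    return re.sub(r"\s+", "", fpr).upper()

def signature_ok(status_lines, pinned=PINNED_FINGERPRINT):
    """True only if gpg emitted GOODSIG and a VALIDSIG whose signing-key or primary-key
    fingerprint equals the pinned one; BADSIG, EXPKEYSIG and REVKEYSIG never pass."""
    want = normalize_fpr(pinned)
    goodsig, fpr_match = False, False
    for line in status_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "GOODSIG":
            goodsig = True
        elif parts[1] == "VALIDSIG":
            # field 3 is the signing-key fingerprint; field 12, when present, the primary key's
            candidates = {parts[2]} | ({parts[11]} if len(parts) > 11 else set())
            fpr_match = want in {normalize_fpr(c) for c in candidates}
    return goodsig and fpr_match

def gpg_status_lines(sig_path, data_path):
    """Run the thread's gpg --verify command with machine-readable status lines on stdout."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True, check=False)
    return [ln for ln in proc.stdout.splitlines() if ln.startswith("[GNUPG:]")]

# Constructed status lines mirroring the thread's successful verification (key ID and fingerprint from the thread).
SAMPLE_GOOD = [
    "[GNUPG:] GOODSIG 618EB3600BD32D59 Solus (Release & Engineering) <releng@getsol.us>",
    "[GNUPG:] VALIDSIG F5F6685CAF5559771D9CCB92618EB3600BD32D59 2023-07-06 1688652795 0 4 0 1 8 00 "
    "F5F6685CAF5559771D9CCB92618EB3600BD32D59",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

if __name__ == "__main__":
    print("signed by the pinned release key:", signature_ok(SAMPLE_GOOD))  # True
```

On real files, `signature_ok(gpg_status_lines("Solus-4.4-Plasma.iso.sha256sum.sign", "Solus-4.4-Plasma.iso.sha256sum"))` performs the same check before you run `sha256sum -c`.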

@celticmagic celticmagic added the Priority: Low Low priority label Aug 16, 2023
@silkeh silkeh added the Security Security issue label Aug 17, 2023