-
-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GPG key expires on March the 30th #3457
Comments
You are correct @NotMyFault : the GPG key expiration is NOT covered by #3323.
Backstory: the current GPG key (3 year valid, ending the 30 March 2023) was generated as part of #1881, to handover the Jenkins releases from Kohsuke's fromer GPG key. Reference here: https://groups.google.com/g/jenkins-infra/c/c7m_72vUTXE/m/37zw9GXhAQAJ. We can either extend the expiration date or create a new key: both will have the same impact on users who will need to import the new/extended key:
|
Extending the existing key's life span by 3 years sounds solid to me. Not too long, but not too short either, to renew keys on the consumer's end too frequently. The changelogs starting with 2.398 and 2.387.2 onwards have to declare that keys have changed and importing the new ones is mandatory. |
I would also extend the gpg key for three years. If you plan to regenerate a new one then you'll need to communicate about it |
Extending the gpg key also requires communication because end users need to reimport it to get extended date alas |
A new GPG key was generated for the Jenkins project with the following attributes:
This new key has been inserted into the Azure Release Vault, with a secret name Next step:
|
Adding the new public key (with another name to avoid replacing the current one) to pkg.jenkins.io: jenkins-infra/jenkins-infra#2720 |
Adding the new key for the upcoming weekly: jenkins-infra/release#352 |
Communication channels:
|
Proposal for a new key comes from the need for clarity for end users. It can be confusing to "only" check the key ID and not a guranatee that the "extended" key is imported and used properly. As the end users will have to import something one time, ensuring that we have a new key, with a new ID and a new time windows looked clearer: either you got the new key or not. However it might be a mistake: please express yourself here with the rationale if you do not agree with this proposal (I do not want to decide alone :) ) |
+1 for the strategy proposed |
Will ed25519 work on the current platforms? Just tried to import some dummy ed25519 GPG key on Almalinux 8 (compatible with the current Red Hat Enteprise Linux 8):
|
I think this is a valid concern. CentOS 7 fails to import the key and reports that "key 1 is not an armored public key:
Same message is reported on Red Hat Enterprise Linux 8 and Rocky Linux 9. @dduportal I think that we need an RSA key instead of the ED25519 key. |
ack, thanks @MarkEWaite @saper , this is a valid concern! Updated the key to rsa/4096:
|
There seems to be some disagreement in the OpenPGP working group regarding packet format related to Ed25519 signatures (compare https://www.ietf.org/archive/id/draft-koch-openpgp-2015-rfc4880bis-01.txt vs https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-08.txt). |
I placed the jenkins.io-2023.key files on pkg.jenkins.io manually with a little bit of shell script. Permissions on the files match the permissions on the jenkins.io.key files. I placed the jenkins.io-2023.key.info files in the same directories that already had jenkins.io.key.info files. I realize that the automation will probably replace all those files. I think that would be great. I wanted the instructions in the blog post to be workable immediately, without waiting for the automation to run. Discussion on the blog post will happen in the community.jenkins.io post. |
@MarkEWaite , the puppet agent on pkg.origin.jenkins.io VM keeps changing the file Currently checking the weekly Debian and Redhat repositories contents |
I think it is OK that The first interesting lines of the Debian key that I download from https://pkg.jenkins.io/debian/jenkins.io.key looks like this:
The first interesting lines of the jenkins.io-2023.key file are different. They look like this:
|
@MarkEWaite puppet reports
on each run, while we got the following:
It means that "something" keeps changing the content of the file If not, then I'll check the update center scripts |
Ooooh caught the culprit: It's https://github.com/jenkins-infra/mirror-scripts/blob/49abc7c6272d67450ee4c4c1eb57f9c5dab6fb2a/sync.sh#L67-L69 which runs regularly:
Gotta fix it tomorrow. |
|
The debian-stable repo is not signed correctly, neither the old nor the new keys work
|
There is no release of an LTS release (stable repository) yet, which is signed with the new key. The first one is 2.387.2, released on the 5th of April. |
So, the stable repo is just going to not work until next Wednesday? |
I'd just skip the GPG check for now. |
I am a little bit concerned about that answer since this will cause configuration management systems, that in our case has a formula for installing jenkins, to fail for a week. Similar we have tests for installs of Jenkins slave images that are now failing. Sure we can ignore the failing CM and tests, but we don't as we think that is bad practice. |
Yes, it is unfortunate that we didn't prepare far enough in advance so that there would not be a one week window where debian-stable did not have a package available with a valid PGP signature. The last time we made this transition, we planned more thoroughly and the outage was 24 hours or less. We'll host a retrospective to identify the mistakes we made and plan ways to prevent those mistakes for future key expiration.
I'm curious how this would cause Jenkins agent images to fail. Can you explain further how you're configuring Jenkins agents in a way that was disrupted by the expiration of the GPG key that signs the Debian package of the Jenkins controller? |
Click to see the output$ docker run --rm -ti debian
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
3e440a704568: Pull complete
Digest: sha256:7b991788987ad860810df60927e1adbaf8e156520177bd4db82409f81dd3b721
Status: Downloaded newer image for debian:latest
root@394d03e6a42b:/# apt-get install sudo curl gpg -y
# ...
root@394d03e6a42b:/# curl -fsSL https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key | sudo tee \
/usr/share/keyrings/jenkins-keyring.asc > /dev/null
root@394d03e6a42b:/# echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \
https://pkg.jenkins.io/debian-stable binary/ | sudo tee \
/etc/apt/sources.list.d/jenkins.list > /dev/null
# ...
# Installed
=> this issue is closable from infra point of view. |
=> closing the issue. Feel free to reopen with a comment if you see any issue. |
Service(s)
pkg.jenkins.io
Summary
I assume this is not covered by #3323, given the issue covers the code signing certificate only.
Don't hesitate to correct me if I'm wrong :P
Reproduction steps
No response
The text was updated successfully, but these errors were encountered: