
Distro keys updater keep only primary signing key remove expired ones : reduces size of archlinux.key and tails.key#2078

Merged
tlaurion merged 2 commits intolinuxboot:masterfrom
tlaurion:distro_keys_updater-keep_only_primary_signing_key-remove_expired_ones
Mar 27, 2026

Conversation

@tlaurion
Collaborator

@tlaurion tlaurion commented Mar 27, 2026

bin/: add update_distro_signing_key/ scripts for all distro signing keys

Introduces a maintainable structure for keeping distro signing keys under initrd/etc/distro/keys/ up to date:

  • bin/update_distro_signing_key/lib/helper.sh -- shared logic
  • bin/update_distro_signing_key/tails.sh -- Tails
  • bin/update_distro_signing_key/archlinux.sh -- Arch Linux
  • bin/update_distro_signing_key/qubes.sh -- Qubes OS 4.2/4.3/weekly
  • bin/update_distro_signing_keys.sh -- meta: runs all scripts

Result of running scripts:

  • archlinux.key: 1168B -> 673B (495B saved, auth+encrypt subkeys removed)
  • tails.key: 21282B -> 7376B (13906B saved, expired+non-signing subkeys removed)
  • QubesOS keys unchanged (they already contained only the signing key and were minimized correctly)

WARNING: [Tails] Primary key expires 2027-01-13 (292 days) -- update soon!


To reproduce:

user@debian-13:~/heads-master$ ./bin/update_distro_signing_keys.sh 
[Arch Linux] Downloading https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C ...
[Arch Linux] Importing key into temporary keyring ...
[Arch Linux] Exporting normalized key for 'pierre@archlinux.org' ...
[Arch Linux] Written to initrd/etc/distro/keys/archlinux.key

[Arch Linux] Primary key expires 2037-10-27 (4231 days)
[Arch Linux] No change — key is identical to the committed version.

[Qubes OS 4.2] Downloading https://keys.qubes-os.org/keys/qubes-release-4.2-signing-key.asc ...
[Qubes OS 4.2] Importing key into temporary keyring ...
[Qubes OS 4.2] Exporting normalized key for 'Qubes OS Release 4.2 Signing Key' ...
[Qubes OS 4.2] Written to initrd/etc/distro/keys/qubes-4.2.key

[Qubes OS 4.2] Primary key: no expiry
[Qubes OS 4.2] No change — key is identical to the committed version.
[Qubes OS 4.3] Downloading https://keys.qubes-os.org/keys/qubes-release-4.3-signing-key.asc ...
[Qubes OS 4.3] Importing key into temporary keyring ...
[Qubes OS 4.3] Exporting normalized key for 'Qubes OS Release 4.3 Signing Key' ...
[Qubes OS 4.3] Written to initrd/etc/distro/keys/qubes-4.3.key

[Qubes OS 4.3] Primary key: no expiry
[Qubes OS 4.3] No change — key is identical to the committed version.
[Qubes OS weekly builds] Downloading https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x9B7E61D3BB70C4B1335CE5B67B72A119CCCA57BB ...
[Qubes OS weekly builds] Importing key into temporary keyring ...
[Qubes OS weekly builds] Exporting normalized key for 'Qubes OS Weekly Builds Signing Key' ...
[Qubes OS weekly builds] Written to initrd/etc/distro/keys/qubes-weekly-builds-signing-key.asc

[Qubes OS weekly builds] Primary key: no expiry
[Qubes OS weekly builds] No change — key is identical to the committed version.

[Tails] Downloading https://tails.boum.org/tails-signing.key ...
[Tails] Importing key into temporary keyring ...
[Tails] Exporting normalized key for 'tails@boum.org' ...
[Tails] Written to initrd/etc/distro/keys/tails.key

WARNING: [Tails] Primary key expires 2027-01-13 (291 days) -- update soon!
[Tails] No change — key is identical to the committed version.

========================================
All keys are up to date.

Introduces a maintainable structure for keeping distro signing keys
under initrd/etc/distro/keys/ up to date:

  bin/update_distro_signing_key/lib/helper.sh   -- shared logic
  bin/update_distro_signing_key/tails.sh         -- Tails
  bin/update_distro_signing_key/archlinux.sh     -- Arch Linux
  bin/update_distro_signing_key/qubes.sh         -- Qubes OS 4.2/4.3/weekly
  bin/update_distro_signing_keys.sh              -- meta: runs all scripts

The meta script auto-discovers all *.sh in update_distro_signing_key/;
adding a new distro only requires adding one script there.

Exit codes of the meta script:
  0  all keys up to date, no action needed
  1  one or more keys changed (review with git diff, then commit)
  2  one or more per-distro scripts failed (download/import error)

The helper normalizes each key with:
  --export-options export-minimal,export-clean
  --export-filter  drop-subkey=expired -gt 0 || usage !~ s

Only the primary key and non-expired signing subkeys are kept -- no
encryption, authentication, or expired subkeys.

The helper also reports primary key expiry with days remaining, and
emits a color-coded warning (yellow) when expiry is within 365 days
(one full release cycle) or red if already expired -- so rotations are
caught before they ship in a release and break users in the field.

All gpg calls use --batch to prevent interactive prompts in CI.
git diff uses -C flag to avoid cd side-effects.
qubes.sh propagates the highest exit code across all three key updates.

GPG work is done in a mktemp directory wiped via trap on EXIT.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Re-export both keys through the new update_distro_signing_key scripts
to strip non-signing subkeys (encryption, authentication) and expired
subkeys that had accumulated in the in-tree copies.  Only the primary
key and currently-valid signing subkeys are retained.

  archlinux.key: 1168B -> 673B  (495B saved,   auth+encrypt subkeys removed)
  tails.key:     21282B -> 7376B (13906B saved, expired+non-signing subkeys removed)

Qubes OS keys (4.2, 4.3, weekly builds) were already minimal -- no change.

Fixes linuxboot#2066.

This class of manual update has been needed repeatedly in the past and
was caught late each time, causing distro ISO verification failures in
the field for Tails and other supported distros:
  linuxboot#1808 (issue: Tails key expired, ISOs unbootable)
  linuxboot#1631 (PR: update tails.key, replay of manual steps)
  linuxboot#1809 (PR: replay of linuxboot#1631 for next Tails rotation)
  linuxboot#2000 (PR: Tails 7.0 key, same manual process again)
  linuxboot#1457 (PR: Arch Linux key update)
  linuxboot#2033 (PR: Qubes OS 4.3 key addition)

TODO: wire bin/update_distro_signing_keys.sh into CI (e.g. a scheduled
      workflow) so upstream key rotations are detected automatically
      before they break users.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
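The following is an added example, not Heads' bin/update_distro_signing_key/lib/helper.sh or any other code from this PR. It reproduces, on a throwaway key generated in a temporary GNUPGHOME, the normalization the commit message describes: the same --export-options and --export-filter are applied to a key carrying an encryption subkey, an authentication subkey, an expired signing subkey and a valid signing subkey, and the result is checked to contain only the primary key and the one valid signing subkey. It also computes the primary key's days-to-expiry from gpg's colon output with the helper's 365-day warning threshold. The identity, the expiry values and the function names (make_test_key, normalize_key, count_subkeys, usage_flags, primary_expiry_days, expiry_status) are constructed for this example; it needs a gpg >= 2.1 binary on PATH.

```shell
#!/bin/sh
# Added example, not Heads' bin/update_distro_signing_key/lib/helper.sh:
# build a throwaway key with the subkey mix the commit message talks about,
# apply the same --export-options / --export-filter, and check the result.
# Needs gpg >= 2.1 on PATH (--quick-*-key, --export-filter).
set -eu

# Isolated keyring wiped on exit, like the helper's mktemp + trap on EXIT.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'rm -rf "$GNUPGHOME"' EXIT

# Constructed identity; not a real distro key.
KEY_UID='Example Distro Release Key <release@example.invalid>'

# gpg wrapper: --batch everywhere (no prompts in CI), unprotected test key.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Creates the test key and sets FPR to its primary fingerprint.
make_test_key() {
  # Primary: certify+sign, expires in 200 days (inside the helper's 365-day warning window).
  g --quick-gen-key "$KEY_UID" ed25519 sign 200d
  FPR=$(gpg --batch --with-colons --list-keys "$KEY_UID" | awk -F: '$1=="fpr"{print $10; exit}')
  g --quick-add-key "$FPR" cv25519 encr never      # encryption subkey        -> must be dropped
  g --quick-add-key "$FPR" ed25519 auth never      # authentication subkey    -> must be dropped
  g --quick-add-key "$FPR" ed25519 sign seconds=5  # signing subkey, 5 s life -> must be dropped
  g --quick-add-key "$FPR" ed25519 sign 1y         # valid signing subkey     -> must be kept
  sleep 6                                           # let the short-lived subkey expire
}

# The helper's normalization with its options verbatim: keep the primary key
# and non-expired signing subkeys only. Writes the armored key to stdout.
normalize_key() {
  gpg --batch --armor \
      --export-options export-minimal,export-clean \
      --export-filter 'drop-subkey=expired -gt 0 || usage !~ s' \
      --export "$1"
}

# Number of subkey packets in an armored key read from stdin.
count_subkeys() {
  gpg --batch --list-packets 2>/dev/null | grep -c ':public sub key packet:' || true
}

# Distinct key-flag bytes in the self-signatures of an armored key on stdin:
# 03 = certify+sign (primary), 02 = sign, 0C = encrypt, 20 = authenticate.
usage_flags() {
  gpg --batch --list-packets 2>/dev/null \
    | sed -n 's/.*key flags: \([0-9A-F]*\).*/\1/p' | sort -u | xargs echo
}

# Days until the primary key expires ("none" if it never does); the pub
# record's 7th colon-separated field is the expiry as a Unix timestamp.
primary_expiry_days() {
  exp=$(gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="pub"{print $7; exit}')
  [ -n "$exp" ] || { echo none; return; }
  now=$(date +%s)
  echo $(( (exp - now) / 86400 ))
}

# Same thresholds as the helper's colour-coded report: red if expired,
# yellow if within one release cycle (365 days), otherwise fine.
expiry_status() {
  days=$(primary_expiry_days "$1")
  if [ "$days" = none ]; then echo ok
  elif [ "$days" -lt 0 ]; then echo expired
  elif [ "$days" -le 365 ]; then echo warn
  else echo ok
  fi
}

make_test_key
echo "before: $(gpg --batch --armor --export "$FPR" | count_subkeys) subkeys, flags: $(gpg --batch --armor --export "$FPR" | usage_flags)"
echo "after:  $(normalize_key "$FPR" | count_subkeys) subkeys, flags: $(normalize_key "$FPR" | usage_flags)"
echo "primary expires in $(primary_expiry_days "$FPR") days -> $(expiry_status "$FPR")"
```

Running it shows the before/after subkey counts (4 to 1) and flag sets (02 03 0C 20 to 02 03), which is the same effect the PR reports for archlinux.key and tails.key; the 200-day primary lands in the "warn" band the helper prints in yellow. Replacing the throwaway key with a downloaded distro key and diffing the normalized output against the committed file is all the real helper adds on top of this.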
@tlaurion tlaurion merged commit 19e4358 into linuxboot:master Mar 27, 2026
1 check passed
@tlaurion tlaurion linked an issue Mar 27, 2026 that may be closed by this pull request
@tlaurion tlaurion changed the title Distro keys updater keep only primary signing key remove expired ones : reduces size of archilinx.key and tails.key Distro keys updater keep only primary signing key remove expired ones : reduces size of archlinux.key and tails.key Mar 27, 2026
@tlaurion
Collaborator Author

Concern about the Tails distro signing key's short expiration window raised in my follow-up on exFAT support in their initramfs, at reopened issue https://gitlab.tails.boum.org/tails/tails/-/work_items/20621

@tlaurion
Collaborator Author

tlaurion commented Apr 1, 2026

Concern on Tails distro signing key short expiration window

opened https://gitlab.tails.boum.org/tails/tails/-/work_items/21492

Successfully merging this pull request may close these issues.

Automate Tails key download + minimize to see if it changed
