
[Question] RPM signing requires the master secret key, not subkey #2041

Closed
peterzhuamazon opened this issue Apr 26, 2022 · 10 comments
Labels
question Further information is requested rpm signing

Comments

@peterzhuamazon
Member

peterzhuamazon commented Apr 26, 2022

Here is the master and sub public key:

pub   4096R/39D319879310D3FC 2021-05-11
uid                          OpenSearch project <opensearch@amazon.com>
sub   2048R/C2EE2AF6542C03B4 2021-05-11 [expires: 2022-05-11]

When signing an RPM, if I use the sub secret key to sign, it will need to be verified by the sub public key
(keypair C2EE2AF6542C03B4):

Signature   : RSA/SHA1, Tue Apr 26 19:36:16 2022, Key ID c2ee2af6542c03b4

However, this cannot be verified by RPM:

opensearch-2.0.0-rc1-linux-x64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#542c03b4)

As we can see, when using rpm --import, RPM only treats the master public key as the one to verify against:

gpg-pubkey-9310d3fc-609af0ea (OpenSearch project <opensearch@amazon.com>)

Since our subkey is C2EE2AF6542C03B4 and master key is 39D319879310D3FC, RPM cannot match its signature from c2ee2af6542c03b4 with the current master key 39D319879310D3FC.

If we sign RPM with the master secret key:

Signature   : RSA/SHA1, Tue Apr 26 23:17:02 2022, Key ID 39d319879310d3fc

Verification would complete without any issues, as both the key ID recorded on the .rpm and the gpg list (master) are 39d319879310d3fc:

opensearch-2.0.0-rc1-linux-arm64.rpm: rsa sha1 (md5) pgp md5 OK

Note: When we sign the rpms with the master secret key, both the master public key and the sub public key can verify the rpm.

This is not the case for detached signatures (.sig) when we sign with gpg directly.

I wonder whether this is an issue on my side, or whether RPM requires the master key to sign.

Thanks.


  • Update 20220427:

    • RPM only started supporting subkey signing in version 4.12.x+; this means RH7/CentOS7/AL2 (4.11.x) do not support it at all. If we still want to support these distros for opensearch/dashboards, we can only sign the rpm packages with the master secret key. RH8/CentOS8/AL2022 are the ones officially supporting the new rpm version (or Fedora rawhide). This is a problem that was raised in 2007 and only got fixed in 2015.
  • Update 20220428:

    • Huan, Tao and David attended the meeting, and the decision is to use the master secret key to sign RPMs, as we want to support RH7/CentOS7/AL2, which are still using rpm 4.11.x. We will create an issue to automate the rpm signing into the existing workflow so that this process is flexible and repeatable.
@peterzhuamazon
Member Author

@spotrh @dblock what are your thoughts on this?

Thanks.

cc @bbarani @gaiksaya

@peterzhuamazon peterzhuamazon added rpm signing question Further information is requested labels Apr 27, 2022
@gaiksaya
Member

I believe we should avoid signing anything with the master key. It is recommended to always use sub-keys, which can be revoked in case of security issues (like the private key being leaked).

@peterzhuamazon
Member Author

> I believe we should avoid signing anything with the master key. It is recommended to always use sub-keys, which can be revoked in case of security issues (like the private key being leaked).

I want to avoid it, but at this point signing with the subkey just straight does not work on RPM.

@peterzhuamazon
Member Author

This ticket seems to mention that the issue spawned back in 2007 and only a few years ago got an update in 4.12.90 of the Fedora release of rpm.

https://bugzilla.redhat.com/show_bug.cgi?id=227632

As of now, the common version of rpm shipped with AL2/CentOS7 and others is 4.11.x.

@peterzhuamazon
Member Author

I found that rockylinux8 is using a higher version of rpm; will test it.

RPM version 4.14.3

@peterzhuamazon
Member Author

peterzhuamazon commented Apr 27, 2022

Rockylinux8 also supplies gnupg 2.2.20, which requires additional setup to import secret keys:

yum install pinentry
# gnupg 2.2 asks the pinentry agent for the passphrase; loopback mode lets a file supply it non-interactively
gpg --pinentry-mode loopback --passphrase-file=passphrase --import private-key

@peterzhuamazon
Member Author

peterzhuamazon commented Apr 27, 2022

We also need to sign with SHA256, not SHA1 anymore.
We can also bump it to SHA512 as well.

@peterzhuamazon
Member Author

Tests show that if we sign with the subkey and verify with rpm version 4.12+ it passes, but moving it to any CentOS7 / AL2 it fails, as the rpm version there is 4.11.x.

Therefore, we cannot afford to sign with the subkey if we still want to support CentOS7/AL2.

Thanks.
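The version gate described in the issue body and in the comment above, as an added example that is not the OpenSearch project's own tooling: it picks the key ID the oldest supported rpm can verify (subkey on 4.12+, master key below that) and signs with a SHA-256 digest instead of SHA-1. The key IDs are the ones quoted in the issue; the function names and the package path are assumptions.

```shell
#!/bin/sh
# Added example (not the OpenSearch project's code): choose the signing key that
# every target distro's rpm can verify, following the thread's finding that
# rpm < 4.12 only matches signatures made by the primary (master) key.
set -eu

# Key IDs are the ones listed in the issue; the package path is a placeholder.
MASTER_KEY_ID="39D319879310D3FC"
SUBKEY_ID="C2EE2AF6542C03B4"

# Returns 0 when the "X.Y.Z" in an `rpm --version` line is >= 4.12, else 1.
rpm_supports_subkey_signing() {
  ver="${1##* }"                           # "RPM version 4.11.3" -> "4.11.3"
  major="${ver%%.*}"                       # "4"
  minor="${ver#*.}"; minor="${minor%%.*}"  # "11"
  if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 12 ]; }; then
    return 0
  fi
  return 1
}

# Given the `rpm --version` line of the OLDEST rpm you must stay compatible
# with, prints the key ID that rpm can verify: subkey if possible, else master.
choose_signing_key() {
  if rpm_supports_subkey_signing "$1"; then
    echo "$SUBKEY_ID"
  else
    echo "$MASTER_KEY_ID"
  fi
}

# Signs a package with the chosen key and a SHA-256 digest (the thread moves
# off SHA-1). Uses rpmsign where present (newer rpm), else rpm --addsign.
# Not run by the test; needs the secret key imported into the local keyring.
sign_rpm() {
  pkg="$1"; key="$2"
  if command -v rpmsign >/dev/null 2>&1; then signer="rpmsign"; else signer="rpm"; fi
  "$signer" --addsign \
    --define "_gpg_name $key" \
    --define "_gpg_digest_algo sha256" \
    "$pkg"
  rpm -Kv "$pkg"   # expect "OK" and no "MISSING KEYS" on the oldest target distro
}

# Usage (placeholder path; pass the oldest target's `rpm --version` line):
# sign_rpm /path/to/opensearch.rpm "$(choose_signing_key "RPM version 4.11.3")"
```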

@bbarani
Member

bbarani commented Apr 27, 2022

@peterzhuamazon Can we also look into the option of creating a separate master key just for RPM signing to reduce the blast radius in case of a key leak?

@peterzhuamazon
Member Author

See the description for the latest update, as we are using the master secret key to sign rpms.
