Signature of deb repo is weak #718
Comments
|
Changing a signing key is a very big deal. Since this is a warning, I don't think it's worth the change for now.
|
|
I think you misunderstand, the message digest is weak, you can keep your key you just need to sign using SHA2. |
|
Also the latest LTS version of Ubuntu will not install packages signed with SHA1 keys. |
|
If you can tell me what build tools you use to sign your debs, I would be happy to investigate this further. |
michaelklishin
added
effort-low
pkg-rpm
pkg-deb
pkg-windows
|
@noahhaon thank you, I believe we use gpg. @dumbbell has more info on the release toolchain. |
|
+1 |
|
As @noahhaon stated, Ubuntu 16.04 LTS users will be unable to install packages. AFAIK there is no workaround, apart from downloading and installing the package and all its dependencies by hand. |
|
Hi, sorry I didn't get an earlier notification on this. I have some ideas and will do some digging today. |
|
@michaelklishin Unfortunately I think this change is most easily handled in your build environment. You would need to add the following to the the
Disappointingly, Relevant bits for build the deb repo appear to live here: https://github.com/rabbitmq/rabbitmq-server/tree/master/packaging/debs/apt-repository c.f. https://manpages.debian.org/cgi-bin/man.cgi?query=reprepro&apropos=0&sektion=0&format=html&locale=en |
|
@michaelklishin from what I understand of the issue, there should be no reason for you to generate a new key. Once you get the fix in, you should be able to verify the signature digest algorithm that reprepro used: |
|
@noahhaon OK, thanks, we'll see if we can do something about this before |
|
BTW I don't see any release artifacts (debs, etc) mentioned in these repos: http://www.rabbitmq.com/debian/dists/kitten/Release |
|
@noahhaon: To answer your last question, reprepro uses a "pool" of packages to share them among several distributions, instead of duplicating files. You can find it at http://www.rabbitmq.com/debian/pool/. Now, about the signing digest algorithm, I confirm we use the default SHA1 and that Ubuntu 16.04's apt displays a warning. That said, it let me install RabbitMQ. As you suggest, we can set Unfortunately, our key is an old DSA-1024 key and So either we use the non-recommended Because our current key is really old and weak, I would prefer to go with a new key, following today's best practices. We'll discuss that internally. |
|
After some tests on Ubuntu Server 16.04, it looks like We decided to go with a new stronger key and start the transition. Because we can sign the repository again whenever we want, the 3.6.2 release cycle will continue independently. To create the new key, I used the following popular checklist: The new one has a RSA-4096 primary key to certify other keys, and two RSA-4096 subkeys; one to encrypt, one to sign. I tested it with a plain text file and our Debian repository and GnuPG picks SHA-512 as the digest algo without forcing it with With the freshly installed Ubuntu mentionned above and this newly signed repository, With the new key imported, About the transition, we will follow the process described in the link mentionned above:
Update: The roadmap above was updated to take into account the transition of the Nightlies key which suffers the same weakness. Update: We decided to use a single key with two signing subkeys for the release and nightly artifacts. That way, end user will only have to import one key, no matter whichi branch they want to use. Update: Thanks to RPM poor support for PGP keys, we are back to two simple RSA-4096 keys; we can't use subkeys. |
|
@dumbbell I was unaware that the signing key was DSA, which would require a key migration :( Your proposed course of action for the transition looks perfect - thanks for your work on this! Some more background from the Debian folks here: https://wiki.debian.org/Teams/Apt/Sha1Removal
|
|
Thanks! That confirms my findings. And even if we could continue to use the old DSA-1024 key, it's a perfect opportunity to transition to something more current :-) I did that for my own key two years ago and it went more easily than I thought. |
|
Sometimes it's better to just rip off the band-aid :) Looks like Debian is not going to enforce the SHA1 deprecation until Jan 1, 2017 , and apparently Ubuntu 16.04 is throwing a warning so you have a bit of time. Thanks again! |
|
We need to transition the key for the nightly builds too! I'm updating the roadmap above. |
References rabbitmq/rabbitmq-server#718. [#118296861]
References rabbitmq/rabbitmq-server#718. [#118296861]
References rabbitmq/rabbitmq-server#718. [#118296861]
This is the only way to select a specific subkey. The user ID is useless for that. References rabbitmq/rabbitmq-server#718. [#118296861]
References rabbitmq/rabbitmq-server#718. [#118296861]
References rabbitmq/rabbitmq-server#718. [#118296861]
By default, honor the default key; usually it is specified in `gpg.conf`. References #718. [#118296861]
This is the only way to select a specific subkey. The user ID is useless for that. References #718. [#118296861]
References rabbitmq/rabbitmq-server#718. [#118296861]
|
So RPM support for PGP key and signature is ten years old and quite poor. In particular, we can't use subkeys. Thus, we are back to two simple keys... |
References rabbitmq/rabbitmq-server#718. [#118296861]
References rabbitmq/rabbitmq-server#718. [#118296861]
References rabbitmq/rabbitmq-server#718. [#118296861]
References rabbitmq/rabbitmq-server#718. [#118296861]
References rabbitmq/rabbitmq-server#718. [#118296861]
By default, honor the default key; usually it is specified in `gpg.conf`. References #718. [#118296861]
This is the only way to select a specific subkey. The user ID is useless for that. References #718. [#118296861]
By default, honor the default key; usually it is specified in `gpg.conf`. References #718. [#118296861]
This is the only way to select a specific subkey. The user ID is useless for that. References #718. [#118296861]
This is the only way to select a specific subkey. The user ID is useless for that. References rabbitmq/rabbitmq-server#718. [#118296861]
References rabbitmq/rabbitmq-server#718. [#118296861]
References rabbitmq/rabbitmq-server#718. [#118296861]
|
New keys are now in place, I've also restored http://www.rabbitmq.com/rabbitmq-signing-key-public.asc temporarily because apparently enough people depend on the sole existence of the file. |
|
The Debian repository is now signed with the new release key; it was made available a few minutes ago. apt(1) from Ubuntu 16.04 is now happy! |
|
Why is this closed if the InRelease file digest hash is still SHA1? This was never about the Signing key. It was about that Warning. |
|
@gsker I'm no Debian expert but this was about a whole bunch of things that had to be changed at once. FWIW this happened over 4 months ago and except for those who haven't imported the new key, we didn't have any apt warning reports since then. There are Package Cloud and Bintray Debian repositories available in case that's not good enough for you. Please post your observations to rabbitmq-users since we don't reopen issues that were closed and part of a release. |
@gsker: This was both a problem with the signing key and the signature. The previous key was a DSA/1024 key which didn't permit to use a SHA-512 digest. Thus we had to replace it first with something more current. The warning re-appeared recently because of a regression in our build process. The digest preference was not honored and GnuPG used SHA-1. We restored the configuration to select SHA-512 explicitely and the repository is signed again. The regression should be solved now. |
Since the release of APT 1.2.7 keys which use SHA1 are considered weak and give a warning on
apt update.https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/
W: http://www.rabbitmq.com/debian/dists/testing/InRelease: Signature by key F78372A06FF50C80464FC1B4F7B8CEA6056E8E56 uses weak digest algorithm (SHA1)The text was updated successfully, but these errors were encountered: