New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Debian package repository key changed to 4F77679369475BAA #6916
Comments
Sorry about that! This was totally unexpected. On 11th January, I added a new subkey (4F77679369475BAA) for the nightly repo, as a response to this comment: #6865 (comment)
The reason the stable and nightly repos use separate keys is so the build environments can be isolated, and the nightly key being compromised won't affect the stable key. The environment used to sign the nightly repo only contains the nightly subkey, not the stable subkey, and the nightly one can be revoked separately. This key was only supposed to be used for the nightly repo. However, there appears to be a bug with Aptly. We're explicitly signing the stable repo with
However, it appears to be ignoring this and using the wrong subkey (4F77679369475BAA). I want to investigate whether this happens in an isolated test case (new GPG key with two subkeys, and two new Aptly repos) and report it upstream if so. If we can't determine the bug or fix Aptly, next rotation I'll just switch to using an entirely separate key for the nightly repo, rather than just a separate subkey. Also, apologies for the delay in replying... I was on vacation. |
Bug filed upstream: aptly-dev/aptly#805 |
Hi there. Dev ops newbie here. I can't seem to There is someone in this issue thread: that is saying |
@ianrandmckenzie that will add that key as a trusted package key. Pretty low risk in this scenario. But you could always remove it after the issue is resolved. |
Is there any timeline as to when this will be fixed, or will it depend on the |
@jonathanmeier5 - Nothing should be broken at the moment. The only issue is that the stable repo is being signed with the nightly repo's key, however both public keys are included in the public key published at https://dl.yarnpkg.com/debian/pubkey.gpg so it shouldn't be an issue. |
@Daniel15 I guess to rephrase my question: do you have any idea when you will return to signing the stable yarn release with only the most recent stable sub-key? Ideally, we would prefer to not accept signatures from the nightly sub-key in our builds long term. |
Yeah, it mainly depends on the aptly bug. Unfortunately I don't really have time to look into it myself right now :( |
No problem, thanks for the updates 👍 |
I looked into it and it turns out aptly passes through all options correctly. The real problem is GPG which does its best to be hard to use. You can tell it which key to use ("The signing key is chosen by default or can be set explicitly using the If you want it to actually use the key you tell it to use, you have to append an exclamation mark to the key id... |
Thank you so much @sth! I've just re-signed the repo using the proper subkey, thanks to your advice. |
Just recently the key used to sign Debian packages was changed to a new key with id 23E7166788B63E1E. Now that key seems to have changed again:
That new key seems to have been created on 2019-01-11 after the previous change on 2019-01-02.
Is this change intentional?
Are key changes announced somewhere? The signatures are completely pointless if I'm supposed to just redownload a new key whenever there is a signature error. If someone manages to upload a changed package to https://dl.yarnpkg.com/debian they most likely can also upload a new key to that location.
The text was updated successfully, but these errors were encountered: