OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

SHA1 Key signature warnings in Debian build for releases 3.x #979

Open linqigang888 opened 1 year ago

linqigang888 commented 1 year ago

I am the Debian maintainer for easy-rsa. While building the latest release, I received the following output:

dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: verifying ./easy-rsa_3.1.5.orig.tar.gz.asc
gpgv: Signature made Sat 10 Jun 2023 08:58:15 PM +07
gpgv:                using RSA key C8FCA3E7F787072CDEB91D2F72964219390D0D0E
gpgv: Note: signatures using the SHA1 algorithm are rejected
gpgv: WARNING: signing subkey 72964219390D0D0E has an invalid cross-certification
gpgv: Can't check signature: General error
dpkg-source: warning: cannot verify upstream tarball signature for ./easy-rsa_3.1.5.orig.tar.gz: no acceptable signature found

I took the latest public key from here (https://github.com/OpenVPN/easy-rsa/tree/master/release-keys) and the .tgz and .tgz.sig from here (https://github.com/OpenVPN/easy-rsa/releases/tag/v3.1.5). Could you look into the issues with cross-certification and SHA1?
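As an added example (not code from this issue or from the easy-rsa project), a small Python check that reads a detached .sig or .asc, parses the OpenPGP packet header and reports the hash algorithm a v4 signature was made with, so a maintainer can spot a SHA1-digest signature like the one gpgv rejects above before shipping a release. The function names and the sample signature packet are constructed here.

```python
import base64

# RFC 4880 section 9.4 hash algorithm ids (subset); gpgv now rejects signatures made with 1 or 2.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {1, 2}

def dearmor(data: bytes) -> bytes:
    """Strip ASCII armor (.asc) and return binary packets; binary input is returned as-is."""
    if not data.startswith(b"-----BEGIN PGP"):
        return data
    body, in_body = [], False
    for line in data.decode("ascii", "replace").splitlines():
        if line.startswith("-----END PGP"):
            break
        if in_body and not line.startswith("="):   # "=XXXX" is the CRC-24 line, not payload
            body.append(line.strip())
        elif not in_body and line.strip() == "":   # blank line ends the armor headers
            in_body = True
    return base64.b64decode("".join(body))

def signature_hash_algo(data: bytes) -> int:
    """Return the hash algorithm id of the first packet, which must be a v4 signature packet."""
    data = dearmor(data)
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:   # new-format header: tag in low 6 bits, then a 1-, 2- or 5-byte length
        tag, first = ctb & 0x3F, data[1]
        off = 2 if first < 192 or 224 <= first < 255 else (3 if first < 224 else 6)
    else:            # old-format header: tag in bits 2-5, length-type in bits 0-1
        tag = (ctb >> 2) & 0x0F
        off = 1 + {0: 1, 1: 2, 2: 4, 3: 0}[ctb & 0x03]
    if tag != 2 or data[off] != 4:
        raise ValueError(f"expected a v4 signature packet, got tag {tag} version {data[off]}")
    return data[off + 3]   # v4 body: version, sig type, pubkey algo, hash algo, ...

def describe(data: bytes) -> str:
    """Verdict in the spirit of gpgv's 'signatures using the SHA1 algorithm are rejected'."""
    algo = signature_hash_algo(data)
    name = HASH_ALGOS.get(algo, f"hash-algo-{algo}")
    return f"{name}: " + ("rejected by current gpgv, re-sign with SHA256 or stronger" if algo in WEAK else "acceptable")

def constructed_signature(hash_algo: int, armored: bool = False) -> bytes:
    """Constructed v4 RSA signature packet with a dummy MPI, for demonstration only (not a real signature)."""
    body = bytes([4, 0x00, 1, hash_algo]) + b"\x00\x00\x00\x00" + b"\xab\xcd" + b"\x00\x08\xff"
    packet = bytes([0x88, len(body)]) + body   # 0x88: old-format header, tag 2, 1-byte length
    if not armored:
        return packet
    return (b"-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
            + base64.b64encode(packet) + b"\n=AAAA\n-----END PGP SIGNATURE-----\n")
```

On a real release, call describe(open("easy-rsa_3.2.0.orig.tar.gz.asc", "rb").read()); the check only reads the packet header, so it does not need the signing key.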

ecrist commented 1 year ago

I'll look into this.

Eric F Crist

TinCanTech commented 4 months ago

Release 3.1.5, replaced by 3.1.6 and 3.1.7, without complaint.

linqigang888 commented 4 months ago

Please reopen, since this is still an issue:

dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: verifying ./easy-rsa_3.2.0.orig.tar.gz.asc
gpgv: Signature made Sat 18 May 2024 07:21:02 PM +07
gpgv:                using RSA key C8FCA3E7F787072CDEB91D2F72964219390D0D0E
gpgv: Note: signatures using the SHA1 algorithm are rejected
gpgv: WARNING: signing subkey 72964219390D0D0E has an invalid cross-certification
gpgv: Can't check signature: General error
dpkg-source: warning: cannot verify upstream tarball signature for ./easy-rsa_3.2.0.orig.tar.gz: no acceptable signature found
dpkg-source: info: building easy-rsa using existing ./easy-rsa_3.2.0.orig.tar.gz
dpkg-source: info: building easy-rsa using existing ./easy-rsa_3.2.0.orig.tar.gz.asc
dpkg-source: info: building easy-rsa in easy-rsa_3.2.0-1.debian.tar.xz
dpkg-source: info: building easy-rsa in easy-rsa_3.2.0-1.dsc

TinCanTech commented 4 months ago

@ecrist are you willing to upgrade your key yet?

TinCanTech commented 4 months ago

@ecrist

FTR:

While there was some reconfiguration under the hood, the main difference between Easy-RSA v3.0.8 and v3.1.x is support for OpenSSL v3.x.x, over OpenSSL v.1.x.x.

Easy-RSA v3.1.7 is signed by your current SHA1 key.

Easy-RSA v3.2.0 is signed by your current SHA1 key.

Easy-RSA v3.2.1 could be signed by your new SHA256 key.

sdavids commented 3 months ago

Could we maybe get a new version in the Debian repos?

$ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ apt-cache showpkg easy-rsa
Package: easy-rsa
Versions: 
3.1.0-1 (/var/lib/apt/lists/deb.debian.org_debian_dists_bookworm_main_binary-amd64_Packages) (/var/lib/dpkg/status)
 Description Language: 
                 File: /var/lib/apt/lists/deb.debian.org_debian_dists_bookworm_main_binary-amd64_Packages
                  MD5: 30ef8db774064b75fc32b3b7baedeb03
 Description Language: en
                 File: /var/lib/apt/lists/deb.debian.org_debian_dists_bookworm_main_i18n_Translation-en
                  MD5: 30ef8db774064b75fc32b3b7baedeb03

Reverse Depends: 
  fbx-all,easy-rsa
  openvpn,easy-rsa
Dependencies: 
3.1.0-1 - openssl (0 (null)) opensc (0 (null)) 
Provides: 
3.1.0-1 - 
Reverse Provides: 
$ /usr/share/easy-rsa/easyrsa --version
EasyRSA Version Information
Version:     3.1.0
Generated:   Wed May 18 20:53:50 CDT 2022
SSL Lib:     OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
Git Commit:  1600b3fe9bd71e229b8648cd24206c55917b2f9b
Source Repo: https://github.com/OpenVPN/easy-rsa

linqigang888 commented 3 months ago

easy-rsa 3.2.0-1 is available in Debian's unstable and testing distributions. Here is documentation on choosing a Debian distribution to have packages from.

sdavids commented 3 months ago

Can I use Sid packages on "stable"?

I should have phrased my comment differently 😉

Is it possible to promote a version greater than 3.1.0 from unstable to stable?

linqigang888 commented 3 months ago

It is possible to backport new features to stable, but I want to avoid doing that since openssl is a dependency of easy-rsa. Backporting easy-rsa without a backported openssl would most likely lead to instabilities.

TinCanTech commented 3 months ago

EasyRSA is tested against OpenSSL 1.1.1f 31 Mar 2020 and various OpenSSL version 3 binaries.

linqigang888 commented 3 months ago

I would rather volunteer my time doing other things than backporting in Debian, but any Debian Developer should be able to backport in my place.

While it is not recommended in Debian to install packages from testing or unstable, it is an option for users.

sdavids commented 3 months ago

Even stable is updated once in a while. Those updates are called "Point Releases". They usually incorporate the security fixes released until the time of the update and fixes for important bugs in the current release.

https://wiki.debian.org/DebianReleases/PointReleases

Uploading to stable means that the package will be transferred to the proposed-updates-new queue for review by the stable release managers, and if approved will be installed in the stable-proposed-updates directory of the Debian archive. From there, it will be included in stable with the next point release. [...] The bug should be of severity "important" or higher. [...] Fixes must be minimal and relevant and include a sufficiently detailed changelog entry

https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable


Currently, the easy-rsa project does not closely adhere to Semantic versioning—patch releases add/change/remove functionality, for example:

3.1.2

Command 'renew': Remove option 'nopass' Introduce command 'set-pass'


As it is now, the easy-rsa version is frozen in stable: Every two years we get a new version via a Debian release and the version in a specific release is frozen for its 3 (5 LTS) year lifecycle.

sdavids commented 3 months ago

NOTICE: EasyRSA version 3.2.0 is a development snapshot.

https://github.com/OpenVPN/easy-rsa/releases/tag/v3.2.0

[2024-05-31] easy-rsa 3.2.0-1 MIGRATED to testing (Debian testing watch)

https://tracker.debian.org/pkg/easy-rsa/news/?page=1

Is it correct that 3.2.0 is already in Debian testing? Should it not remain in unstable?


If Debian were to cut its trixie release today, it would bake in this version for the upcoming 3-5 years.

TinCanTech commented 3 months ago

I strongly advise that Debian does not pick up EasyRSA v3.2.0.

It would be much better long-term to pick v3.2.1, upon its release in September 2024.

If that is not possible, then Debian should use EasyRSA v3.1.7.

linqigang888 commented 3 months ago

It usually takes 2-5 days for packages to migrate from unstable to testing. Debian's tracker pages for packages help to see the status of a package in Debian.

No bugs have been reported so far for easy-rsa 3.2.0-1 in Debian testing or unstable, so there should be no issue having this version. With a planned release for September 2024, I can easily package easy-rsa 3.2.1-1 before the next stable Debian release.

Importing upstream versions earlier to unstable and testing helps test for longer so that bugs can be resolved as they appear. If a bug is serious enough to downstream to Debian, I would be happy to apply a patch before the next upstream release.

TinCanTech commented 3 months ago

With a planned release for September 2024, I can easily package easy-rsa 3.2.1-1 before the next stable Debian release

That is excellent news. EasyRSA v3.2.1 is intended to be a long term stable release.