Yubico / yubihsm-connector

https://developers.yubico.com/yubihsm-connector/
Apache License 2.0

Release signed with unknown key #50

Open barabo opened 11 months ago

barabo commented 11 months ago

I did find #15 - which did not resolve my issue.

canderson@60-signing-01:~$ gpg --verify yubihsm-connector-3.0.4-ubuntu2204-amd64.tar.gz.sig
gpg: assuming signed data in 'yubihsm-connector-3.0.4-ubuntu2204-amd64.tar.gz'
gpg: Signature made Tue 24 Jan 2023 01:35:50 PM UTC
gpg:                using RSA key A8CE167914EEE232B9237B5410CAC4962E03C7CC
gpg: Can't check signature: No public key

canderson@60-signing-01:~$ gpg --recv-key A8CE167914EEE232B9237B5410CAC4962E03C7CC
gpg: keyserver receive failed: Server indicated a failure

canderson@60-signing-01:~$ cat ~/.gnupg/gpg.conf
keyserver hkps://keys.openpgp.org

Also, looking at the list of yubico developers, here - the signing key A8CE167914EEE232B9237B5410CAC4962E03C7CC is not listed on that page.

barabo commented 11 months ago

For extra context, here's what debug-level 9 reveals.

canderson@60-signing-01:~$ gpg --recv-key --debug-level 9 A8CE167914EEE232B9237B5410CAC4962E03C7CC
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /home/canderson/.gnupg
gpg: DBG: chan_3 <- # Config: /home/canderson/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.2.27 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.2.27
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER --clear hkps://keys.openpgp.org
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_GET -- 0xA8CE167914EEE232B9237B5410CAC4962E03C7CC
gpg: DBG: chan_3 <- ERR 219 Server indicated a failure <Unspecified source>
gpg: keyserver receive failed: Server indicated a failure
gpg: DBG: chan_3 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks

Also, I did find this related issue. So I do believe the signature to be trusted, but I'm confused about why I'm unable to receive the keys with gpg --recv-key.

I've tried both keys.openpgp.org and keyserver.ubuntu.com for my key server config, and neither one worked.

barabo commented 11 months ago

Aha! For posterity, I'll post how I resolved this here.

I went to the key download link for Aveen and downloaded the listed key, then imported it as a file.

canderson@60-signing-01:~$ wget https://keys.openpgp.org/vks/v1/by-fingerprint/1D7308B0055F5AEF36944A8F27A9C24D9588EA0F
--2023-11-07 21:29:54--  https://keys.openpgp.org/vks/v1/by-fingerprint/1D7308B0055F5AEF36944A8F27A9C24D9588EA0F
Resolving keys.openpgp.org (keys.openpgp.org)... 37.218.245.50, 2a00:c6c0:0:154:1::1
Connecting to keys.openpgp.org (keys.openpgp.org)|37.218.245.50|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34377 (34K) [application/pgp-keys]
Saving to: ‘1D7308B0055F5AEF36944A8F27A9C24D9588EA0F’

1D7308B0055F5AEF36944A8F27A9C24D9588EA0F     100%[==============================================================================================>]  33.57K  --.-KB/s    in 0s

2023-11-07 21:29:55 (237 MB/s) - ‘1D7308B0055F5AEF36944A8F27A9C24D9588EA0F’ saved [34377/34377]

canderson@60-signing-01:~$ gpg --import 1D7308B0055F5AEF36944A8F27A9C24D9588EA0F
gpg: key 27A9C24D9588EA0F: public key "Aveen Ismail <aveen.ismail@yubico.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

canderson@60-signing-01:~$ gpg --verify ./yubihsm-connector-3.0.4-ubuntu2204-amd64.tar.gz.sig
gpg: assuming signed data in './yubihsm-connector-3.0.4-ubuntu2204-amd64.tar.gz'
gpg: Signature made Tue 24 Jan 2023 01:35:50 PM UTC
gpg:                using RSA key A8CE167914EEE232B9237B5410CAC4962E03C7CC
gpg: Good signature from "Aveen Ismail <aveen.ismail@yubico.com>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 1D73 08B0 055F 5AEF 3694  4A8F 27A9 C24D 9588 EA0F
     Subkey fingerprint: A8CE 1679 14EE E232 B923  7B54 10CA C496 2E03 C7CC

Also note, @aveenismail - your subkey is expired! ;-)

barabo commented 10 months ago

I should add that the instructions for importing developer keys listed in the documentation are not complete. When a release is signed with a subkey, it's not clear which primary key needs to be imported in order to verify the release. I don't know if the keyserver is supposed to determine whether the key fingerprint is a subkey and also import the primary key, but this wasn't working.
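The subkey-versus-primary confusion above is easy to get wrong in a verification script, because the human-readable gpg output says "Good signature" even when the key has expired and names only the subkey. The following is an added example (not code from this issue or from yubihsm-connector) that parses gpg's machine-readable status lines instead (the `[GNUPG:] GOODSIG`, `EXPKEYSIG`, `VALIDSIG`, `KEYEXPIRED` and `NO_PUBKEY` keywords documented in GnuPG's doc/DETAILS, emitted with `gpg --status-fd 1 --verify ...`). The last field of `VALIDSIG` is the primary key fingerprint, which is the fingerprint to pin and, as the thread shows, the one to fetch from the keyserver. The sample status lines are constructed to mirror this thread's fingerprints and were not captured from a real gpg run; the signature timestamp and expiry timestamp are assumed values.

```python
"""Decide whether a gpg --verify result is acceptable from its status lines.

Added example for this issue thread, not code from yubihsm-connector.
Status line formats follow GnuPG's doc/DETAILS; the sample lines below are
constructed to match the thread's scenario, not captured from gpg.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class VerifyResult:
    good: bool = False                  # GOODSIG or EXPKEYSIG seen: signature itself is valid
    key_expired: bool = False           # EXPKEYSIG or KEYEXPIRED seen
    missing_key: Optional[str] = None   # key id from NO_PUBKEY (signing subkey, not primary)
    signing_key: Optional[str] = None   # key id / fingerprint that made the signature
    primary_fpr: Optional[str] = None   # primary key fingerprint, last field of VALIDSIG
    signer: Optional[str] = None        # user id string from GOODSIG/EXPKEYSIG


def parse_status(lines: List[str]) -> VerifyResult:
    """Parse the '[GNUPG:] ...' lines produced by gpg --status-fd."""
    r = VerifyResult()
    for line in lines:
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        kw, args = fields[0], fields[1:]
        if kw in ("GOODSIG", "EXPKEYSIG"):
            r.good = True
            r.signing_key = args[0]
            r.signer = " ".join(args[1:])
            if kw == "EXPKEYSIG":
                r.key_expired = True
        elif kw == "VALIDSIG":
            # fpr sig_date sig_ts expire_ts version reserved pkalgo hashalgo sigclass [primary_fpr]
            r.signing_key = args[0]
            if len(args) >= 10:
                r.primary_fpr = args[9]
        elif kw == "KEYEXPIRED":
            r.key_expired = True
        elif kw == "NO_PUBKEY":
            r.missing_key = args[0]
    return r


def decide(result: VerifyResult, trusted_primary_fprs: List[str],
           allow_expired: bool = False) -> Tuple[bool, str]:
    """Accept only signatures whose PRIMARY key fingerprint is pinned."""
    if result.missing_key:
        return False, (f"no public key for {result.missing_key}; "
                       "import the primary key that owns this subkey")
    if not result.good:
        return False, "no valid signature"
    if result.primary_fpr is None:
        return False, "VALIDSIG carried no primary key fingerprint"
    pinned = {f.replace(" ", "").upper() for f in trusted_primary_fprs}
    if result.primary_fpr.upper() not in pinned:
        return False, f"signed under unpinned primary key {result.primary_fpr}"
    if result.key_expired and not allow_expired:
        return False, "signing key has expired"
    return True, f"good signature from {result.signer} (primary {result.primary_fpr})"


# Fingerprints from the thread: signing subkey and its primary key.
SUBKEY_FPR = "A8CE167914EEE232B9237B5410CAC4962E03C7CC"
PRIMARY_FPR = "1D7308B0055F5AEF36944A8F27A9C24D9588EA0F"
SIGNER = "Aveen Ismail <aveen.ismail@yubico.com>"

# Constructed status lines (not real gpg output). Timestamps are assumed.
CASE_NO_KEY = [f"[GNUPG:] NO_PUBKEY {SUBKEY_FPR[-16:]}"]
CASE_EXPIRED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] KEYEXPIRED 1690000000",
    f"[GNUPG:] EXPKEYSIG {SUBKEY_FPR[-16:]} {SIGNER}",
    f"[GNUPG:] VALIDSIG {SUBKEY_FPR} 2023-01-24 1674567350 0 4 0 1 10 00 {PRIMARY_FPR}",
]
CASE_GOOD = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG {SUBKEY_FPR[-16:]} {SIGNER}",
    f"[GNUPG:] VALIDSIG {SUBKEY_FPR} 2023-01-24 1674567350 0 4 0 1 10 00 {PRIMARY_FPR}",
]

if __name__ == "__main__":
    for name, case in (("no key", CASE_NO_KEY), ("expired", CASE_EXPIRED), ("good", CASE_GOOD)):
        print(name, decide(parse_status(case), [PRIMARY_FPR]))
```

Pinning the primary fingerprint rather than the subkey means a developer can rotate signing subkeys without the verifier's allow-list changing, while a signature from any other key, expired or not, is rejected.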

aveenismail commented 10 months ago

@barabo Thank you for the notification and apologies for the confusion. My key isn't actually expired but I seem to have missed uploading it to keys.openpgp.org after renewal. I just uploaded it now so hopefully the expired warning shouldn't be displayed again. Please let me know if the problem persists.