brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

FYI: the brave repo was added to extrepo #15339

Open tpo opened 3 years ago

tpo commented 3 years ago

See https://salsa.debian.org/extrepo-team/extrepo-data/-/merge_requests/77 and https://salsa.debian.org/extrepo-team/extrepo-data/-/blob/master/repos/debian/brave.yaml.

So now adding the brave repo to deb based distros is reduced to extrepo enable brave. That's it. extrepo will be part of the upcoming Debian bullseye, so from then on the full instructions for installing brave will consist of apt install extrepo && extrepo enable brave && apt install brave-browser. So eventually you might want to add those instructions to your install page.

Greetings & thanks *t

fmarier commented 3 years ago

Thanks @tpo . Do you know what the process is for distributing updated repository signing keys when we rotate our key?

tpo commented 3 years ago

@fmarier I'd suggest:

You can of course do all that manually if it's easier or let someone else pick it up.

If what I'm writing doesn't make sense then please ask.

fmarier commented 3 years ago

Thanks. The main thing I was wondering is whether or not our key will ship with the extrepo package. If it's pulled down on-demand from a server somewhere, then the procedure you've just highlighted would work fine.

On the other hand, if it ships with extrepo, then updating our key would require updating the package in all supported versions of Debian and Ubuntu.

tpo commented 3 years ago

@fmarier - thanks for explaining. The extrepo command will consult the online data.

The URL that extrepo consults is some yaml file somewhere under https://extrepo-team.pages.debian.net/extrepo-data/... (I don't have the exact URL at hand). I think the yaml file gets automatically regenerated on commit by their CI.

Note that I am not the author of extrepo, I've just added the data for brave to it via pull request. So while the info above is verified (I was debugging the process yesterday), I can't speak authoritatively about how extrepo's authors are planning to evolve it. However I can't think of a reason offhand why they should change the modus operandi of the tool.

fmarier commented 3 years ago

Thanks. That's good then. It means we can roll out a new key in a matter of days, not months.

fmarier commented 3 years ago

I wanted to see what would happen next time we rotate our signing key. I simulated such a key rotation by overwriting the release key with the nightly one:

$ sudo extrepo enable brave_nightly
$ sudo cp /var/lib/extrepo/keys/brave_nightly.asc /var/lib/extrepo/keys/brave_release.asc
$ sudo apt update
...
Err:3 https://brave-browser-apt-release.s3.brave.com stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A8580BDC82D3DC6C
...
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://brave-browser-apt-release.s3.brave.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A8580BDC82D3DC6C
W: Failed to fetch https://brave-browser-apt-release.s3.brave.com/dists/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A8580BDC82D3DC6C
W: Some index files failed to download. They have been ignored, or old ones used instead.

and in order to fix it I had to run the following manually:

$ sudo extrepo update brave_release
gpgv: Signature made Thu 12 Aug 2021 09:15:51 AM PDT
gpgv:                using RSA key 7A8502E9FF4765B162A964171283BEE904FB0E04
gpgv: Good signature from "Debian external repositories signing key (experimental)"

because there's no cronjob or systemd.

I think this is likely to be a problem for the average Brave Linux user. If we switch to extrepo as the recommended installation mechanism on Debian, we're going to get a lot of support requests from people who don't realize that they have to update the repo keys periodically because a lot of external repos have very long key expiries or never rotate their keys.
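A defender-side follow-up to the manual fix in the comment above, added here as an example that is not Brave's or extrepo's own code: it reads the NO_PUBKEY failures out of `apt update` output, maps the failing repository host back to an extrepo name, and re-runs `extrepo update` for it, which is the step a cron job or systemd timer would have to automate. It assumes extrepo writes its sources as /etc/apt/sources.list.d/extrepo_<name>.sources; the function and variable names are mine, and the sample apt output is reconstructed from the session quoted above.

```shell
#!/bin/sh
# Added example (not Brave's or extrepo's code): find repositories whose
# signature check failed with NO_PUBKEY after a key rotation and refresh
# their keys with `extrepo update`, the manual step from the comment above.
# Assumes extrepo writes /etc/apt/sources.list.d/extrepo_<name>.sources.

# Constructed sample: apt output as quoted in the comment above.
SAMPLE_APT_OUTPUT=$(cat <<'EOF'
Err:3 https://brave-browser-apt-release.s3.brave.com stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A8580BDC82D3DC6C
W: Failed to fetch https://brave-browser-apt-release.s3.brave.com/dists/stable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A8580BDC82D3DC6C
W: Some index files failed to download. They have been ignored, or old ones used instead.
EOF
)

# Print each key ID apt reported as NO_PUBKEY, once (apt output on stdin).
missing_pubkeys() {
    sed -n 's/.*NO_PUBKEY \([0-9A-Fa-f]\{16\}\).*/\1/p' | sort -u
}

# Print the host of every repository whose index failed verification (stdin).
failing_repo_hosts() {
    grep 'NO_PUBKEY' | sed -n 's|.*https\{0,1\}://\([^/ ]*\).*|\1|p' | sort -u
}

# Map a repository host to the extrepo names whose sources file mentions it.
# $1 = host, $2 = sources directory (defaults to apt's sources.list.d).
extrepo_names_for_host() {
    dir=${2:-/etc/apt/sources.list.d}
    for f in "$dir"/extrepo_*.sources; do
        [ -f "$f" ] || continue
        grep -qF "$1" "$f" || continue
        n=${f##*/extrepo_}
        printf '%s\n' "${n%.sources}"
    done
}

# Run apt update, refresh the key of every repository that failed, then retry.
refresh_rotated_keys() {
    out=$(apt-get update 2>&1) || true
    printf '%s\n' "$out" | failing_repo_hosts | while read -r host; do
        for name in $(extrepo_names_for_host "$host"); do
            echo "refreshing repository key for $name ($host)"
            extrepo update "$name"
        done
    done
    apt-get update
}

case "${1-}" in --run) refresh_rotated_keys ;; esac
```

Run with `--run` as root to perform the refresh; without it the script only defines the functions, so it can be sourced and tested against captured apt output.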

wknapik commented 3 years ago

Marking as blocked until there's a cronjob for extrepo to update keys.

wknapik commented 3 years ago

@tpo https://github.com/brave/brave-browser/issues/15339#issuecomment-898778309

tpo commented 3 years ago

@wknapik thanks for the reminder. It looks like in order to make headway, the key rotation problem should be fixed upstream. However I doubt I'll find the time to go after solving that in the near future. Even though the solution upstream might not be very hard.