kubernetes / website

Kubernetes website and documentation repo:
https://kubernetes.io
Creative Commons Attribution 4.0 International

Instructions for `pkgs.k8s.io` should be updated to check GPG fingerprint #42718

Open AkihiroSuda opened 1 year ago

AkihiroSuda commented 1 year ago

https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/ https://kubernetes.io/blog/2023/08/15/pkgs-k8s-io-introduction/

The current documentation instructs users to trust https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key without checking its fingerprint:

https://github.com/kubernetes/website/blob/833291687fd2a241efd3cb295dc4973af3696942/content/en/docs/setup/production-environment/tools/kubeadm/install-kubeadm.md?plain=1#L181-L192

This doesn't seem to be more secure than just relying on HTTPS. The documentation should be updated to check its fingerprint. Or, the GPG can be just removed if the HTTPS infrastructure for https://pkgs.k8s.io is considered to be trustable.

k8s-ci-robot commented 1 year ago

This issue is currently awaiting triage.

SIG Docs takes a lead on issue triage for this website, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

dipesh-rawat commented 1 year ago

/language en

sftim commented 1 year ago

/sig security

/priority awaiting-more-evidence

Is there any useful way to verify that signing key?

sftim commented 1 year ago

> the HTTPS infrastructure for https://pkgs.k8s.io

That's on AWS now, but in the future we might serve packages from other places (e.g. using a redirect).

Options here include:

afbjorklund commented 1 year ago

The hosting of the key seems to be here: https://build.opensuse.org/projects/isv:kubernetes/signing_keys

Fingerprint de15 b144 86cd 377b 9e87 6e1a 2346 54da 9a29 6436

But there were some issues with the previous key, https://packages.cloud.google.com/apt/doc/apt-key.gpg that caused it to be moved from a different server to the regular dl.k8s.io infrastructure (like the stable.txt)

xmudrii commented 1 year ago

I'll be taking a look into this. /assign

afbjorklund commented 1 year ago

Something simple like hardcoding the fingerprint in the install script and verifying against the downloaded key?

gpg --show-keys kubernetes-apt-keyring.gpg | grep --quiet DE15B14486CD377B9E876E1A234654DA9A296436

"[expires: 2024-11-02]"

AkihiroSuda commented 1 year ago

> Something simple like hardcoding the fingerprint in the install script and verifying against the downloaded key?
>
> gpg --show-keys kubernetes-apt-keyring.gpg | grep --quiet DE15B14486CD377B9E876E1A234654DA9A296436
>
> "[expires: 2024-11-02]"

This grep seems vulnerable: an attacker may put "DE15B14486CD377B9E876E1A234654DA9A296436" in the signer name, the email address, or maybe other metadata.

afbjorklund commented 1 year ago

The default format only has significant whitespace:

```
pub   rsa2048 2022-08-25 [SC] [expires: 2024-11-02]
      DE15B14486CD377B9E876E1A234654DA9A296436
uid                      isv:kubernetes OBS Project <isv:kubernetes@build.opensuse.org>
```

So it is either something hacky like ^, or use the machine readable format.

gpg --show-keys --with-colons kubernetes-apt-keyring.gpg | grep --quiet "fpr:::::::::DE15B14486CD377B9E876E1A234654DA9A296436:"

It actually did say so in the manual:

> Never use the output of this command in scripts or other programs. The output is intended only for humans and its format is likely to change. The --with-colons option emits the output in a stable, machine-parseable format, which is intended for use by scripts and other programs.

But since we're not doing a simple install script anyway, might as well put words in the complicated instructions?

"Check the fingerprint of the key"

Note that the containerd.io package* does not check, either: https://docs.docker.com/engine/install/ubuntu/

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

* linked from https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#installing-runtime via https://github.com/containerd/containerd/blob/main/docs/getting-started.md#option-2-from-apt-get-or-dnf
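As an added example (not code from the thread or the Kubernetes project), the script below puts the two checks discussed above side by side on constructed listings: the substring grep over human-readable `gpg --show-keys` output accepts a decoy key whose user ID merely contains the expected fingerprint, while a check restricted to the tenth field of the `fpr` record in the `--with-colons` listing accepts only the key whose fingerprint really is the expected one. The listings are constructed to mimic gpg's two output formats and are not captured gpg output; the expected fingerprint value is the one quoted in the thread, and the decoy key, dates and uid hashes are made up.

```shell
#!/bin/sh
# Added example, not from the thread. All listings below are constructed sample
# text in the shape of gpg's output; only EXPECTED_FPR is a value from the thread.
EXPECTED_FPR=DE15B14486CD377B9E876E1A234654DA9A296436

# Constructed `gpg --show-keys` (human-readable) listing of the genuine key.
GENUINE_HUMAN='pub   rsa2048 2022-08-25 [SC] [expires: 2024-11-02]
      DE15B14486CD377B9E876E1A234654DA9A296436
uid                      isv:kubernetes OBS Project <isv:kubernetes@build.opensuse.org>
'

# Constructed listing of a decoy key: a different fingerprint, but the expected
# fingerprint string placed inside the user ID.
DECOY_HUMAN='pub   rsa2048 2024-01-01 [SC]
      0000000000000000000000000000000000000000
uid                      DE15B14486CD377B9E876E1A234654DA9A296436 Project <decoy@example.invalid>
'

# The same two keys as constructed `--with-colons` listings. gpg escapes ':' in
# user IDs as \x3a, so a uid can never masquerade as an fpr record.
GENUINE_COLONS='pub:-:2048:1:234654DA9A296436:1661385600:1730505600::-:::scSC::::::23::0:
fpr:::::::::DE15B14486CD377B9E876E1A234654DA9A296436:
uid:-::::1661385600::0000000000000000000000000000000000000000::isv\x3akubernetes OBS Project <isv\x3akubernetes@build.opensuse.org>::::::::::0:
'
DECOY_COLONS='pub:-:2048:1:0000000000000000:1704067200:0::-:::scSC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1704067200::1111111111111111111111111111111111111111::DE15B14486CD377B9E876E1A234654DA9A296436 Project <decoy@example.invalid>::::::::::0:
'

# The check proposed in the thread: a substring grep over the human-readable
# listing. It succeeds for any key whose listing contains the string anywhere.
naive_check() {
    printf '%s' "$1" | grep -q "$EXPECTED_FPR"
}

# Structured check: only the fingerprint field (10th) of an fpr record that
# belongs to the primary key (after pub, before any sub) can satisfy it.
strict_check() {
    printf '%s' "$1" | awk -F: -v want="$EXPECTED_FPR" '
        $1 == "pub" { primary = 1 }
        $1 == "sub" { primary = 0 }
        $1 == "fpr" && primary && $10 == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Prints what each check decides for each key when the script is run directly.
report() {
    if "$1" "$2"; then echo "$1: ACCEPT ($3)"; else echo "$1: REJECT ($3)"; fi
}
report naive_check "$GENUINE_HUMAN" genuine
report naive_check "$DECOY_HUMAN" decoy
report strict_check "$GENUINE_COLONS" genuine
report strict_check "$DECOY_COLONS" decoy
```

Running the script shows the naive check accepting both keys and the structured check accepting only the genuine one. The structured check depends on the escaping gpg guarantees in the `--with-colons` format, which is exactly why the manual restricts scripted use to that format.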

cShirley14 commented 11 months ago

(Found this thread due to frustration with documentation around gpg keys.)

@AkihiroSuda The following command seems more natural and secure: gpg --fingerprint DE15B14486CD377B9E876E1A234654DA9A296436

Also it seems common practice to publish the fingerprint of the public key in official documentation, is there a reason why this hasn't been done?

sftim commented 11 months ago

/lifecycle frozen

Let's make sure to triage this issue.

afbjorklund commented 11 months ago

The suggested command doesn't seem to help much:

```
$ gpg --fingerprint DE15B14486CD377B9E876E1A234654DA9A296436
gpg: error reading key: No public key
```

And it is not obvious, where it should go in the docs...

```
$ curl -LOJ https://build.opensuse.org/projects/isv:kubernetes/signing_keys/download?kind=gpg
$ gpg --import isv_kubernetes_key.gpg 
gpg: key 234654DA9A296436: 1 signature not checked due to a missing key
gpg: key 234654DA9A296436: public key "isv:kubernetes OBS Project <isv:kubernetes@build.opensuse.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
$ gpg --fingerprint DE15B14486CD377B9E876E1A234654DA9A296436
pub   rsa2048 2022-08-25 [SC] [expires: 2024-11-02]
      DE15 B144 86CD 377B 9E87  6E1A 2346 54DA 9A29 6436
uid           [ unknown] isv:kubernetes OBS Project <isv:kubernetes@build.opensuse.org>
```

i.e. how to check the downloaded key, before using?

OBS: isv_kubernetes_key.gpg

Same thing also goes for the add-ons, such as cri-o:

https://kubernetes.io/blog/2023/10/10/cri-o-community-package-infrastructure/

There are two copies of the key, for each pkg branch.

afbjorklund commented 11 months ago

> It makes more sense to me to use gpg, which already has functionality that will take a known Fingerprint and list it if it is there.

Right, it was just missing some details like that one needs to import the key to the keyring first? Currently it is just stored in a file...

Listing the fingerprint sounds like a good idea. And I think the suggestion of an install script was already turned down.

So not doing any more hacks, but waiting for the real solution.

The question was where the command goes into the current:

curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg

gpgkey=https://pkgs.k8s.io/core:/stable:/v1.28/rpm/repodata/repomd.xml.key

It seems like more steps to the installation process are needed.
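The comments above ask where a fingerprint check would go in the current `curl ... | gpg --dearmor` one-liner, and note that `gpg --fingerprint <id>` only works after the key has been imported. As an added example that is not the thread's or the Kubernetes docs' code, the script below splits the one-liner into download, verify, install: the key is fetched to a temporary file, `gpg --show-keys --with-colons` reads it without importing anything, the primary-key fingerprint from the `fpr` record is compared with a pinned value, and only a matching key is dearmored into the keyring. The URL and keyring path are those quoted in the thread and the pinned fingerprint is the one afbjorklund listed from OBS (in OBS's spaced lower-case form, to show the normalization); the function names, the requirement that the file contain exactly one primary key, and the temp-file flow are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or the Kubernetes project. Splits the
# documented `curl | gpg --dearmor` step into download, verify, install.
set -eu

KEY_URL='https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key'   # from the docs quoted above
KEYRING=/etc/apt/keyrings/kubernetes-apt-keyring.gpg                 # from the docs quoted above
# Pin published alongside the instructions, here in the spaced form OBS shows.
PINNED_FPR='de15 b144 86cd 377b 9e87 6e1a 2346 54da 9a29 6436'

# Canonical fingerprint for comparison: no spaces, upper-case hex, as gpg prints it.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Reads a `--with-colons` listing on stdin and prints
# "<number of primary keys> <fingerprint of the first fpr record>".
# Only pub and fpr records are consulted, so user-ID text cannot influence the
# result (gpg escapes ':' inside uids as \x3a).
parse_key_listing() {
    awk -F: '
        $1 == "pub"        { npub++ }
        $1 == "fpr" && !fp { fp = $10 }
        END                { print npub + 0, fp }'
}

# Succeeds only when the file holds exactly one primary key and it is the pinned one.
# --show-keys reads the file directly; no import into a keyring is needed, which is
# why a bare `gpg --fingerprint <id>` fails before import but this does not.
verify_key_file() {
    file=$1
    want=$(normalize_fpr "$PINNED_FPR")
    set -- $(gpg --show-keys --with-colons "$file" | parse_key_listing)
    [ "${1:-0}" -eq 1 ] && [ "${2:-}" = "$want" ]
}

install_verified_keyring() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    curl -fsSL "$KEY_URL" -o "$tmp"
    if ! verify_key_file "$tmp"; then
        echo "refusing to install $KEY_URL: fingerprint does not match the pinned value" >&2
        exit 1
    fi
    sudo install -m 0755 -d "$(dirname "$KEYRING")"
    gpg --dearmor < "$tmp" | sudo tee "$KEYRING" > /dev/null
    sudo chmod 0644 "$KEYRING"
}

# Usage: `sh verify-k8s-key.sh install` (assumed file name). With no argument the
# functions are only defined, so the file can be sourced or tested.
case "${1:-}" in
    install) install_verified_keyring ;;
esac
```

Because the check runs on the downloaded file rather than on the keyring, a key that fails verification never reaches `/etc/apt/keyrings` and apt never trusts it; the rpm variant would pin the same fingerprint against the `repomd.xml.key` file before placing it in the repo definition.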

sftim commented 11 months ago

This is one for SIG Release and SIG Security. The best first step would be to move things forward so we can triage it, reaching consensus on whether anything needs fixing.

xmudrii commented 1 month ago

I'm not working on this at the moment. /unassign