Open AkihiroSuda opened 1 year ago
/language en
/sig security
/priority awaiting-more-evidence
Is there any useful way to verify that signing key?
the HTTPS infrastructure for https://pkgs.k8s.io
That's on AWS now, but in the future we might serve packages from other places (eg using a redirect).
Options here include:
The hosting of the key seems to be here: https://build.opensuse.org/projects/isv:kubernetes/signing_keys
Fingerprint: de15 b144 86cd 377b 9e87 6e1a 2346 54da 9a29 6436
But there were some issues with the previous key, https://packages.cloud.google.com/apt/doc/apt-key.gpg
that caused it to be moved from a different server to the regular dl.k8s.io infrastructure (like the stable.txt)
I'll be taking a look into this. /assign
Something simple like hardcoding the fingerprint in the install script and verifying against the downloaded key ?
gpg --show-keys kubernetes-apt-keyring.gpg | grep --quiet DE15B14486CD377B9E876E1A234654DA9A296436
"[expires: 2024-11-02]"
Something simple like hardcoding the fingerprint in the install script and verifying against the downloaded key ?
gpg --show-keys kubernetes-apt-keyring.gpg | grep --quiet DE15B14486CD377B9E876E1A234654DA9A296436
"[expires: 2024-11-02]"
This grep seems vulnerable: an attacker may put "DE15B14486CD377B9E876E1A234654DA9A296436" into the signer name, the email address, or maybe other metadata.
The default format only has significant whitespace:
pub rsa2048 2022-08-25 [SC] [expires: 2024-11-02]
DE15B14486CD377B9E876E1A234654DA9A296436
uid isv:kubernetes OBS Project <isv:kubernetes@build.opensuse.org>
So it is either something hacky like ^, or use the machine-readable format.
gpg --show-keys --with-colons kubernetes-apt-keyring.gpg | grep --quiet "fpr:::::::::DE15B14486CD377B9E876E1A234654DA9A296436:"
It actually did say so in the manual:
Never use the output of this command in scripts or other programs. The output is intended only for humans and its format is likely to change. The --with-colons option emits the output in a stable, machine-parseable format, which is intended for use by scripts and other programs.
But since we're not doing a simple install script anyway, might as well put words in the complicated instructions?
"Check the fingerprint of the key"
Note that the containerd.io package* does not check, either: https://docs.docker.com/engine/install/ubuntu/
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
* linked from https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#installing-runtime via https://github.com/containerd/containerd/blob/main/docs/getting-started.md#option-2-from-apt-get-or-dnf
(Found this thread due to frustration with documentation around gpg keys.)
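The machine-readable check discussed above, as an added example (not code from this thread or from the Kubernetes project): the fingerprint is taken from gpg's `fpr` record only, so a uid crafted to contain the fingerprint string no longer satisfies the check, and the verification is placed before `--dearmor` in the documented apt steps. The `--with-colons` samples are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the Kubernetes project.
EXPECTED_FPR="DE15B14486CD377B9E876E1A234654DA9A296436"

# Strict check: parse gpg's --with-colons output and accept only an "fpr"
# record (field 1) whose fingerprint (field 10) equals the expected value.
# A uid or other field that merely contains the string is ignored.
strict_check() {
  printf '%s\n' "$1" | awk -F: -v want="$EXPECTED_FPR" '
    $1 == "fpr" && $10 == want { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# The naive check from the thread, kept for comparison: any line that
# contains the fingerprint string satisfies it.
naive_check() {
  printf '%s\n' "$1" | grep -q "$EXPECTED_FPR"
}

# Constructed --with-colons output for a genuine-looking key (gpg escapes
# colons inside the uid as \x3a) and for a crafted key whose uid embeds the
# expected fingerprint while the real fingerprint is something else.
GOOD_COLONS='pub:-:2048:1:234654DA9A296436:1661385600:1730505600::-:::scSC::::::23::0:
fpr:::::::::DE15B14486CD377B9E876E1A234654DA9A296436:
uid:-::::1661385600::0000000000000000000000000000000000000000::isv\x3akubernetes OBS Project <isv\x3akubernetes@build.opensuse.org>::::::::::0:'
CRAFTED_COLONS='pub:-:2048:1:0000000000000000:1661385600:1730505600::-:::scSC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1661385600::1111111111111111111111111111111111111111::DE15B14486CD377B9E876E1A234654DA9A296436 <x@example.invalid>::::::::::0:'

# Where the check fits in the documented apt steps: download to a temporary
# file, verify the fingerprint, and only then dearmor into /etc/apt/keyrings.
# Needs network, curl and gpg; the offline samples above do not exercise it.
install_verified_key() {
  url="$1"; dest="$2"
  tmp=$(mktemp) || return 1
  curl -fsSL "$url" -o "$tmp" || { rm -f "$tmp"; return 1; }
  if ! strict_check "$(gpg --show-keys --with-colons "$tmp")"; then
    echo "fingerprint mismatch for $url" >&2; rm -f "$tmp"; return 1
  fi
  gpg --dearmor -o "$dest" < "$tmp"; rc=$?; rm -f "$tmp"; return "$rc"
}
# Usage (from the thread's apt instructions):
# install_verified_key https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key \
#   /etc/apt/keyrings/kubernetes-apt-keyring.gpg
```

The same `strict_check` works on the rpm key after `gpg --show-keys --with-colons repomd.xml.key`, since it only looks at the `fpr` record.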
@AkihiroSuda The following command seems more natural and secure: gpg --fingerprint DE15B14486CD377B9E876E1A234654DA9A296436
Also it seems common practice to publish the fingerprint of the public key in official documentation, is there a reason why this hasn't been done?
/lifecycle frozen
Let's make sure to triage this issue.
The suggested command doesn't seem to help much:
$ gpg --fingerprint DE15B14486CD377B9E876E1A234654DA9A296436
gpg: error reading key: No public key
And it is not obvious where it should go in the docs...
$ curl -LOJ https://build.opensuse.org/projects/isv:kubernetes/signing_keys/download?kind=gpg
$ gpg --import isv_kubernetes_key.gpg
gpg: key 234654DA9A296436: 1 signature not checked due to a missing key
gpg: key 234654DA9A296436: public key "isv:kubernetes OBS Project <isv:kubernetes@build.opensuse.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
$ gpg --fingerprint DE15B14486CD377B9E876E1A234654DA9A296436
pub rsa2048 2022-08-25 [SC] [expires: 2024-11-02]
DE15 B144 86CD 377B 9E87 6E1A 2346 54DA 9A29 6436
uid [ unknown] isv:kubernetes OBS Project <isv:kubernetes@build.opensuse.org>
i.e. how to check the downloaded key before using it?
Same thing also goes for the add-ons, such as cri-o:
https://kubernetes.io/blog/2023/10/10/cri-o-community-package-infrastructure/
There are two copies of the key, for each pkg branch.
It makes more sense to me to use gpg, which already has functionality that will take a known fingerprint and list it if it is there.
Right, it was just missing some details, like the fact that one needs to import the key into the keyring first? Currently it is just stored in a file...
Listing the fingerprint sounds like a good idea. And I think the suggestion of an install script was already turned down.
So not doing any more hacks, but waiting for the real solution.
The question was where the command goes into the current:
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
gpgkey=https://pkgs.k8s.io/core:/stable:/v1.28/rpm/repodata/repomd.xml.key
It seems like more steps to the installation process are needed.
This is one for SIG Release and SIG Security. The best first step would be to move things forward so we can triage it, reaching consensus on whether anything needs fixing.
I'm not working on this at the moment. /unassign
https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/ https://kubernetes.io/blog/2023/08/15/pkgs-k8s-io-introduction/
The current documentation instructs users to trust https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key without checking its fingerprint: https://github.com/kubernetes/website/blob/833291687fd2a241efd3cb295dc4973af3696942/content/en/docs/setup/production-environment/tools/kubeadm/install-kubeadm.md?plain=1#L181-L192
This doesn't seem to be more secure than just relying on HTTPS. The documentation should be updated to check its fingerprint. Or, GPG can just be removed if the HTTPS infrastructure for https://pkgs.k8s.io is considered trustworthy.