Closed peterzhuamazon closed 2 years ago
@spotrh @dblock @bbarani would love to have your thoughts on this.
Thanks.
@anirudha Do you have any inputs since your team helped create the initial signing keys? The current sub key is set to expire in a year from the creation date. We are wondering if it's better to create a new sub key from the master key without expiration (we feel it's risky) OR create a sub key with 1 year expiration. Do you have any security recommendation?
@peterzhuamazon What are the pros/cons of each of these proposals?
Added in description.
Thanks.
What do other projects do? We also have the option to defer this decision and extend the key for a limited period of time (e.g. another year)?
Our subkey officially expired right now:
pub 4096R/9310D3FC 2021-05-11
uid OpenSearch project <opensearch@amazon.com>
# Note you cannot see any `sub` key anymore
% gpg --verify opensearch-2.0.0-rc1-linux-x64.tar.gz.sig
gpg: Signature made Tue 03 May 2022 05:30:55 PM UTC using RSA key ID 542C03B4
gpg: Good signature from "OpenSearch project <opensearch@amazon.com>"
gpg: Note: This key has expired!
Primary key fingerprint: C5B7 4989 65EF D1C2 924B A9D5 39D3 1987 9310 D3FC
Subkey fingerprint: 2187 3199 B103 0FCD 49DA 83F8 C2EE 2AF6 542C 03B4
Just work with @prudhvigodithi on extending to a new public key; the private key will not expire but will include the old sub public key.
Additional steps, since RHEL9 introduces strict verification and requires SHA2:
Run the gpg command once on your system. Add these to the gpg.conf file:
personal-digest-preferences SHA512
digest-algo SHA512
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-mode 3
s2k-count 65011712
1. gpg --edit-key C2EE2AF6542C03B4
2. key <number> (such as key 1) to select the key that is not 39D319879310D3FC or C2EE2AF6542C03B4 (see a * next to the selected keys), then delkey to delete it as it is not needed in the signing key chain.
3. key <number> again to select the key C2EE2AF6542C03B4, then type expire.
4. save to save all the progress.
5. C2EE2AF6542C03B4 with gpg --export --armor C2EE2AF6542C03B4 > new_sub_public. This key should be about 8.0K in size instead of 4.0K.
6. 39D319879310D3FC as well as master public.
7. sub private key and new_sub_public to sign.
Thanks.
We will make some changes to the public key page and replace the extended key for another year until 2023/05/12.
@peterzhuamazon as discussed, we'll need to add a note to https://opensearch.org/verify-signatures.html. I propose the following - under the line Our current PGP key fingerprint is C5B7 4989 65EF D1C2 924B A9D5 39D3 1987 9310 D3FC
"*Note: On 2022-05-11, the existing public key expired. If used, you will see "gpg: Note: This key has expired!" as noted in Issue 2040. Please download the new key which we have extended to 2023-05-12."
pushing out the edit for that page in project-website PR 823
We have updated the key on the same url with the new sub public key, which extends the original sub public key that expired on 20220511.
This extended new sub public key will expire on 20230512, and can be used to verify all previous and later signatures.
pub 4096R/39D319879310D3FC 2021-05-11
Key fingerprint = C5B7 4989 65EF D1C2 924B A9D5 39D3 1987 9310 D3FC
uid OpenSearch project <opensearch@amazon.com>
sub 2048R/C2EE2AF6542C03B4 2021-05-11 [expires: 2023-05-12]
% gpg --verify opensearch-2.0.0-rc1-linux-x64.tar.gz.sig
gpg: Signature made Tue 03 May 2022 05:30:55 PM UTC using RSA key ID 542C03B4
gpg: Good signature from "OpenSearch project <opensearch@amazon.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C5B7 4989 65EF D1C2 924B A9D5 39D3 1987 9310 D3FC
Subkey fingerprint: 2187 3199 B103 0FCD 49DA 83F8 C2EE 2AF6 542C 03B4
Thanks.
Add follow-up issue for next year:
Upload to these key servers to replace the existing ones; upload manually, do not use the --send-key command (reason):
{"inserted":null,"updated":["rsa4096/c5b7498965efd1c2924ba9d539d319879310d3fc"],"ignored":null}
Key block added to key server database. New public keys added:
1 key(s) added successfully.
Bear in mind the keyserver is trying to chain the old key with the new key and trust it with their server, so the copy on their server is not exactly the copy you upload. But when downloaded and then imported it shows the same behavior in PGP and the same fingerprint.
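A monitoring check for the follow-up above, added here as an example (not code from this thread or the OpenSearch project): it parses `gpg --with-colons --list-keys` output and reports which key is expired or within 30 days of expiring, so the next lapse is caught before signatures start failing. The two samples are constructed from the key IDs, fingerprints and dates quoted in this issue; the epoch values and the uid hash field are assumptions.

```python
import datetime as dt
from typing import Optional

# Constructed samples of `gpg --with-colons --list-keys` output for the key in this
# issue (key IDs, fingerprints and dates from the thread; epoch values are 00:00 UTC
# of 2021-05-11, 2022-05-11 and 2023-05-12, computed for the example). Colon-format
# fields: 0=record type, 4=key ID, 5=creation, 6=expiry (empty = never expires),
# 11=capabilities; on `fpr` records field 9 is the fingerprint.
BEFORE_EXTENSION = """\
pub:u:4096:1:39D319879310D3FC:1620691200:::u:::scESC::::::23::0:
fpr:::::::::C5B7498965EFD1C2924BA9D539D319879310D3FC:
uid:u::::1620691200::UIDHASHPLACEHOLDER::OpenSearch project <opensearch@amazon.com>::::::::::0:
sub:e:2048:1:C2EE2AF6542C03B4:1620691200:1652227200:::::s::::::23:
fpr:::::::::21873199B1030FCD49DA83F8C2EE2AF6542C03B4:
"""
# Same listing after the subkey expiry was pushed out to 2023-05-12.
AFTER_EXTENSION = BEFORE_EXTENSION.replace("1652227200", "1683849600").replace("sub:e:", "sub:u:")


def parse_keys(colons: str) -> list:
    """Return pub/sub records with expiry date, capabilities and the fingerprint that follows."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            expires = dt.datetime.fromtimestamp(int(f[6]), dt.timezone.utc).date() if f[6] else None
            keys.append({"type": f[0], "keyid": f[4], "expires": expires, "caps": f[11], "fpr": None})
        elif f[0] == "fpr" and keys:
            keys[-1]["fpr"] = f[9]  # fpr record belongs to the preceding pub/sub
    return keys


def expiry_report(colons: str, today_iso: str, warn_days: int = 30) -> list:
    """Classify each key as expired / expiring / ok / no-expiry relative to today_iso (YYYY-MM-DD)."""
    today = dt.date.fromisoformat(today_iso)
    report = []
    for k in parse_keys(colons):
        if k["expires"] is None:
            report.append((k["keyid"], "no-expiry", None))
            continue
        left = (k["expires"] - today).days
        # The expiry day itself counts as expired: gpg refuses the key from that timestamp on.
        status = "expired" if left <= 0 else "expiring" if left <= warn_days else "ok"
        report.append((k["keyid"], status, left))
    return report


def signing_subkey(colons: str) -> Optional[dict]:
    """The subkey with the 's' capability, i.e. the one that produced the detached .sig files."""
    return next((k for k in parse_keys(colons) if k["type"] == "sub" and "s" in k["caps"]), None)


if __name__ == "__main__":
    for label, sample in (("before extension", BEFORE_EXTENSION), ("after extension", AFTER_EXTENSION)):
        print(label, expiry_report(sample, "2022-05-12"))
```

In production the listing comes from `gpg --with-colons --list-keys 39D319879310D3FC` and the check runs on a schedule, failing when any signing subkey reports "expiring" or "expired".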
Thanks @krisfreedain the website is now updated: https://opensearch.org/verify-signatures.html
We will close this issue for now. Thanks.
Our current sub private key that we use for signing detached signature (.sig), and the sub public key that we attach to website for community to verify, will expire soon. https://opensearch.org/verify-signatures.html
Once the key expires we need to do a few things to resolve this. Questions are:
opensearch.pgp with the new sub public key.
Note: Do we also want to just extend the existing key so it won't expire?
Thanks.
Options:
1. Extend the existing subkey so it does not expire.
2. Get a new pair of subkey from the master, no expiration.
3. Get a new pair of subkey from the master, set it to expire in 1 year.
4. Get a new pair of subkey from the master for every product, or every major release of all products.