[Bug 1199184] New: switch Tumbleweed to a 4096bit RSA signing key
https://bugzilla.suse.com/show_bug.cgi?id=1199184

            Bug ID: 1199184
           Summary: switch Tumbleweed to a 4096bit RSA signing key
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
          Assignee: dimstar@opensuse.org
          Reporter: meissner@suse.com
        QA Contact: qa-bugs@suse.de
                CC: dmueller@suse.com
          Found By: ---
           Blocker: ---

We currently still use a 2048 bit key for signing. It would be better to switch to a 4096 RSA key.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c1

Fabian Vogt <fvogt@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fvogt@suse.com

--- Comment #1 from Fabian Vogt <fvogt@suse.com> ---
AFAIK 2048 bit RSA is still considered secure. What about switching to something like ECDSA/EdDSA?
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c2

--- Comment #2 from Marcus Meissner <meissner@suse.com> ---
Is still considered secure, but other distros use longer keys and e.g. Dirk Mueller already argues on why openSUSE does not switch.

I am not yet familiar with how much could break with switching to elliptic curves though.
https://bugzilla.suse.com/show_bug.cgi?id=1199184

Dominique Leuenberger <dleuenberger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium
             Status|NEW                         |CONFIRMED
                 CC|                            |dleuenberger@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c3

--- Comment #3 from Dirk Mueller <dmueller@suse.com> ---
(In reply to Marcus Meissner from comment #2)
> Is still considered secure, but other distros use longer keys and e.g. Dirk Mueller already argues on why openSUSE does not switch.

I'm not arguing, I was asking what needs to be done to implement a longer key for ALP. Based on factory first we should try to roll it out in openSUSE first and see the downsides before doing anything on SLE.

From a brief look at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pd... it appears that RSA2048 is the acceptable minimum, and other distributions are choosing larger keys.

I don't really care which cryptographic method we choose, so elliptic curve is totally fine by me as well. I don't know the implications of that very thoroughly though, more expertise is needed.
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c4

--- Comment #4 from Fabian Vogt <fvogt@suse.com> ---
Looks like EdDSA support landed in RPM in 2020 and it works on TW (with sha256 only, https://github.com/rpm-software-management/rpm/issues/1877 is missing). It doesn't work on Leap though, so either that would have to be backported (https://github.com/rpm-software-management/rpm/pull/1202 at least) or we'd have to deal with RSA a bit longer.

IMO it's better to keep RSA 2048 for a bit longer and then switch to ECC directly instead of switching to RSA 4096 now (and maybe switch to ECC in the future).
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c5

--- Comment #5 from Marcus Meissner <meissner@suse.com> ---
I filed an OBS ticket to make signing keytypes configurable via API calls, as currently the OBS API would only create 2048bit RSA keys.

https://jira.suse.com/browse/OBS-193
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c6

Stefan Seyfried <seife@novell.slipkontur.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |seife@novell.slipkontur.de

--- Comment #6 from Stefan Seyfried <seife@novell.slipkontur.de> ---
Is there also a github issue or such that I could watch for the OBS implementation discussion? (I want to change to a longer key in a private OBS instance and would hope that this discussion helps me achieve that seamlessly ;-))
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c7

--- Comment #7 from Dirk Mueller <dmueller@suse.com> ---
https://github.com/openSUSE/open-build-service/pull/12528
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c8

Adrian Schröter <adrian.schroeter@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adrian.schroeter@suse.com

--- Comment #8 from Adrian Schröter <adrian.schroeter@suse.com> ---
Just for the record, the pull request is for changing OBS defaults, but for Tumbleweed it is a config setting we can do at any time.
https://bugzilla.suse.com/show_bug.cgi?id=1199184

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lnussel@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c9

Dirk Mueller <dmueller@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ro@suse.com
              Flags|                            |needinfo?(ro@suse.com)

--- Comment #9 from Dirk Mueller <dmueller@suse.com> ---
Created attachment 860726
  --> https://bugzilla.suse.com/attachment.cgi?id=860726&action=edit
openSUSE RSA 4096 key

This is the new key that was created a few weeks back by Ruediger Oertel. Rudi, can you confirm that this is the right key and that we have established backups etc?
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c10

--- Comment #10 from Ludwig Nussel <lnussel@suse.com> ---
Only one? While we are at it there would be the chance to have a second one that only exists offline and is stored away in a safe for emergencies. So far the SLE key serves as fallback which is a) odd and b) also seems to be only rsa2048.
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c11

Ruediger Oertel <ro@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(ro@suse.com)      |

--- Comment #11 from Ruediger Oertel <ro@suse.com> ---
> Rudi, can you confirm that this is the right key and that we have established backups etc?

Yes, 35A2F86E29B700A4 is the key created 20220620 and this is also in the encrypted backup and in the safe.

If a reserve key for openSUSE is needed we can of course create that, but maybe it makes sense to wait a few more weeks until we have the needed infrastructure working for ECC based keys (almost there but still fighting with a few performance issues when switching to current gpg versions).
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c12

Dirk Mueller <dmueller@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CONFIRMED                   |IN_PROGRESS

--- Comment #12 from Dirk Mueller <dmueller@suse.com> ---
Pubkey update on its way to factory.
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c13

--- Comment #13 from Dirk Mueller <dmueller@suse.com> ---
It's been a while here, but I don't see the factory key having changed to the new rsa 4096 key.

curl https://download.opensuse.org/tumbleweed/repo/oss/repodata/repomd.xml.key | gpg -v
pub   rsa2048 2008-11-07 [SC] [expires: 2024-05-02]
      22C07BA534178CD02EFE22AAB88B2FD43DBDC284
uid           openSUSE Project Signing Key <opensuse@opensuse.org>

When do we plan to switch?
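As an added example, not part of the bug thread, the manual check in comment #13 turned into a scriptable policy test on `gpg --with-colons --show-keys` output. The two key records below are constructed from the values quoted in the thread (the 2048-bit key's fingerprint from comment #13, the new key id from comment #11; the new key's fingerprint is a zero-padded placeholder), and the minimum-strength policy (RSA of at least 4096 bits, or EdDSA) is an assumption of this example, not a decision recorded in the bug.

```shell
#!/bin/sh
# Added example: classify a repository signing key from gpg colon-format output
# and check it against an assumed policy: RSA >= 4096 bits or EdDSA (algo 22).

# Constructed colon-format records for the current key seen in comment #13
# (pub: field 3 = bits, 4 = algorithm, 5 = key id, 6/7 = created/expires).
OLD_KEY_COLONS='pub:-:2048:1:B88B2FD43DBDC284:1226016000:1714608000::-:::scSC::::::23::0:
fpr:::::::::22C07BA534178CD02EFE22AAB88B2FD43DBDC284:
uid:-::::1226016000::HASH::openSUSE Project Signing Key <opensuse@opensuse.org>::::::::::0:'

# Constructed records for the 4096-bit key from comment #11; the fingerprint is a
# placeholder (zeros plus the key id), not the real one.
NEW_KEY_COLONS='pub:-:4096:1:35A2F86E29B700A4:1655683200:::-:::scSC::::::23::0:
fpr:::::::::000000000000000000000000035A2F86E29B700A4:
uid:-::::1655683200::HASH::openSUSE Project Signing Key <opensuse@opensuse.org>::::::::::0:'

# key_policy_verdict <colon-output>
# Prints "<verdict> <keyid> <fingerprint>" and returns 0 only if the primary key
# meets the policy. Only the first pub/fpr pair (the primary key) is considered.
key_policy_verdict() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" && algo == "" { bits = $3; algo = $4; keyid = $5 }
        $1 == "fpr" && fpr == ""  { fpr = $10 }
        END {
            if (algo == "")                  verdict = "reject no-pub-record"
            else if (algo == 1 && bits >= 4096) verdict = "ok rsa" bits
            else if (algo == 22)             verdict = "ok eddsa"
            else if (algo == 1)              verdict = "reject rsa" bits "-below-minimum"
            else                             verdict = "reject unsupported-algo-" algo
            print verdict, keyid, fpr
            if (verdict ~ /^ok/) exit 0
            exit 1
        }'
}

# Live usage (network required), equivalent to the check in comment #13:
#   key_policy_verdict "$(curl -s https://download.opensuse.org/tumbleweed/repo/oss/repodata/repomd.xml.key \
#                         | gpg --with-colons --show-keys)"
```

Pin the expected fingerprint as well in production use; the algorithm check alone says nothing about whether the key is the one you intended to trust.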
https://bugzilla.suse.com/show_bug.cgi?id=1199184

Frank Krüger <fkrueger@mailbox.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fkrueger@mailbox.org
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c14

--- Comment #14 from Marcus Meissner <meissner@suse.com> ---
Cross check with Dimstar.
- switch only after New Year's as people are already on xmas vacation

We need to put this key also in Leap, which I will be working on now, for migration purposes (and also to have Leap 15.5 and perhaps older ones switch to it too.)
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c16

--- Comment #16 from Dirk Mueller <dmueller@suse.com> ---
(In reply to Marcus Meissner from comment #14)
> Cross check with Dimstar.
> - switch only after New Year's as people are already on xmas vacation

Technically the Tumbleweed key is already created, backed up and on the keyserver, so it is "just" a config change to activate it. It would be the easiest to do (but after the xmas break is also fine).
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c17

--- Comment #17 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-RU-2022:10259-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1199184
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.4 (src):    openSUSE-build-key-1.0-lp154.3.3.1
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c18

--- Comment #18 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-RU-2023:0003-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1199184
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.3 (src):    openSUSE-build-key-1.0-lp153.4.11.1
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c19

--- Comment #19 from Dirk Mueller <dmueller@suse.com> ---
Dominique, happy new year! When would be a good time to do the switch? From the OBS side it's a one-liner config change and can be done at any point in time now. Also the Leap update is released.
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c20

--- Comment #20 from Marcus Meissner <meissner@suse.com> ---
Talked with Dominique, let's target 23.1. for the switchover.
https://bugzilla.suse.com/show_bug.cgi?id=1199184

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1199184
https://bugzilla.suse.com/show_bug.cgi?id=1199184#c23

--- Comment #23 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-RU-2023:0084-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1199184
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.4 (src):    rpm-repos-openSUSE-0-lp154.6.3.1