Re: openSUSE Build Service - science

Hi all,

I am sorry for reviving this old thread, but unfortunately this is still a thing. The science gpg key is still using dsa1024 which is considered too weak especially by Ubuntu systems. As the key will expire soon (2021-11-11), is there any chance to upgrade to another signature algorithm?

pub   dsa1024 2008-01-22 [SC] [expires: 2021-11-11]
      D1DD7ACD6D68A0B43081B15801DB7302943D8BB8
uid           science OBS Project <science@build.opensuse.org>

Best
Christian
On 8. May 2018, at 19:14, Felder, Christian <c.felder@fz-juelich.de> wrote:
On 2. May 2018, at 19:11, Adrian Schröter <adrian@suse.de> wrote:
On Wednesday, 2 May 2018, 18:06:08 CEST, Stanislav Brabec wrote:
Yes, there is a DSA1024 key used in science:
osc signkey science | gpg
returns
pub   dsa1024 2008-01-22 [SC] [expires: 2019-09-17]
      D1DD7ACD6D68A0B43081B15801DB7302943D8BB8
uid           science OBS Project <science@build.opensuse.org>
science:gr-framework inherits it from science.
The key is still valid, but DSA1024 seems to be considered as weak, so we probably have to create a new one.
Henne, could you confirm that? Should I use: osc signkey --create science
It will trigger rebuild of all packages in all science sub-projects.
and you should tell the users, since it will be a new key. So for someone it will look like a breach ...
(zypp is not supporting a key upgrade, it will just tell it is different and ask to accept or refuse)
The key has to be upgraded anyway at some point. As SHA1 encryption has been declared as completely insecure I would prefer to generate a new key asap (and revoke the previous key but this is probably not possible).
Felder, Christian wrote:
Hi,
I am writing this mail to you guys because you are listed as maintainers of the science namespace at opensuse build service (build.opensuse.org) and I could not reach you guys either on IRC or via bug reporting, which seems to be just on GitHub nowadays (previously there was some bug tracker based on redmine). My issue on GitHub just got closed with the information that I should contact you guys directly… (https://github.com/openSUSE/open-build-service/issues/4937)
Hi, we get errors on gpg signature checks using the science: repositories (e.g. on Ubuntu 17.04, Ubuntu 18.04). Some time ago we also got errors that the key uses weak encryption (SHA1)
W: GPG error: http://download.opensuse.org/repositories/science:/gr-framework/xUbuntu_18.04 Release: The following signatures were invalid: D1DD7ACD6D68A0B43081B15801DB7302943D8BB8
E: The repository 'http://download.opensuse.org/repositories/science:/gr-framework/xUbuntu_18.0... Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
Is there anything we can do from our side or do you have to replace the science: signing key?
Probably it is sufficient to renew the gpg key for science: which cannot be done by myself. Any help would be appreciated. Thanks in advance. Christian
Christian Felder M. Sc.
Jülich Centre for Neutron Science JCNS at Heinz Maier-Leibnitz Zentrum MLZ
Forschungszentrum Jülich GmbH
Lichtenbergstraße 1
85747 Garching
GERMANY
Phone: +49 - 89 289 10 773
Fax: +49 - 89 289 10 799
--
Adrian Schroeter email: adrian@suse.de
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5 90409 Nürnberg Germany
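A small checker for the situation reported above, as an added example (not code from this thread, from osc or from OBS): it parses the colon-format listing that, for instance, `osc signkey science | gpg --with-colons --import-options show-only --import` prints and flags keys that apt treats as weak (DSA or RSA below 2048 bits, a threshold assumed here) or that expire within 30 days. The sample listing is constructed; its first key mirrors the science key quoted in this thread, the second is a made-up rsa4096 key with a constructed fingerprint.

```python
from datetime import datetime, timezone

# OpenPGP public-key algorithm IDs as printed in field 4 of pub: records
ALGO_NAMES = {1: "rsa", 17: "dsa", 19: "ecdsa", 22: "eddsa"}
MIN_BITS = {"rsa": 2048, "dsa": 2048}   # assumed policy: dsa1024 fails
GRACE_SECS = 30 * 86400                 # warn this long before expiry
# Constructed listing in gpg's colon format: the first key mirrors the
# science key quoted in the thread (timestamps = 2008-01-22, 2021-11-11);
# the second is a made-up rsa4096 key with a constructed fingerprint.
SAMPLE = """\
pub:-:1024:17:01DB7302943D8BB8:1200960000:1636588800::-:::scSC::::::23::0:
fpr:::::::::D1DD7ACD6D68A0B43081B15801DB7302943D8BB8:
uid:-::::1200960000::0123456789ABCDEF0123456789ABCDEF01234567::science OBS Project <science@build.opensuse.org>::::::::::0:
pub:-:4096:1:0123456789ABCDEF:1634428800:1760400000::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1634428800::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Constructed Example Key <example@example.invalid>::::::::::0:
"""

def parse_keys(colon_output):
    """One dict per primary key; fpr/uid come from the records after pub:."""
    keys, cur = [], None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = {"bits": int(f[2]), "algo": ALGO_NAMES.get(int(f[3]), "algo" + f[3]),
                   "expires": int(f[6]) if f[6] else None, "fpr": None, "uid": None}
            keys.append(cur)
        elif f[0] == "fpr" and cur and cur["fpr"] is None:   # primary key fpr only
            cur["fpr"] = f[9]
        elif f[0] == "uid" and cur and cur["uid"] is None:   # first uid only
            cur["uid"] = f[9]
    return keys

def assess(colon_output, now_ts):
    """Return [(fingerprint, [problem, ...]), ...]; an empty list means OK."""
    report = []
    for k in parse_keys(colon_output):
        problems = []
        if k["algo"] in MIN_BITS and k["bits"] < MIN_BITS[k["algo"]]:
            problems.append("weak: %s%d" % (k["algo"], k["bits"]))
        if k["expires"] is not None:
            exp = datetime.fromtimestamp(k["expires"], timezone.utc).date()
            if k["expires"] <= now_ts:
                problems.append("expired %s" % exp)
            elif k["expires"] - now_ts <= GRACE_SECS:
                problems.append("expires soon %s" % exp)
        report.append((k["fpr"], problems))
    return report

if __name__ == "__main__":
    for fpr, probs in assess(SAMPLE, 1634428800):   # 2021-10-17, date of the mail
        print(fpr, "; ".join(probs) or "ok")
```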

On Sunday, 17 October 2021, 21:04:18 CEST Felder, Christian wrote:
Hi all,
I am sorry for reviving this old thread, but unfortunately this is still a thing.
The science gpg key is still using dsa1024 which is considered too weak especially by Ubuntu systems.
As the key will expire soon (2021-11-11), is there any chance to upgrade to another signature algorithm?
pub   dsa1024 2008-01-22 [SC] [expires: 2021-11-11]
      D1DD7ACD6D68A0B43081B15801DB7302943D8BB8
uid           science OBS Project <science@build.opensuse.org>
Any maintainer could call osc signkey --create science to create a new key. But there is no way to migrate a key from dsa to rsa.
--
Adrian Schroeter <adrian@suse.de>
Build Infrastructure Project Manager
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany (HRB 247165, AG München), Geschäftsführer: Felix Imendörffer

On Monday, 18 October 2021, 08:34:17 CEST Adrian Schröter wrote:
On Sunday, 17 October 2021, 21:04:18 CEST Felder, Christian wrote:
Hi all,
I am sorry for reviving this old thread, but unfortunately this is still a thing.
The science gpg key is still using dsa1024 which is considered too weak especially by Ubuntu systems.
As the key will expire soon (2021-11-11), is there any chance to upgrade to another signature algorithm?
pub   dsa1024 2008-01-22 [SC] [expires: 2021-11-11]
      D1DD7ACD6D68A0B43081B15801DB7302943D8BB8
uid           science OBS Project <science@build.opensuse.org>
any maintainer could call
osc signkey --create science
to create a new key. But there is no way to migrate a key from dsa to rsa.
Just to be explicit here: A new key will of course mean that every repository user of the repository will be prompted about the change. So any kind of announcement might be necessary ....

--
Adrian Schroeter <adrian@suse.de>
Build Infrastructure Project Manager
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany (HRB 247165, AG München), Geschäftsführer: Felix Imendörffer

On 18.10.2021 at 08:38, Adrian Schröter <adrian@suse.de> wrote:
On Monday, 18 October 2021, 08:34:17 CEST Adrian Schröter wrote:
On Sunday, 17 October 2021, 21:04:18 CEST Felder, Christian wrote:
Hi all,
I am sorry for reviving this old thread, but unfortunately this is still a thing.
The science gpg key is still using dsa1024 which is considered too weak especially by Ubuntu systems.
As the key will expire soon (2021-11-11), is there any chance to upgrade to another signature algorithm?
pub   dsa1024 2008-01-22 [SC] [expires: 2021-11-11]
      D1DD7ACD6D68A0B43081B15801DB7302943D8BB8
uid           science OBS Project <science@build.opensuse.org>
any maintainer could call
osc signkey --create science
to create a new key. But there is no way to migrate a key from dsa to rsa.
just to be explicit here: A new key will of course mean that every repository user of the repository will be prompted about the change.
So any kind of announcement might be necessary ....
The key will be due soon (2021-11-11). I don't ask to renew before that, but it would be nice to renew with rsa this time.
--
Adrian Schroeter <adrian@suse.de> Build Infrastructure Project Manager
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany (HRB 247165, AG München), Geschäftsführer: Felix Imendörffer
Forschungszentrum Juelich GmbH, 52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior

Hey guys,

I was not aware of the possibility to create your own key for subprojects. I thought it was always inherited from the parent project. Finally, after creating its own gpg key for science:gr-framework, this is sorted out.

Thanks
Christian
On 18. Oct 2021, at 09:22, Felder, Christian <c.felder@fz-juelich.de> wrote:
The key will be due soon (2021-11-11). I don't ask to renew before that, but it would be nice to renew with rsa this time.