Heads up: Transition to RSA 4096 signing key for Tumbleweed
Hi folks,

We will switch the openSUSE Tumbleweed signing key that signs the repositories and RPMs from 2048bit RSA key to a 4096bit RSA key early next week.

The key has already been delivered for several months and is in your systems.

rpm -ql openSUSE-build-key
/usr/lib/rpm/gnupg/keys/gpg-pubkey-29b700a4-62b07e22.asc

fingerprint:
pub   rsa4096/0x35A2F86E29B700A4 2022-06-20 [SC] [expires: 2026-06-19]
      Key fingerprint = AD48 5664 E901 B867 051A B15F 35A2 F86E 29B7 00A4
uid                   openSUSE Project Signing Key <opensuse@opensuse.org>

and it should be in the trusted RPM keyring already:

rpm -qi gpg-pubkey-29b700a4-62b07e22
... will show it ...

Tracker bug: https://bugzilla.suse.com/show_bug.cgi?id=1199184

Ciao, Marcus
Hi Marcus, On 18.01.23 14:35, Marcus Meissner wrote:
Hi folks,
We will switch the openSUSE Tumbleweed signing key that signs the repositories and RPMs from 2048bit RSA key to a 4096bit RSA key early next week.
The key has already been delivered for several months and is in your systems.
What will happen if I try to "zypper dup" a system that had been sitting on a shelf for a year switched off? Will this break badly or will I just have to trust the key manually?

Best regards,
-- 
Stefan Seyfried
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
On Wed, Jan 18, 2023 at 05:14:52PM +0100, Stefan Seyfried wrote:
Hi Marcus,
On 18.01.23 14:35, Marcus Meissner wrote:
Hi folks,
We will switch the openSUSE Tumbleweed signing key that signs the repositories and RPMs from 2048bit RSA key to a 4096bit RSA key early next week.
The key has already been delivered for several months and is in your systems.
What will happen if I try to "zypper dup" a system that had been sitting on a shelf for a year switched off? Will this break badly or will I just have to trust the key manually?
It will ask to trust the new key via the key import dialog.

Ciao, Marcus
List, On Wed, Jan 18, 2023 at 2:35 PM Marcus Meissner <meissner@suse.de> wrote:
We will switch the openSUSE Tumbleweed signing key that signs the repositories and RPMs from 2048bit RSA key to a 4096bit RSA key early next week. rpm -ql openSUSE-build-key /usr/lib/rpm/gnupg/keys/gpg-pubkey-29b700a4-62b07e22.asc
brand new 15.4 system some months old but apparently the system sees this key or package, and appropriate file
----------------
rpm -ql openSUSE-build-key
/usr/lib/rpm/gnupg
/usr/lib/rpm/gnupg/dumpsigs
/usr/lib/rpm/gnupg/keys
/usr/lib/rpm/gnupg/keys/gpg-pubkey-29b700a4-62b07e22.asc
/usr/lib/rpm/gnupg/keys/gpg-pubkey-307e3d54-5aaa90a5.asc
/usr/lib/rpm/gnupg/keys/gpg-pubkey-39db7c82-5847eb1f.asc
/usr/lib/rpm/gnupg/keys/gpg-pubkey-3dbdc284-53674dd4.asc
/usr/lib/rpm/gnupg/keys/gpg-pubkey-65176565-61a0ee8f.asc
/usr/share/container-keys
/usr/share/container-keys/opensuse-container-key.asc
/usr/share/doc/packages/openSUSE-build-key
/usr/share/doc/packages/openSUSE-build-key/security_at_suse_de.asc
-----------------------
but rpm doesn't trust or show or use this key?
and should be in trusted RPM keyring already: rpm -qi gpg-pubkey-29b700a4-62b07e22 ... will show it ... Tracker bug: https://bugzilla.suse.com/show_bug.cgi?id=1199184
---------
rpm -qi gpg-pubkey-29b700a4-62b07e22
package gpg-pubkey-29b700a4-62b07e22 is not installed
---------
what did this system miss? bug? how does rpm get fed with the proper stuff? ty.
On Wed, Jan 18, 2023 at 07:03:24PM +0100, cagsm wrote:
List,
On Wed, Jan 18, 2023 at 2:35 PM Marcus Meissner <meissner@suse.de> wrote:
We will switch the openSUSE Tumbleweed signing key that signs the repositories and RPMs from 2048bit RSA key to a 4096bit RSA key early next week. rpm -ql openSUSE-build-key /usr/lib/rpm/gnupg/keys/gpg-pubkey-29b700a4-62b07e22.asc
brand new 15.4 system some months old but apparently the system sees this key or package, and appropriate file
----------------
rpm -ql openSUSE-build-key
/usr/lib/rpm/gnupg
/usr/lib/rpm/gnupg/dumpsigs
/usr/lib/rpm/gnupg/keys
/usr/lib/rpm/gnupg/keys/gpg-pubkey-29b700a4-62b07e22.asc
/usr/lib/rpm/gnupg/keys/gpg-pubkey-307e3d54-5aaa90a5.asc
/usr/lib/rpm/gnupg/keys/gpg-pubkey-39db7c82-5847eb1f.asc
/usr/lib/rpm/gnupg/keys/gpg-pubkey-3dbdc284-53674dd4.asc
/usr/lib/rpm/gnupg/keys/gpg-pubkey-65176565-61a0ee8f.asc
/usr/share/container-keys
/usr/share/container-keys/opensuse-container-key.asc
/usr/share/doc/packages/openSUSE-build-key
/usr/share/doc/packages/openSUSE-build-key/security_at_suse_de.asc
-----------------------
but rpm doesn't trust or show or use this key?
and should be in trusted RPM keyring already: rpm -qi gpg-pubkey-29b700a4-62b07e22 ... will show it ... Tracker bug: https://bugzilla.suse.com/show_bug.cgi?id=1199184
---------
rpm -qi gpg-pubkey-29b700a4-62b07e22
package gpg-pubkey-29b700a4-62b07e22 is not installed
---------
what did this system miss? bug? how does rpm get fed with the proper stuff? ty.
The key was not auto imported into the Leap 15.4 RPM database yet. Currently the first product to transition is openSUSE Tumbleweed; Leap I have not yet scheduled.

You can already do

rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-29b700a4-62b07e22.asc

as I also plan to migrate Leap at some point.

Ciao, Marcus
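The announcement identifies the new key twice, once by OpenPGP fingerprint and once by rpm's synthetic package name gpg-pubkey-29b700a4-62b07e22, and the reply above recommends `rpm --import` of the shipped key file. Before importing, or before clicking through the zypper key dialog on a long-powered-off box, the check worth doing is that the key you are about to trust really carries the announced fingerprint. The following is an added example written for this page, not code from the thread, openSUSE or rpm. It shows how the two identifiers relate (rpm names an imported key after the low 32 bits of the key ID and the key's creation time in hex, and a v4 OpenPGP fingerprint is SHA-1 over 0x99, a two-byte length and the public-key packet body, per RFC 4880) and recomputes both from a binary public-key packet. The only real values in it are the fingerprint and package name quoted in the announcement; the RSA packet built by `make_demo_packet()` is a constructed toy with a tiny modulus and is not a usable key. Feeding it the real key file is assumed to go through `gpg --dearmor` first, since the file under /usr/lib/rpm/gnupg/keys is ASCII-armored and the dearmoring step is not part of this example.

```python
"""Relate an rpm 'gpg-pubkey-<keyid>-<ctime>' name to an OpenPGP v4 fingerprint.

Added example for this mailing-list thread; not openSUSE or rpm code.
"""
import hashlib
import re
import struct
from datetime import datetime, timezone

# Real identifiers quoted in the announcement.
ANNOUNCED_FPR = "AD48 5664 E901 B867 051A B15F 35A2 F86E 29B7 00A4"
ANNOUNCED_RPM_NAME = "gpg-pubkey-29b700a4-62b07e22"

_RPM_NAME_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})$")


def normalize_fpr(fpr: str) -> str:
    """Drop grouping whitespace and case so two renderings compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_rpm_pubkey_name(name: str):
    """Split rpm's gpg-pubkey name into (low 32 bits of key id, creation time UTC)."""
    m = _RPM_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an rpm gpg-pubkey name: {name!r}")
    created = datetime.fromtimestamp(int(m.group(2), 16), tz=timezone.utc)
    return m.group(1), created


def rpm_name_for(fingerprint: str, created_ts: int) -> str:
    """Name rpm gives a key with this fingerprint and creation timestamp."""
    return f"gpg-pubkey-{normalize_fpr(fingerprint)[-8:].lower()}-{created_ts:08x}"


def rpm_name_matches_fpr(rpm_name: str, fingerprint: str) -> bool:
    """True if the package name's key id is the tail of the fingerprint."""
    keyid, _ = parse_rpm_pubkey_name(rpm_name)
    return normalize_fpr(fingerprint).endswith(keyid.upper())


def v4_fingerprint(pubkey_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, 2-byte body length, packet body."""
    data = b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body
    return hashlib.sha1(data).hexdigest().upper()


def parse_v4_pubkey_body(body: bytes):
    """Return (creation timestamp, public-key algorithm id) of a v4 key body."""
    if body[0] != 4:
        raise ValueError("only v4 public keys are handled")
    return struct.unpack(">IB", body[1:6])


def first_pubkey_body(packets: bytes) -> bytes:
    """Body of the first old-format public-key packet (tag 6) in a packet stream."""
    pos = 0
    while pos < len(packets):
        ctb = packets[pos]
        if not ctb & 0x80 or ctb & 0x40:
            raise ValueError("unsupported packet header (not old-format)")
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate-length packet not supported")
        lsize = (1, 2, 4)[ltype]
        length = int.from_bytes(packets[pos + 1:pos + 1 + lsize], "big")
        start = pos + 1 + lsize
        if tag == 6:
            return packets[start:start + length]
        pos = start + length
    raise ValueError("no public-key packet found")


def _mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes."""
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def make_demo_packet(created_ts: int) -> bytes:
    """Constructed toy RSA public-key packet (tag 6, v4). NOT a real key."""
    body = bytes([4]) + struct.pack(">I", created_ts) + bytes([1])  # v4, ctime, RSA
    body += _mpi(0xC0FFEE12345) + _mpi(65537)  # toy modulus n and exponent e
    return b"\x99" + struct.pack(">H", len(body)) + body  # 0x99 = tag 6, 2-byte len


def check_packet_against_rpm_name(packets: bytes, rpm_name: str) -> bool:
    """Fingerprint the key in `packets` and confirm rpm would name it `rpm_name`."""
    body = first_pubkey_body(packets)
    created_ts, algo = parse_v4_pubkey_body(body)
    if algo != 1:  # 1 = RSA (encrypt or sign)
        raise ValueError("expected an RSA key")
    return rpm_name_for(v4_fingerprint(body), created_ts) == rpm_name


if __name__ == "__main__":
    keyid, created = parse_rpm_pubkey_name(ANNOUNCED_RPM_NAME)
    print(keyid, created.isoformat(), rpm_name_matches_fpr(ANNOUNCED_RPM_NAME, ANNOUNCED_FPR))
    demo = make_demo_packet(0x62B07E22)
    fpr = v4_fingerprint(first_pubkey_body(demo))
    print(fpr, rpm_name_for(fpr, 0x62B07E22))
```

Run as-is it confirms that 29b700a4 is the tail of the announced fingerprint and that 0x62b07e22 decodes to 2022-06-20 UTC, the creation date shown in the announcement. The practical use is the last function: dearmor the .asc file, pass the bytes in together with the gpg-pubkey name you expect, and only `rpm --import` when it returns True and the recomputed fingerprint equals the one announced out of band.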
Am Mittwoch, 18. Januar 2023, 14:35:05 CET schrieb Marcus Meissner:
Hi folks,
We will switch the openSUSE Tumbleweed signing key that signs the repositories and RPMs from 2048bit RSA key to a 4096bit RSA key early next week.
The key has already been delivered for several months and is in your systems.
rpm -ql openSUSE-build-key /usr/lib/rpm/gnupg/keys/gpg-pubkey-29b700a4-62b07e22.asc
Great, this reveals two more questions, Marcus:

Do we have instructions somewhere to migrate home projects correctly?

What about the kernel SSL signing keys?

Cheers
Pete
On Thu, Jan 19, 2023 at 12:52:35PM +0100, Hans-Peter Jansen wrote:
Am Mittwoch, 18. Januar 2023, 14:35:05 CET schrieb Marcus Meissner:
Hi folks,
We will switch the openSUSE Tumbleweed signing key that signs the repositories and RPMs from 2048bit RSA key to a 4096bit RSA key early next week.
The key has already been delivered for several months and is in your systems.
rpm -ql openSUSE-build-key /usr/lib/rpm/gnupg/keys/gpg-pubkey-29b700a4-62b07e22.asc
Great, this reveals two more questions, Marcus:
Do we have instructions somewhere to migrate home projects correctly?
There the keys are managed by OBS. Currently the default is still 2048 bit, I will see that the OBS dev team changes that. Then "osc signkey --create PROJECT" will replace the key with a new RSA 4096 bit key.
What about the kernel SSL signing keys?
We will change this with the next UEFI secure boot key rotation. I expect this also to happen in the first half of this year, as we had some UEFI secure boot issues with grub2 at the end of last year.

Ciao, Marcus
Not sure if this is the appropriate Forum/Thread, but since a recent update (3/4 days?), am now getting the continual dialog box:

Title: Software Updates
Heading: Update Error
Message: Failed to obtain authentication.

Appears on login, reappears intermittently. Have done a zypper dup, and also ensured all updates applied in Discover - They all install fine, both in zypper and discover.

Wondering if this is to do with the Signing Key?

Thanks.
On Tue, Jan 24, 2023 at 12:31:53AM -0000, John Bennett wrote:
Not sure if this is the appropriate Forum/Thread, but since a recent update (3/4 days?), am now getting the continual dialog box:
Title: Software Updates Heading: Update Error Message: Failed to obtain authentication.
Appears on login, reappears intermittently. Have done a zypper dup, and also ensured all updates applied in Discover - They all install fine, both in zypper and discover.
Wondering if this is to do with the Signing Key?
No, it was changed only today.

Ciao, Marcus
On Wed, Jan 18, 2023 at 8:35 AM Marcus Meissner <meissner@suse.de> wrote:
Hi folks,
We will switch the openSUSE Tumbleweed signing key that signs the repositories and RPMs from 2048bit RSA key to a 4096bit RSA key early next week.
The key has already been delivered for several months and is in your systems.
rpm -ql openSUSE-build-key /usr/lib/rpm/gnupg/keys/gpg-pubkey-29b700a4-62b07e22.asc
fingerprint: pub rsa4096/0x35A2F86E29B700A4 2022-06-20 [SC] [expires: 2026-06-19] Key fingerprint = AD48 5664 E901 B867 051A B15F 35A2 F86E 29B7 00A4 uid openSUSE Project Signing Key <opensuse@opensuse.org>
and should be in trusted RPM keyring already:
rpm -qi gpg-pubkey-29b700a4-62b07e22 ... will show it ...
Tracker bug: https://bugzilla.suse.com/show_bug.cgi?id=1199184
Is the openSUSE Backports key changing too?

-- 
真実はいつも一つ!/ Always, there's only one truth!
On Wed, Feb 15, 2023 at 06:54:37AM -0500, Neal Gompa wrote:
On Wed, Jan 18, 2023 at 8:35 AM Marcus Meissner <meissner@suse.de> wrote:
Hi folks,
We will switch the openSUSE Tumbleweed signing key that signs the repositories and RPMs from 2048bit RSA key to a 4096bit RSA key early next week.
The key has already been delivered for several months and is in your systems.
rpm -ql openSUSE-build-key /usr/lib/rpm/gnupg/keys/gpg-pubkey-29b700a4-62b07e22.asc
fingerprint: pub rsa4096/0x35A2F86E29B700A4 2022-06-20 [SC] [expires: 2026-06-19] Key fingerprint = AD48 5664 E901 B867 051A B15F 35A2 F86E 29B7 00A4 uid openSUSE Project Signing Key <opensuse@opensuse.org>
and should be in trusted RPM keyring already:
rpm -qi gpg-pubkey-29b700a4-62b07e22 ... will show it ...
Tracker bug: https://bugzilla.suse.com/show_bug.cgi?id=1199184
Is the openSUSE Backports key changing too?
Yes, this is in my plan, as it is also 2048bit RSA.

It is a bit more tricky as the SLE PackageHub module imports it in a bit too hardcoded fashion currently.

Ciao, Marcus
On Wed, Feb 15, 2023 at 6:57 AM Marcus Meissner <meissner@suse.de> wrote:
On Wed, Feb 15, 2023 at 06:54:37AM -0500, Neal Gompa wrote:
On Wed, Jan 18, 2023 at 8:35 AM Marcus Meissner <meissner@suse.de> wrote:
Hi folks,
We will switch the openSUSE Tumbleweed signing key that signs the repositories and RPMs from 2048bit RSA key to a 4096bit RSA key early next week.
The key has already been delivered for several months and is in your systems.
rpm -ql openSUSE-build-key /usr/lib/rpm/gnupg/keys/gpg-pubkey-29b700a4-62b07e22.asc
fingerprint: pub rsa4096/0x35A2F86E29B700A4 2022-06-20 [SC] [expires: 2026-06-19] Key fingerprint = AD48 5664 E901 B867 051A B15F 35A2 F86E 29B7 00A4 uid openSUSE Project Signing Key <opensuse@opensuse.org>
and should be in trusted RPM keyring already:
rpm -qi gpg-pubkey-29b700a4-62b07e22 ... will show it ...
Tracker bug: https://bugzilla.suse.com/show_bug.cgi?id=1199184
Is the openSUSE Backports key changing too?
Yes, this is in my plan, as it is also 2048bit RSA.
It is a bit more tricky as the SLE PackageHub module imports it in a bit too hardcoded fashion currently.
Do you have a timeline for that? I'm working on refreshing the keys in distribution-gpg-keys and rpm-repos-openSUSE, since that was missed in the initial key transition for Factory.

-- 
真実はいつも一つ!/ Always, there's only one truth!
On Wed, Feb 15, 2023 at 07:15:48AM -0500, Neal Gompa wrote:
On Wed, Feb 15, 2023 at 6:57 AM Marcus Meissner <meissner@suse.de> wrote:
On Wed, Feb 15, 2023 at 06:54:37AM -0500, Neal Gompa wrote:
On Wed, Jan 18, 2023 at 8:35 AM Marcus Meissner <meissner@suse.de> wrote:
Hi folks,
We will switch the openSUSE Tumbleweed signing key that signs the repositories and RPMs from 2048bit RSA key to a 4096bit RSA key early next week.
The key has already been delivered for several months and is in your systems.
rpm -ql openSUSE-build-key /usr/lib/rpm/gnupg/keys/gpg-pubkey-29b700a4-62b07e22.asc
fingerprint: pub rsa4096/0x35A2F86E29B700A4 2022-06-20 [SC] [expires: 2026-06-19] Key fingerprint = AD48 5664 E901 B867 051A B15F 35A2 F86E 29B7 00A4 uid openSUSE Project Signing Key <opensuse@opensuse.org>
and should be in trusted RPM keyring already:
rpm -qi gpg-pubkey-29b700a4-62b07e22 ... will show it ...
Tracker bug: https://bugzilla.suse.com/show_bug.cgi?id=1199184
Is the openSUSE Backports key changing too?
Yes, this is in my plan, as it is also 2048bit RSA.
It is a bit more tricky as the SLE PackageHub module imports it in a bit too hardcoded fashion currently.
Do you have a timeline for that? I'm working on refreshing the keys in distribution-gpg-keys and rpm-repos-openSUSE, since that was missed in the initial key transition for Factory.
Multiple (2+) weeks ahead still until I have the key, and then I need to do the migration work. So at least a month away.

Ciao, Marcus
participants (6): cagsm, Hans-Peter Jansen, John Bennett, Marcus Meissner, Neal Gompa, Stefan Seyfried