hbsd-update... "Public key failed to validate."


B.C. Cotman

Dec 16, 2023, 4:40:24 PM12/16/23
to us...@hardenedbsd.org
Hello,

I was attempting to update a server when I encountered this...

rm -rf /SOME_PATH/hbsd-install-tmp
mkdir -p /SOME_PATH/hbsd-install-tmp
hbsd-update -V -n -T -t /SOME_PATH/hbsd-install-tmp

[*] Looking up version info with DNSSEC enabled.
hbsd-v1400006-b8a75dff33d23d299a0bcec0c144b15b137ac801
[*] Latest build: hbsd-v1400006-b8a75dff33d23d299a0bcec0c144b15b137ac801
[*] Latest build: hbsd-v1400006-b8a75dff33d23d299a0bcec0c144b15b137ac801
/SOME_PATH/hbsd-install-tmp/update.tar 728 MB
16 MBps 43s
[*] Verified hash:
b88500aa0c5bf3e92c2fc6a9aabff82b64688f14ba81d3288fd81189770f7c59
[+] Remote hash:
b88500aa0c5bf3e92c2fc6a9aabff82b64688f14ba81d3288fd81189770f7c59
[*] Checking validity of the public key
[*] Temp directory kept at: /SOME_PATH/hbsd-install-tmp
[*] Public key failed to validate.

Digging around, I tracked it down to the script-defined function
"check_pubkey_validity()" and this part:

${OPENSSL} verify \
${caopt} ${capath} \
${tmpdir}/pubkey.pem \
> /dev/null 2>&1

Checking from the command line using the expanded form with values
from variables:
"/usr/bin/openssl verify -CApath /usr/share/keys/hbsd-update/trusted
/root/hbsd-install-tmp/pubkey.pem"

Trying this and:
C = US, ST = Maryland, O = HardenedBSD, CN = updater.hardenedbsd.org,
emailAddress = co...@hardenedbsd.org
error 10 at 0 depth lookup: certificate has expired
error /root/hbsd-install-tmp/pubkey.pem: verification failed

Checking:
openssl x509 -in /root/hbsd-install-tmp/pubkey.pem -noout -text | grep -i -e before -e after
Not Before: Nov 15 16:55:23 2022 GMT
Not After : Dec 15 16:55:23 2023 GMT

It looks like an expired cert. Is there anything I can do to resolve
this other than bypass the security check?

Thanks!
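A pre-flight check that reports the certificate's validity window before the chain verification runs, so an expired pubkey.pem is distinguishable from a genuinely untrusted one. This is an added example, not code from hbsd-update or from this thread; it assumes openssl(1) is on PATH (or named by OPENSSL), and the HORIZON argument is my own addition.

```shell
#!/bin/sh
# Added example: surface the reason behind "Public key failed to validate."
# Assumes OPENSSL points at openssl(1); not part of hbsd-update.
OPENSSL="${OPENSSL:-openssl}"

# check_pubkey_window PEM [HORIZON_SECONDS]
#   returns 0 if the certificate stays valid for at least HORIZON seconds,
#   1 if it is already expired or expires within HORIZON seconds,
#   2 if the file is unreadable or not an X.509 certificate.
# Prints Not Before / Not After so the operator sees the actual window.
check_pubkey_window() {
    pem="$1"
    horizon="${2:-0}"
    dates=$("$OPENSSL" x509 -in "$pem" -noout -startdate -enddate 2>/dev/null) || {
        echo "[-] $pem: not a readable X.509 certificate" >&2
        return 2
    }
    echo "$dates" | sed 's/^/[*] /'
    # -checkend N exits 0 only if the certificate is still valid N seconds from now
    if "$OPENSSL" x509 -in "$pem" -noout -checkend "$horizon" >/dev/null 2>&1; then
        return 0
    fi
    echo "[-] $pem: certificate expired or expires within ${horizon}s" >&2
    return 1
}

# Same shape as the updater's check, but only run the chain verification
# once the validity window is known to be fine, so each failure has a cause.
verify_pubkey() {
    pem="$1"
    capath="$2"
    check_pubkey_window "$pem" 0 || return $?
    "$OPENSSL" verify -CApath "$capath" "$pem" >/dev/null 2>&1
}
```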

Shawn Webb

Dec 16, 2023, 4:49:34 PM12/16/23
to B.C. Cotman, us...@hardenedbsd.org
I thought I had updated the cryptographic signing material on the
binary update servers. I'll do some digging and report back. Either
way, I'll need to publish a new build. Hold off on trying to update
for now--until I give the green light.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

B.C. Cotman

Dec 16, 2023, 4:51:19 PM12/16/23
to Shawn Webb, us...@hardenedbsd.org
On Sat, Dec 16, 2023 at 1:49 PM Shawn Webb <shawn...@hardenedbsd.org> wrote:
> I thought I had updated the cryptographic signing material on the
> binary update servers. I'll do some digging and report back. Either
> way, I'll need to publish a new build. Hold off on trying to update
> for now--until I give the green light.

Thanks!

Holding off for now.

Shawn Webb

Dec 16, 2023, 10:09:19 PM12/16/23
to B.C. Cotman, us...@hardenedbsd.org
A new update has been published. I've verified that it was signed with
the new cryptographic signing key material. The pubkey.pem file
bundled in the update has been updated accordingly.

B.C. Cotman

Dec 16, 2023, 10:19:27 PM12/16/23
to Shawn Webb, us...@hardenedbsd.org
Thanks! I'll re-try tomorrow morning.
-Cot

vv

Dec 17, 2023, 8:55:21 AM12/17/23
to Shawn Webb, us...@hardenedbsd.org
While we are on the topic of hbsd-update:

there's a documentation glitch in the hbsd-update man page:
-T option is claimed to prevent "download", it should say prevents being
*deleted*

and thank you for the -O option ;-)

Cheers, and enjoy as many festivity variants as you can!

---

B.C. Cotman

Dec 17, 2023, 5:08:31 PM12/17/23
to Shawn Webb, us...@hardenedbsd.org
Flawless victory!

Worked great! No problems.

Thanks!
-Cot