CFEngine repo GPG key expired?


Riccardo Murri

May 19, 2015, 10:51:19 AM
to help-c...@googlegroups.com
Hi all,

apparently the GPG key used to sign CFEngine packages in the APT
repository has just expired:

# apt-key list
...
pub 1024D/58B41EDF 2014-05-19 [expired: 2015-05-19]
uid CFEngine AS <con...@cfengine.com>

However, I cannot download a new one either from a keyserver or from
the web page:

# apt-key adv --keyserver pgp.mit.edu --recv-keys 58B41EDF
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring
--homedir /tmp/tmp.XJa3xZEkV3 --no-auto-check-trustdb --trust-model always
--keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg
--keyserver pgp.mit.edu --recv-keys 58B41EDF
gpg: requesting key 58B41EDF from hkp server pgp.mit.edu
gpg: key 58B41EDF: "CFEngine AS <con...@cfengine.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

# wget -qO- http://cfengine.com/pub/gpg.key | apt-key add - --verbose
OK
# apt-key list
...
pub 1024D/58B41EDF 2014-05-19 [expired: 2015-05-19]
uid CFEngine AS <con...@cfengine.com>

Am I doing something wrong?

Thanks,
Riccardo


Brian Bennett

May 19, 2015, 1:15:52 PM
to Riccardo Murri, help-c...@googlegroups.com
You're not doing anything wrong. The key has expired.

I might also add that, upon reviewing this again, retrieving the key over HTTP is unsafe. So this is a plea for CFEngine to publish the key only over HTTPS, and include the key fingerprint on a web page served over HTTPS.

Having both the key and the repo served entirely over HTTP makes it trivial to MITM the entire system.

--
Brian Bennett
Looking for CFEngine training?
http://www.verticalsysadmin.com/

Aleksey Tsalolikhin

May 20, 2015, 9:38:30 PM
to help-c...@googlegroups.com
Hear hear.  

Reminds me of "Downloading Software Safely Is Nearly Impossible" which is an amusing chronicle of an attempt to live securely in an insecure world: https://noncombatant.org/2014/03/03/downloading-software-safely-is-nearly-impossible/
--
Need CFEngine training?  Email trai...@verticalsysadmin.com

Dimitrios Apostolou

May 22, 2015, 7:35:27 PM
to Riccardo Murri, help-c...@googlegroups.com
New key can be imported from the known location:

http://cfengine.com/pub/gpg.key


Repos and latest packages were resigned with it. Apologies for the
slow response.


Dimitris
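What Brian asked for above (HTTPS plus a fingerprint published out of band) and what Dimitris's "import from the known location" amounts to in practice, written out as an added example. This is not CFEngine's tooling and not code from anyone in this thread. It assumes three things that are not in the thread: a fingerprint value you obtained from somewhere other than the download itself (the placeholder below is all zeros, not CFEngine's real fingerprint), a destination file name under /etc/apt/trusted.gpg.d/, and that the key at the URL is a v4 OpenPGP key (any v4 key with an old- or new-format packet header works; v3 keys and partial-length packets are rejected). The fingerprint is computed from the packet bytes exactly as RFC 4880 section 12.2 defines it, so the check does not depend on gpg being installed.

```python
import base64
import hashlib
import hmac
import urllib.request

# Example code added to this thread, not CFEngine's own tooling.
# The fingerprint must come from somewhere other than the key download
# itself (an HTTPS page, printed docs, a colleague). This value is a
# placeholder, not CFEngine's real fingerprint.
PINNED_FINGERPRINT = "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"
KEY_URL = "https://cfengine.com/pub/gpg.key"   # location given in the thread
DEST = "/etc/apt/trusted.gpg.d/cfengine.gpg"   # hypothetical keyring file name


def dearmor(text: str) -> bytes:
    """Strip RFC 4880 ASCII armour and return the raw packet bytes."""
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith("-----BEGIN PGP"):
            break
    else:
        raise ValueError("no armour header")
    for line in lines:            # armour headers (Version:, Comment:) end at a blank line
        if line.strip() == "":
            break
    b64 = []
    for line in lines:
        line = line.strip()
        if line.startswith("-----END PGP"):
            break
        if line.startswith("="):  # 24-bit CRC line, not part of the key
            continue
        b64.append(line)
    return base64.b64decode("".join(b64), validate=True)


def packet_bytes(blob: bytes) -> bytes:
    """Accept either armoured or binary key material (apt-key accepts both)."""
    return dearmor(blob.decode("ascii")) if blob.lstrip().startswith(b"-----BEGIN PGP") else blob


def iter_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers, no partial lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("bad packet tag at offset %d" % (i - 1))
        if ctb & 0x40:                       # new-format header
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not expected in a key block")
        else:                                # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def v4_fingerprint(pubkey_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, two-octet body length, body."""
    if pubkey_body[0] != 4:
        raise ValueError("only v4 keys supported")
    h = hashlib.sha1(b"\x99" + len(pubkey_body).to_bytes(2, "big") + pubkey_body)
    return h.hexdigest().upper()


def primary_fingerprint(blob: bytes) -> str:
    for tag, body in iter_packets(packet_bytes(blob)):
        if tag == 6:                         # first Public-Key packet is the primary key
            return v4_fingerprint(body)
    raise ValueError("no public-key packet in blob")


def check_pinned(blob: bytes, pinned: str) -> bool:
    expected = pinned.replace(" ", "").upper()
    return hmac.compare_digest(primary_fingerprint(blob), expected)


def fetch_and_install(url: str = KEY_URL, pinned: str = PINNED_FINGERPRINT, dest: str = DEST) -> str:
    if not url.startswith("https://"):
        raise ValueError("refusing to fetch a trust anchor over plaintext HTTP")
    with urllib.request.urlopen(url) as resp:   # Python verifies chain and hostname by default
        blob = resp.read()
    if not check_pinned(blob, pinned):
        raise SystemExit("fingerprint mismatch, key NOT installed: " + primary_fingerprint(blob))
    with open(dest, "wb") as f:                 # apt reads binary keyrings from trusted.gpg.d
        f.write(packet_bytes(blob))
    return dest


if __name__ == "__main__":
    print("installed", fetch_and_install())
```

The point of doing the fingerprint check yourself rather than piping into `apt-key add -` is that nothing reaches the trusted keyring unless the pinned value matches; `apt-key add` trusts whatever it is fed. HTTPS on its own only tells you that you reached cfengine.com, not that the key is the one CFEngine meant to publish, which is why the fingerprint still has to be pinned.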

Dimitrios Apostolou

May 22, 2015, 7:38:50 PM
to Brian Bennett, Riccardo Murri, help-c...@googlegroups.com
On Tue, May 19, 2015 at 7:15 PM, Brian Bennett
<brian....@verticalsysadmin.com> wrote:
> Having both the key and the repo served entirely over HTTP makes it trivial to MITM the entire system.

You are right, it should be published via HTTPS. Unfortunately the
following link

https://cfengine.com/pub/gpg.key

redirects to

https://cfengine.package-repos.s3.amazonaws.com/pub/gpg.key

which doesn't validate despite having a wildcard certificate. This boils
down to a bad choice on our side, using a bucket name with a dot
"cfengine.package-repos". I've opened an internal ticket to see how we
can handle it.


Regards,
Dimitris
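Why the dotted bucket name breaks validation, as an added example (mine, not CFEngine's or AWS's code). It assumes, as the thread implies, that virtual-host style S3 URLs are served with a certificate whose names are "s3.amazonaws.com" and "*.s3.amazonaws.com". The matching rule is the one from RFC 6125 section 6.4.3 that browsers, OpenSSL and Python's ssl module apply: a wildcard covers exactly one DNS label, so "*.s3.amazonaws.com" matches "cfengine-package-repos.s3.amazonaws.com" (a hypothetical hyphenated name) but not "cfengine.package-repos.s3.amazonaws.com". The path-style URL at the end is the usual workaround for dotted bucket names and is not something the thread proposes.

```python
import re

# Example added to this thread, not CFEngine's or AWS's code.
# Assumption: virtual-host style S3 URLs present a certificate with these names.
S3_CERT_NAMES = ["s3.amazonaws.com", "*.s3.amazonaws.com"]
S3_ENDPOINT = "s3.amazonaws.com"


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Hostname check in the style of RFC 6125 section 6.4.3: '*' is accepted
    only as the whole left-most label, and it matches exactly one label,
    never a dotted string such as 'cfengine.package-repos'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False            # partial ("cf*.example") or deeper wildcards are not honoured
    if len(p_labels) < 3:
        return False            # "*.com" would cover every domain; refuse it
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(hostname: str, san_names=S3_CERT_NAMES) -> bool:
    """True if any name on the certificate matches the host we connected to."""
    return any(wildcard_matches(name, hostname) for name in san_names)


def virtual_host_url(bucket: str, key: str) -> str:
    """The form the thread's redirect uses: bucket name becomes part of the TLS host."""
    return f"https://{bucket}.{S3_ENDPOINT}/{key}"


def path_style_url(bucket: str, key: str) -> str:
    """Usual workaround for dotted bucket names (not from the thread): the
    bucket moves into the path, so the TLS host is the bare endpoint."""
    return f"https://{S3_ENDPOINT}/{bucket}/{key}"


def tls_hostname(url: str) -> str:
    return re.match(r"https://([^/]+)", url).group(1)


def verifiable(url: str) -> bool:
    """Would a correctly behaving TLS client accept the S3 certificate for this URL?"""
    return cert_covers(tls_hostname(url))


if __name__ == "__main__":
    for bucket in ("cfengine.package-repos", "cfengine-package-repos"):
        url = virtual_host_url(bucket, "pub/gpg.key")
        print(url, "->", "OK" if verifiable(url) else "certificate does not match")
    print(path_style_url("cfengine.package-repos", "pub/gpg.key"), "->",
          "OK" if verifiable(path_style_url("cfengine.package-repos", "pub/gpg.key")) else "no")
```

The practical consequence for anyone following the redirect: a client that accepts "cfengine.package-repos.s3.amazonaws.com" against "*.s3.amazonaws.com" is broken, not helpful, because the same leniency would let "evil.s3.amazonaws.com"-style multi-label names through. Working around the error with `wget --no-check-certificate` or `curl -k` throws away exactly the protection HTTPS was supposed to add here.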

Mark Pace

Jun 7, 2015, 3:27:16 PM
to help-c...@googlegroups.com, riccard...@uzh.ch, brian....@verticalsysadmin.com
Hi Dimitrios.  Any update here?  I cannot download CF from the apt repos right now.  This is causing a decent amount of grief...


Thanks,
pace

Dimitrios Apostolou

Jun 8, 2015, 2:44:53 PM
to Mark Pace, help-c...@googlegroups.com, Riccardo Murri, Brian Bennett
Hi Mark, can you be more specific on the kind of error you are facing?
If you import the new key everything should be OK.


Dimitris

Marco Marongiu

Jun 8, 2015, 3:53:35 PM
to Dimitrios Apostolou, Brian Bennett, help-c...@googlegroups.com, Mark Pace, Riccardo Murri

May I suggest that you can make a Debian package for the key as well? Key changes would become as trivial as keeping that package up to date.

Just my two cents, ciao!
-- bronto

Dimitrios Apostolou

Jun 9, 2015, 7:52:55 AM
to Marco Marongiu, Dimitrios Apostolou, Brian Bennett, help-c...@googlegroups.com, Mark Pace, Riccardo Murri
Good idea! This way we'd eliminate all manual steps of importing the
new key, as we would publish the new key in a deb package, signed by
the old key.

Are other projects using this pattern?


Dimitris

Marco Marongiu

Jun 9, 2015, 12:08:24 PM
to Dimitrios Apostolou, Brian Bennett, Riccardo Murri, Mark Pace, help-c...@googlegroups.com

Many. Debian itself and Debian-multimedia are the first two examples that come to mind.

-- M
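The keyring-package pattern Marco and Dimitris discuss, as an added example that is mine and not CFEngine's or Debian's code. It writes a minimal `.deb` (an `ar` archive holding `debian-binary`, `control.tar.gz` and `data.tar.gz`) that drops a binary keyring into /etc/apt/trusted.gpg.d/. The package name, keyring path and maintainer string are hypothetical. In real use you would build this with `dpkg-deb --build` from a normal source package; the container is written by hand here only so the example runs anywhere, and it deliberately skips md5sums and conffiles handling. The security-relevant step is outside the code: the package has to be uploaded to the repository and signed while the old key is still valid, which is what makes the rotation "just an upgrade" for clients.

```python
import io
import tarfile
import time

# Example added to this thread; package and file names are hypothetical,
# not CFEngine's. Assumes apt reads binary keyrings from trusted.gpg.d.
PACKAGE = "cfengine-archive-keyring"
KEYRING_PATH = "etc/apt/trusted.gpg.d/cfengine-archive-keyring.gpg"
MAINTAINER = "Repository Owner <repo@example.com>"


def _tar_gz(entries) -> bytes:
    """entries: (path, data_or_None, mode); None marks a directory entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data, mode in entries:
            info = tarfile.TarInfo("./" + path)
            info.mode, info.mtime = mode, int(time.time())
            info.uname = info.gname = "root"
            if data is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _ar_member(name: str, data: bytes) -> bytes:
    """Classic 'ar' member: 60-byte fixed-width header, data padded to even length."""
    header = (name.ljust(16) + str(int(time.time())).ljust(12) + "0".ljust(6)
              + "0".ljust(6) + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n")
    return header.encode() + data + (b"\n" if len(data) % 2 else b"")


def build_keyring_deb(keyring: bytes, version: str) -> bytes:
    """Return the bytes of a .deb that installs `keyring` into apt's trusted.gpg.d."""
    control = (f"Package: {PACKAGE}\nVersion: {version}\nArchitecture: all\n"
               f"Maintainer: {MAINTAINER}\nSection: misc\nPriority: optional\n"
               f"Installed-Size: {max(1, (len(keyring) + 1023) // 1024)}\n"
               "Description: repository signing key\n"
               " Ships the current repository key so key rotation is just an upgrade.\n")
    control_tgz = _tar_gz([("control", control.encode(), 0o644)])
    data_tgz = _tar_gz([("etc", None, 0o755), ("etc/apt", None, 0o755),
                        ("etc/apt/trusted.gpg.d", None, 0o755),
                        (KEYRING_PATH, keyring, 0o644)])
    # Member order matters: dpkg expects debian-binary first, then control, then data.
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control_tgz)
            + _ar_member("data.tar.gz", data_tgz))


def ar_members(deb: bytes) -> dict:
    """Parse the outer ar container back into {name: bytes} for inspection."""
    if deb[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    members, i = {}, 8
    while i + 60 <= len(deb):
        hdr = deb[i:i + 60]
        name = hdr[:16].decode().strip()
        size = int(hdr[48:58].decode().strip())
        members[name] = deb[i + 60:i + 60 + size]
        i += 60 + size + (size % 2)
    return members


def tar_entry(tgz: bytes, path: str) -> bytes:
    """Read one file out of a gzip'd tar member (paths are stored as './...')."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        return tar.extractfile("./" + path).read()


if __name__ == "__main__":
    import sys
    key = open(sys.argv[1], "rb").read()            # binary keyring, e.g. output of `gpg --export`
    with open(f"{PACKAGE}_{sys.argv[2]}_all.deb", "wb") as out:
        out.write(build_keyring_deb(key, sys.argv[2]))
```

Usage: `python3 build_keyring.py cfengine.gpg 2015.05.22` writes `cfengine-archive-keyring_2015.05.22_all.deb`. Because apt verifies the Release file with the keyring already installed, a new keyring package signed with the still-valid old key reaches clients before the old key expires; once a key has already expired, as in this thread, the first import still has to be done by hand with a pinned fingerprint.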
