ANN PackageCloud signing key migration

54 views
Skip to first unread message

mkli...@pivotal.io

unread,
Oct 17, 2018, 3:49:59 AM10/17/18
to rabbitm...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear RabbitMQ community,

One of the services we use to distribute release artifacts, PackageCloud,
is
undergoing an important transition: the signing key they use to sign
uploaded
packages changes.

If you use PackageCloud to install RabbitMQ or Erlang, please
read on as your installation will be affected [2]. If you don't use
PackageCloud,
feel free to skip this thread.

Note that for a reason unknown to our team PackageCloud hasn't posted
anything
publicly about the migration but there is a privately available set of
migration recommendations and information on the migration deadline.
Hopefully this will change in the near future.

## Signing Keys? What signing keys?

PackageCloud signs every package uploaded to it. When their repository is
set up,
the script adds a public (signing) key to the system so that downloaded
packages
can be verified for authenticity of publisher.

This is a common industry practice; team RabbitMQ uses our own signing key
[1]
on other services.


## Why does the key change?

PackageCloud used to sign every package with a single key. GPG keys have
expiration
dates and at some point the key was guaranteed to change. Expired keys have
to
be replaced, which means they also have to be marked as trusted on the
installer
(user) end.

For example, Team RabbitMQ's signing key had to change in May 2016 because
the original key was about to expire [2].

It's arguably not the
most forward thinking strategy to use a single key for your entire service
as well.
PackageCloud are a small team and we assume it was a solution that made
most sense
for a young service.

Now they are migrating to a key-per-repository, which is a much more secure
option.


## What does this mean for PackageCloud users?

On December 1st, 2018 (GMT) team RabbitMQ will switch our PackageCloud
account
to use a new GPG key. This means that all installations that don't have its
public
key added to the system as trusted will be affected: installations will
begin to fail.

To avoid this, those who install packages from PackageCloud must
proactively import
the new public keys [3][4] into their systems. This is best done by
re-running PackageCloud's setup scripts but can also be done manually with
tools such as apt-key.

Adding a new key alongside the currently trusted key will not affect
installations. With
both old and new public key trusted your environment should not have any
service
interruptions before and after the migration date, December 1st.


## More options

Our team is investigating producing a separate package that would install
all relevant
signing keys. PackageCloud recommends including this functionality into our
main packages but decided a separate package would be a better option for
us. When/if we have
something to announce, this thread will be updated.


## Questions

If you have any questions please post the in this thread.

Cheers.

1. http://www.rabbitmq.com/signatures.html
2. http://www.rabbitmq.com/news.html
3. https://packagecloud.io/rabbitmq/rabbitmq-server/gpgkey
4. https://packagecloud.io/rabbitmq/erlang/gpgkey
5. https://packagecloud.io/rabbitmq/rabbitmq-server/install
6. https://packagecloud.io/rabbitmq/erlang/install
-----BEGIN PGP SIGNATURE-----
Version: FlowCrypt 6.0.2 Gmail Encryption
Comment: Seamlessly send and receive encrypted email

wsFcBAEBCgAQBQJbxumbCRAsDaRfT5REiQAAG3oP/0sfp+g9SGh1Gg+bIpLK
zhKhx9iaYYGglfodNIjuvO5vUjUWAznswfV50VVZr/1zZcZugQJR9l8ekl1Z
qu04yIFfkv18X/P5w+SLM8IGG25BxJbN+ZmRIfrm8gjaDH08P6Xn1IIloxEx
nDtchoqZj5PcX628IhCi8eSaN/fvxpSIAr4GHra10K4hEmJ7QSIanAM+PBXE
bpKtDwZ8hibMh4Z4jluxCgLjh/JbROU8+LN2WoIaHK2ePkLIbDKy8SbWnWSJ
uOJZ7S9oKWwWYMh0Vc+B34dhkqo78zHJIBa8ADhrEOIjNqpuXcdTp2oul4b0
lzkME+TmraPnVJm80eCERFTTX8mwT9XKylHBxIC/G/GQFvhg+e1kMqL5tz99
Vzf80fWholhzhTYk4h2KWxBpCUHmP3CbVuDOsfPv6HbqnMG5vK01v/fM2/hj
EgeBUFJwjZqW3oRWllrsqQAaTCZutZ1mdCEL86KfC9xRNyF2OKQzI0T1eaZt
ZoeaO+mT859bEo+K5q0CEjLpLtP1Rluaq+Vr19uBfR2B8DFGWoYOpApkmjAH
YCCwbJl9LnfvVJ8Aef39beO8+juX/YROxRTU//7KdcXniQmO8Q4fPucZ5cl1
FCldR5v6Y+c+nuX/JWZShJaM5z/Zs0TcMUHfm+/rgKkiMSzInLJ3rqMYorPk
BWrv
=zaik
-----END PGP SIGNATURE-----

Michael Klishin

unread,
Oct 17, 2018, 9:40:12 AM10/17/18
to rabbitmq-users
Here's an announcement post from PackageCloud [1].

Reply all
Reply to author
Forward
0 new messages