Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix Debian build verify with packaging key #91

Open
ehelms opened this issue Aug 25, 2021 · 0 comments
Open

Fix Debian build verify with packaging key #91

ehelms opened this issue Aug 25, 2021 · 0 comments

Comments

@ehelms
Copy link
Member

ehelms commented Aug 25, 2021

From discussion on some commented out code in our Debian scripts (#85 (comment)):

I took a stab at it and I think it should be something like this

GPG_KEYSERVER=pgp.mit.edu
GPG_KEYS="1AA043B8 C8B9E30B0DBCAB595E98DF5C965467189B776908"

# Download sources
wget https://downloads.theforeman.org/${project}/${project}-${VERSION}.tar.bz2 https://downloads.theforeman.org/${project}/${project}-${VERSION}.tar.bz2.sig

# Verify with packaging key
tmp_keyring="$(mktemp)"
gpg2 --no-default-keyring --keyserver $GPG_KEYSERVER --keyring $tmp_keyring --recv-keys $GPG_KEYS
if gpg2 --no-default-keyring --keyring $tmp_keyring --verify ${project}-${VERSION}.tar.bz2.sig ; then
  rm $tmp_keyring
  true # ok
else
  rm $tmp_keyring
  exit 2
fi

And I did have some issues with pgp.mit.edu, but that's where we upload it:
https://github.com/theforeman/theforeman-rel-eng/blob/7d8f8c69f935c7912088dd5137520ddeb165d219/upload_gpg#L15

And yes, we should also specify the long key for the old key since short keys are vulnerable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant