[Question] RPM signing requires the master secret key, not subkey #2041
Comments
I believe we should avoid signing anything with the master key. It is recommended to always use subkeys, which can be revoked in case of security issues (like the private key being leaked).

I want to avoid it, but at this point signing with a subkey just straight up does not run on RPM.

This ticket mentions that the issue was spawned back in 2007 and only got an update a few years ago, in the 4.12.90 Fedora release of rpm: https://bugzilla.redhat.com/show_bug.cgi?id=227632 As of now, the common version of rpm shipped with AL2/CentOS7 and others is 4.11.x.

I found that rockylinux8 is using a higher version of rpm; I will test it.

Rockylinux8 also supplies gnupg 2.2.20, which requires additional setup to import secret keys:

We also need to sign with SHA256 rather than SHA1 now.

Test shows that if we sign with the subkey and then verify with

Therefore, we cannot afford to sign with the subkey if we still want to support CentOS7/AL2. Thanks.

@peterzhuamazon Can we also look into the option of creating a separate master key just for RPM signing, to reduce the blast radius in case of a key leak?

See the description for the latest update, as we are using the master secret key to sign RPMs.
Here is the master and sub public key:

When signing an RPM, if I use the sub secret key to sign, it will require to be verified by the sub public key (keypair C2EE2AF6542C03B4). However, this is not possible to be verified by RPM:

As we can see, when using `rpm --import`, RPM will only treat the master public key as the one to verify with:

Since our subkey is C2EE2AF6542C03B4 and the master key is 39D319879310D3FC, RPM cannot match its signature from c2ee2af6542c03b4 with the current master key 39D319879310D3FC.

If we sign the RPM with the master secret key:

Verification would complete without any issues, as both the key ID recorded on the .rpm and the one in the gpg list (master) are 39d319879310d3fc:

Note: When we sign the RPMs with the master secret key, both the master public key and the sub public key can verify the RPM. This is not the case for a detached signature (.sig) when we sign with `gpg` directly.

I wonder whether this is an issue on my side, or whether RPM requires the use of the master key to sign.

Thanks.
Update 20220427:
Update 20220428:
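The mismatch described in the issue comes down to one comparison: the issuer key ID embedded in the OpenPGP signature packet that `rpmsign` stores in the RPM signature header is looked up among the key IDs that `rpm --import` registered. The following is an added example, not code from this project or from rpm; it reproduces that lookup by hand (no rpm or gpg needed) so you can see which key ID an RPM actually names. It parses the RPM lead and signature header, pulls the RSA signature entry (RPMSIGTAG_RSAHEADER, tag 268, or the legacy RPMSIGTAG_PGP, tag 1002), walks the v4 signature packet's subpackets for an Issuer or Issuer Fingerprint subpacket, and checks the result against the imported key IDs. The RPM used as input is a constructed fixture: `build_sample_rpm` writes a minimal lead and signature header around a dummy signature packet whose MPI is not a real RSA value, with the issuer set to the subkey ID C2EE2AF6542C03B4 or the master key ID 39D319879310D3FC from the issue. Function names are this example's own.

```python
"""Which OpenPGP key ID does an RPM's signature name, and does rpm know it?
Added example: mirrors rpm --checksig's key-ID lookup without rpm or gpg."""
import struct

RPMSIGTAG_RSA = 268      # RPMTAG_RSAHEADER: header-only RSA signature
RPMSIGTAG_PGP = 1002     # legacy header+payload RSA signature
RPM_BIN = 7              # header entry type for opaque binary data
LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
SUBPKT_ISSUER = 16       # RFC 4880 5.2.3.5: 8-byte issuer key ID
SUBPKT_ISSUER_FPR = 33   # issuer fingerprint; low 8 bytes are the key ID


def signature_header_entries(rpm):
    """Parse the signature header following the 96-byte lead; return {tag: bytes} for BIN entries."""
    if rpm[:4] != b"\xed\xab\xee\xdb":
        raise ValueError("not an RPM: bad lead magic")
    off = LEAD_SIZE
    if rpm[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, _hsize = struct.unpack(">II", rpm[off + 8:off + 16])
    index_off = off + 16
    data_off = index_off + 16 * nindex
    entries = {}
    for i in range(nindex):
        ent = rpm[index_off + 16 * i:index_off + 16 * i + 16]
        tag, typ, doff, count = struct.unpack(">IIII", ent)
        if typ == RPM_BIN:
            entries[tag] = rpm[data_off + doff:data_off + doff + count]
    return entries


def openpgp_packet(data):
    """Return (tag, body) of the first OpenPGP packet in data (RFC 4880 4.2)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                   # new-format header
        tag, l1 = ctb & 0x3F, data[1]
        if l1 < 192:
            length, off = l1, 2
        elif l1 < 224:
            length, off = ((l1 - 192) << 8) + data[2] + 192, 3
        elif l1 == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                            # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        nlen = 1 << ltype
        length, off = int.from_bytes(data[1:1 + nlen], "big"), 1 + nlen
    return tag, data[off:off + length]


def subpackets(area):
    """Yield (type, body) for each signature subpacket (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(area):
        l1 = area[i]
        if l1 < 192:
            length, i = l1, i + 1
        elif l1 < 255:
            length, i = ((l1 - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]   # length covers the type byte
        i += length


def issuer_key_id(sig_packet):
    """Return the signer's 16-hex-digit key ID from a v4 signature packet."""
    tag, body = openpgp_packet(sig_packet)
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a v4 OpenPGP signature packet")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = body[p + 2:p + 2 + unhashed_len]
    for area in (hashed, unhashed):              # prefer the hashed (signed) area
        for typ, sub in subpackets(area):
            if typ == SUBPKT_ISSUER_FPR and sub[0] == 4 and len(sub) == 21:
                return sub[-8:].hex()
            if typ == SUBPKT_ISSUER and len(sub) == 8:
                return sub.hex()
    raise ValueError("signature carries no issuer subpacket")


def rpm_signer_key_id(rpm):
    """Key ID named by the RPM's RSA signature (header-only first, then legacy)."""
    entries = signature_header_entries(rpm)
    for tag in (RPMSIGTAG_RSA, RPMSIGTAG_PGP):
        if tag in entries:
            return issuer_key_id(entries[tag])
    raise ValueError("RPM carries no RSA signature")


def check_signer(rpm, imported_key_ids):
    """Mimic rpm's lookup: the issuer key ID must equal a key ID rpm --import registered."""
    signer = rpm_signer_key_id(rpm)
    return signer, signer in {k.lower() for k in imported_key_ids}


def build_sample_rpm(issuer_key_id_hex):
    """Constructed fixture (not a real package): lead + signature header holding a
    dummy v4 signature packet whose issuer is issuer_key_id_hex. The MPI is fake."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1651017600)          # creation time
    unhashed = bytes([9, SUBPKT_ISSUER]) + bytes.fromhex(issuer_key_id_hex)
    body = (bytes([4, 0x00, 1, 8])                                    # v4, binary, RSA, SHA256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd" + struct.pack(">H", 16) + b"\x80\x01")      # hash prefix, dummy MPI
    sig_packet = bytes([0x88, len(body)]) + body                      # old-format, tag 2
    index = struct.pack(">IIII", RPMSIGTAG_RSA, RPM_BIN, 0, len(sig_packet))
    sig_header = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", 1, len(sig_packet)) + index + sig_packet
    lead = (b"\xed\xab\xee\xdb\x03\x00" + b"\x00" * 4 + b"sample".ljust(66, b"\x00")
            + b"\x00\x01\x00\x05" + b"\x00" * 16)
    assert len(lead) == LEAD_SIZE
    return lead + sig_header


if __name__ == "__main__":
    imported = ["39D319879310D3FC"]                      # what rpm --import registered
    for signer in ("c2ee2af6542c03b4", "39d319879310d3fc"):
        print(check_signer(build_sample_rpm(signer), imported))
```

Run against a real package by reading the file bytes and passing the key IDs that `rpm -q gpg-pubkey` reports: if `rpm_signer_key_id` returns the subkey ID while rpm only registered the primary key's ID, you get exactly the "NOKEY" situation from the issue. A signature placed only in the unhashed area can be altered without breaking the signature, which is why the code reads the hashed subpackets first; the real signature still has to be cryptographically verified, and this check only answers the bookkeeping question of which key to look up.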