Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a keyring package #16

Merged
merged 1 commit into from
Feb 20, 2023
Merged

Add a keyring package #16

merged 1 commit into from
Feb 20, 2023

Conversation

erikjohnston
Copy link
Member

@erikjohnston erikjohnston commented Feb 17, 2023
edited
Loading

Step 1 of matrix-org/synapse#10389

This just uses dpkg-deb to build the deb, rather than the standard tooling, mainly for simplicity.

This does not update the key expiry time, just packaging up the existing public key.

@erikjohnston erikjohnston marked this pull request as ready for review February 20, 2023 10:33
@erikjohnston erikjohnston requested a review from a team February 20, 2023 10:34
DMRobertson
DMRobertson reviewed Feb 20, 2023
View reviewed changes
Copy link
Contributor

@DMRobertson DMRobertson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems reasonable. I don't fully understand the machinery, but this seems to do what Rich describes here: matrix-org/synapse#10389 (comment)

When this process is complete, does this mean that anyone who has trusted our current GPG key will automatically trust our future GPG keys without manually verifying them? That sounds scary...

@erikjohnston
Copy link
Member Author

When this process is complete, does this mean that anyone who has trusted our current GPG key will automatically trust our future GPG keys without manually verifying them? That sounds scary...

Only if we update the keyring package with a new key before the existing key has expired. I'd also propose that all new keys still have an expiry, and we just periodically bump the expiry and release a new keyring deb.

It's worth noting that this is not really different than today, if you install our debs then we can do anything and everything to your box (since installation happens as root). So if we go rogue / an attacker gets our private key and access to our package repository, this new keyring package does not open up any new avenues of attack.

richvdh
richvdh approved these changes Feb 20, 2023
View reviewed changes
Copy link
Member

@richvdh richvdh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm.

There was a suggestion that we could also check that the old (possibly compromised) key (C35EB17E1EAE708E6603A9B3AD0592FE47F0DF61) isn't languishing in /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d. But maybe that's a later job.

@erikjohnston
Copy link
Member Author

There was a suggestion that we could also check that the old (possibly compromised) key (C35EB17E1EAE708E6603A9B3AD0592FE47F0DF61) isn't languishing in /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d. But maybe that's a later job.

Yup, I'd prefer doing that as a separate step if we want it. TBH, I'm not quite sure what the mechanics for doing so are.

@erikjohnston erikjohnston merged commit c1409a7 into main Feb 20, 2023
@erikjohnston erikjohnston mentioned this pull request Feb 20, 2023
Merged
@DMRobertson DMRobertson mentioned this pull request Aug 7, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DMRobertson DMRobertson DMRobertson approved these changes

@richvdh richvdh richvdh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@erikjohnston @richvdh @DMRobertson