I2P_Developers/i2p.keyring.i2p
3
0
Fork 1
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Change key install method #1

New Issue
Open
opened 2025-04-21 14:17:28 -04:00 by idk · 9 comments
idk commented 2025-04-21 14:17:28 -04:00
Owner
Copy Link

anonymousmaybe on IRC has mentioned a couple times that the way we're installing the repo public key is now deprecated.

He's provided a couple links on why and what the improved method is, need to find them again. Any help appreciated.

Unclear how urgent this is and what the timeline should be for fixing this.

anonymousmaybe on IRC has mentioned a couple times that the way we're installing the repo public key is now deprecated. He's provided a couple links on why and what the improved method is, need to find them again. Any help appreciated. Unclear how urgent this is and what the timeline should be for fixing this.
zzz was assigned by idk 2025-04-21 14:17:28 -04:00
idk commented 2025-04-21 14:17:28 -04:00
Author
Owner
Copy Link

This i think can be considered fully implemented, Thanks guys

This i think can be considered fully implemented, Thanks guys <f>
idk commented 2025-04-21 14:17:28 -04:00
Author
Owner
Copy Link

Fixed the MR so it handles <buster,bionic using trusted.gpg.d instead by checking /etc/debian_version numerically and for codenames. Everything gets created successfully and the symlink works, but I'm on sid. Going to try it on a Bionic VM.

Edit: Seems to be working in the VM too.

Fixed the MR so it handles <buster,bionic using `trusted.gpg.d` instead by checking /etc/debian_version numerically and for codenames. Everything gets created successfully and the symlink works, but I'm on sid. Going to try it on a Bionic VM. Edit: Seems to be working in the VM too.
idk commented 2025-04-21 14:17:29 -04:00
Author
Owner
Copy Link

I test Current and LTS Ubuntu's and Debian Stable and Sid, where I'm using [signed-by=] for everything now and it's been working perfectly so far. But that conveniently draws the line exactly where signed-by= is supported, so older ones will still need to use trusted.gpg.d, I can add a check in the script to handle that, no biggie.

There doesn't appear to be an "official" naming sheme for /usr/share/keyrings I could find, at least not one that anyone is using. Right now I have keys for a couple repositories in there and some of them are .asc and some of them are .gpg. There seems to be a sort of fuzzy, broad convention that you are supposed to name it $software-$tagorqualifier-$keyring.gpg like i2p-archive-keyring.gpg. Element(the Matrix chat client), for instance, uses riot-im-archive-keyring.gpg. When we update the keyring package to use an updated key, all we have to do is replace this file, no grepping or anything.

Security theater? Maybe. It doesn't change the fact that the package manager runs as ~root and the maintainer has permission to run scripts as the package manager at many phases while the package is being managed. There are many opportunities for a malicious maintainer that this doesn't fix. I could just move the keys I control as an attacker into trusted.gpg.d. So it definitely doesn't protect against a malicious maintainer. But, in a situation where the attacker can sign packages, but cannot necessarily upload them to the server, which is conceivable in a PPA scenario for instance where additional authentication measures may be in place for uploaders, I think making a key valid only for a single source may be a meaningful way of making an attack more difficult. It's may also possibly be helpful for users who use many third-party repositories if a GPG key gets compromised from one repository at the same time as the server of another repository. Maybe the scenarios it will really help in are a little contrived, but A) I don't think that's a good reason not to do it and B) it may not be possible to change apt without changing the way that current users of apt use it. This is easy, and it might help, even if the scenarios it really stands a chance in on it's own are pretty narrow and contrived.

I test Current and LTS Ubuntu's and Debian Stable and Sid, where I'm using [signed-by=] for everything now and it's been working perfectly so far. But that conveniently draws the line exactly where signed-by= is supported, so older ones will still need to use trusted.gpg.d, I can add a check in the script to handle that, no biggie. There doesn't appear to be an "official" naming sheme for /usr/share/keyrings I could find, at least not one that anyone is using. Right now I have keys for a couple repositories in there and some of them are `.asc` and some of them are `.gpg`. There seems to be a sort of fuzzy, broad convention that you are supposed to name it `$software-$tagorqualifier-$keyring.gpg` like `i2p-archive-keyring.gpg`. Element(the Matrix chat client), for instance, uses `riot-im-archive-keyring.gpg`. When we update the keyring package to use an updated key, all we have to do is replace this file, no grepping or anything. Security theater? Maybe. It doesn't change the fact that the package manager runs as ~root and the maintainer has permission to run scripts as the package manager at many phases while the package is being managed. There are many opportunities for a malicious maintainer that this doesn't fix. I could just move the keys I control as an attacker into trusted.gpg.d. So it definitely doesn't protect against a malicious maintainer. But, in a situation where the attacker can sign packages, but cannot necessarily upload them to the server, which is conceivable in a PPA scenario for instance where additional authentication measures may be in place for uploaders, I think making a key valid only for a single source may be a meaningful way of making an attack more difficult. It's may also possibly be helpful for users who use many third-party repositories if a GPG key gets compromised from one repository at the same time as the server of another repository. Maybe the scenarios it will really help in are a little contrived, but A) I don't think that's a good reason not to do it and B) it may not be possible to change apt without changing the way that current users of apt use it. This is easy, and it might help, even if the scenarios it really stands a chance in on it's own are pretty narrow and contrived.
idk commented 2025-04-21 14:17:29 -04:00
Author
Owner
Copy Link

reminder @idk you promised to bring over the rest of the mtn history into github

As you noted in the i2p.www MR, our package (maint-script) already creates the files:
KEYRING=/usr/share/keyrings/i2p-archive-keyring.gpg
REMOVED_KEYS=/usr/share/keyrings/i2p-archive-removed-keys.gpg

Nobody's really made a list of what we have to do here. All we have is pointers to forums and blog posts. This seems to be the best guide:

https://blog.jak-linux.org/2021/06/20/migrating-away-apt-key/

So this is for bionic and newer, bullseye and newer.

Todo list:

  • Replace 'apt-key add' in maint-script with 'mv' to /etc/apt/trusted.sources.d
  • Replace 'apt-key del' in maint-script with 'del' from /etc/apt/trusted.sources.d
  • That fixes the deprecation, maybe we're done here?
  • BUT, MAYBE, (for bionic+, bullseye+ only) we DONT install it in /etc/apt/trusted.sources.d, we add a "signed-by=/usr/share/keyrings/i2p-archive-keyring.gpg" param to /etc/apt/sources.list.d/SOMEFILE and then that's sufficient?
  • I'm not sure what the naming scheme is for files in /usr/share/keyrings/, would we have to grep them all? fixup this file on-the-fly for the signed-by if necessary in maint-script?
  • The blog linked above says that signed-by is mostly security theater. True?

@idk claims "very straightforward" above and "pretty much ready to go" in the i2p.www MR but I don't agree. At least I don't know enough to agree yet.

reminder @idk you promised to bring over the rest of the mtn history into github As you noted in the i2p.www MR, our package (maint-script) already creates the files: KEYRING=/usr/share/keyrings/i2p-archive-keyring.gpg REMOVED_KEYS=/usr/share/keyrings/i2p-archive-removed-keys.gpg Nobody's really made a list of what we have to do here. All we have is pointers to forums and blog posts. This seems to be the best guide: https://blog.jak-linux.org/2021/06/20/migrating-away-apt-key/ So this is for bionic and newer, bullseye and newer. Todo list: - Replace 'apt-key add' in maint-script with 'mv' to /etc/apt/trusted.sources.d - Replace 'apt-key del' in maint-script with 'del' from /etc/apt/trusted.sources.d - That fixes the deprecation, maybe we're done here? - BUT, MAYBE, (for bionic+, bullseye+ only) we DONT install it in /etc/apt/trusted.sources.d, we add a "signed-by=/usr/share/keyrings/i2p-archive-keyring.gpg" param to /etc/apt/sources.list.d/SOMEFILE and then that's sufficient? - I'm not sure what the naming scheme is for files in /usr/share/keyrings/, would we have to grep them all? fixup this file on-the-fly for the signed-by if necessary in maint-script? - The blog linked above says that signed-by is mostly security theater. True? @idk claims "very straightforward" above and "pretty much ready to go" in the i2p.www MR but I don't agree. At least I don't know enough to agree yet.
idk commented 2025-04-21 14:17:29 -04:00
Author
Owner
Copy Link

If it's only since bullseye that's going to make it more complicated

If it's only since bullseye that's going to make it more complicated
idk commented 2025-04-21 14:17:29 -04:00
Author
Owner
Copy Link

https://forums.whonix.org/t/apt-repository-signing-keys-per-apt-sources-list-signed-by/12302

New signed-by method:

APT signing keys should be stored in folder /usr/share/keyrings/ instead of /etc/apt/trusted.gpg.d.

By using /usr/share/keyrings/ these keys as far as I understand aren’t used for anything - unless a file in folder /etc/apt/sources.list.d/ with file extension .list or in ifle /etc/apt/sources.list uses them by referring the path to these keys by using [signed-by=/usr/share/keyrings/keyname.gpg]. The advantage is that once the sources.list file is removed, it doesn’t matter if the APT signing key is still lingering on the disk since it would effectively do nothing except waste a totally negligible amount of space not worth mentioning.

This is possible since Debian 11 bullseye.

Old trusted.gpg.d method:

The disadvantage of the old method, placing APT signing keys in folder /etc/apt/trusted.gpg.d that all keys there are being used to verify all repositories. For example docker.gpg has no business to sign packages.debian.org.

This hopefully can be added as well for the more understanding of the advantage for doing this step.

https://forums.whonix.org/t/apt-repository-signing-keys-per-apt-sources-list-signed-by/12302 > New signed-by method: > > APT signing keys should be stored in folder /usr/share/keyrings/ instead of /etc/apt/trusted.gpg.d. > > By using /usr/share/keyrings/ these keys as far as I understand aren’t used for anything - unless a file in folder /etc/apt/sources.list.d/ with file extension .list or in ifle /etc/apt/sources.list uses them by referring the path to these keys by using [signed-by=/usr/share/keyrings/keyname.gpg]. The advantage is that once the sources.list file is removed, it doesn’t matter if the APT signing key is still lingering on the disk since it would effectively do nothing except waste a totally negligible amount of space not worth mentioning. > > This is possible since Debian 11 bullseye. > > Old trusted.gpg.d method: > > The disadvantage of the old method, placing APT signing keys in folder /etc/apt/trusted.gpg.d that all keys there are being used to verify all repositories. For example docker.gpg has no business to sign packages.debian.org. This hopefully can be added as well for the more understanding of the advantage for doing this step.
idk commented 2025-04-21 14:17:30 -04:00
Author
Owner
Copy Link

Set due date as a reminder, not a real due date, remains low priority

Set due date as a reminder, not a real due date, remains low priority
idk commented 2025-04-21 14:17:30 -04:00
Author
Owner
Copy Link

Yup, fixing it is very straightforward, it's just a matter of implementing a few tiny new recommendations. I've got the required changes as an MR over here: http://7qeve4v2chmjdqlwpa3vl7aojf3nodbku7vepnjwrsxljzqipz6a.b32.i2p/i2p-hackers/i2p.www/-/merge_requests/15 ready to merge, I was just waiting to go over it once with @anonymousmaybe.

Urgency is probably low, apt-key does continue to work as does /etc/apt/trusted.gpg.d and a number of other old apt key management procedures.

The advantage of the method prescribed by @anonymousmaybe, as far as I can tell, is that the key listed in the /etc/apt/sources.list.d/i2p.list file deb [signed-by=/usr/share/keyrings/i2p-archive-keyring.asc] https://deb.i2p2.de/ sid main signed-by= entry is only trusted to sign packages that come from https://deb.i2p2.de/ which ought to be a security improvement fin some setups.

Yup, fixing it is very straightforward, it's just a matter of implementing a few tiny new recommendations. I've got the required changes as an MR over here: http://7qeve4v2chmjdqlwpa3vl7aojf3nodbku7vepnjwrsxljzqipz6a.b32.i2p/i2p-hackers/i2p.www/-/merge_requests/15 ready to merge, I was just waiting to go over it once with @anonymousmaybe. Urgency is probably low, apt-key does continue to work as does `/etc/apt/trusted.gpg.d` and a number of other old apt key management procedures. The advantage of the method prescribed by @anonymousmaybe, as far as I can tell, is that the key listed in the `/etc/apt/sources.list.d/i2p.list` file `deb [signed-by=/usr/share/keyrings/i2p-archive-keyring.asc] https://deb.i2p2.de/ sid main` `signed-by=` entry is only trusted to sign packages that come from `https://deb.i2p2.de/` which ought to be a security improvement fin some setups.
idk commented 2025-04-21 14:17:30 -04:00
Author
Owner
Copy Link

CC @idk

CC @idk
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
echelon idk zzz
No Assignees zzz
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: I2P_Developers/i2p.keyring.i2p#1
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?