Univention Bugzilla – Bug 53526
App Center verifies all.tar.gz with univention-archive-key-ucs-4x.gpg
Last modified: 2021-07-21 10:49:43 CEST
Always. We should update the verification method.
b5ebfe92c1c02d7391af3e1087fc0128ac316284 Bug #53526: YAML
f324ab043e027aa8d7f190027889588e7431dd57 Bug #53526: Changelog
85a7115f3f78aa4253fe0352defd3ca03f32a7f8 Bug #53526: Handle broken signature verification in all.tar files
47ede168743aba78b47c18784c27da9f2e493387 Bug #53526: Use apt-key verify to verify App Center cache files

When verifying the signature of the App Center, we switched from a rather complicated gpg call to a straightforward `apt-key verify`. This call uses the keys /etc/apt/trusted.gpg.d/univention-archive-key-ucs-*.gpg (among others). Therefore, we are not bound to one hard-coded key (as we were before: univention-archive-key-ucs-4x.gpg), but we can update the key on our server when signing an all.tar.gz - as long as the key is also present on all UCS systems that will download this archive.

Furthermore, we improved the error handling. Prior to this fix, a verification error would have aborted the "univention-app update" call, but left all files intact. Therefore, the wrongly signed archive would not be extracted, but also not considered on the next "univention-app update". So, if the signature failed due to a missing key, you could have added that key, but the signature verification would not run a second time, leaving your cache empty. We now delete files that could not be verified. This will not only increase security (should we ever try to extract an archive without signature check) but force the App Center to re-download the file on the next "univention-app update" run.

There was another place where we verified a file apart from all.tar.gz: We also verified index.json.gz in one specific method. However, this method was never used, so we removed it so that we do not have to handle errors. Consequently, the index.json is not downloaded at all.

Package: univention-appcenter
Version: 9.0.2-54A~5.0.0.202106301148
Branch: ucs_5.0-0
Scope: errata5.0-0
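The error handling described in the comment above (delete what cannot be verified, so the next update downloads it again), sketched as an added example; it is not part of the original comment and not the univention-appcenter code. The names `verify_or_discard` and `demo`, the temporary file layout, the stand-in verifiers, and the `apt-key verify <signature> <file>` argument order are assumptions.

```python
import os
import subprocess
import sys
import tempfile

# Assumption: the verifier is called as "apt-key verify <signature> <file>".
DEFAULT_VERIFIER = ("apt-key", "verify")


def verify_or_discard(archive, signature, verifier=DEFAULT_VERIFIER):
    """Return True only if the detached signature verifies.

    On any failure both files are deleted, so a later run finds no cached
    copy and downloads again. Callers extract the archive only on True.
    """
    try:
        result = subprocess.run(
            [*verifier, signature, archive],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=False,
        )
        ok = result.returncode == 0
    except OSError:
        # Verifier missing or not executable: fail closed, like a bad signature.
        ok = False
    if not ok:
        for path in (archive, signature):
            try:
                os.remove(path)
            except FileNotFoundError:
                pass
    return ok


def demo():
    """Constructed files and stand-in verifiers (exit 0 / exit 1), so this
    runs without apt-key or a keyring."""
    results = {}
    for name, code in (("good", 0), ("bad", 1)):
        with tempfile.TemporaryDirectory() as cache:
            archive = os.path.join(cache, "all.tar")
            signature = os.path.join(cache, "all.tar.gpg")
            for path in (archive, signature):
                with open(path, "wb") as fh:
                    fh.write(b"constructed sample data")
            stand_in = (sys.executable, "-c", "import sys; sys.exit(%d)" % code)
            ok = verify_or_discard(archive, signature, verifier=stand_in)
            results[name] = (ok, os.path.exists(archive), os.path.exists(signature))
    return results


if __name__ == "__main__":
    print(demo())
```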
Question - why is index.json.gz no longer necessary?

Question - apt-key does not check the expiry date, so the appcenter does not care about expired key, right?

Question - do we want to backport this to UCS 4.4?

TODO - jenkins test

OK - yaml
OK - changelog
OK - univention-app update with valid keys
OK - univention-app update fails with missing keys

-> apt-key list
/etc/apt/trusted.gpg.d/univention-archive-key-ucs-3x.gpg
--------------------------------------------------------
pub dsa1024 2011-10-05 [SC] [verfallen: 2018-10-03]
 3550 FB4C C61F DB88 D334 E31A 1DD6 7AFB 2CBD A4B0
uid [ verfallen ] Univention Corporate Server 3.x Archive Key <packages@univention.de>

-> rm -rf /var/cache/univention-appcenter/appcenter.software-univention.de/4.4/
-> univention-app update
Filling the App Center file cache from our local archive /usr/share/univention-appcenter/archives/appcenter.software-univention.de/4.4/all.tar.gz!
Downloading "https://appcenter.software-univention.de/meta-inf/app-categories.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/rating.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/license_types.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/ucs.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/suggestions.json"...
Downloading "https://appcenter.software-univention.de/meta-inf/5.0/all.tar.gpg"...
Downloading "https://appcenter.software-univention.de/meta-inf/4.4/all.tar.gpg"...
Downloading "http://appcenter.software-univention.de/meta-inf/4.4/all.tar.zsync"...
gpgv: Signatur vom Sa 26 Jun 2021 00:00:00 CEST
gpgv: mittels RSA-Schlüssel 36602BA86B8BFD3C
gpgv: Signatur kann nicht geprüft werden: No public key
Signature verification for /var/cache/univention-appcenter/appcenter.software-univention.de/4.4/.all.tar failed

-> univention-app list
# no wekan

OK - appcenter/index/verify=no is respected

-> apt-key list
/etc/apt/trusted.gpg.d/univention-archive-key-ucs-3x.gpg
--------------------------------------------------------
pub dsa1024 2011-10-05 [SC] [verfallen: 2018-10-03]
 3550 FB4C C61F DB88 D334 E31A 1DD6 7AFB 2CBD A4B0
uid [ verfallen ] Univention Corporate Server 3.x Archive Key <packages@univention.de>

-> ucr set appcenter/index/verify=no
Create appcenter/index/verify
-> univention-app update
Downloading "https://appcenter.software-univention.de/meta-inf/app-categories.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/rating.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/license_types.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/ucs.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/suggestions.json"...
Downloading "http://appcenter.software-univention.de/meta-inf/5.0/all.tar.zsync"...
Downloading "http://appcenter.software-univention.de/meta-inf/4.4/all.tar.zsync"...
Downloading "http://appcenter.software-univention.de/meta-inf/4.3/all.tar.zsync"...
File: /usr/share/univention-portal/apps.json
File: /usr/share/univention-management-console/modules/apps.xml
Multifile: /etc/apache2/sites-available/default-ssl.conf
Multifile: /etc/apache2/sites-available/000-default.conf
File: /usr/share/univention-management-console/i18n/de/apps.mo

-> univention-app list
...
Wekan
 Name: Wekan
 Latest version: 5.27
 Installations: wekan
...

OK - re-download the file on the next "univention-app update" run.
(In reply to Felix Botner from comment #2)
> Question - why is index.json.gz no longer necessary?

index.json.gz held a checksum for docker images. We removed that check a while ago and let docker do the check (cannot find the bug, though)

> Question - apt-key does not check the expiry date, so the appcenter does not
> care about expired key, right?

Right. We did not check the expiry date prior to this bug and do not do it now.

> Question - do we want to backport this to UCS 4.4?

We don't need to. This bug is to be able to change the signing key in the future. We have to take ucs-4x.gpg for all the UCS 4 systems out there anyway. At some point, we can switch to the UCS 5 key, because all UCS 5 systems (> 5.0-0 errata 43) now have this patch.
not sure if there is a direct connection, but

80_docker.59_app_center_signature

now fails (for the last 3 weeks)

please fix this test
(In reply to Felix Botner from comment #4)
> not sure if there is a direct connection, but
>
> 80_docker.59_app_center_signature
>
> now fails (for the last 3 weeks)
>
> please fix this test

Fixed with
8cf82934
ucs-test (10.0.6-16)
OK
<https://errata.software-univention.de/#/?erratum=5.0x51>