Univention Bugzilla – Bug 51250
Create Univention Corporate Server 5.x archive signing key
Last modified: 2021-06-28 12:58:52 CEST
UCS-4.x uses:

# gpg --list-key 6B8BFD3C
pub   rsa4096/0x36602BA86B8BFD3C 2014-06-30 [SC] [verfällt: 2021-06-28]
      6B6E7E3259A9F44F1452D1BE36602BA86B8BFD3C
uid                 [ unbekannt ] Univention Corporate Server 4.x <packages@univention.de>
sub   rsa4096/0x89A34EE2C6A83019 2014-06-30 [E] [verfällt: 2021-06-28]

We should create a new key for UCS-5, which must already be shipped with UCS-4 in ucs/base/univention-archive-key/ to allow upgrades from UCS-4 to UCS-5. The key should be published to http://updates.software-univention.de/ too. univention-archive-key-ucs-3x.gpg can be removed as it is expired.

Min. 4k RSA, valid min. 5 years for the expected UCS major maintenance period: +1 year overlap + 1 year until UCS-5 → 7 years from now. <https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile&v=10>
cd /etc/archive-keys
( umask 0027 ; makepasswd --chars 40 > ucs5.0.txt )
chmod 0440 ucs5.0.txt
echo allow-loopback-pinentry >> ~/.gnupg/gpg-agent.conf
# https://www.gnupg.org/documentation//manuals/gnupg/Unattended-GPG-key-generation.html
cat >>ucs5.0.batch <<__EOF__
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert,sign
Name-Real: Univention Corporate Server 5.x
Name-Email: packages@univention.de
Expire-Date: 7y
Preferences: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
# %pubring /root/.gnupg/pubring.gpg
# %secring /root/.gnupg/secring.gpg
%commit
%echo done
__EOF__

# /usr/bin/gpg -vvvvv --pinentry-mode loopback --batch --passphrase-file /etc/archive-keys/ucs5.0.txt --generate-key ucs5.0.batch
gpg: using character set 'utf-8'
gpg: Die Eigenbeglaubigung wird geschrieben
gpg: RSA/SHA256 Signatur von: "0xD293E501A055F562 [?]"
gpg: schreiben des öffentlichen Schlüssels nach '/root/.gnupg/pubring.gpg'
gpg: verwende Vertrauensmodell pgp
gpg: Schlüssel 0x292A41AFF510AADA: Als vertrauenswürdiger Schlüssel akzeptiert
gpg: Schlüssel 0x2D3B68C377EE285B: Als vertrauenswürdiger Schlüssel akzeptiert
gpg: Schlüssel 0xC6FBE47850CD0C60: Als vertrauenswürdiger Schlüssel akzeptiert
gpg: Schlüssel 0xD293E501A055F562: Als vertrauenswürdiger Schlüssel akzeptiert
gpg: Schlüssel 0xD293E501A055F562 ist als ultimativ vertrauenswürdig gekennzeichnet
gpg: Schreiben nach '/root/.gnupg/openpgp-revocs.d/8321745BB32A82C75BBD4BC2D293E501A055F562.rev'
gpg: RSA/SHA256 Signatur von: "0xD293E501A055F562 Univention Corporate Server 5.x <packages@univention.de>"
gpg: Widerrufzertifikat wurde als '/root/.gnupg/openpgp-revocs.d/8321745BB32A82C75BBD4BC2D293E501A055F562.rev' gespeichert.
gpg: done

gpg --output univention-archive-key-ucs-5x.gpg --export 0xD293E501A055F562
install -m 0644 univention-archive-key-ucs-5x.gpg /var/univention/buildsystem2/mirror/ftp/univention-archive-key-ucs-5x.gpg
install -m 0644 univention-archive-key-ucs-5x.gpg /var/univention/buildsystem2/mirror/testing/univention-archive-key-ucs-5x.gpg
install -m 0644 univention-archive-key-ucs-5x.gpg /var/univention/buildsystem2/test_mirror/ftp/univention-archive-key-ucs-5x.gpg

[4.4-4] df5ea6532c Bug #51250: Add univention-archive-key-ucs-5x.gpg
 base/univention-archive-key/debian/changelog       | 6 ++++++
 base/univention-archive-key/debian/control         | 2 +-
 .../debian/univention-archive-key.install          | 2 +-
 .../debian/univention-archive-key.postinst         | 4 ++--
 .../univention-archive-key-ucs-3x.gpg              | Bin 1716 -> 0 bytes
 .../univention-archive-key-ucs-5x.gpg              | Bin 0 -> 1185 bytes
 6 files changed, 10 insertions(+), 4 deletions(-)

Package: univention-archive-key
Version: 9.0.0-2A~4.4.0.202005081833
Branch: ucs_4.4-0
Scope: errata4.4-4

[4.4-4] 825ae84440 Bug #51250: univention-archive-key 9.0.0-2A~4.4.0.202005081833
 doc/errata/staging/univention-archive-key.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)

QA:
apt install -t apt univention-archive-key
apt-key list
...
pub   rsa4096 2020-05-08 [SC] [expires: 2027-05-07]
      8321 745B B32A 82C7 5BBD 4BC2 D293 E501 A055 F562
uid           [ unknown] Univention Corporate Server 5.x <packages@univention.de>
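A check of an exported archive key against the requirements stated above (RSA, at least 4096 bit, cert+sign capable, at least 5 years lifetime, fingerprint as published), added here as an example; it is not part of this bug report or of the univention-archive-key package. The `--with-colons` records are constructed from the values shown in the listings, with creation and expiry times approximated to midnight UTC of the dates shown.

```python
# Policy check for an APT archive signing key from `gpg --with-colons --list-keys` output.
from dataclasses import dataclass

RSA_ALGO, MIN_BITS, MIN_YEARS, DAY = "1", 4096, 5, 86400  # OpenPGP algo id 1 = RSA

# Constructed samples (not real gpg output): the UCS-5.x key created above and the
# expired UCS-3.x DSA key being removed; creation/expiry times are epoch seconds.
UCS5_SAMPLE = """\
pub:-:4096:1:D293E501A055F562:1588896000:1809648000::-:::scSC::::::23::0:
fpr:::::::::8321745BB32A82C75BBD4BC2D293E501A055F562:
"""
UCS3_SAMPLE = """\
pub:e:1024:17:1DD67AFB2CBDA4B0:1317772800:1538524800::-:::scSC::::::23::0:
fpr:::::::::3550FB4CC61FDB88D334E31A1DD67AFB2CBDA4B0:
"""

@dataclass
class KeyInfo:
    algo: str      # pub field 4: public-key algorithm id
    bits: int      # pub field 3: key length in bits
    created: int   # pub field 6: creation time, epoch seconds
    expires: int   # pub field 7: expiry time, 0 = never
    caps: str      # pub field 12, lowercase part = the primary key's own capabilities
    fpr: str = ""  # from the fpr record that follows the pub record

def parse_colons(text: str) -> KeyInfo:
    # Return the first primary key (its pub record plus fingerprint).
    key = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key = KeyInfo(f[3], int(f[2]), int(f[5]), int(f[6] or 0),
                          "".join(c for c in f[11] if c.islower()))
        elif f[0] == "fpr" and key and not key.fpr:
            key.fpr = f[9]
    if key is None:
        raise ValueError("no pub record in input")
    return key

def check_policy(key: KeyInfo, expected_fpr: str) -> list:
    # Return the policy violations; an empty list means the key passes.
    problems = []
    if key.algo != RSA_ALGO:
        problems.append("algorithm id %s is not RSA" % key.algo)
    if key.bits < MIN_BITS:
        problems.append("key length %d < %d" % (key.bits, MIN_BITS))
    if not {"s", "c"} <= set(key.caps):
        problems.append("capabilities %r lack sign+cert" % key.caps)
    if not key.expires or (key.expires - key.created) / DAY < MIN_YEARS * 365.25:
        problems.append("no expiry or lifetime shorter than %d years" % MIN_YEARS)
    if key.fpr != expected_fpr.replace(" ", "").upper():
        problems.append("fingerprint mismatch")
    return problems
```

On a real system, feed it `gpg --with-colons --show-keys /etc/apt/trusted.gpg.d/univention-archive-key-ucs-5x.gpg` (GnuPG 2.2+) and compare against the fingerprint in the advisory.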
As discussed: keys should be installed in /etc/apt/trusted.gpg.d/ instead, to make them work without calling `apt-key add`, which does not work in early bootstrap due to `gnupg[12]` not being installed.

[4.4-4] e425ce21f5 Bug #51250 key: Install keys to /etc/apt/trusted.gpg.d/
 base/univention-archive-key/debian/changelog       | 6 ++++++
 .../debian/ucslint.overrides                       | 3 +++
 .../debian/univention-archive-key.install          | 4 ++--
 .../debian/univention-archive-key.postinst         | 25 +++++++++++++++++++---
 4 files changed, 33 insertions(+), 5 deletions(-)

Package: univention-archive-key
Version: 9.0.0-3A~4.4.0.202005130936
Branch: ucs_4.4-0
Scope: errata4.4-4

[4.4-4] 443e4b5a2c Bug #51250: univention-archive-key 9.0.0-3A~4.4.0.202005130936
 doc/errata/staging/univention-archive-key.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

QA: apt-key
# diff apt-key.before apt-key.after
1,15d0
< /etc/apt/trusted.gpg
< --------------------
< pub   dsa1024 2011-10-05 [SC] [expired: 2018-10-03]
<       3550 FB4C C61F DB88 D334 E31A 1DD6 7AFB 2CBD A4B0
< uid           [ expired] Univention Corporate Server 3.x Archive Key <packages@univention.de>
<
< pub   rsa4096 2014-06-30 [SC] [expires: 2021-06-28]
<       6B6E 7E32 59A9 F44F 1452 D1BE 3660 2BA8 6B8B FD3C
< uid           [ unknown] Univention Corporate Server 4.x <packages@univention.de>
< sub   rsa4096 2014-06-30 [E] [expires: 2021-06-28]
<
< pub   rsa4096 2020-05-08 [SC] [expires: 2027-05-07]
<       8321 745B B32A 82C7 5BBD 4BC2 D293 E501 A055 F562
< uid           [ unknown] Univention Corporate Server 5.x <packages@univention.de>
<
72a58,70
>
> /etc/apt/trusted.gpg.d/univention-archive-key-ucs-4x.gpg
> --------------------------------------------------------
> pub   rsa4096 2014-06-30 [SC] [expires: 2021-06-28]
>       6B6E 7E32 59A9 F44F 1452 D1BE 3660 2BA8 6B8B FD3C
> uid           [ unknown] Univention Corporate Server 4.x <packages@univention.de>
> sub   rsa4096 2014-06-30 [E] [expires: 2021-06-28]
>
> /etc/apt/trusted.gpg.d/univention-archive-key-ucs-5x.gpg
> --------------------------------------------------------
> pub   rsa4096 2020-05-08 [SC] [expires: 2027-05-07]
>       8321 745B B32A 82C7 5BBD 4BC2 D293 E501 A055 F562
> uid           [ unknown] Univention Corporate Server 5.x <packages@univention.de>
Verified:
* UCS-5 key properties and generation process
* package update & apt-key list
* UCS-3 key removed
* UCS-4 key migrated from trusted.gpg to trusted.gpg.d
* UCS-5 key installed
* Advisory
* Key backup confirmed too.
<http://errata.software-univention.de/ucs/4.4/605.html>