Bug 51250 - Create Univention Corporate Server 5.x archive signing key
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: General
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-4-errata
Assigned To: Philipp Hahn
QA Contact: Arvid Requate
Depends on:
Blocks: 47040 51603
Reported: 2020-05-08 11:50 CEST by Philipp Hahn
Modified: 2021-06-28 12:58 CEST (History)

What kind of report is it?: Development Internal
Description Philipp Hahn univentionstaff 2020-05-08 11:50:48 CEST
UCS-4.x uses:
# gpg --list-key 6B8BFD3C
pub   rsa4096/0x36602BA86B8BFD3C 2014-06-30 [SC] [verfällt: 2021-06-28]
      6B6E7E3259A9F44F1452D1BE36602BA86B8BFD3C
uid                [ unbekannt ] Univention Corporate Server 4.x <packages@univention.de>
sub   rsa4096/0x89A34EE2C6A83019 2014-06-30 [E] [verfällt: 2021-06-28]

We should create a new key for UCS-5, which must be shipped already with UCS-4 in ucs/base/univention-archive-key/ to allow upgrades from UCS-4 to UCS-5.

The key should be published to http://updates.software-univention.de/ too.

univention-archive-key-ucs-3x.gpg can be removed as it is expired.
Comment 1 Philipp Hahn univentionstaff 2020-05-08 11:55:36 CEST
min 4k RSA
valid min 5 years for expected UCS major maintenance periods: +1 year overlap + 1 year until UCS-5 → 7 years from now.

<https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile&v=10>
Comment 2 Philipp Hahn univentionstaff 2020-05-08 18:53:02 CEST
cd /etc/archive-keys
( umask 0027 ; makepasswd --chars 40 > ucs5.0.txt )
chmod 0440 ucs5.0.txt

echo allow-loopback-pinentry >> ~/.gnupg/gpg-agent.conf

# https://www.gnupg.org/documentation//manuals/gnupg/Unattended-GPG-key-generation.html
cat >>ucs5.0.batch <<__EOF__
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert,sign
Name-Real: Univention Corporate Server 5.x
Name-Email: packages@univention.de
Expire-Date: 7y
Preferences: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
# %pubring /root/.gnupg/pubring.gpg
# %secring /root/.gnupg/secring.gpg
%commit
%echo done
__EOF__

# /usr/bin/gpg -vvvvv --pinentry-mode loopback --batch --passphrase-file /etc/archive-keys/ucs5.0.txt --generate-key ucs5.0.batch
gpg: using character set 'utf-8'
gpg: Die Eigenbeglaubigung wird geschrieben
gpg: RSA/SHA256 Signatur von: "0xD293E501A055F562 [?]"
gpg: schreiben des öffentlichen Schlüssels nach '/root/.gnupg/pubring.gpg'
gpg: verwende Vertrauensmodell pgp
gpg: Schlüssel 0x292A41AFF510AADA: Als vertrauenswürdiger Schlüssel akzeptiert
gpg: Schlüssel 0x2D3B68C377EE285B: Als vertrauenswürdiger Schlüssel akzeptiert
gpg: Schlüssel 0xC6FBE47850CD0C60: Als vertrauenswürdiger Schlüssel akzeptiert
gpg: Schlüssel 0xD293E501A055F562: Als vertrauenswürdiger Schlüssel akzeptiert
gpg: Schlüssel 0xD293E501A055F562 ist als ultimativ vertrauenswürdig gekennzeichnet
gpg: Schreiben nach '/root/.gnupg/openpgp-revocs.d/8321745BB32A82C75BBD4BC2D293E501A055F562.rev'
gpg: RSA/SHA256 Signatur von: "0xD293E501A055F562 Univention Corporate Server 5.x <packages@univention.de>"
gpg: Widerrufzertifikat wurde als '/root/.gnupg/openpgp-revocs.d/8321745BB32A82C75BBD4BC2D293E501A055F562.rev' gespeichert.
gpg: done

gpg --output univention-archive-key-ucs-5x.gpg --export 0xD293E501A055F562

install -m 0644 univention-archive-key-ucs-5x.gpg /var/univention/buildsystem2/mirror/ftp/univention-archive-key-ucs-5x.gpg
install -m 0644 univention-archive-key-ucs-5x.gpg /var/univention/buildsystem2/mirror/testing/univention-archive-key-ucs-5x.gpg
install -m 0644 univention-archive-key-ucs-5x.gpg /var/univention/buildsystem2/test_mirror/ftp/univention-archive-key-ucs-5x.gpg

[4.4-4] df5ea6532c Bug #51250: Add univention-archive-key-ucs-5x.gpg
 base/univention-archive-key/debian/changelog             |   6 ++++++
 base/univention-archive-key/debian/control               |   2 +-
 .../debian/univention-archive-key.install                |   2 +-
 .../debian/univention-archive-key.postinst               |   4 ++--
 .../univention-archive-key-ucs-3x.gpg                    | Bin 1716 -> 0 bytes
 .../univention-archive-key-ucs-5x.gpg                    | Bin 0 -> 1185 bytes
 6 files changed, 10 insertions(+), 4 deletions(-)

Package: univention-archive-key
Version: 9.0.0-2A~4.4.0.202005081833
Branch: ucs_4.4-0
Scope: errata4.4-4

[4.4-4] 825ae84440 Bug #51250: univention-archive-key 9.0.0-2A~4.4.0.202005081833
 doc/errata/staging/univention-archive-key.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)

QA:
 apt install -t apt univention-archive-key
 apt-key list
...
pub   rsa4096 2020-05-08 [SC] [expires: 2027-05-07]
      8321 745B B32A 82C7 5BBD  4BC2 D293 E501 A055 F562
uid           [ unknown] Univention Corporate Server 5.x <packages@univention.de>
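The requirements from Comment 1 (RSA, at least 4096 bit, valid for at least 5 years) and the QA step above can be checked mechanically instead of by eyeballing `apt-key list`. The following script is an added example, not part of this bug, of the univention-archive-key package or of Univention's build tooling. It parses the machine-readable `gpg --with-colons` listing (field 3 = key length, 4 = algorithm id, 5 = key id, 6/7 = creation and expiry as epoch seconds, 12 = capabilities) and reports every deviation from the policy. The embedded sample listing is constructed from the two keys printed in this bug; the epoch values were derived from the dates shown there and the uid hash fields are placeholders. `check_exported_key()` runs gpg on a real exported keyring such as univention-archive-key-ucs-5x.gpg and assumes GnuPG 2.1.13 or newer for `--import-options show-only`.

```python
"""Policy check for an exported APT archive signing key (added example).

Checks each primary key in a `gpg --with-colons` listing against the policy
from this bug: RSA, >= 4096 bit, certify+sign capable, >= 5 years validity,
not expired.
"""
import subprocess
import time

MIN_RSA_BITS = 4096
MIN_VALIDITY_SECONDS = 5 * 365 * 86400
RSA_ALGOS = {1}             # OpenPGP public-key algorithm id 1 = RSA (RFC 4880)
REQUIRED_CAPS = {"c", "s"}  # certify + sign, matching "Key-Usage: cert,sign"

# Constructed sample of `gpg --with-colons` output for the UCS-5 and UCS-3
# keys shown in this bug. Epoch values derived from the printed dates
# (2020-05-08/2027-05-07 and 2011-10-05/2018-10-03); uid hashes are
# placeholders.
SAMPLE_LISTING = """\
tru::1:1589000000:0:3:1:5
pub:-:4096:1:D293E501A055F562:1588896000:1809648000::-:::scSC::::::23::0:
fpr:::::::::8321745BB32A82C75BBD4BC2D293E501A055F562:
uid:-::::1588896000::0000000000000000000000000000000000000000::Univention Corporate Server 5.x <packages@univention.de>::::::::::0:
pub:e:1024:17:1DD67AFB2CBDA4B0:1317772800:1538524800::-:::sc::::::23::0:
fpr:::::::::3550FB4CC61FDB88D334E31A1DD67AFB2CBDA4B0:
uid:e::::1317772800::0000000000000000000000000000000000000000::Univention Corporate Server 3.x Archive Key <packages@univention.de>::::::::::0:
"""


def parse_colons(text):
    """Return one dict per primary key found in a --with-colons listing."""
    keys, cur, want_fpr = [], None, False
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = {"bits": int(f[2]), "algo": int(f[3]), "keyid": f[4],
                   "created": int(f[5]), "expires": int(f[6]) if f[6] else None,
                   "caps": f[11], "fpr": None, "uids": [], "subkeys": 0}
            keys.append(cur)
            want_fpr = True          # the next fpr record belongs to this pub
        elif f[0] == "fpr" and cur is not None and want_fpr:
            cur["fpr"] = f[9]
            want_fpr = False
        elif f[0] == "uid" and cur is not None:
            cur["uids"].append(f[9])
        elif f[0] == "sub" and cur is not None:
            cur["subkeys"] += 1
            want_fpr = False         # fpr records after a sub describe the subkey
    return keys


def check_key(key, now=None):
    """Return a list of policy violations for one parsed primary key."""
    now = time.time() if now is None else now
    problems = []
    if key["algo"] not in RSA_ALGOS:
        problems.append("algorithm %d is not RSA" % key["algo"])
    if key["bits"] < MIN_RSA_BITS:
        problems.append("%d bits < %d" % (key["bits"], MIN_RSA_BITS))
    # lowercase letters are the primary key's own capabilities,
    # uppercase letters summarize the whole key including subkeys
    own_caps = {ch for ch in key["caps"] if ch.islower()}
    missing = REQUIRED_CAPS - own_caps
    if missing:
        problems.append("missing capabilities: %s" % ",".join(sorted(missing)))
    if key["expires"] is None:
        problems.append("no expiry date")
    else:
        if key["expires"] - key["created"] < MIN_VALIDITY_SECONDS:
            problems.append("validity shorter than 5 years")
        if key["expires"] <= now:
            problems.append("expired")
    return problems


def check_exported_key(path, now=None):
    """Run gpg on an exported keyring file and map fingerprint -> problems.

    Assumes GnuPG >= 2.1.13 (show-only lists the file without importing it).
    """
    out = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--import-options", "show-only",
         "--import", path],
        check=True, capture_output=True, text=True,
    ).stdout
    return {k["fpr"]: check_key(k, now) for k in parse_colons(out)}


if __name__ == "__main__":
    for key in parse_colons(SAMPLE_LISTING):
        verdict = check_key(key) or ["OK"]
        print(key["fpr"], key["uids"][0], "; ".join(verdict))
```

Run against the sample, the UCS-5 key passes and the UCS-3 key is reported as DSA, 1024 bit and expired, which is exactly why Comment 4 drops it from the package.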
Comment 3 Philipp Hahn univentionstaff 2020-05-13 09:10:17 CEST
As discussed: Keys should be installed in /etc/apt/trusted.gpg.d/ instead to make them work without calling `apt-key add`, which does not work in early boot-strap due to `gnupg[12]` not being installed.
Comment 4 Philipp Hahn univentionstaff 2020-05-13 09:39:47 CEST
[4.4-4] e425ce21f5 Bug #51250 key: Install keys to /etc/apt/trusted.gpg.d/
 base/univention-archive-key/debian/changelog       |  6 ++++++
 .../debian/ucslint.overrides                       |  3 +++
 .../debian/univention-archive-key.install          |  4 ++--
 .../debian/univention-archive-key.postinst         | 25 +++++++++++++++++++---
 4 files changed, 33 insertions(+), 5 deletions(-)

Package: univention-archive-key
Version: 9.0.0-3A~4.4.0.202005130936
Branch: ucs_4.4-0
Scope: errata4.4-4

[4.4-4] 443e4b5a2c Bug #51250: univention-archive-key 9.0.0-3A~4.4.0.202005130936
 doc/errata/staging/univention-archive-key.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

QA: apt-key
# diff apt-key.before apt-key.after 
1,15d0
< /etc/apt/trusted.gpg
< --------------------
< pub   dsa1024 2011-10-05 [SC] [expired: 2018-10-03]
<       3550 FB4C C61F DB88 D334  E31A 1DD6 7AFB 2CBD A4B0
< uid           [ expired] Univention Corporate Server 3.x Archive Key <packages@univention.de>
< 
< pub   rsa4096 2014-06-30 [SC] [expires: 2021-06-28]
<       6B6E 7E32 59A9 F44F 1452  D1BE 3660 2BA8 6B8B FD3C
< uid           [ unknown] Univention Corporate Server 4.x <packages@univention.de>
< sub   rsa4096 2014-06-30 [E] [expires: 2021-06-28]
< 
< pub   rsa4096 2020-05-08 [SC] [expires: 2027-05-07]
<       8321 745B B32A 82C7 5BBD  4BC2 D293 E501 A055 F562
< uid           [ unknown] Univention Corporate Server 5.x <packages@univention.de>
< 
72a58,70
> 
> /etc/apt/trusted.gpg.d/univention-archive-key-ucs-4x.gpg
> --------------------------------------------------------
> pub   rsa4096 2014-06-30 [SC] [expires: 2021-06-28]
>       6B6E 7E32 59A9 F44F 1452  D1BE 3660 2BA8 6B8B FD3C
> uid           [ unknown] Univention Corporate Server 4.x <packages@univention.de>
> sub   rsa4096 2014-06-30 [E] [expires: 2021-06-28]
> 
> /etc/apt/trusted.gpg.d/univention-archive-key-ucs-5x.gpg
> --------------------------------------------------------
> pub   rsa4096 2020-05-08 [SC] [expires: 2027-05-07]
>       8321 745B B32A 82C7 5BBD  4BC2 D293 E501 A055 F562
> uid           [ unknown] Univention Corporate Server 5.x <packages@univention.de>
Comment 5 Arvid Requate univentionstaff 2020-05-13 13:42:40 CEST
Verified:
* UCS-5 Key properties and generation process
* package update & apt-key list
* UCS-3 key removed
* UCS-4 key migrated from trusted.gpg to trusted.gpg.d
* UCS-5 key installed
* Advisory
Comment 6 Arvid Requate univentionstaff 2020-05-13 13:44:38 CEST
* Key backup confirmed too.
Comment 7 Arvid Requate univentionstaff 2020-05-20 12:30:07 CEST
<http://errata.software-univention.de/ucs/4.4/605.html>