#7167 Publish Fedora GPG keys in DNS
Closed: Fixed 2 years ago Opened 2 years ago by msehnout.

  • Describe what you need us to do:

To publish the GPG keys that are installed in the /etc/pki/rpm-gpg directory in the DNS system and sign them with DNSSEC.

This method is described in RFC 7929: https://tools.ietf.org/html/rfc7929
There is also a PR for dnf, which could use it for automatic key verification and revocation: https://github.com/rpm-software-management/dnf/pull/1085
Finally, my master's thesis describes this topic in detail and it is available online:
https://www.vutbr.cz/en/students/final-thesis?zp_id=110044

  • When do you need this? (YYYY/MM/DD)

No specific date.

  • When is this no longer needed or useful? (YYYY/MM/DD)

N/A

  • If we cannot complete your request, what is the impact?

We will continue to verify keys by hand or just skip the question from dnf :)


I think this is something we want to do... might be a nice task for someone new to infrastructure.
Just look at our dns git repo on batcave01 to see how things are set up and how we would add this in there.

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

2 years ago

The referenced Github PR has been merged and as far as I know, it should go to Fedora 29. It would be nice to have the keys in place for final release.

Is there any update on this issue?

I'm afraid no one has had time to work on it yet.

Is there a short attention span HOWTO we could follow?

Basically we just need to convert those gpg pub keys from /etc/pki/rpm-gpg to entries in our (already existent) _openpgpkey.fedoraproject.org zone?

I wonder if @nb or @pwouters might have a few cycles to do this?

On 10/04/2018 08:24 PM, Kevin Fenzi wrote:

kevin added a new comment to an issue you are following:
```
I'm afraid no one has had time to work on it yet.

Is there a short attention span HOWTO we could follow?

Basically we just need to convert those gpg pub keys from /etc/pki/rpm-gpg to entries in our (already existent) _openpgpkey.fedoraproject.org zone?

I wonder if @nb or @pwouters might have a few cycles to do this?
```

To reply, visit the link below or just reply to this email
https://pagure.io/fedora-infrastructure/issue/7167

Yes I will pick this up tomorrow and put them in.

Paul

When I was testing the system I used the --export-options export-dane option of the gpg2 utility. It will generate the hash for the domain name, so you can just include the exported file in the zone.

Reference:
https://github.com/msehnout/dnf-testing/tree/master/keyring
https://github.com/msehnout/dnf-testing/blob/master/configuration/example-com-server/packager-gpg-key

ok. I added f27/f28/f29/f30. Or should we just add all of them?

Can you take a look and confirm that looks ok?

I've tested the keys for f28 and f27 by comparing them with those that are installed on my system, and they look good to me.

I use this utility: https://pagure.io/email2domain

$ rpm -qi gpg-pubkey | rg fedora-28 -A 30
Packager    : Fedora 28 (28) <fedora-28@fedoraproject.org>
Summary     : gpg(Fedora 28 (28) <fedora-28@fedoraproject.org>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.14.1 (NSS-3)

mQINBFmSAVYBEADakUeJgNnAP2CE3vw+iI0Um9XvuBP6NdESRiJIEPgXhKWM058J
PZDkpRETS4pbB3xUyPLoogoO76lheBEOPEAGp5mb/7vEcwlYqjtuetFi9hcsbNPx
DeOLQ9KR7Xs2idU+DlCJW1WyU9UiLoyZpQgAqF7Y50MoxPKJtfDuM52YkulYLU+M
leRtxJzHYcXArU3x3Czz1FnemVtol3/1/BvmGQPIyj2HdG4vxWbiX79AUSlchh+M
...
z/K+HoibAxvo7VcpxD+N38LaPtrx/ERMxeYBJvMgSqGaC3MXj36/qv0zTyyTItYX
9JfbOrikoJa+aKQGmTWLrcuKaYl6Jzsq3vRTbNRRi4SpXwTwMyuW4pU=
=fo1W
-----END PGP PUBLIC KEY BLOCK-----
$ dig $(./email2domain.py fedora-28@fedoraproject.org) OPENPGPKEY

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-10.P2.fc28 <<>> a327f2e5b9b6030b56c7a3e1b2e247d92b794b70d8a86c1c06a6f872._openpgpkey.fedoraproject.org OPENPGPKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62914
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a327f2e5b9b6030b56c7a3e1b2e247d92b794b70d8a86c1c06a6f872._openpgpkey.fedoraproject.org.    IN OPENPGPKEY

;; ANSWER SECTION:
a327f2e5b9b6030b56c7a3e1b2e247d92b794b70d8a86c1c06a6f872._openpgpkey.fedoraproject.org. 85816 IN OPENPGPKEY mQINBFmSAVYBEADakUeJgNnAP2CE3vw+iI0Um9XvuBP6NdESRiJIEPgX hKWM058JPZDkpRETS4pbB3xUyPLoogoO76lheBEOPEAGp5mb/7vEcwlY qjtuetFi9hcsbNPxDeOLQ9KR7Xs2idU+DlCJW1WyU9UiLoyZpQgAqF7Y 
...
s750lCw/4K3jHnrQWxL7VfwLw0H1xlxnVqIXlL3HeOIn9EoaygxV2gJt PjB/Gwr2z/K+HoibAxvo7VcpxD+N38LaPtrx/ERMxeYBJvMgSqGaC3MX j36/qv0zTyyTItYX9JfbOrikoJa+aKQGmTWLrcuKaYl6Jzsq3vRTbNRR i4SpXwTwMyuW4pU=

;; Query time: 30 msec
;; SERVER: 10.38.5.26#53(10.38.5.26)
;; WHEN: Wed Oct 10 11:24:15 CEST 2018
;; MSG SIZE  rcvd: 1272

The key for Fedora 29 is also available, but the one for Fedora 30 is missing:

$ dig $(./email2domain.py fedora-30@fedoraproject.org) OPENPGPKEY

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-10.P2.fc28 <<>> f0bc8d866cf882c9b6b705c6873073fba115e4391bb1c767ed3b8e3f._openpgpkey.fedoraproject.org OPENPGPKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21010
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;f0bc8d866cf882c9b6b705c6873073fba115e4391bb1c767ed3b8e3f._openpgpkey.fedoraproject.org.    IN OPENPGPKEY

;; AUTHORITY SECTION:
_openpgpkey.fedoraproject.org. 10424 IN SOA ns04.fedoraproject.org. hostmaster.fedoraproject.org. 2018100901 3600 600 1000000 10800

;; Query time: 30 msec
;; SERVER: 10.38.5.26#53(10.38.5.26)
;; WHEN: Wed Oct 10 11:27:12 CEST 2018
;; MSG SIZE  rcvd: 167

@kevin, can you run a successful query for the Fedora 30 key?
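The two steps in the check above (deriving the `_openpgpkey` owner name per RFC 7929, which is what email2domain does, and comparing the published OPENPGPKEY rdata against the key installed by rpm) as an added Python example that is not part of the ticket or of email2domain. It assumes the RFC 7929 derivation (SHA-256 of the local-part, truncated to 28 octets, hex-encoded, no case folding) and uses a constructed stand-in payload rather than a real Fedora key.

```python
import base64
import hashlib
import re

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"


def openpgpkey_owner_name(mailbox: str) -> str:
    """RFC 7929 owner name: hex(SHA-256(local-part)[:28]) + '._openpgpkey.' + domain.
    The local-part is hashed exactly as given (no case folding is applied here)."""
    local_part, domain = mailbox.rsplit("@", 1)
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}"


def armored_key_body(armor: str) -> str:
    """Return the base64 payload of an ASCII-armored key block (as printed by
    `rpm -qi gpg-pubkey`), without the armor headers and without the '=CRC24' line."""
    lines = [line.strip() for line in armor.strip().splitlines()]
    if ARMOR_BEGIN not in lines or ARMOR_END not in lines:
        raise ValueError("not an armored public key block")
    body = lines[lines.index(ARMOR_BEGIN) + 1:lines.index(ARMOR_END)]
    if "" in body:  # armor headers (Version: ...) end at the first blank line
        body = body[body.index("") + 1:]
    return "".join(line for line in body if not line.startswith("="))


def openpgpkey_rdata_matches(rdata: str, armor: str) -> bool:
    """True if the OPENPGPKEY rdata (dig prints it as space-separated base64)
    carries exactly the same key bytes as the locally installed armored key."""
    dns_key = base64.b64decode(re.sub(r"\s+", "", rdata), validate=True)
    local_key = base64.b64decode(armored_key_body(armor), validate=True)
    return dns_key == local_key


# Constructed sample: these bytes are NOT a real OpenPGP key, only a stand-in payload.
SAMPLE_KEY = b"constructed stand-in for the binary OpenPGP key packets" * 3
_B64 = base64.b64encode(SAMPLE_KEY).decode()
SAMPLE_ARMOR = "\n".join([ARMOR_BEGIN, "Version: constructed", ""]
                         + [_B64[i:i + 64] for i in range(0, len(_B64), 64)]
                         + ["=CRC0", ARMOR_END])
SAMPLE_RDATA = " ".join(_B64[i:i + 56] for i in range(0, len(_B64), 56))

if __name__ == "__main__":
    print(openpgpkey_owner_name("fedora-28@fedoraproject.org"))
    print("DNS record matches local key:", openpgpkey_rdata_matches(SAMPLE_RDATA, SAMPLE_ARMOR))
```

Note that a matching record only proves the zone carries the same bytes; the `dig` output above was not run with `+dnssec`, so the `ad` flag is the thing to check before trusting the answer.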

Pardon me if I'm confusing different issues. Is this the same thing as gpg2's 'export-pka' option? If so, I recently saw a question about it on the gnupg-users list and Werner said "Please don't use this anymore." as it would be removed from a future gpg2 release (in favor of WKD [Web Key Directory], which looks easier to implement).

For some reason the f30 key address is "fedora-30-primary@fedoraproject.org", I'm not sure why.

WKD is something different than this I am pretty sure.

I'm going to mark this done. Please open a new ticket if there's anything further to do.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

