#189 security: use gpgv to verify CHECKSUM signatures
Merged 2 years ago by darknao. Opened 2 years ago by tmz.
fedora-web/tmz/websites: master into master

@@ -35,14 +35,14 @@ 

            <p>

              {% trans trimmed %}

              First, import Fedora's GPG key(s):

-             <pre><code>$ curl https://getfedora.org/static/fedora.gpg | gpg --import</code></pre>

+             <pre><code>$ curl -O https://getfedora.org/static/fedora.gpg</code></pre>

              Note that you can verify the details of these keys below.

              {% endtrans %}

            </p>

            <p>

              {% trans trimmed %}

              Now, verify that the CHECKSUM file is valid:

-             <pre><code>$ gpg --verify-files *-CHECKSUM</code></pre>

+             <pre><code>$ gpgv --keyring ./fedora.gpg *-CHECKSUM</code></pre>

              The CHECKSUM file should have a good signature from one of the keys described below.

              {% endtrans %}

            </p>
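Review bot: the new download step on the `+ <pre><code>$ curl -O https://getfedora.org/static/fedora.gpg</code></pre>` line saves whatever the server returns, so an error page or redirect body would be written to fedora.gpg and the later gpgv step would then fail with a message about an unusable keyring rather than a clear download error; `curl -fO https://getfedora.org/static/fedora.gpg` makes curl exit non-zero on HTTP errors instead. The gpgv line itself looks right: `--keyring ./fedora.gpg` needs the leading `./`, because a keyring name without a slash is looked up in the GnuPG home directory rather than the current directory.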

@@ -54,8 +54,8 @@ 

              print('Could not open key file {0}: {1}'.format(path, e))

              raise

  

-     armor = gpg.export_keys(current_fingerprints, armor=True)

-     return armor

+     keyring = gpg.export_keys(current_fingerprints, armor=False)

+     return keyring

  

  def check_gpg_keys():

      '''
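Review bot: with `armor=False` the value returned at `+     return keyring` is a raw binary keyblock, and if `gpg` here is python-gnupg that means `bytes` rather than `str`, so the caller that writes the result out to fedora.gpg must open the file in binary mode and any code that treated the export as text needs the same update; the write site is outside this hunk and worth checking. A short comment on the `export_keys` line saying the output is deliberately un-armored so that gpgv's `--keyring` can read it would also help the next reader.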

@@ -901,7 +901,7 @@ 

                      $(p).html("Import Fedora's GPG keys");

                      code = document.createElement('code');

                      pre = document.createElement('pre');

-                     $(code).html("curl https://getfedora.org/static/fedora.gpg | gpg --import")

+                     $(code).html("curl -O https://getfedora.org/static/fedora.gpg")

                        .appendTo(pre);

                      $(p).appendTo(li);

                      $(pre).appendTo(li);
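Review bot: the step label set by `$(p).html("Import Fedora's GPG keys");` is now inaccurate, since the command on the `+` line only downloads fedora.gpg and no longer imports anything into a keyring; change the label to something like "Download Fedora's GPG keys" so the rendered step matches the command shown under it.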
@@ -913,7 +913,7 @@ 

                      $(p).html("Verify the signature is valid");

                      code = document.createElement('code');

                      pre = document.createElement('pre');

-                     $(code).html("gpg --verify " + getFilename(displayDownloads.signature) + " " + getFilename(displayDownloads.location))

+                     $(code).html("gpgv --keyring ./fedora.gpg " + getFilename(displayDownloads.signature) + " " + getFilename(displayDownloads.location))

                        .appendTo(pre);

                      $(p).appendTo(li);

                      $(pre).appendTo(li);
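Review bot: the rewritten line still builds the command with `$(code).html(...)`, so the values from `getFilename(displayDownloads.signature)` and `getFilename(displayDownloads.location)` are inserted as HTML; since the line is being changed anyway, `$(code).text(...)` would render the file names literally and avoid interpreting any markup-significant characters in them. The argument order (signature file first, then the data file) matches what gpgv expects.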

The gpgv command is designed to simply verify OpenPGP signatures. It
takes a keyring as an option and then any number of signed files and
verifies the signatures based on the keys in the given keyring.

Using gpgv allows the instructions to be simplified and avoids the
following confusing output from the currently recommended method:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

The gpgv command expects the --keyring argument to be an un-armored
keyblock. This means dropping the ascii-armor from fedora.gpg (which is
more in line with the .gpg extension anyway). For users who still wish
to pull fedora.gpg and import it to their keyring, the un-armored
keyblock works just as well.

The updated instructions are:

$ curl -O https://getfedora.org/static/fedora.gpg
$ gpgv --keyring ./fedora.gpg *-CHECKSUM

The output from gpgv is:

$ gpgv --keyring ./fedora.gpg *-CHECKSUM
gpgv: Signature made Fri 19 Mar 2021 10:10:28 AM EDT
gpgv:                using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39
gpgv: Good signature from "Fedora (34) <fedora-34-primary@fedoraproject.org>"

Users no longer have to fiddle with marking the Fedora keys as trusted
in gpg nor do we have to explain why the large "WARNING" from gpg is
okay to ignore¹.

¹ https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/MPSGTW42RP4U75ZHUAHDMFIP6TTUW23Y/

Signed-off-by: Todd Zullinger <tmz@pobox.com>
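Added example, not part of this PR or the fedora-web repository: a POSIX shell script that drives gpgv as the commit message describes, but decides on gpgv's machine-readable status lines (--status-fd) and its exit code rather than the human-readable "Good signature" text, and then checks the images with sha256sum. The file names (fedora.gpg, *-CHECKSUM) follow the instructions above; the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the fedora-web PR. Verifies Fedora CHECKSUM files
# with gpgv using its machine-readable status lines and exit code, then
# checks the downloaded images against the verified CHECKSUM file.
# Assumes fedora.gpg and the *-CHECKSUM file(s) sit in the current directory.

# Return 0 only if the gpgv status output (from --status-fd) contains a
# GOODSIG line and no BADSIG/ERRSIG/NO_PUBKEY/EXPKEYSIG/REVKEYSIG line.
# These lines are stable across gpgv versions and locales; the English
# "Good signature" text is not.
gpgv_status_ok() {
    status="$1"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:] GOODSIG ' || return 1
    printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG) ' &&
        return 1
    return 0
}

# Run gpgv on one CHECKSUM file. The keyring path keeps its "./" because
# a bare file name would be looked up in the GnuPG home directory instead.
verify_checksum_file() {
    keyring="$1"
    checksum="$2"
    status=$(gpgv --status-fd 1 --keyring "$keyring" "$checksum" 2>/dev/null)
    rc=$?
    [ "$rc" -eq 0 ] && gpgv_status_ok "$status"
}

# Verify every *-CHECKSUM file here, then let sha256sum check whichever
# listed images are present (--ignore-missing skips the ones not downloaded).
verify_all() {
    keyring=./fedora.gpg
    [ -r "$keyring" ] || { echo "missing keyring $keyring" >&2; return 1; }
    found=0
    for f in ./*-CHECKSUM; do
        [ -e "$f" ] || continue
        found=1
        if verify_checksum_file "$keyring" "$f"; then
            echo "good signature on $f"
            sha256sum --ignore-missing -c "$f" || return 1
        else
            echo "signature check FAILED for $f" >&2
            return 1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no *-CHECKSUM file found" >&2; return 1; }
}

if [ "${1:-}" = "--run" ]; then verify_all; fi
```

Run it as `sh verify-checksum.sh --run` from the download directory; a non-zero exit means either the signature or a listed image hash did not check out.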

I did not touch the old sites/getfedora.org/scripts/update-gpg-keys as I don't think it's used after 8f6ee1b (add f33 gpg key, auto-gen fedora.gpg, obsolete f30 key, 2020-09-30). If that's not correct, it's easy to fix.

The instructions haven't changed, so IMO it's as relevant (or not) as it was when I filed it.

Looks good to me.
@tmz Can you do a rebase and fix conflicts?

rebased onto bbf03df

2 years ago

Sure thing, done.

While testing, I noticed that the GPG key list has been more or less broken since February 2021. I'll file a separate PR (#255) to fix that issue (some minor tag breakage and typos in the DNS OpenPGPKey bits).

Pull-Request has been merged by darknao

2 years ago