#11787 create EPEL 10 package signing key
Closed: Fixed a month ago by humaton. Opened 3 months ago by carlwgeorge.

  • Describe the issue

Each major version of EPEL has its own package signing key. Soon we'll begin work on EPEL 10, so we'll need a new key for it.

  • When do you need this? (YYYY/MM/DD)

Ideally by 2023-12-01, or as soon as possible after that.

  • When is this no longer needed or useful? (YYYY/MM/DD)

The EPEL 10 retirement date of 2035-05-31.

  • If we cannot complete your request, what is the impact?

It would prevent us from having signed packages in EPEL 10.


Do we want to rotate the key for every minor version like we do for every Fedora release?

What would be the justification for doing so? The current strategy of a new key for each major version of EPEL seems to be working well to me. From what I've seen in the configuration for various tools, it would be straightforward to use the same major version key for each minor version of EPEL 10. Rotating the key with each minor version would require enterprise users to accept a new key every six months.

Metadata Update from @phsmoura:
- Issue tagged with: low-gain, low-trouble, ops

3 months ago

None really; I just asked because of potential re-use with Fedora SOP, and this is one of those early decisions that need to be made before we do anything that's hard to back out later. I'm fine with "key per major" continuing with EPEL 10.

@humaton you were going to do this?

Please let me know if you run into any problems and please make me an admin on it. ;)

Metadata Update from @kevin:
- Issue assigned to humaton

2 months ago

here are both keys:

https://humaton.fedorapeople.org/epel/

I am not sure where they should live? epel-release package? on the main branch or where?

Initially, they should be added to distribution-gpg-keys and https://fedoraproject.org/security

There are a few differences with this key compared to the EPEL 9 key.

  • filename
-RPM-GPG-KEY-EPEL-9
+RPM-GPG-KEY-epel-10
  • Name-Real
-Fedora
+EPEL
  • Name-Comment
-epel9
+10
  • Name-Email
-epel@fedoraproject.org
+epel-10@fedoraproject.org

Should we keep those fields consistent with the previous key?

The filename and the email address should remain consistent with previous keys. Otherwise certain formulaic expectations will break.

Name-Real should be Fedora EPEL (or if not, Name-Real and Name-Comment should revert back to the previous form).

I also wanted to ask if we actually need the RPM-GPG-KEY-epel-10-ima key. I've heard of IMA signatures, but I'm not sure how that relates to the package signing key. RHEL 9 has IMA signatures, but doesn't ship a separate GPG key for it in redhat-release. Fedora 38 and 39 have IMA keys in fedora-gpg-keys, in several formats (.cert, .der, and .pem).

IMHO we should do IMA signing for epel10 at least. We are reworking the sigul part of this right now, and we can discuss more once that's done.
I'm sure it will require some enrollment, but it might be quite nice to have epel packages covered by IMA signatures.

Sorry about the mess with naming. I have recreated the GPG key because sigul was segfaulting on me while changing it. IMA key is the same just renamed.

This key looks good to me:

[root@f887fce26b82 /]# sq inspect RPM-GPG-KEY-EPEL-10
RPM-GPG-KEY-EPEL-10: OpenPGP Certificate.

    Fingerprint: 7D8D15CBFC4E62688591FB2633D98517E37ED158
Public-key algo: RSA
Public-key size: 4096 bits
  Creation time: 2023-12-12 13:27:05 UTC
      Key flags: certification, signing, transport encryption, data-at-rest encryption

         UserID: Fedora (epel10) <epel@fedoraproject.org>

The keys are created and people have access to them, once epel-release-10 gets created we can add it there.

Metadata Update from @humaton:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a month ago
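The field comparison above (Name-Real, Name-Comment, Name-Email) and the `sq inspect` output are the two checks a consumer of a new RPM-GPG-KEY file actually wants to automate before shipping it in distribution-gpg-keys or epel-release. The following is an added example, not Fedora's, sigul's or Sequoia's code: a small RFC 4880 packet walker that dearmors a key file, recovers the fingerprint, algorithm, key size, creation time and user IDs that `sq inspect` printed, and flags a user ID that departs from the established "Fedora (epelN) <epel@fedoraproject.org>" form. The sample keys at the bottom are constructed toy keys with dummy moduli (they are not real EPEL keys and cannot sign anything), the 4096-bit minimum is this example's own policy chosen to match the key shown, and only v4 RSA primary keys with fixed-length packets are handled.

```python
"""Minimal OpenPGP (RFC 4880) inspector for RPM-GPG-KEY-* files: the fields
`sq inspect` prints, plus a check of the user ID against the EPEL naming form.
Added example (not Fedora/sigul/Sequoia code); v4 RSA primary keys only."""
import base64
import hashlib
import re
import struct
from datetime import datetime, timezone

def dearmor(text):
    """Strip ASCII armor (BEGIN/END lines, headers, CRC24 trailer) -> packet bytes."""
    m = re.search(r"-----BEGIN PGP[^\n]*\n(.*?)-----END PGP", text, re.S)
    if not m:
        raise ValueError("no PGP armor block found")
    data, in_data = [], False
    for line in m.group(1).splitlines():
        line = line.strip()
        if not in_data and ":" in line:          # armor header such as "Version: ..."
            continue
        in_data = True                            # blank line or first data line ends the headers
        if line and not line.startswith("="):     # skip blank lines and the CRC24 trailer
            data.append(line)
    return base64.b64decode("".join(data))

def iter_packets(data):
    """Yield (tag, body) per packet; old- and new-format headers, fixed lengths only."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("invalid packet header")
        if hdr & 0x40:                                    # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, hlen = first, 2
            elif first < 224:
                length, hlen = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hlen = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                             # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hlen = (2, 3, 5)[ltype]                       # 1-, 2- or 4-byte length field
            length = int.from_bytes(data[i + 1:i + hlen], "big")
        yield tag, data[i + hlen:i + hlen + length]
        i += hlen + length

def inspect_key(armored):
    """Primary-key facts as `sq inspect` shows them: fingerprint, algo, bits, created, userids."""
    info = {"userids": []}
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6 and "fingerprint" not in info:        # primary public-key packet
            if body[0] != 4 or body[5] not in (1, 2, 3):
                raise ValueError("only v4 RSA keys handled in this example")
            # v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99 || 2-byte length || packet body
            info["fingerprint"] = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
            info["created"] = datetime.fromtimestamp(struct.unpack(">I", body[1:5])[0], timezone.utc)
            info["algo"], info["bits"] = "RSA", struct.unpack(">H", body[6:8])[0]   # MPI bit length of n
        elif tag == 13:                                    # user ID packet
            info["userids"].append(body.decode("utf-8"))
    if "fingerprint" not in info:
        raise ValueError("no public-key packet found")
    return info

EPEL_UID = re.compile(r"^Fedora \(epel(?P<major>\d+)\) <epel@fedoraproject\.org>$")

def check_epel_convention(info, major, min_bits=4096):
    """Deviations from the established EPEL key form (min_bits is this example's own policy)."""
    problems = []
    if info["algo"] != "RSA" or info["bits"] < min_bits:
        problems.append(f"expected RSA >= {min_bits} bits, got {info['algo']} {info['bits']}")
    for uid in info["userids"]:
        m = EPEL_UID.match(uid)
        if not m:
            problems.append(f"user ID {uid!r} is not of the form 'Fedora (epelN) <epel@fedoraproject.org>'")
        elif int(m.group("major")) != major:
            problems.append(f"user ID {uid!r} names EPEL {m.group('major')}, expected {major}")
    return problems

def _mpi(v):
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")

def make_sample_key(userid, bits=4096, created=datetime(2023, 12, 12, 13, 27, 5, tzinfo=timezone.utc)):
    """Constructed sample key: a dummy modulus of the requested size, NOT a real EPEL key."""
    n = (1 << (bits - 1)) | 0x10001
    keybody = b"\x04" + struct.pack(">I", int(created.timestamp())) + b"\x01" + _mpi(n) + _mpi(65537)
    packets = b""
    for tag, body in ((6, keybody), (13, userid.encode("utf-8"))):
        packets += bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body  # old format, 2-byte len
    b64 = base64.b64encode(packets).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{lines}\n-----END PGP PUBLIC KEY BLOCK-----\n"

GOOD_KEY = make_sample_key("Fedora (epel10) <epel@fedoraproject.org>")   # the form settled on above
BAD_KEY = make_sample_key("EPEL (10) <epel-10@fedoraproject.org>")       # the first-cut naming
```

`inspect_key(GOOD_KEY)` yields the same shape of report as the `sq inspect` output quoted above, and `check_epel_convention(inspect_key(BAD_KEY), 10)` returns one finding for the "EPEL (10) <epel-10@fedoraproject.org>" user ID; pointing `inspect_key` at the contents of a real RPM-GPG-KEY-EPEL-10 file lets you compare the computed fingerprint with the published one before running `rpm --import`. Note that the fingerprint is computed from the public-key packet only, so renaming the file or changing the user ID (as happened here when the key was recreated) does not change it, whereas regenerating the key material does.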
