Release Engineering


FS#79495 - Netboot images (ipxe-arch) are being signed by revoked key

Attached to Project: Release Engineering
Opened by Stefan Benter (Beneter) - Sunday, 27 August 2023, 23:20 GMT
Last edited by David Runge (dvzrv) - Monday, 28 August 2023, 14:05 GMT
Task Type Bug Report
Category ArchISO
Status Closed
Assigned To David Runge (dvzrv)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

The current Netboot images are being signed by a revoked key:

```
$ LANG=C gpg --verify ipxe-arch.efi.98364a887321.sig ipxe-arch.16e24bec1a7c.efi
gpg: Signature made Fri Jul 23 19:23:10 2021 CEST
gpg: using EDDSA key C7E7849466FE2358343588377258734B41C31549
gpg: issuer "dvzrv@archlinux.org"
gpg: Good signature from "David Runge <dvzrv@archlinux.org>" [unknown]
gpg: WARNING: This key has been revoked by its owner!
gpg: This could mean that the signature is forged.
gpg: reason for revocation: Key is no longer used
Primary key fingerprint: C7E7 8494 66FE 2358 3435 8837 7258 734B 41C3 1549

$ LANG=C gpg --verify ipxe-arch.pxe.08cdbb3d8f17.sig ipxe-arch.5ee66f360339.pxe
gpg: Signature made Sun Sep 5 22:37:43 2021 CEST
gpg: using EDDSA key C7E7849466FE2358343588377258734B41C31549
gpg: issuer "dvzrv@archlinux.org"
gpg: Good signature from "David Runge <dvzrv@archlinux.org>" [unknown]
gpg: WARNING: This key has been revoked by its owner!
gpg: This could mean that the signature is forged.
gpg: reason for revocation: Key is no longer used
Primary key fingerprint: C7E7 8494 66FE 2358 3435 8837 7258 734B 41C3 1549

$ LANG=C gpg --verify ipxe-arch.lkrn.612c3a5236b0.sig ipxe-arch.7db2ebf431ea.lkrn
gpg: Signature made Fri Jul 23 19:23:27 2021 CEST
gpg: using EDDSA key C7E7849466FE2358343588377258734B41C31549
gpg: issuer "dvzrv@archlinux.org"
gpg: Good signature from "David Runge <dvzrv@archlinux.org>" [unknown]
gpg: WARNING: This key has been revoked by its owner!
gpg: This could mean that the signature is forged.
gpg: reason for revocation: Key is no longer used
Primary key fingerprint: C7E7 8494 66FE 2358 3435 8837 7258 734B 41C3 1549
```

Closed by David Runge (dvzrv)
Monday, 28 August 2023, 14:05 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in archweb sources, will eventually be released to website
Comment by Stefan Benter (Beneter) - Sunday, 27 August 2023, 23:27 GMT
Sorry, my layer 8 adblocker has blocked your notification about the issue tracker being moved to GitLab. Should I reopen there?
Comment by David Runge (dvzrv) - Monday, 28 August 2023, 10:18 GMT
@Beneter: Thanks for the ticket.

The signature is fine (but the key has been revoked for non-problematic reasons afterwards, being superseded by a new key).

Compare from your above output:

```
gpg: Signature made Fri Jul 23 19:23:27 2021 CEST
```

```
pacman-key --list-keys C7E7849466FE2358343588377258734B41C31549
gpg: Note: trustdb not writable
pub ed25519 2019-10-01 [SC] [revoked: 2022-05-09]
C7E7849466FE2358343588377258734B41C31549
uid [ revoked] David Runge <dvzrv@archlinux.org>
```

Either way, I can provide new signatures for the files in the coming days.
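The reasoning in the comment above (a "Good signature" warning about a revoked key is acceptable only if the signature predates the revocation and the revocation reason is benign) can be mechanised. The following is an added example, not code from archiso, archweb or pacman-key: it parses the `LANG=C` human-readable output of `gpg --verify` and of the key listing exactly as pasted in this ticket, and the embedded sample input is a constructed copy of the `ipxe-arch.efi` result above. The revocation-reason strings are the ones gpg prints for the RFC 4880 reason codes.

```python
"""Classify a gpg 'Good signature' that carries a 'key has been revoked' warning.

Added example (not part of the Arch tooling). Works on LANG=C human-readable
gpg output as shown in the ticket; for scripting against live gpg prefer
`--status-fd`, the stable machine interface.
"""
import re
from datetime import date, datetime

# Strings gpg prints for the RFC 4880 section 5.2.3.23 revocation reason codes.
REASON_COMPROMISED = "Key has been compromised"                 # 0x02
REASONS_BENIGN = {"Key is superseded", "Key is no longer used"}  # 0x01, 0x03

# Constructed sample input: the ipxe-arch.efi verification from the ticket.
SAMPLE_VERIFY = """\
gpg: Signature made Fri Jul 23 19:23:10 2021 CEST
gpg: using EDDSA key C7E7849466FE2358343588377258734B41C31549
gpg: issuer "dvzrv@archlinux.org"
gpg: Good signature from "David Runge <dvzrv@archlinux.org>" [unknown]
gpg: WARNING: This key has been revoked by its owner!
gpg: This could mean that the signature is forged.
gpg: reason for revocation: Key is no longer used
Primary key fingerprint: C7E7 8494 66FE 2358 3435 8837 7258 734B 41C3 1549
"""

# Constructed sample input: the pacman-key --list-keys output from the ticket.
SAMPLE_LISTING = """\
pub   ed25519 2019-10-01 [SC] [revoked: 2022-05-09]
      C7E7849466FE2358343588377258734B41C31549
uid           [ revoked] David Runge <dvzrv@archlinux.org>
"""


def _sig_time(verify_output: str) -> datetime:
    """Parse 'gpg: Signature made <ctime-style date> <zone>'."""
    m = re.search(r"^gpg:\s+Signature made (.+)$", verify_output, re.M)
    if not m:
        raise ValueError("no 'Signature made' line in gpg output")
    # Drop the zone abbreviation (e.g. CEST): strptime cannot parse it
    # portably, and day-granular comparison is all that is needed here.
    fields = m.group(1).split()
    return datetime.strptime(" ".join(fields[:-1]), "%a %b %d %H:%M:%S %Y")


def _fingerprint(verify_output: str) -> str:
    m = re.search(r"^Primary key fingerprint: (.+)$", verify_output, re.M)
    return m.group(1).replace(" ", "") if m else ""


def _revocation_date(key_listing: str, fingerprint: str) -> date:
    """Find '[revoked: YYYY-MM-DD]' on the pub line preceding `fingerprint`."""
    lines = key_listing.splitlines()
    for i, line in enumerate(lines):
        if i > 0 and line.strip() == fingerprint:
            m = re.search(r"\[revoked: (\d{4}-\d{2}-\d{2})\]", lines[i - 1])
            if m:
                return date.fromisoformat(m.group(1))
    raise ValueError("listing shows no revocation for " + fingerprint)


def assess(verify_output: str, key_listing: str) -> str:
    """Return a verdict string starting with BAD, OK, REJECT, REVIEW or ACCEPT-WITH-CAVEAT."""
    if "gpg: Good signature from" not in verify_output:
        return "BAD: signature does not verify"
    if "This key has been revoked" not in verify_output:
        return "OK: good signature, signing key not revoked"

    m = re.search(r"^gpg:\s+reason for revocation: (.+)$", verify_output, re.M)
    reason = m.group(1).strip() if m else "No reason specified"
    if reason == REASON_COMPROMISED:
        # Whoever holds a compromised key chooses the signature timestamp,
        # so "signed before revocation" proves nothing. Reject outright.
        return "REJECT: signing key revoked as compromised"

    signed = _sig_time(verify_output).date()
    revoked = _revocation_date(key_listing, _fingerprint(verify_output))
    if signed >= revoked:
        return f"REJECT: signed {signed}, on or after revocation {revoked}"
    if reason in REASONS_BENIGN:
        return (f"ACCEPT-WITH-CAVEAT: signed {signed}, key retired {revoked} "
                f"({reason}); request a fresh signature")
    return f"REVIEW: signed {signed} before revocation {revoked}, reason '{reason}'"


if __name__ == "__main__":
    print(assess(SAMPLE_VERIFY, SAMPLE_LISTING))
```

The ordering of the checks is the point: the revocation reason is consulted before the dates, because a pre-revocation timestamp is only evidence when the key holder, not an attacker, controlled the key at signing time. For a key retired as "no longer used" the old signature still means what it did in 2021, but the clean fix is a re-signature with the current key, which is what the maintainer offers above.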
Comment by David Runge (dvzrv) - Monday, 28 August 2023, 10:50 GMT
New signatures can be found here and will eventually end up on the website: https://github.com/archlinux/archweb/pull/477
