
Qubes templates build command gpg error: Signature by [key] was created after the --not-after date. #8520

Open
adrelanos opened this issue Sep 17, 2023 · 9 comments
Labels
- affects-4.2: This issue affects Qubes OS 4.2.
- C: Whonix: This issue impacts Qubes-Whonix.
- needs diagnosis: Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed.
- P: default: Priority: default. Default priority for new issues, to be replaced given sufficient information.

Comments

@adrelanos
Member

Quoting QubesOS/updates-status#566 (comment) by @fepitre:

```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Build-template r4.2 whonix-gateway-17 202309150833
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCAB9FiEEbpebKKbzfEO+MK+hy41Qu3e7PEgFAmUEF2tfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDZF
OTc5QjI4QTZGMzdDNDNCRTMwQUZBMUNCOEQ1MEJCNzdCQjNDNDgACgkQy41Qu3e7
PEgjJw//Vem9ff/a8isIUM37m2MI9SJNzvuK/NDla/ma3r6JnalewKjGLS6zc/Gh
2DXkNhOJgC3RpbwE6vfb2/tbOkNumu5BQ7g4yt+E8ay3qHHIw916RmbDVNdIM3MA
uG7o86KUDA3G1ouz0JXFI6yxppMbWFuM7UuQb2Hhji2bVD53Mmx/8OgdK3X52vYN
joYptgHwM+LEyZID1xDMK9fMl+OvPAaaOTHx57tg5z8VhBM6JPknTjfZp5m0Qx8p
PgJMvmvos/28H5H1QFZkWrY1BGQVpavUqWOAhRev6RpQRyIO1li2Wh9pbLN7LPJO
+66RiYLsgGOixVYOJ/QUIwL26NXgZYrpQuzafn2kBZ9LqtD6F9YmNayC9ZO1JiHT
1M9O8Nhd612pyNdRwbeECUITCuqZ3GgLsbWXELxxV/nTkr/vAjLOG3xqOVslnVMc
KcQGkqjuSz2n1f5v0hCTMBJ3Ha2V/1pWWt9oX4iQv00Ss03FL33aMMZwiuWLNGcP
GtZaFflkykGyL7aO9YXeuxgFc20aDIS3CZZ4HjkPbU8nxQOaQRI4xcEZqkpIT4+z
vmjSXXzei6Qhk+0Tn9pA7i3IMLyoUopSuz9aTl9ilB3Hq15KbIi2mjCfcfGo/ASE
mU82aGFkAR4aQjvyAMb0gSXP1L175J6GqD23EK76IvQTcpyt3i0=
=HoSa
-----END PGP SIGNATURE-----
```

"Signature by 6E97.....48 was created after the --not-after date." Are you sure you used the key allowed here: https://github.com/QubesOS/qubes-release-configs/blob/main/R4.2/qubes-os-r4.2-templates-community.yml#L99?

I didn't touch my gpg config and I don't mix other keys into that VM. So this issue is surprising.

@adrelanos adrelanos added the labels "P: default" (Priority: default. Default priority for new issues, to be replaced given sufficient information.) and "T: bug" on Sep 17, 2023
@adrelanos
Member Author

Downloaded the text and verified.

```
gpg: Signature made Fri 15 Sep 2023 04:35:55 AM EDT
gpg:                using RSA key 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg: Good signature from "Patrick Schleizer <[email protected]>" [ultimate]
gpg:                 aka "Patrick Schleizer <[email protected]>" [ultimate]
gpg:                 aka "Patrick Schleizer <[email protected]>" [ultimate]
```

How to reproduce the issue?

Maybe a timezone issue...

@marmarek
Member

I'd rather guess it's Whonix's time randomization - the signature has a timestamp of 4:35, but was posted on github at 4:33, which suggests time travel...

@adrelanos
Member Author

Possible to add a sanity test to the template-github command?

> I'd rather guess it's Whonix's time randomization - the signature has timestamp of 4:35, but was posted on github at 4:33, which suggests time travel...

If that's the case, that shouldn't matter?

@marmarek
Member

Gpg signature has a timestamp of when it was made; signatures made in the future are invalid (similar to certificates issued in the future - we see that from time to time on Whonix and LetsEncrypt certificates, but also on Debian release files for Debian fasttrack - this also fails semi-frequently due to wrong time in Whonix...). Gpg in default settings may not verify it, but we use sequoia which is much stricter.
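To make the failure concrete, here is an added example (my own code, not Qubes' template-github tooling and not sequoia) that decodes the armored signature quoted above with only the Python standard library, pulls the creation time out of the hashed subpacket area of the v4 signature packet (RFC 4880 s5.2.3.4) and applies the strict rule marmarek describes: a signature dated later than the verifier's reference time is rejected. It does not verify the RSA signature itself. Two assumptions are mine: the 202309150833 stamp in the signed text is read as UTC and used as the reference time (the thread does not say what the real command compares against), and the skew_tolerance parameter is an invented knob, defaulting to the strict behaviour reported in the issue.

```python
import base64
from datetime import datetime, timezone

# Constructed copy of the signature block posted in this issue (RSA, SHA-256, v4).
ARMORED_SIG = """\
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCAB9FiEEbpebKKbzfEO+MK+hy41Qu3e7PEgFAmUEF2tfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDZF
OTc5QjI4QTZGMzdDNDNCRTMwQUZBMUNCOEQ1MEJCNzdCQjNDNDgACgkQy41Qu3e7
PEgjJw//Vem9ff/a8isIUM37m2MI9SJNzvuK/NDla/ma3r6JnalewKjGLS6zc/Gh
2DXkNhOJgC3RpbwE6vfb2/tbOkNumu5BQ7g4yt+E8ay3qHHIw916RmbDVNdIM3MA
uG7o86KUDA3G1ouz0JXFI6yxppMbWFuM7UuQb2Hhji2bVD53Mmx/8OgdK3X52vYN
joYptgHwM+LEyZID1xDMK9fMl+OvPAaaOTHx57tg5z8VhBM6JPknTjfZp5m0Qx8p
PgJMvmvos/28H5H1QFZkWrY1BGQVpavUqWOAhRev6RpQRyIO1li2Wh9pbLN7LPJO
+66RiYLsgGOixVYOJ/QUIwL26NXgZYrpQuzafn2kBZ9LqtD6F9YmNayC9ZO1JiHT
1M9O8Nhd612pyNdRwbeECUITCuqZ3GgLsbWXELxxV/nTkr/vAjLOG3xqOVslnVMc
KcQGkqjuSz2n1f5v0hCTMBJ3Ha2V/1pWWt9oX4iQv00Ss03FL33aMMZwiuWLNGcP
GtZaFflkykGyL7aO9YXeuxgFc20aDIS3CZZ4HjkPbU8nxQOaQRI4xcEZqkpIT4+z
vmjSXXzei6Qhk+0Tn9pA7i3IMLyoUopSuz9aTl9ilB3Hq15KbIi2mjCfcfGo/ASE
mU82aGFkAR4aQjvyAMb0gSXP1L175J6GqD23EK76IvQTcpyt3i0=
=HoSa
-----END PGP SIGNATURE-----
"""

SUB_CREATION_TIME, SUB_ISSUER_FPR = 2, 33   # signature subpacket types (RFC 4880 s5.2.3.1)

def dearmor(armored: str) -> bytes:
    """Drop armor header/footer, armor headers and the '=CRC24' line; base64-decode the rest."""
    lines = armored.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                      # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def packet_header(data: bytes):
    """Return (tag, body_offset, body_len) for an old-format packet header (RFC 4880 s4.2.1)."""
    t = data[0]
    if t & 0xC0 != 0x80:
        raise ValueError("expected an old-format packet header (new-format not handled here)")
    ltype = t & 0x03                    # 0/1/2 -> 1/2/4-byte length, 3 -> indeterminate
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    width = (1, 2, 4)[ltype]
    return (t >> 2) & 0x0F, 1 + width, int.from_bytes(data[1:1 + width], "big")

def iter_subpackets(buf: bytes):
    """Yield (type, payload) for each signature subpacket in buf."""
    i = 0
    while i < len(buf):
        n = buf[i]
        if n < 192:
            length, i = n, i + 1
        elif n < 255:
            length, i = ((n - 192) << 8) + buf[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
        yield buf[i] & 0x7F, buf[i + 1:i + length]   # mask off the "critical" bit
        i += length

def parse_signature(data: bytes) -> dict:
    """Extract algorithms, issuer fingerprint and creation time from a v4 signature packet."""
    tag, off, length = packet_header(data)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = data[off:off + length]
    if body[0] != 4:
        raise ValueError(f"only v4 signatures handled, got v{body[0]}")
    info = {"sig_type": body[1], "pk_algo": body[2], "hash_algo": body[3],
            "created": None, "issuer_fpr": None}
    hashed_len = int.from_bytes(body[4:6], "big")
    # Only the hashed area is covered by the signature; a creation time in the
    # unhashed area could be rewritten by anyone, so it is deliberately ignored.
    for sub_type, payload in iter_subpackets(body[6:6 + hashed_len]):
        if sub_type == SUB_CREATION_TIME:
            info["created"] = int.from_bytes(payload, "big")   # seconds since the epoch
        elif sub_type == SUB_ISSUER_FPR and payload[0] == 4:
            info["issuer_fpr"] = payload[1:21].hex().upper()
    if info["created"] is None:
        raise ValueError("no creation time in the hashed subpacket area")
    return info

def check_not_after(info: dict, not_after: int, skew_tolerance: int = 0) -> tuple[bool, str]:
    """Reject if the signature was created after not_after (epoch seconds chosen by the verifier)."""
    fmt = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    if info["created"] > not_after + skew_tolerance:     # skew_tolerance: assumed grace window
        return False, (f"Signature by {info['issuer_fpr']} was created after the --not-after date "
                       f"({fmt(info['created'])} > {fmt(not_after)})")
    return True, f"signature made {fmt(info['created'])}, within --not-after {fmt(not_after)}"

def stamp_to_epoch(stamp: str) -> int:
    """Read a YYYYMMDDHHMM build stamp such as 202309150833 as UTC (assumption)."""
    return int(datetime.strptime(stamp, "%Y%m%d%H%M").replace(tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    sig = parse_signature(dearmor(ARMORED_SIG))
    print(sig, *check_not_after(sig, stamp_to_epoch("202309150833")), sep="\n")
```

On the signature above this reports a creation time of 2023-09-15 08:35:55 UTC (gpg's 04:35:55 EDT) against a reference of 08:33 UTC and rejects it; a reference two minutes later, or a tolerance of three minutes, lets it through. It also shows why the check only makes sense on the receiving side: the reference time has to come from a clock the signing VM did not control, which is exactly what a VM with a randomized clock cannot supply for itself.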

@andrewdavidwong andrewdavidwong changed the title from "Qubes templates build command gpg issue Signature was created after the --not-after date" to "Qubes templates build command gpg error: Signature by [key] was created after the --not-after date." on Sep 18, 2023
@andrewdavidwong andrewdavidwong added the labels "C: infrastructure" and "needs diagnosis" (Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed.) on Sep 18, 2023
@DemiMarie

Is there anything to be done on the Qubes side? This seems like a Whonix problem that needs to be worked around in Whonix.

@adrelanos
Member Author

> Is there anything to be done on the Qubes side? This seems like a Whonix problem that needs to be worked around in Whonix.

Possible to add a sanity test to the template-github command?

@marmarek
Member

marmarek commented Dec 1, 2023

@adrelanos this happened again

> Possible to add a sanity test to the template-github command?

What should it do? VM in which you run template-github has wrong time so checking against local time is pointless.
Generally, this all feels like a Whonix bug - yet another issue caused by such aggressive time randomization (next to apt seeing InRelease signed in the future). I don't think adding workarounds for that left and right is the way to go, better fix the root issue and either drastically reduce time range in which clock is randomized (AFAIR you proposed somewhere to have it just +/-1sec, with randomized nanoseconds?) or add an easy opt-out option (or even make it opt-in...).

@andrewdavidwong andrewdavidwong added the labels "C: Whonix" (This issue impacts Qubes-Whonix) and "affects-4.2" (This issue affects Qubes OS 4.2.) and removed the label "C: infrastructure" on Dec 2, 2023
@marmarek
Member

marmarek commented Dec 2, 2023

@adrelanos this happened again

I'm going to post a new, similar command now to retry the build.

@adrelanos
Member Author

> @adrelanos this happened again
>
> > Possible to add a sanity test to the template-github command?
>
> What should it do? VM in which you run template-github has wrong time so checking against local time is pointless.

Only the remote side could check it and reject.

> Generally, this all feels like a Whonix bug - yet another issue caused by such aggressive time randomization (next to apt seeing InRelease signed in the future). I don't think adding workarounds for that left and right is the way to go, better fix the root issue and either drastically reduce time range in which clock is randomized

https://forums.whonix.org/t/boot-clock-randomization-bootclockrandomization/2200/17

> (AFAIR you proposed somewhere to have it just +/-1sec, with randomized nanoseconds?)

For Qubes Templates only that was reduced to +/-1sec indeed already.
https://forums.whonix.org/t/whonix-ws-16-template-fails-to-update-due-to-timing-issue/12739/35

> or add an easy opt-out option

Opt-out is easy and documented here:
https://www.kicksecure.com/wiki/Boot_Clock_Randomization

> (or even make it opt-in...).
