This repository has been archived by the owner on Jun 4, 2021. It is now read-only.

@nickgnazzo's GPG rollup #1604

Merged
merged 2 commits into from
Jul 21, 2019

Conversation

nopdotcom
Member

I snagged this from @nickgnazzo in #1597. See the comment for a detailed changelog. A great job debugging what was going on with our whole GPG architecture.

I did make one minor change: the PuTTY release key didn't match the one on the website byte-for-byte.

I don't have access to the Markdown source to the comment; I tried to get everything but links into the following:

Summary of changes made:

  • Change GPG keyserver to hkps://gpg.mozilla.org
    • For whatever reason, this keyserver doesn't seem affected by the key poisoning attack (yet). I think using this keyserver is likely only a temporary workaround. It might not be part of the SKS Keyserver Pool, but could still be vulnerable to the poisoning attack.
    • Unfortunately, using the new keys.openpgp.org (which has some mitigations against the SKS Keyserver attack) won't work yet. There's an issue causing gpg2 to fail to refresh keys when no "user ID" information is available. The problem here is two-fold: keys.openpgp.org requires email verification in order to allow publishing keys with their email address attached, and gpg2 refuses to process keys that have no user ID when refreshing. So by default, if you don't opt-in/verify your email address with OpenPGP, they won't publish the email associated with a public key (so when you run gpg2 refresh, you get the public keys without any user ID info), and then gpg2 refuses to process/import the keys. This means that in order for this to work, you either have to wait for every key owner in Streisand's keyring to verify their email/identity with OpenPGP, or wait for GnuPG to fix the issue with the gpg2 client (or some other workaround I haven't thought of). The people running the OpenPGP keyserver are "working with" the GnuPG maintainers to address the problem (they mention it here).
      • If you try using keys.openpgp.org yourself, you'll likely see this error somewhere when Streisand runs gpg2 refresh: gpg: key XXXXXXXXXXXXXXXX: no user ID
  • Add Mozilla Keyserver Root CA to dirmngr (using "hkp-cacert" option)
    • Since we want to use hkps, we have to tell dirmngr to trust Mozilla's Root CA to verify TLS. This is currently an Amazon Root CA, which is cross-signed by Starfield. So I just pointed dirmngr to the Starfield PEM file located in /etc/ssl/certs, which should be available by default.
  • Modify GPG Key ID used to verify Tor download signatures
    • Apparently the Key ID used to sign Tor downloads has changed recently. From what I can tell, the old key ID used by Streisand was C3C07136 (which seems to be Georg Koppen's pubkey), but they have switched to using the pubkey with user ID "The Tor Browser Developers" (D9FF06E2). Both of these key IDs are on Tor's signing keys page.
    • I needed to make this change for the "Verify" step of the Download/Mirror Tor Browser task to work. Otherwise, the signatures would technically show as "Good", but Streisand was looking for the old key ID in the verification command output to test if the verify worked, and thought it was failing.
  • Modify GPG Key ID used to verify OpenVPN download signatures
    • Same deal as the Tor GPG change I mentioned above: the OpenVPN signing key in Streisand seems to also be outdated. I changed this from AF131CAE to 5ACFEAC6 within Streisand's variables and that made the verification pass for me.
    • Source of new key ID can be found on OpenVPN's page. It is technically a subkey of the key found on that page (I was able to find the new subkey 5ACFEAC6 in a few keyservers).
    • This seems like it's being tracked in a few other issues on Streisand's GitHub.
  • Add new PuTTY Signing Key to Streisand's "Bootstrap GPG Keys"
    • Since the new Key ID used for PuTTY signatures is a new standalone key (and not a subkey of the current master key), I had to add it to Streisand's "Bootstrap GPG Key" setup tasks in order to get the PuTTY verification to work. Since it's not a subkey of the current signing key, it won't be downloaded when we run gpg refresh.
    • These keys live under playbooks/roles/gpg/files/ and are imported using the variable streisand_bootstrap_gpg_keys (referenced by another task).
  • Modify PuTTY Key ID used to verify PuTTY download signatures
    • Change key ID from B43434E4 to 4AE8DA82 within Streisand variables.
      • Source of new key ID can be found here
      • Seems this is being tracked in another issue.
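The description above touches two things worth seeing end to end: pointing dirmngr at an hkps keyserver with an explicit CA bundle, and the "Verify" step that broke because it looked for a short key ID in gpg's human-readable output. The script below is an added example, not Streisand's code and not part of this PR. It writes a sample dirmngr.conf (the Starfield PEM filename is an assumption about the Debian/Ubuntu ca-certificates layout) and then checks a signature by parsing gpg's machine-readable `--status-fd` lines for the expected full primary-key fingerprint. All fingerprints and status lines in it are constructed placeholders, and the function names are mine.

```shell
#!/bin/sh
# Added example (not Streisand's own code).
#  (1) write_dirmngr_conf: hkps keyserver plus the CA bundle dirmngr should
#      use to verify its TLS certificate (PEM path is an assumption; check
#      your system's ca-certificates layout).
#  (2) verify_status_has_key: instead of grepping a short key ID out of the
#      human-readable "Good signature" text, read the machine-readable status
#      lines and require a VALIDSIG whose primary-key fingerprint equals the
#      one we expect. Short 8-hex IDs like D9FF06E2 are cheap to collide; a
#      full 40-hex fingerprint is not.

write_dirmngr_conf() {
    # $1: path to write, e.g. "$HOME/.gnupg/dirmngr.conf"
    cat > "$1" <<'EOF'
keyserver hkps://gpg.mozilla.org
hkp-cacert /etc/ssl/certs/Starfield_Class_2_CA.pem
EOF
}

# Reads gpg status lines on stdin; succeeds only if some VALIDSIG line's
# last field (the primary-key fingerprint) equals "$1".  Checking the
# primary fingerprint means a signature made by a newly issued subkey (the
# OpenVPN case in the PR) still verifies, while an unrelated key fails.
# Line format, from GnuPG's doc/DETAILS:
# [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <rsv> <pk> <hash> <class> <primary-fpr>
verify_status_has_key() {
    expected=$1
    found=1
    while IFS=' ' read -r tag kw rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        [ "$kw" = "VALIDSIG" ] || continue
        primary=${rest##* }          # last whitespace-separated field
        [ "$primary" = "$expected" ] && found=0
    done
    return $found
}

# Constructed placeholder fingerprints (not real keys).
EXPECTED_PRIMARY=2222222222222222222222222222222222222222
SIGNING_SUBKEY=1111111111111111111111111111111111111111
OTHER_PRIMARY=3333333333333333333333333333333333333333

# Constructed status output: good signature from a subkey of the expected key.
status_good() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 1111111111111111 Example Signer <signer@example.invalid>' \
        "[GNUPG:] VALIDSIG $SIGNING_SUBKEY 2019-07-20 1563580800 0 4 0 1 10 00 $EXPECTED_PRIMARY" \
        '[GNUPG:] TRUST_UNDEFINED 0 pgp'
}

# Constructed status output: a perfectly good signature, but from an
# unrelated key. gpg prints "Good signature" here too, so a check that only
# greps for that text would pass; the fingerprint check must reject it.
status_wrong_key() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 3333333333333333 Someone Else <else@example.invalid>' \
        "[GNUPG:] VALIDSIG $OTHER_PRIMARY 2019-07-20 1563580800 0 4 0 1 10 00 $OTHER_PRIMARY"
}

# Constructed status output: bad signature, so no VALIDSIG line at all.
status_bad() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] BADSIG 1111111111111111 Example Signer <signer@example.invalid>'
}

check_good()      { status_good      | verify_status_has_key "$EXPECTED_PRIMARY"; }
check_wrong_key() { status_wrong_key | verify_status_has_key "$EXPECTED_PRIMARY"; }
check_bad()       { status_bad       | verify_status_has_key "$EXPECTED_PRIMARY"; }

# Real use, after importing the expected key into the keyring (the PR's Tor
# case; file names are illustrative):
#   gpg --status-fd 1 --verify tor-browser.tar.xz.asc tor-browser.tar.xz \
#     | verify_status_has_key "$EXPECTED_PRIMARY"
```

With `--status-fd 1` the status lines go to stdout and the human-readable text to stderr, so the pipeline sees only the parseable lines. Comparing the primary fingerprint rather than the signing subkey's is what lets a rotated subkey keep passing without editing the playbook variable every time upstream rotates.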

nickgnazzo and others added 2 commits July 20, 2019 16:08
curl -o [email protected] \
   https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/release-2018.asc

This above key was double-checked with the keyservers. (It generally
matches the key in @nickgnazzo's patch, but is not bit-for-bit
identical.)
@nopdotcom nopdotcom requested review from alimakki, CorbanR and jlund July 21, 2019 00:04
Collaborator

@nickolasclarke nickolasclarke left a comment


Lgtm

@nopdotcom nopdotcom merged commit e3a80d3 into StreisandEffect:master Jul 21, 2019
@nopdotcom nopdotcom deleted the nickgnazzo-gpg-rollup branch July 21, 2019 02:56
alimakki pushed a commit to alimakki/streisand that referenced this pull request Dec 10, 2020
* Move to Mozilla GPG Keyserver, fix a few GPG verifications