new gpg project key #3863
Type of key:

RedHat's how to sign rpms with GPG documentation is very poor and does not cover the types of keys or the use of subkeys at all: it only says generate a gpg key pair on the machine. I wanted to use an

As for subkeys, Pitfalls with RPM and GPG states that Your key cannot have any sub-keys.
Is this still relevant in 2023? Who knows. Can we use

Fun read: It's a cluster of RPM bugs: Not just one bug, or two bugs. A nest of the critters. RPM fails (failed?) to validate signed packages, didn't understand v4 GPG signatures but didn't notice it didn't understand them, didn't understand some key sizes and types but didn't notice it didn't understand that, and also choked on subkeys!

Size of key:

Hopefully, all the package validation tools can handle 4096 bits nowadays - that was not always the case!

Expiry:

10 years to avoid having to go through this pain again.

Result:

Using a
Use the "old" key to sign it with "ultimate trust":
Upload to key servers and
The MS Windows installer is now signed using a brand new key, generated as before using:

```
makecert.exe -r -pe -n "CN=Xpra,[email protected]" -ss CA -sr CurrentUser -a sha256 -cy authority -sky signature -sv xpra-ca.pvk xpra-ca.cer
certutil.exe -user -addstore Root xpra-ca.cer
makecert.exe -pe -n "CN=Xpra,[email protected]" -a sha256 -cy end -sky signature -ic xpra-ca.cer -iv xpra-ca.pvk -sv xpra.pvk xpra.cer
```

And this new signing key expires in 2040:

And the certificate files are now here:

```
certutil.exe -user -addstore Root xpra-ca.cer
```

(I couldn't figure out how to make it trust this CA only for installing software, either from the GUI or the command line)
For Debian / Ubuntu distributions using the old:

```
wget -qO - https://xpra.org/xpra-2023.asc | sudo apt-key add -
```

If using the new:

```
sudo wget -O "/usr/share/keyrings/xpra.asc" https://xpra.org/xpra-2023.asc
```

This still does not work.
I believe the command should be:
But can confirm that this did work for me! Huzzah!
reported in #3861, this is the cut & paste solution (as root):

```bash
bash -c '{ : \
&& wget -O "/usr/share/keyrings/xpra.asc" https://xpra.org/xpra-2023.asc \
&& wget -O "/etc/apt/sources.list.d/xpra-beta.sources" https://raw.githubusercontent.com/Xpra-org/xpra/master/packaging/repos/bookworm/xpra-beta.sources \
&& apt-get update \
&& pkg=("xpra" "xpra-html5") \
&& { [[ $HOSTTYPE != aarch64 ]] && pkg+=("xpra-x11"); true; `### x86_64 only`; } \
&& apt-get install -y --no-install-recommends "${pkg[@]}" \
&& rm -f /var/lib/apt/lists/xpra*; }'
```

Edited by maintainer: please don't do that!
I am not sure if one should be "lightly" meddling with the internals of apt-get - nor if we should recommend it 😕 The "average Joe's" way is documented in https://github.com/Xpra-org/xpra/wiki/Download (I am just now updating it a little bit to match the transient nature of this ticket)

The described way at https://github.com/Xpra-org/xpra/wiki/Download doesn't work on kali (pub key error), see #3861. The only work-around atm seems to be to use the -beta branch. Would it make sense to describe on the webpage that the default branch is not working and that only the -beta branch works for the time being?

I agree that it could be beneficial to inform users on the webpage about the current status of the default branch. However, I will defer this to @totaam for a final decision. It's possible that he is on the brink of deploying a stable version, signed with the new key - making all of these obsolete. That said, I do have some reservations about suggesting complex or potentially hazardous commands in a visible issue. We're all responsible for our own terminals - that goes without saying. A little caution can also go a long way, especially when dealing with "potentially dangerous commands" on an elevated terminal, and dealing with "you-shouldn't-care" esoterics.
I have been on the brink of deploying the new GPG key to all the repos for a while. This will finally include the stable repo since the deployment to the beta one seems to have gone well. (ignoring "it doesn't work" type of messages which are unactionable) So, to get there, I still need to:
To do that, I have to first test as many combinations as possible (including 5.0 beta) on as many platforms as possible, with as many browsers as possible. Each one of these steps can take many days. For a start, doing a full build from a single branch takes multiple days - even on the new hardware VPO has provided - and when things go wrong, and they invariably do, then I have to start again. I'm also keenly aware that a number of other projects / organizations are relying on the xpra repositories. The constant stream of complaints about the GPG key was an eye opener. This is making me seriously re-consider the way this project is managed and in particular, my role in it.

🕯️ 🕯️ 🕯️ 🕯️ 🕯️ 🕯️ 🕯️ 🕯️ 🕯️ 🕯️ It could be. If your labor is only appreciated by words, and "projects / organizations" are not willing to step in (but are willing to "cash in") ... maybe you should not torture yourself. 🥲

Uh. OSS Maintainer burnout sucks. I'm sorry. Just letting you know that I love this project and promote it wherever I go. Please find a maintainable pace for yourself. From my perspective -- as long as there is a documented way for me to install xpra from the repos, I'm good. I don't care if I have to switch approaches every so often as things change. It's free software, that's the price of doing business. Also, thanks for jumping on getting these fixes in etc. It really is appreciated. Also, I don't know if it helps, but is there a way we could push testing down to the community - at least some?

It's all live:
This works on Ubuntu, and I can confirm it in 22.04:
I'm just an individual occasionally using xpra at home, but if there were an obvious way to do it, I'd buy you a coffee occasionally. Put it on the xpra.org webpage? If you've got a budget, you might also put a little thermometer indicating how much you need. Edit: I'm only just seeing the "sponsorship" link below. I'm not going to buy you a coffee through this Microsoft platform though...

@DiagonalArg What's wrong with "this Microsoft platform"? AFAICT, they don't take a cut.

I assume @totaam qualifies as an individual, even though https://github.com/Xpra-org/xpra itself is an org.

Additionally, I have no interest in linking my identity and interests for Microsoft.
Seeing how many problems we have with the old expired GPG key: #3846, #3848, #3858, #3861
The best thing to do is probably to start with a brand new project key, instead of using my personal one.
This is going to be a pain, trying to figure out which distributions support what types of keys and subkeys is going to take time too.
(i.e.: Debian discarding the whole key if there is a SHA1 signature in it instead of ignoring that signature... why, oh why)
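The thread's recurring worries about a project key are whether it carries subkeys, what size it is, and whether any of its signatures use SHA1 (which makes Debian's apt reject the whole key). The following added example, not code from the Xpra project, is a minimal OpenPGP packet walker that audits an ASCII-armored public key for exactly those three properties before it is published; the sample key at the bottom is constructed by hand (valid packet framing, dummy key material, a fake CRC line) so the script runs offline.

```python
import base64

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
PK_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

def dearmor(armored):
    """Strip ASCII armor (BEGIN/END lines, headers, CRC24 line) and return raw packet bytes."""
    body = armored.strip().splitlines()[1:-1]
    if "" in body:
        body = body[body.index("") + 1:]          # armor headers end at the first blank line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def packets(data):
    """Yield (tag, body) for each OpenPGP packet, handling old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        b = data[i]; i += 1
        if b & 0x40:                                  # new-format header
            tag, l1 = b & 0x3F, data[i]; i += 1
            if l1 < 192: n = l1
            elif l1 < 224: n = ((l1 - 192) << 8) + data[i] + 192; i += 1
            elif l1 == 255: n = int.from_bytes(data[i:i + 4], "big"); i += 4
            else: raise ValueError("partial body lengths are not used in key exports")
        else:                                         # old-format header
            tag, lt = (b >> 2) & 0x0F, b & 3
            if lt == 3: n = len(data) - i             # indeterminate length: rest of input
            else:
                w = (1, 2, 4)[lt]; n = int.from_bytes(data[i:i + w], "big"); i += w
        yield tag, data[i:i + n]; i += n

def audit_key(armored):
    """Report primary key algorithm/size, subkey count and the hash algorithm of every signature."""
    report = {"primary": None, "subkeys": 0, "sig_hashes": []}
    for tag, body in packets(dearmor(armored)):
        if tag == 6 and body[0] == 4:                 # v4 public key: version, time(4), algo, MPIs
            alg = body[5]
            bits = int.from_bytes(body[6:8], "big") if alg in (1, 17) else None  # MPI bit length (RSA n / DSA p)
            report["primary"] = (PK_NAMES.get(alg, str(alg)), bits)
        elif tag == 14:                               # public subkey packet
            report["subkeys"] += 1
        elif tag == 2:                                # signature: hash algo at offset 3 (v4/v5) or 16 (v3)
            off = 3 if body[0] >= 4 else 16
            report["sig_hashes"].append(HASH_NAMES.get(body[off], str(body[off])))
    return report

def weak_signatures(armored):
    """Signatures Debian's apt will reject the key for (MD5/SHA1)."""
    return [h for h in audit_key(armored)["sig_hashes"] if h in ("MD5", "SHA1")]

def _pkt(tag, body):                                  # new-format header with a one-octet length
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed sample, NOT a real key: v4 RSA key claiming a 4096-bit modulus, one user ID,
# a SHA1 self-signature and a SHA256 signature, no subkeys; the "=XXXX" CRC line is a placeholder.
SAMPLE_RAW = (_pkt(6, bytes([4, 0, 0, 0, 0, 1]) + (4096).to_bytes(2, "big") + b"\x00\x00")
              + _pkt(13, b"Xpra test key <test@example.invalid>")
              + _pkt(2, bytes([4, 0x13, 1, 2]) + b"\x00" * 4)
              + _pkt(2, bytes([4, 0x10, 1, 8]) + b"\x00" * 4))
SAMPLE_KEY = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(SAMPLE_RAW).decode()
              + "\n=XXXX\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Run `audit_key` over `gpg --armor --export <keyid>` output to see the same report for a real key; a non-empty `weak_signatures` result means the SHA1 signatures should be removed or the key re-signed before it goes into `/usr/share/keyrings/`.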