Opened 4 years ago

Closed 4 years ago

Last modified 2 years ago

#12994 closed defect (fixed)

deb.torproject.org archive signing key expired

Reported by: TorAmateurDev | Owned by:
Priority: Medium | Milestone:
Component: Internal Services/Service - dist | Version:
Severity: | Keywords:
Cc: weasel, intrigeri | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:

Description

Hello, while trying to update Tor on Debian Wheezy I noticed that the gpg key used to sign the apt archive is now expired.

pub   2048R/886DDD89 2009-09-04 [expires: 2014-09-03]
      Key fingerprint = A3C4 F0F9 79CA A22C DBA8 F512 EE8C BC9E 886D DD89
uid                  deb.torproject.org archive signing key
sub   2048R/219EC810 2009-09-04 [expires: 2014-08-29]

Thank you.

Change History (9)

comment:1 Changed 4 years ago by atagar

Component: - Select a component → Service - dist

Think this is the right component. Just got a report on the lists too...

https://lists.torproject.org/pipermail/tor-relays/2014-August/005205.html

comment:2 Changed 4 years ago by arma

You need to fetch the key again.

comment:3 Changed 4 years ago by arma

Cc: weasel added

But that apparently isn't sufficient:

$ gpg --edit-key 886DDD89
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  2048R/886DDD89  created: 2009-09-04  expires: 2016-08-28  usage: SC
                     trust: unknown       validity: unknown
sub  2048R/219EC810  created: 2009-09-04  expired: 2014-08-29  usage: S
[ unknown] (1). deb.torproject.org archive signing key

It has a subkey still, and that subkey has expired.

comment:4 Changed 4 years ago by lucykrings

I have the same problem :-( Subkey expired. It was a fresh install.

pi@raspberry ~/debian-packages $ gpg -v --list-keys
gpg: using PGP trust model
/home/pi/.gnupg/pubring.gpg

----
gpg: NOTE: signature key 219EC810 expired Fri 29 Aug 2014 15:21:21 UTC
pub   2048R/886DDD89 2009-09-04 [expires: 2016-08-28]
uid                  deb.torproject.org archive signing key
sub   2048R/219EC810 2009-09-04 [expired: 2014-08-29]

comment:5 Changed 4 years ago by arma

weasel is now aware of the issue, and says he'll get to it Sundayish.

comment:6 Changed 4 years ago by dawuud

I suggest adding a nagios alert set for a couple of weeks before the next key expiration date.
Nagios can be configured to run this service check once per day...
and it could even be something super simple like this:

#!/bin/bash

# Compare dates as YYYYMMDD integers.
today_date=$(date +"%Y%m%d")
# Date from which the check starts warning.
warning_date=$(date -d 2015-08-31 +"%Y%m%d")

if [ "$today_date" -ge "$warning_date" ]
then
 echo 'Warning: APT key expiration will happen soon'
 exit 1 # Nagios plugin return code for WARNING
else
 echo 'OK'
 exit 0
fi
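
The failure in this ticket was a subkey expiring while the primary key had already been extended, which a check against one hardcoded date would not notice. As an added example (not part of the ticket and not code from any commenter or the Tor Project), the check below reads the expiry of the primary key and every subkey from `gpg --with-colons` records. It assumes epoch-second dates in field 7; the function name, the sample records and the 14-day threshold are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the ticket. Nagios-style check that looks at the
# primary key AND every subkey, reading `gpg --with-colons` records on stdin.
# Assumption: field 7 holds the expiry as epoch seconds (GnuPG 2.x, or 1.4
# with --fixed-list-mode); an empty field 7 means the key never expires.

# check_key_expiry NOW_EPOCH WARN_DAYS   (hypothetical helper name)
# Prints one status line; returns 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
check_key_expiry() {
  local now=$1 warn_days=$2 out rc=0
  out=$(awk -F: -v now="$now" -v warn="$((warn_days * 86400))" '
    $1 == "pub" || $1 == "sub" {
      seen++
      if ($7 == "") next                      # no expiry set
      left = $7 - now
      if (left <= 0)         expired = expired " " $1 ":" $5
      else if (left <= warn) soon = soon " " $1 ":" $5 "(" int(left / 86400) "d)"
    }
    END {
      if (!seen)   { print "UNKNOWN: no pub/sub records in input"; exit 3 }
      if (expired) { print "CRITICAL: expired:" expired; exit 2 }
      if (soon)    { print "WARNING: expiring soon:" soon; exit 1 }
      print "OK: " seen " key(s) valid for more than " warn / 86400 " days"
    }') || rc=$?
  printf '%s\n' "$out"
  return "$rc"
}

# Constructed sample modelled on the ticket: primary extended to 2016-08-28,
# signing subkey expired 2014-08-29 15:21:21 UTC. Only the short subkey ID
# appears in the ticket, so its upper half is zero-padded here.
SAMPLE='pub:-:2048:1:EE8CBC9E886DDD89:1252022400:1472342400::-:::sc:
uid:-::::1252022400::::deb.torproject.org archive signing key:
sub:e:2048:1:00000000219EC810:1252022400:1409325681:::::s:'

# Real use (hypothetical wiring):
#   gpg --with-colons --fixed-list-mode --list-keys \
#       A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 \
#     | check_key_expiry "$(date +%s)" 14
# Demo on the sample, evaluated as of 2014-08-30 12:00 UTC:
printf '%s\n' "$SAMPLE" | check_key_expiry 1409400000 14 || true
```
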

comment:7 in reply to:  5 Changed 4 years ago by manvvip

Replying to arma:

weasel is now aware of the issue, and says he'll get to it Sundayish.

Fingers crossed for Sundayish then :)

comment:8 Changed 4 years ago by intrigeri

Cc: intrigeri added

comment:9 Changed 4 years ago by weasel

Resolution: fixed
Status: new → closed

Expiration date updated.

If people want their copy of the key updated via the deb.torproject.org-keyring package, they will have to apt-get update and upgrade before we either release the next set of debs or, if we don't do that any time soon, then no later than October 10th. (Right now the Release file is signed with the primary key. New releases will sign those files with the previously expired subkey.)

Of course users are always free to manually update their copy of the key from the keyserver network using

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -