Opened 3 years ago

Closed 3 years ago

#19737 closed defect (fixed)

gpg/gk.gpg and gpg/torbutton.gpg are expired since 2016-07-19

Reported by: dcf
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-gitian, TorBrowserTeam201607R
Cc: boklm
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I'm at bd20a2aa5a157eb7d8afd87811c9ebbe0127b654. make alpha gives:

object c1254f115537fc415d8c1ef22624b7a171afb4fe
type commit
tag 0.2.9.3
tagger Georg Koppen <gk@torproject.org> 1464122038 +0000

Tagging 0.2.9.3
gpg: Signature made Tue 24 May 2016 01:34:06 PM PDT using RSA key ID 24690903
gpg: Good signature from "Georg Koppen <gk@torproject.org>"
gpg:                 aka "Georg Koppen <georg@getfoxyproxy.org>"
gpg:                 aka "Georg Koppen <groeg@vfemail.net>"
gpg: Note: This key has expired!
Primary key fingerprint: 35CD 74C2 4A9B 15A1 9E1A  81A1 9437 3AA9 4B7C 3223
     Subkey fingerprint: 02FE 378C 9F67 963E 916F  5BE9 BBB9 7AC9 2469 0903
error: could not verify the tag '0.2.9.3'
tor-launcher: verification of tag 0.2.9.3 against branches/tor-browser-bundle/gitian/gpg/torbutton.gpg failed!

Child Tickets

Change History (10)

comment:1 Changed 3 years ago by dcf

Summary: gpg/gk.gpg is expired since 2016-07-19 → gpg/gk.gpg and gpg/torbutton.gpg are expired since 2016-07-19

comment:2 Changed 3 years ago by gk

Keywords: tbb-gitian added

*Sigh*. I guess there is no good solution for this kind of issue. :( We could do the same as the Qubes folks and create one never expiring key for the git tags. But that would be another key to handle properly and we would need to deal with the issue that more than one of us should be able to tag things for official builds. And then there is the revocation issue in case things go wrong...

I think what we could do is make sure that at least the latest release in every series is always buildable. If one wants to build older Tor Browser versions it is fine to me if this is not working out of the box due to issues with signed git tags (one could easily work around by setting VERIFY_TAGS to 0).

comment:3 Changed 3 years ago by dcf

I worked around it by copying gk's current key on top of gpg/gk.gpg and gpg/torbutton.gpg.

I tried using --trust-model always but that doesn't work because "this trust model still does not allow the use of expired, revoked, or disabled keys."

Maybe it would work to migrate to using gpgv, because it "assumes that all keys in the keyring are trustworthy ... it does not check for expired or revoked keys."

comment:4 Changed 3 years ago by boklm

Cc: boklm added

comment:5 in reply to: 3 Changed 3 years ago by boklm

Keywords: TorBrowserTeam201607R added
Status: new → needs_review

Replying to dcf:

Maybe it would work to migrate to using gpgv, because it "assumes that all keys in the keyring are trustworthy ... it does not check for expired or revoked keys."

I tried doing that, however it seems the exit status from the gpg command is not enough for git to accept the signature. In addition to that, it is using the --status-fd=1 argument and checks that the output contains a GOODSIG line. In the case of gpgv and a signature made using an expired key, the --status-fd=1 output is the same as with gpg, and we have an EXPKEYSIG line instead of a GOODSIG line, so git does not accept it. According to gpg documentation, EXPKEYSIG means "The signature with the keyid is good, but the signature was made by an expired key".

I attached a patch which adds a gpg wrapper which replaces the EXPKEYSIG by a GOODSIG, and sets the exit status to 0, when the output contains an EXPKEYSIG line and no REVKEYSIG, BADSIG, ERRSIG line.

In addition to that, we should probably remove the obsolete sub-keys from the keyring files, so they cannot be used.

comment:6 Changed 3 years ago by boklm

I attached a new version of the patch which is a little simpler. We are now using gpgv so we don't have to replace the gpg exit status, and simply replace the EXPKEYSIG lines with GOODSIG.
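As an added example, and not boklm's attached patch (which the ticket does not reproduce), the following POSIX shell wrapper implements the status-line rewrite described in comments 5 and 6: it buffers gpgv's --status-fd output, turns EXPKEYSIG into GOODSIG only when no REVKEYSIG, BADSIG or ERRSIG line is present, and returns success only if a GOODSIG line results. The git invocation it assumes (a detached signature file followed by '-' for the signed data on stdin), the KEYRING variable, the placeholder key id and the sample status lines are all constructed for this example.

```shell
#!/bin/sh
# Example gpg.program wrapper for git, written for this ticket as an illustration
# (not the ticket's attached patch). git reads the --status-fd=1 output of the
# configured gpg program and accepts a signature only if it sees a GOODSIG line;
# gpgv reports a good signature from an expired key as EXPKEYSIG instead.

# accept_status: read the full status output on stdin and write it back on stdout.
#   - If any REVKEYSIG, BADSIG or ERRSIG line is present, pass the output through
#     unchanged and return 1 (never upgrade a revoked, bad or erroneous signature).
#   - Otherwise rewrite EXPKEYSIG to GOODSIG and return 0 only if a GOODSIG line
#     is present in the result.
accept_status() {
    status=$(cat)
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (REVKEYSIG|BADSIG|ERRSIG) '; then
        printf '%s\n' "$status"
        return 1
    fi
    status=$(printf '%s\n' "$status" | sed 's/^\[GNUPG:\] EXPKEYSIG /[GNUPG:] GOODSIG /')
    printf '%s\n' "$status"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '
}

# Constructed samples of gpgv --status-fd output (placeholder key id, not from the ticket).
SAMPLE_EXPIRED='[GNUPG:] KEYEXPIRED 1468886400
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Signer <signer@example.org>'
SAMPLE_REVOKED='[GNUPG:] KEYREVOKED
[GNUPG:] REVKEYSIG 0123456789ABCDEF Example Signer <signer@example.org>'
SAMPLE_BAD='[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>'
SAMPLE_GOOD='[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>'

# wrapper_main: entry point when installed as git's gpg.program. Assumes (this is
# the example's assumption, not something the ticket states) that git passes the
# detached signature file immediately before a '-' argument, with the signed data
# on stdin, and that KEYRING names the keyring file to verify against.
wrapper_main() {
    keyring="${KEYRING:-keyring.gpg}"   # placeholder path
    sigfile=''
    prev=''
    for arg in "$@"; do
        [ "$arg" = '-' ] && sigfile="$prev"
        prev="$arg"
    done
    [ -n "$sigfile" ] || { echo 'wrapper: no signature file argument' >&2; return 2; }
    # gpgv's human-readable output goes to stderr; only the status stream is filtered.
    gpgv --keyring "$keyring" --status-fd=1 "$sigfile" - | accept_status
}

# Only act as the wrapper when invoked with arguments (i.e. by git).
if [ "$#" -gt 0 ]; then
    wrapper_main "$@"
fi
```

Because the wrapper deliberately widens what git accepts, the keyring file becomes the whole trust decision: any expired key still present in it will verify. That is the reason comment 5 also asks for obsolete sub-keys to be removed from the keyring files, and the same pruning applies to any keyring this wrapper is pointed at.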

comment:7 Changed 3 years ago by serene

Confirming that applying boklm's patch seems to have fixed the gpg expiry issues at least on my end when I try to build.

comment:8 Changed 3 years ago by gk

Resolution: fixed
Status: needs_review → closed

We used this for 6.0.3 and 6.5a2 + 6.5a2-hardened (adcf907e1d54de5b9fcca736ca28b69d70c738fb, 7923b2184b46d4f9b861db256f28e00ee47d390d and c6458e49f9dd51708e22c84f26195c50d0ff2d0b).
