Opened 4 months ago

Closed 4 months ago

#31079 closed defect (fixed)

Update Mozilla gpg key

Reported by: boklm
Owned by: tbb-team
Priority: Immediate
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-rbm, TorBrowserTeam201907R
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The build of tbb-8.5.4-build1 fails with the error:

Error: File SHA512SUMS-60.8.0esr-build1 is not signed with a valid key

We need to update the key in keyring/firefox.gpg to add the new subkey.

Change History (5)

comment:1 Changed 4 months ago by boklm

Keywords: TorBrowserTeam201907R added; TorBrowserTeam201907 removed
Status: new → needs_review

There is a patch for review in branch bug_31079:
https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_31079&id=702bb68507a94fb3aaf2a145188428a0f72a1de0

At the same time as we add the new subkey F1A6668FBB7D572E, we remove the expired subkeys that we don't need anymore.

This is the diff from the output of ./tools/keyring/list-all-keyrings:

--- tmp/bug_31079.before        2019-07-04 02:07:25.307000000 +0200
+++ tmp/bug_31079.after 2019-07-04 02:07:16.883000000 +0200
@@ -20,8 +20,7 @@
 pub   rsa4096/61B7B526D98F0353 2015-07-17 [SC]
       14F26682D0916CDD81E37B6D61B7B526D98F0353
 uid                 [ unknown] Mozilla Software Releases <release@mozilla.com>
-sub   rsa4096/1C69C4E55E9905DB 2015-07-17 [S] [expired: 2017-07-16]
-sub   rsa4096/BBBEBDBB24C6F355 2017-06-22 [S] [expired: 2019-06-22]
+sub   rsa4096/F1A6668FBB7D572E 2019-05-30 [S] [expires: 2021-05-29]
 
 ./keyring/goptlib.gpg
 ---------------------
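
Review bot: On the added line "+sub   rsa4096/F1A6668FBB7D572E 2019-05-30 [S] [expires: 2021-05-29]" the new subkey is identified only by its 64-bit key ID, while the primary key above it is listed with its full fingerprint 14F26682D0916CDD81E37B6D61B7B526D98F0353. Please record the subkey's full fingerprint in the commit message, checked against a source other than the place the key was downloaded from, so the reviewer can confirm what was imported. Two smaller points on the same hunk: BBBEBDBB24C6F355 expired only on 2019-06-22, so any SHA512SUMS file signed with it will stop verifying against this keyring, and it is worth confirming that no branch still builds a release signed by that subkey; and the new subkey expires on 2021-05-29, so the same build failure will come back around then unless the date is tracked.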

comment:2 Changed 4 months ago by gk

Resolution: fixed
Status: needs_review → closed

Thanks! Looks good and I merged the fix to master (commit 702bb68507a94fb3aaf2a145188428a0f72a1de0) and cherry-picked it to maint-8.5 (commit 94aa3c732f00da573c45ff5236096f090439d5dc).

comment:3 Changed 4 months ago by boklm

Resolution: fixed
Status: closed → reopened

As I updated the keyring/firefox.gpg keyring using gpg 2.1 and the tools/keyring/drop-expired-sub-keys script, it seems it converted it to the keybox format, which is only compatible with gnupg >= 2.1. This makes it incompatible with the gpg version from Debian oldstable.
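
A check for the format problem described in comment 3, as an added example that is not part of the ticket or of tor-browser-build: it tells a keybox file from a binary OpenPGP keyring and, for the latter, walks the packets to count primary keys and subkeys. The function names, the report keys and the sample bytes are assumptions made for illustration; it inspects the container format only and verifies no signatures.

```python
import struct

KBX_MAGIC = b"KBXf"  # bytes 8..11 of a keybox header blob (GnuPG >= 2.1); byte 4 is blob type 1
TAG_PUBKEY, TAG_SUBKEY = 6, 14  # OpenPGP packet tags (RFC 4880, section 4.3)

def packet_tags(data):
    """Walk a binary OpenPGP keyring and return the tag of every packet."""
    tags, pos = [], 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError(f"not an OpenPGP packet at offset {pos}")
        if first & 0x40:                          # new-format header
            tag, o1 = first & 0x3F, data[pos + 1]
            if o1 < 192:
                length, hdr = o1, 2
            elif o1 < 224:
                length, hdr = ((o1 - 192) << 8) + data[pos + 2] + 192, 3
            elif o1 == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body length in a keyring")
        else:                                     # old-format header
            tag, ltype = (first & 0x3C) >> 2, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length in a keyring")
            size = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), 1 + size
        if pos + hdr + length > len(data):
            raise ValueError("truncated packet")
        tags.append(tag)
        pos += hdr + length
    return tags

def keyring_report(data):
    """Classify keyring bytes; for the pre-2.1 format, count keys and subkeys."""
    if data[4:5] == b"\x01" and data[8:12] == KBX_MAGIC:
        return {"format": "keybox", "readable_before_gpg_2_1": False}
    try:
        tags = packet_tags(data)
    except (ValueError, IndexError, struct.error) as exc:
        return {"format": "unknown", "readable_before_gpg_2_1": False, "error": str(exc)}
    ok = bool(tags) and tags[0] == TAG_PUBKEY
    return {"format": "openpgp-keyring" if ok else "unknown", "readable_before_gpg_2_1": ok,
            "primary_keys": tags.count(TAG_PUBKEY), "subkeys": tags.count(TAG_SUBKEY)}

# Constructed samples with dummy packet bodies (not real key material)
SAMPLE_LEGACY = b"\x98\x03abc" + b"\xb4\x02id" + b"\xc2\x01s" + b"\xb9\x00\x02sk"
SAMPLE_KEYBOX = struct.pack(">IBBH4s", 32, 1, 1, 0, KBX_MAGIC) + bytes(20)
```

Run over the bytes of each file under keyring/ before committing, a "keybox" result flags a keyring that older gpg versions cannot read.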

comment:4 Changed 4 months ago by boklm

Status: reopened → needs_review

comment:5 Changed 4 months ago by gk

Resolution: fixed
Status: needs_review → closed

Merged to master (commit 142841696c055fff8b16e143cfe35609a6f0b223) and cherry-picked to maint-8.5 (commit cbe1fe2419c0f18b25a79e8d9eec0288af60f826), thanks!