Bug 283402

Summary:	Handbook contains incorrect instructions for GPG verification of install iso images.
Product:	[OLD] Docs on www.gentoo.org	Reporter:	rhywek
Component:	Installation Handbook	Assignee:	nm (RETIRED) <nightmorph>
Status:	RESOLVED FIXED
Severity:	normal	CC:	docs-team, klaas.decanniere
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description rhywek 2009-09-01 12:33:29 UTC

Handbook should be updated concerning the stage3 and iso gpg verification process. This is important, as failure during iso signature verification results in the lack of trust of users.

The instructions given by the handbook:

$ gpg --keyserver subkeys.pgp.net --recv-keys 17072058
$ gpg --verify <signature file> <downloaded iso>

It works well for very old 2007.0 iso image:

$ gpg --verify install-amd64-minimal-2007.0.iso.asc install-amd64-minimal-2007.0.iso
gpg: Signature made Thu May  3 00:02:20 2007 CEST using DSA key ID 17072058
gpg: Good signature from "Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D99E AC73 79A8 50BC E47D  A5F2 9E64 38C8 1707 2058

But the same instructions for the autobuild iso images don't work:

$ gpg --verify install-amd64-minimal-20090813.iso.DIGESTS.asc install-amd64-minimal-20090813.iso
gpg: not a detached signature

After seeing this error message, reading the gpg man page and inspecting the asc file, I tried this command:

$ gpg --verify install-amd64-minimal-20090813.iso.DIGESTS.asc
gpg: Signature made Wed Aug 26 00:42:47 2009 CEST using RSA key ID 2D182910
gpg: Can't check signature: No public key

Now it complains about a missing public key. I tried to google for 2D182910, to see whether some Gentoo documentation mentions it, but without any luck. And most users are NOT going to import public keys not mentioned in official Gentoo documentation, as they need some trustworthy verification method. Using a public key, which is not mentioned in official Gentoo documentation is equivalent to skipping the gpg verification step - both result in using an untrusted iso image.

The handbook should be modified to import correct public keys of people signing the iso images and stage3 tarballs. Also, correct verification instructions should be given.

Reproducible: Always

Steps to Reproduce:
1. gpg --keyserver subkeys.pgp.net --recv-keys 17072058
2. Download install iso image and its asc file, e.g. install-amd64-minimal-20090813.iso.DIGESTS.asc and install-amd64-minimal-20090813.iso
3. gpg --verify install-amd64-minimal-20090813.iso.DIGESTS.asc install-amd64-minimal-20090813.iso

Actual Results:  
$ gpg --verify install-amd64-minimal-20090813.iso.DIGESTS.asc install-amd64-minimal-20090813.iso.DIGESTS
gpg: not a detached signature

Expected Results:  
The signature should be verified, just as it used to for older iso images, e.g. install-amd64-minimal-2007.0.iso.

# emerge --info
Portage 2.1.6.13 (default/linux/x86/10.0/desktop, gcc-4.3.2, glibc-2.9_p20081201-r2, 2.6.30-gentoo-r4 i686)
=================================================================
System uname: Linux-2.6.30-gentoo-r4-i686-Intel-R-_Core-TM-2_Duo_CPU_E4500_@_2.20GHz-with-gentoo-1.12.11.1
Timestamp of tree: Tue, 01 Sep 2009 11:45:02 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p39
dev-java/java-config: 2.1.8-r1
dev-lang/python:     2.6.2-r1
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=core2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=core2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="ccache distlocks fixpackages nospinner parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://mirror.uni-c.dk/pub/gentoo/ ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ "
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X aac acl acpi alsa berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus dri dts dvd dvdr eds emboss encode evo fam firefox flac gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg ldap libnotify mad mikmod mmx mp3 mp4 mpeg mudflap ncurses nls nptl nptlonly nsplugin offensive ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3support quicktime readline reflection sdl session spell spl sse sse2 ssl ssse3 startup-notification svg sysfs tcpd thunar tiff truetype unicode usb vorbis win32codecs x264 x86 xml xorg xulrunner xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia vesa"
Unset:  CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

Comment 1 Robin Johnson archtester

2009-09-01 16:58:48 UTC

I just haven't gotten to updating the docs with the new key that was generated per bug 277319.

I do confirm that key 2D182910 IS 100% correct, and that it has been uploaded to the keyservers.

Comment 2 nm (RETIRED) gentoo-dev

2009-09-01 23:45:44 UTC

Reassigning to robbat2.

Robin, whatever changes you make to the installation handbooks, please be very careful not to add instructions that only apply to the autobuilds -- see bug 260403. Thanks.

Comment 3 Robin Johnson archtester

2009-09-02 01:32:05 UTC

nightmorph:
Can we just list both keys in the handbook?

I'm also making a new page in the releng project listing keys.

Comment 4 nm (RETIRED) gentoo-dev

2009-09-02 07:32:08 UTC

(In reply to comment #3)
> nightmorph:
> Can we just list both keys in the handbook?
> 
> I'm also making a new page in the releng project listing keys.
> 

We can't mix autobuild instructions/info with non-autobuild info; that's why the handbook rewrite has taken so long -- it has to be updated all at once.

However, if you can find a way to mention both keys, maybe in a table or some kinda tricky wording that doesn't mention "weekly", then be my guest. :)

Will the old key be used ever again, or is it only kept around to verify the 200X.x releases?

Comment 5 Robin Johnson archtester

2009-09-02 07:39:07 UTC

The releng site is updated:
http://www.gentoo.org/proj/en/releng/

And the keys have been mailed to the lists.

So all that's left is the handbook, which I see was actually already wrong for 2008.0, as we only shipped the .asc on the DIGESTS, not on the files directly.

New instructions in that file:

<pre caption="Verify the cryptographic signature">
$ <i>gpg --verify &lt;foo.DIGESTS.asc&gt;</i>
</pre>
<pre caption="Verify the checksum">
$ <i>sha1sum -c &lt;foo.DIGESTS.asc&gt;</i>
</pre>

The handbook should have similar, as well as listing the possible keys.

Comment 6 rhywek 2009-09-02 08:49:36 UTC

Thanks, that section is what the releng website really needed!

You just put the creation and expiration dates in wrong columns for the 0x2D182910 key, I guess.

I think the foo.DIGESTS file is not needed, as the checksum is calculated from foo.DIGESTS.asc directly, so foo.DIGESTS only creates confusion.

Comment 7 nm (RETIRED) gentoo-dev

2009-09-02 17:34:55 UTC

(In reply to comment #5)
> The releng site is updated:
> http://www.gentoo.org/proj/en/releng/
> 
> And the keys have been mailed to the lists.
> 
> So all that's left is the handbook, which I see was actually already wrong for
> 2008.0, as we only shipped the .asc on the DIGESTS, not on the files directly.
> 
> New instructions in that file:
> 
> <pre caption="Verify the cryptographic signature">
> $ <i>gpg --verify &lt;foo.DIGESTS.asc&gt;</i>
> </pre>
> <pre caption="Verify the checksum">
> $ <i>sha1sum -c &lt;foo.DIGESTS.asc&gt;</i>
> </pre>
> 
> The handbook should have similar, as well as listing the possible keys.
> 

Sounds good to me.

Comment 8 Robin Johnson archtester

2009-09-02 20:34:52 UTC

(In reply to comment #4)
> We can't mix autobuild instructions/info with non-autobuild info; that's why
> the handbook rewrite has taken so long -- it has to be updated all at once.
> 
> However, if you can find a way to mention both keys, maybe in a table or some
> kinda tricky wording that doesn't mention "weekly", then be my guest. :)
In the --recv instructions, just include BOTH keys on the commandline.

In the wording, simply state that there are one of two keys used.

> Will the old key be used ever again, or is it only kept around to verify the
> 200X.x releases?
The "old" key is going to be used for non-automated releases still.

Comment 9 Robin Johnson archtester

2009-09-02 20:37:26 UTC

(In reply to comment #6)
> You just put the creation and expiration dates in wrong columns for the
> 0x2D182910 key, I guess.
Err, I don't see that. The creation date lists 2009/08/25 with expiry in 2013/08/24.

> I think the foo.DIGESTS file is not needed, as the checksum is calculated from
> foo.DIGESTS.asc directly, so foo.DIGESTS only creates confusion.
It's there simply for users that might want it.

Comment 10 rhywek 2009-09-03 08:52:57 UTC

(In reply to comment #9)
> (In reply to comment #6)
> > You just put the creation and expiration dates in wrong columns for the
> > 0x2D182910 key, I guess.
> Err, I don't see that. The creation date lists 2009/08/25 with expiry in
> 2013/08/24.
> 
Yesterday the "Created" column was empty, "Expires" had "2009/08/25" in it, and "Revoked" contained "2013/08/24", but I see it's been fixed.

Comment 11 Robin Johnson archtester

2010-02-01 06:49:57 UTC

The releng page has been updated for a while, any remaining issues are handbook only.

Comment 12 nm (RETIRED) gentoo-dev

2010-05-24 21:07:42 UTC

*** Bug 297571 has been marked as a duplicate of this bug. ***

Comment 13 nm (RETIRED) gentoo-dev

2010-07-19 01:53:53 UTC

Fixed:

alpha
amd64
x86

Other arches on the way.

Comment 14 nm (RETIRED) gentoo-dev

2010-07-21 02:24:51 UTC

I fixed the rest of the handbooks to use the new releng key and verification process.