Project:Infrastructure/Updating Expired Gentoo Keys

From Gentoo Wiki

Gentoo uses OpenPGP keys for a number of services, most notably to provide authenticity verification for various downloads, including stages and the gentoo.git repository. Our OpenPGP keys have expiration dates set. This guarantees that even if we lose access to both the primary keys and their respective revocation certificates, the now-orphaned keys will not remain valid forever. However, this also implies that our users need to periodically update their local copies of the keys for them to remain valid.

How are the keys kept up-to-date?

There are currently two mechanisms employed to keep the syncing keys up-to-date:

  1. The sec-keys/openpgp-keys-gentoo-release package is periodically bumped to deploy updated keys.
  2. Portage automatically pulls key updates from the Gentoo servers while syncing.

The first mechanism is more permanent, but it requires that the update be performed before the keys expire. The second mechanism works on top of expired keys but requires HTTPS access to gentoo.org, and therefore may not work behind strict firewalls.

How to update the keys manually?

If the keys on the system have already expired and it is not possible to update them automatically via Portage, the recommended approach is to manually update the keys for the next sync, then upgrade the key package.

The keys can be updated using one of the following methods:

  1. The /usr/share/openpgp-keys/gentoo-release.asc file can be transferred from another, up-to-date Gentoo system. This assumes that an automated update was possible on that other system and that the file can be copied securely.
  2. An equivalent file can be downloaded from the Gentoo servers over HTTPS. Note that this approach uses a different security model, in which the file's authenticity rests on the HTTPS connection rather than on OpenPGP signatures:
    root #wget -O /usr/share/openpgp-keys/gentoo-release.asc https://qa-reports.gentoo.org/output/service-keys.gpg
  3. The keys can be updated manually using GnuPG (or another OpenPGP client).
    user $gpg --import /usr/share/openpgp-keys/gentoo-release.asc
    user $gpg --keyserver hkps://keys.gentoo.org --refresh-keys A13D0EF1914E7A72 DB6B8C1F96D8BF6D
    user $gpg -a --export A13D0EF1914E7A72 DB6B8C1F96D8BF6D > /tmp/gentoo-release.asc
    root #cp /tmp/gentoo-release.asc /usr/share/openpgp-keys/gentoo-release.asc
    Most notably, this approach can also be used to fetch and update the keys on another system for the purpose of transferring them to the affected Gentoo installation.
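
Whichever method is used, the candidate file can be checked before it is copied into place. The script below is an added example, not part of the original wiki page or of Gentoo's tooling: it parses gpg --show-keys --with-colons output and reports whether the two key IDs used above are present and unexpired. Treating those IDs as primary-key IDs is an assumption, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki: audit a key file before installing it.
# The two long key IDs are the ones passed to --refresh-keys on this page;
# treating them as primary-key ("pub") IDs is an assumption of this script.
EXPECTED_KEYS="A13D0EF1914E7A72 DB6B8C1F96D8BF6D"

# stdin: output of `gpg --show-keys --with-colons FILE`; $1: current epoch time.
# Prints one status line per expected key and returns 1 if any of them is
# missing, expired or revoked.
check_release_keys() {
    awk -F: -v now="$1" -v want="$EXPECTED_KEYS" '
        $1 == "pub" {
            # field 2 = validity, field 5 = long key ID, field 7 = expiry epoch
            id = $5
            expiry[id] = ($7 == "") ? "never" : $7
            if ($2 == "r")                           state[id] = "revoked"
            else if ($2 == "e")                      state[id] = "expired"
            else if ($7 != "" && $7 + 0 <= now + 0)  state[id] = "expired"
            else                                     state[id] = "valid"
        }
        END {
            n = split(want, ids, " "); bad = 0
            for (i = 1; i <= n; i++) {
                id = ids[i]
                s = (id in state) ? state[id] : "missing"
                e = (id in expiry) ? expiry[id] : "-"
                printf "%s %s expires=%s\n", id, s, e
                if (s != "valid") bad = 1
            }
            exit bad
        }'
}

# Constructed sample listing (dates and user IDs are made up for the demo).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:A13D0EF1914E7A72:1500000000:1900000000::-:::scESC::::::23::0:
uid:-::::1500000000::::Constructed sample key one::::::::::0:
pub:-:4096:1:DB6B8C1F96D8BF6D:1500000000:1600000000::-:::scESC::::::23::0:
uid:-::::1500000000::::Constructed sample key two::::::::::0:
EOF
}

if [ "$#" -gt 0 ]; then
    # Real use: check a candidate file without importing it into any keyring.
    gpg --show-keys --with-colons "$1" | check_release_keys "$(date +%s)" \
        || echo "do not install $1: see statuses above" >&2
else
    sample_listing | check_release_keys 1700000000 || echo "sample: key update needed"
fi
```

Run with the path of the candidate file as its only argument; with no argument it runs against the constructed sample. A key reported as expired in a freshly fetched file means the source itself has not been updated yet.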

Once the file is replaced, it should be possible to sync the Gentoo repository and update the key package:

root #emerge --sync
root #emerge -1v sec-keys/openpgp-keys-gentoo-release