* [ANNOUNCE] GPG key update
From: Carlos Maiolino @ 2024-04-18 8:23 UTC (permalink / raw)
To: linux-xfs
Hi,
I didn't mean to send such email, but more than one person already asked me about it, so, sharing it
for a broader audience.
TL;DR;
I started to use a new key to sign stuff two months ago, if you had any key mismatch problem, update
your keyring. My apologies for any trouble.
== Long Version ==
Because my smartcard does not accept ed25519 keys, I added a few new subkeys to the very same certify
GPG key, so I can make my keys safer.
Once my key got updated in kernel keyring I started using it for signing stuff.
I made the foolish assumption that automated packaging systems were querying the kernel keyring or
the public key repos (aka keys.openpgp.org) when trying to verify the signatures.
These new sub-keys belong to the very same certify key as the other keys, which are still valid.
Nothing got revoked.
My certify (or master key) is still the same: 4020459E58C1A52511F5399113F703E6C11CF6F0
With a new extra subkey added under it: 0C1D891C50A732E0680F7B644675A111E50B5FA6
The kernel keyring was updated in February with these new keys, so again, my apologies for any
unnecessary trouble, I assumed two months were enough for systems that rely on GPG signatures to
update their databases.
Below is the commit that updated the kernel's gpg database:
commit d3b3885a394fd3144c43bba98596665b42024e19
Author: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Date:   Tue Feb 27 14:54:51 2024 -0500

    Periodic update from keyservers

    Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
And directly from the kernel.org's database:
pgpkeys $ gpg --show-keys --with-subkey-fingerprint keys/13F703E6C11CF6F0.asc
pub   ed25519 2022-05-27 [C]
      4020459E58C1A52511F5399113F703E6C11CF6F0
uid   Carlos Eduardo Maiolino <carlos@maiolino.me>
uid   Carlos Eduardo Maiolino <cmaiolino@redhat.com>
uid   Carlos Eduardo Maiolino <cem@kernel.org>
sub   ed25519 2022-05-27 [A]
      36C5DFE1ECA79D1D444FDD904E5621A566959599
sub   ed25519 2022-05-27 [S]
      FA406E206AFF7873897C6864B45618C36A24FD23 <-- Old key still valid
sub   cv25519 2022-05-27 [E]
      5AE98D09B21AFBDE62EE571EE01E05EA81B10D5C
sub   nistp384 2024-02-15 [A]
      D3DF1E315DBCB4EDF392D6ED2BE8B50768C99F00
sub   nistp384 2024-02-15 [S]
      0C1D891C50A732E0680F7B644675A111E50B5FA6 <-- New key
sub   nistp384 2024-02-15 [E]
      C79922EE45DEA3F58B99B4701201F4FA234EEFD8
* Re: [ANNOUNCE] GPG key update
From: Carlos E. R. @ 2024-04-18 18:02 UTC (permalink / raw)
To: Linux-XFS mailing list
On 2024-04-18 10:23, Carlos Maiolino wrote:
> Hi,
> I didn't mean to send such email, but more than one person already asked me about it, so, sharing it
> for a broader audience.
>
>
> TL;DR;
>
> I started to use a new key to sign stuff two months ago, if you had any key mismatch problem, update
> your keyring. My apologies for any trouble.
>
>
> == Long Version ==
...
> My certify (or master key) is still the same: 4020459E58C1A52511F5399113F703E6C11CF6F0
> With a new extra subkey added under it: 0C1D891C50A732E0680F7B644675A111E50B5FA6
I only wanted to point out that the network of GPG keyservers is broken,
since the attack they suffered a few years back.
For instance, Thunderbird internal key manager finds your keys ID above,
apparently using "vks://keys.openpgp.org, hkps://keys.mailvelope.com".
However, kleopatra (Plasma key manager) doesn't (using
hkp://keys.gnupg.net or hkps://hkps.pool.sks-keyservers.net, not clear
which).
That is, keys are not propagated through all the servers as they were in
the past.
> And directly from the kernel.org's database:
>
> pgpkeys $ gpg --show-keys --with-subkey-fingerprint keys/13F703E6C11CF6F0.asc
> pub ed25519 2022-05-27 [C]
> 4020459E58C1A52511F5399113F703E6C11CF6F0
> uid Carlos Eduardo Maiolino <carlos@maiolino.me>
> uid Carlos Eduardo Maiolino <cmaiolino@redhat.com>
> uid Carlos Eduardo Maiolino <cem@kernel.org>
> sub ed25519 2022-05-27 [A]
> 36C5DFE1ECA79D1D444FDD904E5621A566959599
> sub ed25519 2022-05-27 [S]
> FA406E206AFF7873897C6864B45618C36A24FD23 <-- Old key still valid
> sub cv25519 2022-05-27 [E]
> 5AE98D09B21AFBDE62EE571EE01E05EA81B10D5C
> sub nistp384 2024-02-15 [A]
> D3DF1E315DBCB4EDF392D6ED2BE8B50768C99F00
> sub nistp384 2024-02-15 [S]
> 0C1D891C50A732E0680F7B644675A111E50B5FA6 <-- New key
> sub nistp384 2024-02-15 [E]
> C79922EE45DEA3F58B99B4701201F4FA234EEFD8
Information obtained once I changed the keyserver:
cer@Telcontar:~> gpg --list-keys \
    4020459E58C1A52511F5399113F703E6C11CF6F0
pub   ed25519 2022-05-27 [C]
      4020459E58C1A52511F5399113F703E6C11CF6F0
uid   [ full ] Carlos Eduardo Maiolino <carlos@maiolino.me>
uid   [ full ] Carlos Eduardo Maiolino <cem@kernel.org>
uid   [ full ] Carlos Eduardo Maiolino <cmaiolino@redhat.com>
sub   ed25519 2022-05-27 [A]
sub   ed25519 2022-05-27 [S]
sub   nistp384 2024-02-15 [A]
sub   nistp384 2024-02-15 [S]
sub   nistp384 2024-02-15 [E]
sub   cv25519 2022-05-27 [E]
--
Cheers / Saludos,
Carlos E. R.
(from 15.5 x86_64 at Telcontar)
* Re: [ANNOUNCE] GPG key update
From: Carlos Maiolino @ 2024-04-19 6:29 UTC (permalink / raw)
To: Carlos E. R.; +Cc: Linux-XFS mailing list
On Thu, Apr 18, 2024 at 08:02:09PM +0200, Carlos E. R. wrote:
> On 2024-04-18 10:23, Carlos Maiolino wrote:
> > Hi,
> > I didn't mean to send such email, but more than one person already asked me about it, so, sharing it
> > for a broader audience.
> >
> >
> > TL;DR;
> >
> > I started to use a new key to sign stuff two months ago, if you had any key mismatch problem, update
> > your keyring. My apologies for any trouble.
> >
> >
> > == Long Version ==
>
> ...
>
> > My certify (or master key) is still the same: 4020459E58C1A52511F5399113F703E6C11CF6F0
> > With a new extra subkey added under it: 0C1D891C50A732E0680F7B644675A111E50B5FA6
>
> I only wanted to point out that the network of GPG keyservers is broken,
> since the attack they suffered a few years back.
>
> For instance, Thunderbird internal key manager finds your keys ID above,
> apparently using "vks://keys.openpgp.org, hkps://keys.mailvelope.com".
>
> However, kleopatra (Plasma key manager) doesn't (using hkp://keys.gnupg.net
> or hkps://hkps.pool.sks-keyservers.net, not clear which).
>
>
> That is, keys are not propagated through all the servers as they were in the
> past.
You listed several reasons why kernel.org keeps its own repository with maintainers' keys :)
There are even instructions on how to automatically update the keys based on the kernel.org repository:
https://korg.docs.kernel.org/pgpkeys.html#automatically-refreshing-keys
So, everybody relying on maintainers' keys can keep their keyring updated.
> > And directly from the kernel.org's database:
> >
> > pgpkeys $ gpg --show-keys --with-subkey-fingerprint keys/13F703E6C11CF6F0.asc
> > pub ed25519 2022-05-27 [C]
> > 4020459E58C1A52511F5399113F703E6C11CF6F0
> > uid Carlos Eduardo Maiolino <carlos@maiolino.me>
> > uid Carlos Eduardo Maiolino <cmaiolino@redhat.com>
> > uid Carlos Eduardo Maiolino <cem@kernel.org>
> > sub ed25519 2022-05-27 [A]
> > 36C5DFE1ECA79D1D444FDD904E5621A566959599
> > sub ed25519 2022-05-27 [S]
> > FA406E206AFF7873897C6864B45618C36A24FD23 <-- Old key still valid
> > sub cv25519 2022-05-27 [E]
> > 5AE98D09B21AFBDE62EE571EE01E05EA81B10D5C
> > sub nistp384 2024-02-15 [A]
> > D3DF1E315DBCB4EDF392D6ED2BE8B50768C99F00
> > sub nistp384 2024-02-15 [S]
> > 0C1D891C50A732E0680F7B644675A111E50B5FA6 <-- New key
> > sub nistp384 2024-02-15 [E]
> > C79922EE45DEA3F58B99B4701201F4FA234EEFD8
>
>
> Information obtained once I changed the keyserver:
>
> cer@Telcontar:~> gpg --list-keys \
> 4020459E58C1A52511F5399113F703E6C11CF6F0
> pub ed25519 2022-05-27 [C]
> 4020459E58C1A52511F5399113F703E6C11CF6F0
> uid [ full ] Carlos Eduardo Maiolino <carlos@maiolino.me>
> uid [ full ] Carlos Eduardo Maiolino <cem@kernel.org>
> uid [ full ] Carlos Eduardo Maiolino <cmaiolino@redhat.com>
> sub ed25519 2022-05-27 [A]
> sub ed25519 2022-05-27 [S]
> sub nistp384 2024-02-15 [A]
> sub nistp384 2024-02-15 [S]
> sub nistp384 2024-02-15 [E]
> sub cv25519 2022-05-27 [E]
>
>
>
> --
> Cheers / Saludos,
>
> Carlos E. R.
> (from 15.5 x86_64 at Telcontar)
>
^ permalink raw reply [flat|nested] 3+ messages in thread
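Added example, not part of the thread and not kernel.org's own tooling: a verifier that pins the certify key from the announcement and resolves whichever signing subkey made a signature back to that primary, so a newly added [S] subkey is accepted once the key file has been refreshed. The function names are hypothetical, and the colon-format listing is constructed from the fingerprints quoted above with placeholder timestamps.

```sh
#!/bin/sh
# Added example: resolve a signing-subkey fingerprint to its primary (certify) key.
PINNED=4020459E58C1A52511F5399113F703E6C11CF6F0  # certify key from the announcement

# Constructed sample in `gpg --with-colons` layout, built from the listing in the
# announcement (creation timestamps are placeholders). For a real key file use:
#   gpg --show-keys --with-colons keys/13F703E6C11CF6F0.asc
sample_listing() {
cat <<'EOF'
pub:-:255:22:13F703E6C11CF6F0:1653609600:::-:::cSEA::::::ed25519:::0:
fpr:::::::::4020459E58C1A52511F5399113F703E6C11CF6F0:
sub:-:255:22:B45618C36A24FD23:1653609600::::::s::::::ed25519::
fpr:::::::::FA406E206AFF7873897C6864B45618C36A24FD23:
sub:-:384:19:4675A111E50B5FA6:1707955200::::::s::::::nistp384::
fpr:::::::::0C1D891C50A732E0680F7B644675A111E50B5FA6:
sub:-:384:18:1201F4FA234EEFD8:1707955200::::::e::::::nistp384::
fpr:::::::::C79922EE45DEA3F58B99B4701201F4FA234EEFD8:
EOF
}

# owner_of FPR <listing: print the primary fingerprint owning FPR when FPR is a
# usable signing key. Exit 1 = listed but unusable for signing, 2 = not listed.
owner_of() {
  awk -F: -v want="$1" '
    BEGIN { rc = 2 }
    $1 == "pub" || $1 == "sub" { rec = $1; validity = $2; caps = $12 }
    $1 == "fpr" {
      if (rec == "pub") primary = $10
      if ($10 == want) {
        # field 2: r=revoked e=expired i=invalid d=disabled n=not valid
        if (validity ~ /^[reidn]/ || caps !~ /s/) rc = 1
        else { print primary; rc = 0 }
        exit
      }
    }
    END { exit rc }
  '
}

# signer_ok FPR <listing: true only if FPR signs on behalf of the pinned primary.
signer_ok() {
  [ "$(owner_of "$1")" = "$PINNED" ]
}

for fpr in 0C1D891C50A732E0680F7B644675A111E50B5FA6 \
           FA406E206AFF7873897C6864B45618C36A24FD23 \
           C79922EE45DEA3F58B99B4701201F4FA234EEFD8; do
  if sample_listing | signer_ok "$fpr"; then echo "$fpr accept"
  else echo "$fpr reject"; fi
done
```

The old and new [S] subkeys are accepted and the [E] subkey is rejected. In an automated verifier the fingerprint to check comes from the VALIDSIG line of `gpg --status-fd`, whose last field is the primary key fingerprint and can be compared against the same pin.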