
Update xCAT Security Key to use RSA and stronger SHA-2 family hash: SHA512, SHA384, SHA256, and SHA224 #5306

Closed
neo954 opened this issue Jun 21, 2018 · 8 comments

Comments

@neo954
Contributor

neo954 commented Jun 21, 2018

The issue is against the latest xcat-core build xcat-dep-ubuntu-201806200437.tar.bz2, and xcat-dep build 20180620.0615-core-debs-snap.tar.bz2.

The apt-get command complained that the GPG signatures were invalid: F75B1BF678B644FDF3AACFC860A3E9ACC6565BC9. See the details below.

# apt-get update
Get:1 file:/install/xcat/xcat-core bionic InRelease [1,928 B]
Get:2 file:/install/xcat/xcat-dep bionic InRelease [1,935 B]
Get:1 file:/install/xcat/xcat-core bionic InRelease [1,928 B]
Get:2 file:/install/xcat/xcat-dep bionic InRelease [1,935 B]
Err:1 file:/install/xcat/xcat-core bionic InRelease
  The following signatures were invalid: F75B1BF678B644FDF3AACFC860A3E9ACC6565BC9
Hit:3 http://ports.ubuntu.com/ubuntu-ports bionic InRelease
Hit:4 http://ports.ubuntu.com/ubuntu-ports bionic-updates InRelease
Hit:5 http://archive.ubuntu.com/ubuntu bionic InRelease
Err:2 file:/install/xcat/xcat-dep bionic InRelease
  The following signatures were invalid: F75B1BF678B644FDF3AACFC860A3E9ACC6565BC9
Hit:6 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:7 http://ports.ubuntu.com/ubuntu-ports bionic-backports InRelease
Get:8 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Hit:9 http://ports.ubuntu.com/ubuntu-ports bionic-security InRelease
Reading package lists... Done
W: GPG error: file:/install/xcat/xcat-core bionic InRelease: The following signatures were invalid: F75B1BF678B644FDF3AACFC860A3E9ACC6565BC9
E: The repository 'file:/install/xcat/xcat-core bionic InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: file:/install/xcat/xcat-dep bionic InRelease: The following signatures were invalid: F75B1BF678B644FDF3AACFC860A3E9ACC6565BC9
E: The repository 'file:/install/xcat/xcat-dep bionic InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Further investigation is needed on this issue.

@immarvin
Contributor

Related to ticket #1414?

@neo954
Contributor Author

neo954 commented Jun 21, 2018

I did a quick search on Google. It turns out this is a well-known problem [1]. It seems Debian completely removed SHA-1 support on January 1, 2017 [2][3]. xCAT is already one and a half years late for this transition. Clearly, xCAT needs to update the xCAT Security Key used for package and repository signing, and use SHA-256 and/or SHA-512 [4][5] instead.

[1] https://groups.google.com/forum/#!topic/help-cfengine/pJRYrGeKfCA
[2] https://wiki.debian.org/Teams/Apt/Sha1Removal
[3] https://lists.debian.org/deity/2016/11/msg00008.html
[4] https://wiki.debian.org/Keysigning
[5] https://debian-administration.org/users/dkg/weblog/48

Yes, this problem is a duplicate of issue #1414. It is a shame that we knew about this problem two years ago and did nothing. And we marked issue #1414 as a low-priority issue. Now it is urgent. Thus I marked this issue as high priority.
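A defender-side check for the condition this thread describes, added here as an example and not part of the issue or of xCAT's own tooling: it parses the OpenPGP signature packet at the end of an apt InRelease file and reports whether the signing key algorithm is DSA or the digest is outside the SHA-2 family, which is what makes apt reject the repository. `constructed_inrelease` is an assumed helper that builds a constructed, non-verifiable sample purely to exercise the parser.

```python
import base64
import re

# Algorithm ids from RFC 4880 section 9 (public-key and hash algorithm registries).
PUBKEY_ALG = {1: "RSA", 3: "RSA-sign-only", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALG = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
STRONG_HASHES = {"SHA224", "SHA256", "SHA384", "SHA512"}


def signature_packet_bytes(text: str) -> bytes:
    """Return the raw packet bytes of the first armored PGP SIGNATURE block."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\n(.*?)-----END PGP SIGNATURE-----", text, re.S)
    if not m:
        raise ValueError("no PGP SIGNATURE block found")
    # Skip armor headers ("Version: ..."), blank lines and the "=XXXX" CRC24 line.
    lines = [l.strip() for l in m.group(1).splitlines()]
    return base64.b64decode("".join(l for l in lines if l and ":" not in l and l[0] != "="))


def parse_signature_packet(data: bytes) -> dict:
    """Parse the fixed header of a v4 signature packet (RFC 4880 section 5.2.3):
    version, signature type, public-key algorithm, hash algorithm, ..."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                       # new-format header: tag in the low 6 bits
        tag, first = hdr & 0x3F, data[1]
        body = data[2:] if first < 192 else data[3:] if first < 224 else data[6:]
    else:                                # old-format header: tag in bits 2-5, length type in bits 0-1
        tag = (hdr >> 2) & 0x0F
        body = data[1 + (1, 2, 4, 0)[hdr & 0x03]:]
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    return {"pubkey_alg": PUBKEY_ALG.get(body[2], f"unknown({body[2]})"),
            "hash_alg": HASH_ALG.get(body[3], f"unknown({body[3]})")}


def audit_inrelease(text: str) -> dict:
    """Report the signing algorithms and whether apt would treat them as weak."""
    info = parse_signature_packet(signature_packet_bytes(text))
    info["weak"] = info["pubkey_alg"] == "DSA" or info["hash_alg"] not in STRONG_HASHES
    return info


def constructed_inrelease(pubkey_alg: int, hash_alg: int) -> str:
    """Constructed sample only (assumed helper): a clearsigned file whose signature
    packet carries the given algorithm ids; the MPI is a dummy, so it never verifies."""
    body = bytes([4, 0x01, pubkey_alg, hash_alg]) + b"\x00\x00\x00\x00" + b"\xab\xcd" + b"\x00\x08\x80"
    packet = bytes([0x88, len(body)]) + body   # old-format header, tag 2, one-byte length
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nOrigin: xCAT\n"
            "-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(packet).decode()
            + "\n-----END PGP SIGNATURE-----\n")
```

Run `audit_inrelease(open("/install/xcat/xcat-core/dists/bionic/InRelease").read())` against a real repository to see which algorithms its signature actually uses.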

@neo954 neo954 changed the title On Ubuntu 18.04, apt-get complained xCAT repositories have invalid GPG signatures Update xCAT Security Key to use stronger SHA-2 family hash: SHA512, SHA384, SHA256, and SHA224 Jun 21, 2018
@neo954 neo954 changed the title Update xCAT Security Key to use stronger SHA-2 family hash: SHA512, SHA384, SHA256, and SHA224 Update xCAT Security Key to use RSA and stronger SHA-2 family hash: SHA512, SHA384, SHA256, and SHA224 Jun 22, 2018
@neo954
Contributor Author

neo954 commented Jun 22, 2018

And also, all DSA keys need to be migrated to RSA.

@neo954
Contributor Author

neo954 commented Jun 22, 2018

The exported public key of the xCAT Automatic Signing Key [1] on xcat.org needs to be updated as well.
[1] http://xcat.org/files/xcat/repos/apt/apt.key

@neo954
Contributor Author

neo954 commented Jun 22, 2018

For now, use the following command to import the public key.

wget https://github.com/xcat2/xcat2-task-management/files/2126676/apt.key.txt -O - | apt-key add -

@neo954
Contributor Author

neo954 commented Jun 22, 2018

As suggested in the article [1] on the Debian Administration blog, we may also consider revoking the old xCAT Security Key C6565BC9 some tens of days later.

[1] https://debian-administration.org/users/dkg/weblog/48

@immarvin
Contributor

Hi @neo954, can this ticket be closed now?

@immarvin immarvin reopened this Jun 25, 2018
@neo954
Contributor Author

neo954 commented Jun 25, 2018

The latest daily build looks good now. I will close this issue.
