opensearch-build
[Renew Key] Upcoming expiration of our current sub public key (expire on 20240512)
This is a reminder that the new sub public key that we extended in #2136 will expire on 20240512.
We need to take action to extend the key again before that.
Guide: https://github.com/opensearch-project/opensearch-build/issues/2040#issuecomment-1125449385
- Upload the key to the production S3 bucket while working with project-website on it.
- Upload to keyserver: https://github.com/opensearch-project/opensearch-build/issues/2040#issuecomment-1132261924.
- Build a release and sign and specifically test rpm on rockylinux9/almalinux9.
- Update on https://opensearch.org/verify-signatures.html.
- Make sure the key will expire in exactly one year on 20250512.
- Create a new issue for the next year.
Thanks.
We need to update the cert for another year now, since 2.14.0 will release on 05/14, which is right after the expiration.
Also update this: https://opensearch.org/verify-signatures.html
The renewed key has been created and uploaded to the bucket, but not yet switched.
- Next renew: https://github.com/opensearch-project/opensearch-build/issues/4669
The key is able to verify old artifacts:

```
% gpg --verify opensearch-2.0.0-rc1-linux-x64.tar.gz.sig
gpg: Signature made Tue 03 May 2022 05:30:55 PM UTC using RSA key ID 542C03B4
gpg: Good signature from "OpenSearch project <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C5B7 4989 65EF D1C2 924B  A9D5 39D3 1987 9310 D3FC
     Subkey fingerprint: 2187 3199 B103 0FCD 49DA  83F8 C2EE 2AF6 542C 03B4
```
Yum can install on a rockylinux9:
```
                                                113 MB/s | 799 MB     00:07
OpenSearch 2.x                                   77 kB/s | 4.2 kB     00:00
Importing GPG key 0x9310D3FC:
 Userid     : "OpenSearch project <[email protected]>"
 Fingerprint: C5B7 4989 65EF D1C2 924B A9D5 39D3 1987 9310 D3FC
 From       : <>
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
```
Update changelog:
- https://github.com/opensearch-project/project-website/pull/2833
Next Year:
- https://github.com/opensearch-project/opensearch-build/issues/4669
Will upload keys to all the key servers once we are live.
We have switched the key on our website to the renewed one now: https://opensearch.org/verify-signatures.html#Pgp
```
pub   rsa4096 2021-05-11 [SC]
      C5B7498965EFD1C2924BA9D539D319879310D3FC
uid           [ unknown] OpenSearch project <[email protected]>
sub   rsa2048 2021-05-11 [S] [expires: 2025-05-12]
```
Thanks.
Could you please extend the key to more years? Because now every year we have to do steps in https://github.com/opensearch-project/opensearch-build/issues/3124#issuecomment-1533756275
> Yum can install on a rockylinux9:
>
> ```
>                                                 113 MB/s | 799 MB     00:07
> OpenSearch 2.x                                   77 kB/s | 4.2 kB     00:00
> Importing GPG key 0x9310D3FC:
>  Userid     : "OpenSearch project <[email protected]>"
>  Fingerprint: C5B7 4989 65EF D1C2 924B A9D5 39D3 1987 9310 D3FC
>  From       : <>
> Is this ok [y/N]: y
> Key imported successfully
> Running transaction check
> Transaction check succeeded.
> Running transaction test
> Transaction test succeeded.
> Running transaction
> ```
Depends on what your repo file looks like. There are still signatures out there which are not updated.
```
[ TEST 2024-08-20 14:49 ]
root@db:~ # curl -fsSLO https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/opensearch-2.x.repo.sig
[ TEST 2024-08-20 14:49 ]
root@db:~ # curl -fsSLO https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/opensearch-2.x.repo
[ TEST 2024-08-20 14:49 ]
root@db:~ # gpg --verify opensearch-2.x.repo.sig opensearch-2.x.repo
gpg: Signature made Sat 07 May 2022 12:57:51 AM CEST
gpg:                using RSA key C2EE2AF6542C03B4
gpg: Good signature from "OpenSearch project <[email protected]>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: C5B7 4989 65EF D1C2 924B  A9D5 39D3 1987 9310 D3FC
     Subkey fingerprint: 2187 3199 B103 0FCD 49DA  83F8 C2EE 2AF6 542C 03B4
```
Ignoring the sig file and continuing as documented ( https://opensearch.org/docs/latest/install-and-configure/install-opensearch/rpm/#install-opensearch-from-a-yum-repository ) will also not help:

```
[ TEST 2024-08-20 14:50 ]
root@db:~ # sudo curl -SL https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/opensearch-2.x.repo -o /etc/yum.repos.d/opensearch-2.x.repo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   242  100   242    0     0   2847      0 --:--:-- --:--:-- --:--:--  2847
[ TEST 2024-08-20 14:54 ]
root@db:~ # dnf update --assumeno --disablerepo=* --enablerepo=opensearch-2.x
OpenSearch 2.x                                  2.4 kB/s | 498  B     00:00
OpenSearch 2.x                                   91 kB/s | 4.2 kB     00:00
Importing GPG key 0x9310D3FC:
 Userid     : "OpenSearch project <[email protected]>"
 Fingerprint: C5B7 4989 65EF D1C2 924B A9D5 39D3 1987 9310 D3FC
 From       : https://artifacts.opensearch.org/publickeys/opensearch.pgp
OpenSearch 2.x                                  3.5 kB/s | 498  B     00:00
Error: Failed to download metadata for repo 'opensearch-2.x': repomd.xml GPG signature verification error: Bad GPG signature
```
Workaround is to disable repo gpg-check within the repo file (`repo_gpgcheck=0`).
It might also be necessary to find the previous rpm imported key and remove it if it is the old one.
The current new key should definitely show something like this:

```
# rpm -qa gpg-pubkey* | \grep 9310d3fc
gpg-pubkey-9310d3fc-609af0ea
# gpg --import-options import-show --import --dry-run <(rpm -qi gpg-pubkey-9310d3fc-609af0ea)
pub   rsa4096 2021-05-11 [SC]
      C5B7498965EFD1C2924BA9D539D319879310D3FC
uid                      OpenSearch project <[email protected]>
sub   rsa2048 2021-05-11 [S] [expires: 2025-05-12]
gpg: Total number processed: 1
```
The older key has no subkey and will print something like this when checking `gpg --import-options import-show --import --dry-run <(rpm -qi gpg-pubkey-9310d3fc-609af0ea)`:

```
pub   rsa4096 2021-05-11 [SC]
      C5B7498965EFD1C2924BA9D539D319879310D3FC
uid                      OpenSearch project <[email protected]>
gpg: Total number processed: 1
```
way nicer https://github.com/opensearch-project/opensearch-build/issues/3527#issuecomment-1553341927
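
The three key states seen in this thread (renewed subkey, expired subkey, older copy with no subkey) can be told apart mechanically from GnuPG's colon listing. The following is an added example, not part of the original thread or the project's tooling; the function name `check_signing_subkeys` and the sample listings are constructed, using the fingerprints and dates shown above.

```shell
#!/bin/sh
# Added example: classify signing subkeys in a GnuPG colon listing by expiry.
# With a real key file (gpg 2.2+):
#   gpg --show-keys --with-colons opensearch.pgp | check_signing_subkeys "$(date +%s)" 30
# Colon fields used: 1=record type, 2=validity, 7=expiry (epoch seconds),
# 12=capabilities; on "fpr" records field 10 is the fingerprint.
check_signing_subkeys() {  # args: NOW_EPOCH WARN_DAYS; listing on stdin
  awk -F: -v now="$1" -v warn="$2" '
    $1 == "pub" { want = 0 }                       # skip the primary key fpr
    $1 == "sub" { want = ($12 ~ /s/); expiry = $7; validity = $2 }
    $1 == "fpr" && want {
      want = 0; found++
      if (expiry == "") { state = "NO_EXPIRY"; left = "-" }
      else {
        left = int((expiry - now) / 86400)         # whole days remaining
        if (validity == "e" || expiry + 0 <= now + 0) state = "EXPIRED"
        else if (left <= warn)                        state = "EXPIRING"
        else                                          state = "OK"
      }
      print $10, state, left
    }
    END { if (!found) print "-", "NO_SIGNING_SUBKEY", "-" }
  '
}

# Constructed listings (not captured output). 1747008000 = 2025-05-12 UTC,
# 1715472000 = 2024-05-12 UTC, 1620691200 = 2021-05-11 UTC.
PRIMARY='pub:-:4096:1:39D319879310D3FC:1620691200:::-:::scSC:
fpr:::::::::C5B7498965EFD1C2924BA9D539D319879310D3FC:'
SUBFPR='fpr:::::::::21873199B1030FCD49DA83F8C2EE2AF6542C03B4:'
RENEWED="$PRIMARY
sub:-:2048:1:C2EE2AF6542C03B4:1620691200:1747008000:::::s:
$SUBFPR"
EXPIRED="$PRIMARY
sub:e:2048:1:C2EE2AF6542C03B4:1620691200:1715472000:::::s:
$SUBFPR"
OLD="$PRIMARY"

# Evaluate as of 2024-08-20 00:00 UTC (1724112000), warning at 30 days.
for listing in "$RENEWED" "$EXPIRED" "$OLD"; do
  printf '%s\n' "$listing" | check_signing_subkeys 1724112000 30
done
```

Each output line is `<subkey fingerprint> <state> <days left>`, so the check can run on a schedule against the published key and against `rpm -qi gpg-pubkey-...` output on hosts.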