From bbf03df29a72401601384d972701df91a4c01f12 Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Jun 03 2022 16:38:39 +0000 Subject: security: use gpgv to verify CHECKSUM signatures The `gpgv` command is designed to simply verify OpenPGP signatures. It takes a keyring as an option and then any number of signed files and verifies the signatures based on the keys in the given keyring. Using `gpgv` allows the instructions to be simplified and avoids the following confusing output from the currently recommended method: gpg: WARNING: This key is not certified with a trusted signature! gpg:          There is no indication that the signature belongs to the owner. The `gpgv` command expects the --keyring argument to be an un-armored keyblock. This means dropping the ascii-armor from fedora.gpg (which is more in line with the .gpg extension anyway). For users who still wish to pull fedora.gpg and import it to their keyring, the un-armored keyblock works just as well. The updated instructions are: $ curl -O https://getfedora.org/static/fedora.gpg $ gpgv --keyring ./fedora.gpg *-CHECKSUM The output from gpgv is: $ gpgv --keyring ./fedora.gpg *-CHECKSUM gpgv: Signature made Fri 19 Mar 2021 10:10:28 AM EDT gpgv: using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39 gpgv: Good signature from "Fedora (34) " Users no longer have to fiddle with marking the Fedora keys as trusted in gpg nor do we have to explain why the large "WARNING" from gpg is okay to ignore¹. ¹ https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/MPSGTW42RP4U75ZHUAHDMFIP6TTUW23Y/ Signed-off-by: Todd Zullinger --- diff --git a/sites/getfedora.org/site/security/index.html b/sites/getfedora.org/site/security/index.html index 97875b1..268e2cf 100644 --- a/sites/getfedora.org/site/security/index.html +++ b/sites/getfedora.org/site/security/index.html @@ -35,14 +35,14 @@

{% trans trimmed %} First, import Fedora's GPG key(s): -

$ curl https://getfedora.org/static/fedora.gpg | gpg --import
+
$ curl -O https://getfedora.org/static/fedora.gpg
Note that you can verify the details of these keys below. {% endtrans %}

{% trans trimmed %} Now, verify that the CHECKSUM file is valid: -

$ gpg --verify-files *-CHECKSUM
+
$ gpgv --keyring ./fedora.gpg *-CHECKSUM
The CHECKSUM file should have a good signature from one of the keys described below. {% endtrans %}

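Review bot: the unchanged context line `First, import Fedora's GPG key(s):` now contradicts the command beneath it; `curl -O https://getfedora.org/static/fedora.gpg` only saves the keyring to the working directory and imports nothing, so reword it to something like "First, download Fedora's GPG key(s):". The `./` in `gpgv --keyring ./fedora.gpg *-CHECKSUM` also deserves a sentence in the text: gpgv treats a `--keyring` name without a slash as a file in the GnuPG home directory, so a reader who shortens it to `--keyring fedora.gpg` gets a missing-keyring error instead of using the file just downloaded. Finally, "should have a good signature from one of the keys described below" could say what to compare: the fingerprint printed on gpgv's `using RSA key` line against the key fingerprints listed further down the page, and that gpgv exits non-zero when the signature is bad.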
diff --git a/sites/getfedora.org/util/gpg_checker.py b/sites/getfedora.org/util/gpg_checker.py index c05595b..c61d612 100644 --- a/sites/getfedora.org/util/gpg_checker.py +++ b/sites/getfedora.org/util/gpg_checker.py @@ -54,8 +54,8 @@ def generate_gpg_bundle(): print('Could not open key file {0}: {1}'.format(path, e)) raise - armor = gpg.export_keys(current_fingerprints, armor=True) - return armor + keyring = gpg.export_keys(current_fingerprints, armor=False) + return keyring def check_gpg_keys(): ''' diff --git a/sites/static/js/coreos-download.js b/sites/static/js/coreos-download.js index 206e248..af09b3e 100644 --- a/sites/static/js/coreos-download.js +++ b/sites/static/js/coreos-download.js @@ -901,7 +901,7 @@ var coreos_download_app = new Vue({ $(p).html("Import Fedora's GPG keys"); code = document.createElement('code'); pre = document.createElement('pre'); - $(code).html("curl https://getfedora.org/static/fedora.gpg | gpg --import") + $(code).html("curl -O https://getfedora.org/static/fedora.gpg") .appendTo(pre); $(p).appendTo(li); $(pre).appendTo(li); @@ -913,7 +913,7 @@ var coreos_download_app = new Vue({ $(p).html("Verify the signature is valid"); code = document.createElement('code'); pre = document.createElement('pre'); - $(code).html("gpg --verify " + getFilename(displayDownloads.signature) + " " + getFilename(displayDownloads.location)) + $(code).html("gpgv --keyring ./fedora.gpg " + getFilename(displayDownloads.signature) + " " + getFilename(displayDownloads.location)) .appendTo(pre); $(p).appendTo(li); $(pre).appendTo(li);
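Review bot: in the `generate_gpg_bundle()` hunk, switching to `gpg.export_keys(current_fingerprints, armor=False)` changes the return value from `str` to `bytes` (python-gnupg only decodes the output when armor is requested), so the caller that writes the bundle out as fedora.gpg (not in this diff) must open the file in binary mode and drop any text encoding it applied to the armored output; otherwise the keyblock is corrupted and `gpgv --keyring ./fedora.gpg` cannot read it. The rename from `armor` to `keyring` is good; update the function's docstring if it still describes the result as ASCII-armored.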
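Review bot: in the `@@ -901,7 +901,7 @@` hunk of coreos-download.js, the step heading two lines above the change, `$(p).html("Import Fedora's GPG keys")`, no longer matches the command: `curl -O https://getfedora.org/static/fedora.gpg` downloads the keyring and performs no import. Retitle the step, for example "Download Fedora's GPG keys", so the reader is not left expecting an import that never happens, and keep the wording aligned with the same step in sites/getfedora.org/site/security/index.html.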
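Review bot: in the `@@ -913,7 +913,7 @@` hunk, `gpgv --keyring ./fedora.gpg` depends on fedora.gpg having been saved to the current directory by the `curl -O` step in the previous hunk; a reader who runs only the verification step, or from a different directory, gets a missing-keyring error with no hint why. Add a short sentence to the "Verify the signature is valid" step saying that it must be run from the directory where fedora.gpg, the signature and the image were downloaded.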