We want to have a full chain of trust for our debian packages. Therefore the Suse Open Build Service (OBS) service signs them. We publish the key alongside the repository.
However, one can do better and do the validation right on apt-get install arangodb. Here’s how:
First we will install pgpdump, so we can inspect our key:
|
1 2 |
apt-get install pgpdump |
We download the key and inspect it:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 |
wget http://www.arangodb.com/repositories/arangodb2/Debian_8.0/Release.key pgpdump Release.key Old: Public Key Packet(tag 6)(269 bytes) Ver 4 - new Public key creation time - Wed Nov 12 14:09:28 CET 2014 Pub alg - RSA Encrypt or Sign(pub 1) RSA n(2048 bits) - ... RSA e(17 bits) - ... Old: User ID Packet(tag 13)(76 bytes) User ID - home:fceller:version2 OBS Project <home:fceller:version2@build.opensuse.org> Old: Signature Packet(tag 2)(318 bytes) Ver 4 - new Sig type - Positive certification of a User ID and Public Key packet(0x13). Pub alg - RSA Encrypt or Sign(pub 1) Hash alg - SHA1(hash 2) Hashed Sub: signature creation time(sub 2)(4 bytes) Time - Wed Nov 12 14:09:28 CET 2014 Hashed Sub: key flags(sub 27)(1 bytes) Flag - This key may be used to certify other keys Flag - This key may be used to sign data Hashed Sub: key expiration time(sub 9)(4 bytes) Time - Fri Jan 20 14:09:28 CET 2017 Hashed Sub: preferred symmetric algorithms(sub 11)(5 bytes) Sym alg - AES with 256-bit key(sym 9) Sym alg - AES with 192-bit key(sym 8) Sym alg - AES with 128-bit key(sym 7) Sym alg - CAST5(sym 3) Sym alg - Triple-DES(sym 2) Hashed Sub: preferred hash algorithms(sub 21)(5 bytes) Hash alg - SHA256(hash 8) Hash alg - SHA1(hash 2) Hash alg - SHA384(hash 9) Hash alg - SHA512(hash 10) Hash alg - SHA224(hash 11) Hashed Sub: preferred compression algorithms(sub 22)(3 bytes) Comp alg - ZLIB <RFC1950>(comp 2) Comp alg - BZip2(comp 3) Comp alg - ZIP <RFC1951>(comp 1) Hashed Sub: features(sub 30)(1 bytes) Flag - Modification detection (packets 18 and 19) Hashed Sub: key server preferences(sub 23)(1 bytes) Flag - No-modify Sub: issuer key ID(sub 16)(8 bytes) Key ID - 0x358D849C89A14917 Hash left 2 bytes - e2 d6 RSA m^d mod n(2048 bits) - ... -> PKCS-1 Old: Signature Packet(tag 2)(70 bytes) Ver 4 - new Sig type - Positive certification of a User ID and Public Key packet(0x13). Pub alg - DSA Digital Signature Algorithm(pub 17) Hash alg - SHA1(hash 2) Hashed Sub: signature creation time(sub 2)(4 bytes) Time - Wed Nov 12 14:09:28 CET 2014 Sub: issuer key ID(sub 16)(8 bytes) Key ID - 0x3B3011B76B9D6523 Hash left 2 bytes - cc b6 DSA r(158 bits) - ... DSA s(158 bits) - ... -> hash(DSA q bits) |
The next thing to do is to cut’n’paste the key into the submit a key form over at the keyserver. We now want to search the key so we get to know its fingerprint. We search for a unique property from the dump above, home:fceller:version2 is a good choice. We put it into the string search field, and check the Show PGP Fingerprints hook:
|
1 2 3 4 5 6 7 8 9 10 11 |
Search results for 'version2 home fceller' Type bits/keyID cr. time exp time key expir pub 2048R/89A14917 2014-11-12 Fingerprint=C605 15C5 EC94 954D 9B5A 0302 358D 849C 89A1 4917 uid home:fceller:version2 OBS Project <home:fceller:version2@build.opensuse.org> sig sig3 89A14917 2014-11-12 __________ 2017-01-20 [selfsig] sig sig3 6B9D6523 2014-11-12 __________ __________ openSUSE Build Service <buildservice@opensuse.org> |
Now users can add these keys to their installation using the Fingerprint (without blanks) like this:
|
1 2 |
apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys C60515C5EC94954D9B5A0302358D849C89A14917 |
and the chain of trust for installing ArangoDB packages is closed, on apt-get install arangodb the package is going to be verified.
