From be51da074872d958145735144ce666a91fd7b349 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 13 Feb 2014 02:55:54 -0800 Subject: updated key refresh post --- .../about-us/news/2014/repository-key-refresh.haml | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/pages/about-us/news/2014/repository-key-refresh.haml b/pages/about-us/news/2014/repository-key-refresh.haml index db624da..6032351 100644 --- a/pages/about-us/news/2014/repository-key-refresh.haml +++ b/pages/about-us/news/2014/repository-key-refresh.haml @@ -8,7 +8,7 @@ %h3 option 1 - blindly upgrade -%p You can just ignore the warnings about the packages being unauthenticated. This will upgrade your leap-keyring package, which includes the updated key. +%p You can just ignore the warnings about the packages being unauthenticated. This will upgrade your leap-keyring package, which includes the updated key. This is potentially dangerious and should be avoided. %pre apt-get update --allow-unauthenticated @@ -16,14 +16,14 @@ %h3 option 2 - re-add key without checking fingerprint -%p You can simply re-import the key to your apt keyring: +%p You can simply re-import the key to your apt keyring. This method is less dangerious, but requires you to trust the certificate authority system (which never a good idea). %pre curl https://dl.bitmask.net/apt.key | apt-key add - %h3 option 3 - update the key from keyserver -%p With this method, we update the key by pulling it from a keyserver and then importing to apt-key. We use the long key-id to ensure that we grab a key with exactly the same fingerprint (the short key-id is easily forged, but the long key id is very hard to replicate). +%p With this method, we update the key by pulling it from a keyserver and then importing to apt-key. This method is the most secure (so long as you follow all the steps and actually verify the fingerprint). %p Find the long key-id of the current LEAP archive signing key: 
@@ -36,8 +36,22 @@ pub 4096R/0x1E34A1828E207901 2013-02-06 [expired: 2014-02-06] uid LEAP archive signing key -%P Now, grab that specific key-id from a keyserver, and import it into apt-key: +%p Now, grab that specific key-id from a keyserver, and verify the fingerprint: %pre gpg --recv-key 0x1E34A1828E207901 + gpg --fingerprint 0x1E34A1828E207901 + +%p You should see this as output: + +%pre + pub 4096R/8E207901 2013-02-06 [expires: 2015-02-07] + Key fingerprint = 1E45 3B2C E87B EE2F 7DFE 9966 1E34 A182 8E20 7901 + uid LEAP archive signing key + +%p Make sure that the fingerprint in this output matches the long key-id you listed with apt-key. Without this step, it would be very easy for an attacker to feed you a bogus key. + +%p Finally, import the key into apt-key: + +%pre gpg --armor --export 0x1E34A1828E207901 | sudo apt-key add - -- cgit v1.2.3
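Review bot: In the first hunk (option 1), "dangerious" is misspelled; it should read "This is potentially dangerous and should be avoided." Since the sentence is the only justification for skipping this option, it would help to say in one clause why it is dangerous: ignoring the unauthenticated-package warning means apt installs the leap-keyring package with no signature check at all, so the very key you are trying to refresh arrives unverified.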
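Review bot: The second hunk (option 2) has the same misspelling and a missing verb: "This method is less dangerious, but requires you to trust the certificate authority system (which never a good idea)." should be "This method is less dangerous, but requires you to trust the certificate authority system (which is never a good idea)." The parenthetical also reads as an unexplained aside; it is worth stating that the `curl https://dl.bitmask.net/apt.key | apt-key add -` line trusts whichever CA issued the dl.bitmask.net certificate, which is the reason the page ranks this below option 3.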
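Review bot: In the third hunk, the verification instruction "Make sure that the fingerprint in this output matches the long key-id you listed with apt-key." describes the check imprecisely, and it is the step the whole option depends on. The long key-id is the last 16 hex digits of the full fingerprint, so the reader should be told to compare the tail of `Key fingerprint = 1E45 3B2C E87B EE2F 7DFE 9966 1E34 A182 8E20 7901` (1E34 A182 8E20 7901) against the `0x1E34A1828E207901` that apt-key listed from the already-installed, expired key; that previously trusted local key is the anchor, not the keyserver. The removed sentence about the short key-id being easily forged was the rationale for using the long id in the first place and could be kept alongside the new fingerprint step. Minor: the final command uses `sudo apt-key add -` while option 2 runs `apt-key add -` without sudo; pick one convention for the page.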