linbit-keyring, new LINBIT Package and Repository Signing Key

Lars Ellenberg lars.ellenberg at linbit.com
Thu Nov 21 12:12:31 CET 2024 

On Fri, Oct 25, 2024 at 12:47:19PM +0200, Roland Kammerer wrote:
> Dear DRBD users,
> 
> this is meant for our customers as well as FLOSS users that use any of
> our public repos (except the Ubuntu PPA).
> 
> The short version: There is now a linbit-keyring package with our old
> key and our new key and we will start using the new one on November the
> 15th to sign repo meta data. As the keyring contains both keys you can
> install that package now and change your repo config (if necessary),
> then you don't even notice the upcoming changes.
> 
> Details are described here[1], if there are any questions, please ask.
> 
> [1] https://kb.linbit.com/linbit-keyring-software-package
> 
> Regards, rck

We now completely switched to our new signing key.
That means all new packages and all repository meta data
is now signed with the new key.
Old packages still signed with the old key will stay that way,
we will not "re-sign" old packages.

To make it easier for search engines, and users of those,
here are the finger prints and typical "error messages" that
users of linbit package repositories may see from apt/yum/dnf.

Some may mistake this for linbit "expired" gpg keys,
because the symptoms or messages may feel similar.

You can install the linbit keyring package from here:
# rpm -Uhv https://packages.linbit.com/public/linbit-keyring.rpm
or
# wget https://packages.linbit.com/public/linbit-keyring.deb
# dpkg -i ./linbit-keyring.deb

See also our KB article linked above.

The key we used since 2008:
>-----------------------------------
pub   dsa1024 2008-11-13 [SC]
      32A746AD3ACFB7EB9A188D1953B3B037282B6E23
uid           [ unknown] LINBIT Package and Repository Signing Key (2024)
uid           [ unknown] LINBIT Package and Repository Signing Key (2023)
uid           [ unknown] LINBIT Package and Repository Signing Key (2022)
uid           [ unknown] LINBIT Package and Repository Signing Key (2021)
uid           [ unknown] LINBIT Package and Repository Signing Key (2020)
uid           [ unknown] LINBIT Package and Repository Signing Key (2019)
uid           [ unknown] LINBIT Package and Repository Signing Key (2018)
uid           [ unknown] LINBIT Package and Repository Signing Key (2017)
uid           [ unknown] LINBIT Package and Repository Signing Key (2016)
uid           [ unknown] LINBIT Package and Repository Signing Key (2015)
uid           [ unknown] LINBIT Package and Repository Signing Key (2014)
uid           [ unknown] LINBIT Package and Repository Signing Key (2013)
uid           [ unknown] LINBIT Package and Repository Signing Key (2012)
uid           [ unknown] LINBIT Package and Repository Signing Key (2011)
uid           [ unknown] LINBIT Package and Repository Signing Key (2010)
uid           [ unknown] LINBIT Package and Repository Signing Key (2009)
sub   elg2048 2008-11-13 [E]
>-----------------------------------

The key we created in 2024:
>-----------------------------------
pub   rsa4096 2024-06-14 [SC]
      4E5385546726D13CB649872CFC05A31DB826FE48
uid           [ unknown] LINBIT Package and Repository Signing Key
>-----------------------------------

If you have a linbit repo file that contains a
gpgkey=https://packages.linbit.com/package-signing-pubkey.asc
gpgcheck=1
repo_gpgcheck=1

You may now be asked
>-----------------------------------
Importing GPG key 0xB826FE48:
 Userid     : "LINBIT Package and Repository Signing Key"
 Fingerprint: 4E53 8554 6726 D13C B649 872C FC05 A31D B826 FE48
 From       : https://packages.linbit.com/package-signing-pubkey.asc
Is this ok [y/N]: y
>-----------------------------------

If you instead have a repo file that says
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-linbit
gpgcheck=1
repo_gpgcheck=1
>-----------------------------------
Importing GPG key 0xB826FE48:
 Userid     : "LINBIT Package and Repository Signing Key"
 Fingerprint: 4E53 8554 6726 D13C B649 872C FC05 A31D B826 FE48
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-linbit
Is this ok [y/N]: y
>-----------------------------------

If you are on Debian based distros,
the typical error message may look like this:
>-----------------------------------
  The following signatures couldn't be verified
  because the public key is not available: NO_PUBKEY FC05A31DB826FE48
>-----------------------------------

Then double check that the (latest) linbit-keyring is installed
(see wget/dpkg -i above), and if it is installed, check that
/etc/apt/trusted.gpg.d/linbit-keyring.gpg actually contains the relevant key(s):
# gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/linbit-keyring.gpg --list-keys
and if it does not, maybe re-install the linbit-keyring,
or check if it was installed as
/etc/apt/trusted.gpg.d/linbit-keyring.gpg.dpkg-dist
for some reason, and move it in place from there,
or check for explicit / duplicate imports of the keys,
and get rid of them first.
# apt-key list 
# apt-key del 32A746AD3ACFB7EB9A188D1953B3B037282B6E23
# apt-key del 4E5385546726D13CB649872CFC05A31DB826FE48
# apt install --reinstall ./linbit-keyring.deb


    Lars

More information about the drbd-user mailing list