Enabling new signing key

From FedoraProject

{{Admon/note | Background and Progress Reporting | The Fedora Project recently re-signed all of its packages [[New_signing_key | with a new key]]. Background details regarding the key change and a progress report are found [https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html here].  This page exists to help users make the transition to the newly signed content, and receive further updates for Fedora 8 and Fedora 9.}}
  
== What is happening? ==
All of the existing Fedora 8 and Fedora 9 release packages and updates are being re-signed with new GPG keys. The newly signed content is placed in new directories on the mirrors, and new <code>fedora-release</code> packages, signed with the old key, are issued to the old locations; those packages point your update tools at the new locations and carry the new GPG key.
  
== Why? ==
Fedora treats the security and trust of its users very carefully, and we want Fedora users to have zero doubt that the packages they receive are in fact from Fedora.  Since we cannot in good faith continue to use the previous GPG signing key, we have created new keys.  The transition <code>fedora-release</code> packages and <code>PackageKit</code> updates are signed with the old key, so that existing users can install them automatically on the strength of their pre-existing trust in the old key.  These should be the last packages ever signed with the old keys.
  
Users will need to accept the new signing key the first time updates are downloaded.  When PackageKit asks whether to import the signing key, check the key it presents against the fingerprints published at [https://fedoraproject.org/keys https://fedoraproject.org/keys], then press 'y' to accept it.
== When? ==
The re-signing is happening in two phases.  Phase 1 consists of re-signing all of the published Fedora 8 and Fedora 9 updates and testing updates, as well as the pending updates.  Phase 2 consists of re-signing all the release packages for Fedora 8 and Fedora 9.  Phase 1 is now complete, and Phase 2 is in progress.  In order to get important updates to users, we are enabling the Fedora 8 and Fedora 9 update flow now that Phase 1 is done.
 
== How? ==
A page detailing the steps involved with re-signing all the Fedora 8 and 9 content exists [[New_signing_key | here]].  We are making every effort to keep end user interaction to a bare minimum, and hopefully it can be a completely seamless process for end users.
 
== What do I have to do? ==
Apply the next set of updates you see available.  Then apply any further updates you see, verifying and importing the new GPG key along the way as prompted by your update software.  That's it.
{{admon/tip | Checking key fingerprints | Key fingerprints can be checked against [https://fedoraproject.org/keys https://fedoraproject.org/keys].}}
 
== What if something goes wrong? ==
If your update software fails along the way, here are some manual steps you can take to update yourself.
 
=== Install new fedora-release ===
 
==== Fedora 8 ====
# Download the updated and signed [http://kojipkgs.fedoraproject.org/packages/fedora-release/8/6.transition/data/signed/4f2a6fd2/noarch/fedora-release-8-6.transition.noarch.rpm fedora-release package].
# Verify that the package sha1sum matches 9a684ad36f4c1f49df7c569d5990d00f7da2cb9c: <pre>sha1sum fedora-release-8-6.transition.noarch.rpm</pre>
# Install the package via rpm: <pre>su -c 'rpm -Uvh fedora-release-8-6.transition.noarch.rpm'</pre>
# Move on to [[#Import_the_new_key | importing the new key]].
 
==== Fedora 9 ====
# Download the updated and signed [http://kojipkgs.fedoraproject.org/packages/fedora-release/9/5.transition/data/signed/4f2a6fd2/noarch/fedora-release-9-5.transition.noarch.rpm fedora-release package].
# Verify that the package sha1sum matches 259165485c16d39904200b069873967e3eb5fa6e: <pre>sha1sum fedora-release-9-5.transition.noarch.rpm</pre>
# Install the package via rpm: <pre>su -c 'rpm -Uvh fedora-release-9-5.transition.noarch.rpm'</pre>
# Move on to [[#Import_the_new_key | importing the new key]].
 
=== Import the new key ===
# Verify and import the new GPG key to your GPG keyring as per [https://fedoraproject.org/keys https://fedoraproject.org/keys].
# Import the key into the RPM database: <pre>su -c 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-8-and-9'</pre>
# Use your update tool to get and install any new updates from the new location
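The manual steps above (checksum, install, key import) as one script.  This is an added example written for this page, not a script shipped by Fedora or by the release engineering team.  It makes two checks explicit that the numbered lists leave implicit: the transition package is signed with the old key, which is still in the RPM database, so <code>rpm -K</code> can confirm its authenticity before it is installed (the sha1sum only confirms that the plain-HTTP download is the file this page describes), and the new key's fingerprint is compared with the value taken from https://fedoraproject.org/keys before <code>rpm --import</code>.  Assumptions not stated on the page: the <code>rpm -K</code> lines follow the classic rpm 4.x format (lower-case tokens for passed checks, <code>NOT OK</code> or <code>MISSING KEYS</code> on failure, and no <code>gpg</code>/<code>pgp</code> token at all when the package is unsigned); the expected fingerprint is a parameter you copy by hand from the keys page, not a value hard-coded here; and the <code>SAMPLE_*</code> lines are constructed to that format, not captured output.

```shell
#!/bin/sh
# Manual transition with explicit verification.  Added example for this page,
# not a Fedora script.  POSIX sh, no bashisms.

# Constructed sample lines in the rpm 4.x `rpm -K` output format (assumption:
# passed checks print lower-case tokens; failures print "NOT OK"; an unsigned
# package prints no "gpg"/"pgp" token at all but still ends in "OK").
SAMPLE_OK='fedora-release-8-6.transition.noarch.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_MISSING='fedora-release-8-6.transition.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#4f2a6fd2)'
SAMPLE_BADSIG='fedora-release-8-6.transition.noarch.rpm: (SHA1) DSA SHA1 MD5 GPG NOT OK'
SAMPLE_UNSIGNED='fedora-release-8-6.transition.noarch.rpm: sha1 md5 OK'

# check_sha1 FILE EXPECTED_HEX -> 0 if the SHA-1 of FILE equals EXPECTED_HEX
# (case-insensitive).  This is the page's step 2: it proves the download is
# the file the page describes, not that Fedora produced it.
check_sha1() {
    _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    _actual=$(sha1sum "$1" | cut -d' ' -f1)      # sha1sum prints "<hex>  <name>"
    [ -n "$_actual" ] && [ "$_actual" = "$_expected" ]
}

# sig_line_ok LINE -> 0 only if one `rpm -K` line reports every check passed
# AND a signature was actually verified.  A digest-only "OK" (no signature)
# is rejected: that is the case a bare `grep OK` would wave through.
sig_line_ok() {
    case $1 in
        *"NOT OK"*|*"MISSING KEYS"*) return 1 ;;
    esac
    case $1 in
        *" gpg"*|*" pgp"*) ;;                   # lower-case = signature checked
        *) return 1 ;;
    esac
    case $1 in
        *OK) return 0 ;;
        *)  return 1 ;;
    esac
}

# rpm_sig_ok FILE -> runs `rpm -K` and parses it.  rpm -K checks against keys
# already imported into the RPM database, so for the transition package this
# verifies the OLD key's signature, which the system already trusts.
rpm_sig_ok() {
    sig_line_ok "$(rpm -K "$1" 2>&1)"
}

# key_fingerprint_ok KEYFILE EXPECTED_FPR -> 0 if the primary key in KEYFILE
# has the expected fingerprint (spaces and case ignored).  With --with-colons
# the "fpr" record carries the fingerprint in field 10.  (On gpg 2.2 or newer
# `gpg --show-keys --with-colons KEYFILE` gives the same listing.)
key_fingerprint_ok() {
    _expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    _actual=$(gpg --with-colons --with-fingerprint "$1" 2>/dev/null \
              | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$_actual" ] && [ "$_actual" = "$_expected" ]
}

# transition RPM EXPECTED_SHA1 KEYFILE EXPECTED_FPR
# The page's procedure, stopping at the first failed check.  Run as root.
# Example (fingerprint copied by hand from https://fedoraproject.org/keys):
#   transition fedora-release-8-6.transition.noarch.rpm \
#              9a684ad36f4c1f49df7c569d5990d00f7da2cb9c \
#              /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-8-and-9 "<fingerprint>"
transition() {
    check_sha1 "$1" "$2"         || { echo "sha1 mismatch: $1" >&2; return 1; }
    rpm_sig_ok "$1"              || { echo "signature not verified: $1" >&2; return 1; }
    rpm -Uvh "$1"                || return 1
    key_fingerprint_ok "$3" "$4" || { echo "fingerprint mismatch: $3" >&2; return 1; }
    rpm --import "$3"            || return 1
    yum update
}
```

The three checks need no privileges and can be run first on their own; only <code>transition</code> itself must run as root, in place of the page's separate <code>su -c</code> calls.  The unsigned case is the one worth remembering: an RPM with no signature still ends its <code>rpm -K</code> line with <code>OK</code>, so a script that only looks for <code>OK</code> would install it.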
 
=== Old key on system ===
There are still some dependencies on the old key. As soon as these are resolved, the old key and the old repository configuration will be purged from installed Fedora machines by updated <code>rpm</code> and <code>fedora-release</code> packages.
 
=== Known Issues ===
If any of the following happens, the manual steps listed above are the most reliable way through the transition.  Here is a living list of known issues that may happen during the transition:
* PackageKit may fail to import the new key.  To resolve the problem, use the manual steps above.
* PackageKit may not notify you of any new updates after installing the first set.  To resolve the problem, run Update System manually, or restart your system.
* Some mirrors may have broken dependencies when updating to content in the new repo.  This unfortunately happens from time to time, and we'll be working hard to resolve any such occurrences with further update pushes. To resolve the problem, select a subset of updates to apply, such as only the security related updates.
** If you receive an error relating to <code>yum-utils</code>, resolve the problem by excluding <code>yum</code> packages, using this command: <pre>su -c 'yum update --exclude yum --exclude yum-utils'</pre>
** You can work around this problem in general by using this command: <pre>su -c 'yum --skip-broken update'</pre>
* You may see one or both of the following warnings.  You can safely ignore these warnings.  These repositories and corresponding files on your system are ''no longer required'' for getting new updates, and can be left alone. (The \ indicates a line break.)
<pre>
warning: /etc/yum.repos.d/fedora-updates.repo created as \
/etc/yum.repos.d/fedora-updates.repo.rpmnew
</pre>
<pre>
warning: /etc/yum.repos.d/fedora.repo created as \
/etc/yum.repos.d/fedora.repo.rpmnew
</pre>
* Having the yum plugin protectbase (yum-protectbase) installed and enabled for the Fedora repos (old key) may prevent updates being available from the new key repos.  You can check if you have it installed with <code>rpm -q yum-protectbase</code>.  It may be best to disable the protectbase plugin for the old key repos by editing the .repo files in /etc/yum.repos.d and changing <code>protect=yes</code> to <code>protect=no</code>.  Alternately, check for updates without protectbase enabled:
<pre>su -c 'yum --skip-broken --disableplugin=protectbase update'</pre>
 
== Questions? ==
As questions come up throughout the Fedora community they will be posted and answered here.  The [[Talk:Enabling_new_signing_key | discussion tab]] is also available for questions or comments.

== Contact ==
If you wish to contact those involved with this process, you can find us on the freenode IRC network, in the #fedora-admin channel.

[[Category:Documentation]]

Latest revision as of 20:34, 3 October 2008
