Enabling new signing key

From FedoraProject


Revision as of 23:00, 9 September 2008

The Fedora Project recently re-signed all of its packages with a new key. Background details regarding the key change are found here. This page exists to aid users in the transition to the newly signed content and further updates for Fedora 8 and Fedora 9.

What is happening?

All of the existing Fedora 8 and Fedora 9 released packages and updates are to be re-signed with new GPG keys. The newly signed content will be placed in new directories on the mirrors and new fedora-release packages will be issued to the old locations signed with the old key that reference these new locations and the new GPG keys.

Why?

Fedora treats the security and trust of its users very carefully. As such we would like to have zero doubt that the packages we offer are in fact from Fedora. Since we cannot in good faith continue to use the previously used GPG signing key, we have created new keys. The transition fedora-release packages (and PackageKit updates) are signed with the old key so that existing users can install them automatically given pre-existing trust in the old key. These should be the last packages ever signed with the old keys.

When?

The re-signing is happening in two phases. Phase 1 consists of re-signing all of the published Fedora 8 and Fedora 9 updates and testing updates, as well as the pending updates. Phase 2 consists of re-signing all the release packages for Fedora 8 and Fedora 9. Phase 1 is now complete and Phase 2 is progressing. In order to get important updates to users, we are enabling the Fedora 8 and Fedora 9 update flow now that Phase 1 is done.

How?

A page detailing the steps involved with resigning all the Fedora 8 and 9 content exists here. Efforts are being made to keep end user interaction to a bare minimum and hopefully it can be a completely seamless process to end users.

What do I have to do?

Apply the next set of updates you see available. Then apply any further updates you see, verifying and importing the new GPG key along the way as prompted by your update software. That's it.

Tip: Checking key fingerprints
Key fingerprints can be checked against https://fedoraproject.org/keys.

What if something goes wrong?

If your update software fails along the way, here are some manual steps you can take to update yourself.

Install new fedora-release

Fedora 8

  1. Download the updated and signed fedora-release package from http://kojipkgs.fedoraproject.org/packages/fedora-release/8/6.transition/data/signed/4f2a6fd2/noarch/fedora-release-8-6.transition.noarch.rpm
  2. Verify that the package sha1sum matches 9a684ad36f4c1f49df7c569d5990d00f7da2cb9c
  3. Install the package via rpm

Fedora 9

  1. Download the updated and signed fedora-release package from http://kojipkgs.fedoraproject.org/packages/fedora-release/9/5.transition/data/signed/4f2a6fd2/noarch/fedora-release-9-5.transition.noarch.rpm
  2. Verify that the package sha1sum matches 259165485c16d39904200b069873967e3eb5fa6e
  3. Install the package via rpm

Import the new key

  1. Verify and import the new GPG key (/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-8-and-9) per https://fedoraproject.org/keys.
  2. Use your update tool to get and install any new updates from the new location.
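The manual recovery steps above (download, verify the sha1sum, install via rpm, then import the new key), scripted for Fedora 8 so that rpm never sees a package whose digest did not match. This is an added example, not a script from the Fedora wiki; the URL, digest and key path are the values given on this page, and the curl/gpg/rpm invocations are assumed to be available on the system.

```shell
#!/bin/sh
# Added example (not from the Fedora Project page): manual transition for
# Fedora 8. Values below are the ones the page states; swap in the Fedora 9
# URL and digest for a Fedora 9 host.
set -eu

PKG_URL="http://kojipkgs.fedoraproject.org/packages/fedora-release/8/6.transition/data/signed/4f2a6fd2/noarch/fedora-release-8-6.transition.noarch.rpm"
PKG_SHA1="9a684ad36f4c1f49df7c569d5990d00f7da2cb9c"
NEW_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-8-and-9"

# Succeeds (exit 0) only when the file's sha1sum equals the expected digest.
verify_sha1() {
    file="$1"; expected="$2"
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Download the transition package, check its digest, install it. Any digest
# mismatch aborts before rpm is invoked; rpm still checks the old-key
# signature that the system already trusts.
install_transition_release() {
    tmp=$(mktemp)
    curl -sSf -o "$tmp" "$PKG_URL"
    if ! verify_sha1 "$tmp" "$PKG_SHA1"; then
        echo "sha1sum mismatch for $PKG_URL; not installing" >&2
        rm -f "$tmp"
        return 1
    fi
    rpm -Uvh "$tmp"
    rm -f "$tmp"
}

# Print the fingerprint of the new key so it can be compared with
# https://fedoraproject.org/keys, then import it into the rpm keyring.
import_new_key() {
    gpg --with-fingerprint "$NEW_KEY"
    rpm --import "$NEW_KEY"
}

# Network and root actions only run when invoked as: sh transition.sh run
if [ "${1:-}" = "run" ]; then
    install_transition_release
    import_new_key
fi
```

After the key is imported, run your usual update tool; it will now fetch from the new locations and verify packages against the new key.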

Questions?

As questions come up throughout the Fedora community they will be posted and answered here. The discussion tab is also available for questions or comments.

Contact

If you wish to contact those involved with this process, you can find us on IRC on the freenode network, in the #fedora-admin channel.