Update release key expiry to 2027 #1046

Merged
merged 1 commit into from
May 27, 2024

@legoktm (Member) commented May 24, 2024

Status

Ready for review

Description of Changes

The release signing key's expiry has been extended 3 years, now expiring in 2027.

Fixes #1045.
Refs freedomofpress/securedrop#7162.

Testing

  • Copy the armored PGP key out of the .sources file and unindent it (and remove the . on the second line) and save it to a file, pubkey.asc.
  • Run sq inspect pubkey.asc, see output like:

            Fingerprint: 2359E6538C0613E652955E6C188EDD3B7B22E6A3
        Public-key algo: RSA
        Public-key size: 4096 bits
          Creation time: 2021-05-10 17:00:29 UTC
        Expiration time: 2027-05-24 13:19:23 UTC (creation time + 6years 13days 8h 18m 54s)
              Key flags: certification, signing

                 Subkey: 427C6B139395903BE9A252C66275A4BA4C71447A
        Public-key algo: RSA
        Public-key size: 4096 bits
          Creation time: 2021-05-10 17:00:29 UTC
        Expiration time: 2027-05-24 13:21:06 UTC (creation time + 6years 13days 8h 20m 37s)
              Key flags: transport encryption, data-at-rest encryption

                 UserID: SecureDrop Release Signing Key <[email protected]>

  • bonus: run sq toolbox packet dump pubkey.asc, see that 2 new, SHA512 signatures were added on 2024-05-24, setting the expiry to 6 years since key creation (i.e. 2027)

Can also diff the .sources file with freedomofpress/securedrop-client#2036 so verification only needs to be done once.

Deployment

Any special considerations for deployment?

This PR only supports fresh installs. No work has been done towards #953 - if we do backport this to 4.1 instances, we will handle that work then.
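
The manual extraction step from the Testing list above, scripted as an added example (not part of this PR or of the SecureDrop code base). The function names and the sample file are hypothetical, the armored body is a constructed placeholder rather than a real key, and the layout assumed is a deb822 `Signed-By:` field whose key sits on indented continuation lines with `.` standing for a blank line.

```shell
# Added example: extract the OpenPGP key embedded in a deb822 .sources file.

extract_signed_by() {
    # $1: path to the .sources file; prints the unindented armored key
    awk '
        /^Signed-By:/ {              # field starts; value may begin on this line
            infield = 1
            sub(/^Signed-By:[ \t]*/, "")
            if (length($0)) print
            next
        }
        infield && /^[ \t]/ {        # continuation line belonging to the field
            sub(/^[ \t]+/, "")       # unindent
            if ($0 == ".") print ""  # deb822 writes an empty line as "."
            else print
            next
        }
        { infield = 0 }              # any other line ends the field
    ' "$1"
}

fingerprint_matches() {
    # $1: extracted key file, $2: fingerprint obtained from a trusted source.
    # Relies on the "Fingerprint: ..." line that sq inspect prints.
    sq inspect "$1" | grep -qF "Fingerprint: $2"
}

# Constructed sample input; the key body below is a placeholder.
write_sample_sources() {
    cat > "$1" <<'EOF'
Types: deb
URIs: https://apt.example.invalid/
Suites: bookworm
Components: main
Signed-By:
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 .
 PLACEHOLDERPLACEHOLDER
 =XXXX
 -----END PGP PUBLIC KEY BLOCK-----
EOF
}

sample=$(mktemp)
write_sample_sources "$sample"
extract_signed_by "$sample"          # prints the armored block, ready for sq inspect
rm -f "$sample"
```

With sq installed, redirect the output to pubkey.asc and call `fingerprint_matches pubkey.asc` with a fingerprint taken from somewhere other than the file being checked.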

The release signing key's expiry has been extended 3 years,
now expiring in 2027.

Fixes #1045.
Refs <freedomofpress/securedrop#7162>.

@zenmonkeykstop (Contributor) left a comment

LGTM - okay to approve with the ws-ci failure as it's a libxconf flake and the changed file isn't being used in CI anyway.

@zenmonkeykstop added this pull request to the merge queue May 27, 2024
Merged via the queue into main with commit 5847dc0 May 27, 2024
6 of 7 checks passed
@legoktm deleted the signing-key-2027 branch May 28, 2024 15:25

Successfully merging this pull request may close these issues.

Update pubkey to 2027 expiry in securedrop-workstation package