
[Renew Key] Upcoming expiration of our current sub public key (expire on 20240512) #3468

Closed
peterzhuamazon opened this issue May 3, 2023 · 11 comments

Comments

@peterzhuamazon
Member

peterzhuamazon commented May 3, 2023

This is a reminder that the new sub public key that we extended in #2136 will expire on 20240512.

We need to take action to extend the key again before that.

Guide: #2040 (comment)

Thanks.

@peterzhuamazon
Member Author

We need to update the cert for another year now.
Since 2.14.0 will release on 05/14, which is right after the expiration.

@peterzhuamazon
Member Author

Also update this:
https://opensearch.org/verify-signatures.html

@peterzhuamazon peterzhuamazon self-assigned this May 1, 2024
@peterzhuamazon peterzhuamazon moved this from Backlog to In Progress in OpenSearch Engineering Effectiveness May 1, 2024
@peterzhuamazon
Member Author

The renewed key has been created and uploaded to the bucket, not yet switched.

@peterzhuamazon
Member Author

The key is able to verify old artifacts:

% gpg --verify opensearch-2.0.0-rc1-linux-x64.tar.gz.sig
gpg: Signature made Tue 03 May 2022 05:30:55 PM UTC using RSA key ID 542C03B4
gpg: Good signature from "OpenSearch project <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C5B7 4989 65EF D1C2 924B  A9D5 39D3 1987 9310 D3FC
     Subkey fingerprint: 2187 3199 B103 0FCD 49DA  83F8 C2EE 2AF6 542C 03B4

@peterzhuamazon
Member Author

Yum can install on a rockylinux9:

113 MB/s | 799 MB     00:07
OpenSearch 2.x                           77 kB/s | 4.2 kB     00:00
Importing GPG key 0x9310D3FC:
 Userid     : "OpenSearch project <[email protected]>"
 Fingerprint: C5B7 4989 65EF D1C2 924B A9D5 39D3 1987 9310 D3FC
 From       : <>
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction

@peterzhuamazon
Member Author

Will upload keys to all the key servers once we are live.

@peterzhuamazon
Member Author

We have switched the key on our website to the renewed one now: https://opensearch.org/verify-signatures.html#Pgp

pub   rsa4096 2021-05-11 [SC]
      C5B7498965EFD1C2924BA9D539D319879310D3FC
uid           [ unknown] OpenSearch project <[email protected]>
sub   rsa2048 2021-05-11 [S] [expires: 2025-05-12]

Thanks.

@nerijus

nerijus commented May 15, 2024

Could you please extend the key to more years? Because now every year we have to do the steps in #3124 (comment).

@flybyray

flybyray commented Aug 20, 2024

Yum can install on a rockylinux9:

113 MB/s | 799 MB     00:07
OpenSearch 2.x                           77 kB/s | 4.2 kB     00:00
Importing GPG key 0x9310D3FC:
 Userid     : "OpenSearch project <[email protected]>"
 Fingerprint: C5B7 4989 65EF D1C2 924B A9D5 39D3 1987 9310 D3FC
 From       : <>
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction

Depends on what your repo file looks like. There are still signatures out there which are not updated.

[ TEST 2024-08-20 14:49 ]
root@db:~ # curl -fsSLO https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/opensearch-2.x.repo.sig
[ TEST 2024-08-20 14:49 ]
root@db:~ # curl -fsSLO https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/opensearch-2.x.repo
[ TEST 2024-08-20 14:49 ]
root@db:~ # gpg --verify opensearch-2.x.repo.sig opensearch-2.x.repo
gpg: Signature made Sat 07 May 2022 12:57:51 AM CEST
gpg:                using RSA key C2EE2AF6542C03B4
gpg: Good signature from "OpenSearch project <[email protected]>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: C5B7 4989 65EF D1C2 924B  A9D5 39D3 1987 9310 D3FC
     Subkey fingerprint: 2187 3199 B103 0FCD 49DA  83F8 C2EE 2AF6 542C 03B4

Ignoring the sig file and continuing as documented ( https://opensearch.org/docs/latest/install-and-configure/install-opensearch/rpm/#install-opensearch-from-a-yum-repository ) will also not help.

[ TEST 2024-08-20 14:50 ]
root@db:~ # sudo curl -SL https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/opensearch-2.x.repo -o /etc/yum.repos.d/opensearch-2.x.repo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   242  100   242    0     0   2847      0 --:--:-- --:--:-- --:--:--  2847
[ TEST 2024-08-20 14:54 ]
root@db:~ # dnf update --assumeno --disablerepo=* --enablerepo=opensearch-2.x
OpenSearch 2.x                          2.4 kB/s | 498  B     00:00
OpenSearch 2.x                           91 kB/s | 4.2 kB     00:00
Importing GPG key 0x9310D3FC:
 Userid     : "OpenSearch project <[email protected]>"
 Fingerprint: C5B7 4989 65EF D1C2 924B A9D5 39D3 1987 9310 D3FC
 From       : https://artifacts.opensearch.org/publickeys/opensearch.pgp
OpenSearch 2.x                          3.5 kB/s | 498  B     00:00
Error: Failed to download metadata for repo 'opensearch-2.x': repomd.xml GPG signature verification error: Bad GPG signature

Workaround is to disable the repo gpg-check within the repo file ( repo_gpgcheck=0 ).
It might also be necessary to find the previously imported rpm key and remove it if it is the old one.
The current new key should definitely show something like this:

# rpm -qa gpg-pubkey* | \grep 9310d3fc
gpg-pubkey-9310d3fc-609af0ea
# gpg --import-options import-show --import --dry-run <(rpm -qi gpg-pubkey-9310d3fc-609af0ea)
pub   rsa4096 2021-05-11 [SC]
      C5B7498965EFD1C2924BA9D539D319879310D3FC
uid                      OpenSearch project <[email protected]>
sub   rsa2048 2021-05-11 [S] [expires: 2025-05-12]

gpg: Total number processed: 1

The older key has no subkey and will print something like this when checked with gpg --import-options import-show --import --dry-run <(rpm -qi gpg-pubkey-9310d3fc-609af0ea):

pub   rsa4096 2021-05-11 [SC]
      C5B7498965EFD1C2924BA9D539D319879310D3FC
uid                      OpenSearch project <[email protected]>

gpg: Total number processed: 1
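The thread's check is manual: run gpg --import-options import-show --import --dry-run on the imported rpm key and read the "[expires: ...]" line by eye. The script below is an added example, not OpenSearch project code, that does the same thing in a form a cron job can run: it reads GnuPG's machine-readable --with-colons listing on stdin and reports how many days remain on the signing subkey, so the yearly renewal this issue tracks can be caught before dnf starts failing with "Bad GPG signature". The sample listings are constructed for the example (laid out like --with-colons output, with the key IDs and dates quoted in this thread and placeholder values in every other field); the script assumes GnuPG 2, where the creation and expiry fields are Unix timestamps.

```shell
#!/bin/sh
# Added example, not OpenSearch project code. Reports the signing-subkey
# expiry from a GnuPG 2 "--with-colons" key listing read on stdin.
#
# Colon-format fields used on "sub" records:
#   $1  record type
#   $7  expiry as a Unix timestamp (empty = never expires)
#   $12 capabilities; "s" marks a signing subkey

# days_until_subkey_expiry <now-epoch>
# Prints the days left on the earliest-expiring signing subkey (negative once
# it has expired), "never" if no signing subkey carries an expiry, or "none"
# if the key has no signing subkey at all (what the pre-2022 key looked like).
days_until_subkey_expiry() {
    awk -F: -v now="$1" '
        $1 == "sub" && index($12, "s") {
            found = 1
            if ($7 != "") {
                d = int(($7 - now) / 86400)
                if (!have || d < min) { min = d; have = 1 }
            }
        }
        END {
            if (!found)     print "none"
            else if (!have) print "never"
            else            print min
        }'
}

# Constructed sample: the renewed key as listed in the thread (rsa4096 primary
# created 2021-05-11, rsa2048 [S] subkey expiring 2025-05-12). Timestamps:
# 1620691200 = 2021-05-11, 1747008000 = 2025-05-12, both at UTC midnight.
# Fields other than type, bits, key ID, dates and capabilities are placeholders.
sample_renewed_listing() {
    cat <<'EOF'
pub:-:4096:1:39D319879310D3FC:1620691200::::::scSC::::::23::0:
fpr:::::::::C5B7498965EFD1C2924BA9D539D319879310D3FC:
uid:-::::1620691200::0000000000000000000000000000000000000000::OpenSearch project <[email protected]>::::::::::0:
sub:-:2048:1:C2EE2AF6542C03B4:1620691200:1747008000:::::s::::::23:
fpr:::::::::21873199B1030FCD49DA83F8C2EE2AF6542C03B4:
EOF
}

# Constructed sample: the same primary key with no subkey record at all, the
# shape the thread attributes to the older imported rpm key.
sample_old_listing() {
    cat <<'EOF'
pub:-:4096:1:39D319879310D3FC:1620691200::::::scSC::::::23::0:
fpr:::::::::C5B7498965EFD1C2924BA9D539D319879310D3FC:
uid:-::::1620691200::0000000000000000000000000000000000000000::OpenSearch project <[email protected]>::::::::::0:
EOF
}

# Demo against the sample with "now" pinned to 2024-05-13 (1715472000), the
# day after the 20240512 expiry in the issue title.
sample_renewed_listing | days_until_subkey_expiry 1715472000   # prints 365
```

To run it against the key rpm actually imported on a host, ask gpg for machine-readable output from the same command the thread uses and pass the real clock: `rpm -qi gpg-pubkey-9310d3fc-609af0ea | gpg --with-colons --import-options import-show --import --dry-run | days_until_subkey_expiry "$(date +%s)"`. A result of "none" means the host still carries the old key without the signing subkey and needs the rpm -e / re-import step described above; a small or negative number means the renewal in this issue is due.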

@flybyray

way nicer
#3527 (comment)

4 participants