View Issue Details

ID: 0000497
Project: Rocky-Linux-9
Category: General
View Status: public
Last Update: 2022-10-08 15:42
Reporter: T X
Assigned To: Louis Abel
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: won't fix
Summary: 0000497: Please sign Rocky 9 key with Rocky 8 key

Description:

Well, the advantage of GPG is that it moves trust away from PKI, which has been compromised in the past.

Though new, I've had the Rocky 8 key for months longer than the Rocky 9 key. But technically I cannot verify, without resetting the trust back to PKI, that the Rocky 9 key is legit.

I do think it is correct to have a new key for each release, but I think each new key should be cross-signed with the old key.

$ gpg --fingerprint --list-sigs

pub rsa4096 2021-02-14 [SCE]
      7051 C470 A929 F454 CEBE 37B7 15AF 5DAC 6D74 5A60
uid [ unknown] Release Engineering <infrastructure@rockylinux.org>
sig 3 15AF5DAC6D745A60 2021-02-14 Release Engineering <infrastructure@rockylinux.org>

pub rsa4096 2022-05-09 [SC]
      21CB 256A E16F C54C 6E65 2949 702D 426D 350D 275D
uid [ unknown] Rocky Enterprise Software Foundation - Release key 2022 <releng@rockylinux.org>
sig 3 702D426D350D275D 2022-05-09 Rocky Enterprise Software Foundation - Release key 2022 <releng@rockylinux.org>

^ No cross-signatures, only self-signed

Please, guys; it seems like the big companies we're all at the mercy of gave your organisation specifically a load of money to build Rocky.

Tags: No tags attached.
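What the report is asking for, shown end to end as an added example (this is not the reporter's code and not Rocky's release tooling): a throwaway "2021" key certifies a throwaway "2022" key, and a user who only ever trusted the 2021 key checks that certification with the same `--check-sigs` machinery as the listing above. It assumes GnuPG 2.1 or later on PATH; the key names and e-mail addresses are made up, and both keyrings live in temporary directories so the user's real ~/.gnupg is never touched.

```shell
#!/bin/sh
# Added example, not from the bug report: cross-certifying a new release key
# with the previous one, then verifying the chain as a user would.
# Key names and addresses below are made up; they are not Rocky's keys.
set -eu

# Generate a certification/signing key non-interactively in the given
# keyring and print its fingerprint. ed25519 keeps the demo fast.
gen_key() {   # gen_key <GNUPGHOME> "<User ID>"
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" ed25519 sign never 2>/dev/null
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys "=$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Returns 0 and prints a "cross-certification verified" line when the user's
# keyring holds a good certification on the new key made by the old key.
demo_cross_sign() {
    releng=$(mktemp -d)   # release engineering keyring: holds both private keys
    user=$(mktemp -d)     # end-user keyring: will trust only the old key

    old=$(gen_key "$releng" "Example Release key 2021 <releng-2021@example.invalid>")
    new=$(gen_key "$releng" "Example Release key 2022 <releng-2022@example.invalid>")

    # The step the report asks for: the old key certifies the new key's
    # user ID. This is a certification (0x10-0x13 class signature), not a
    # package signature, so it needs nothing from the RPM signing path.
    GNUPGHOME="$releng" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --default-key "$old" --quick-sign-key "$new" 2>/dev/null

    # Publish both public keys as armored files, as a mirror would.
    GNUPGHOME="$releng" gpg --batch --armor --export "$old" > "$releng/old.asc"
    GNUPGHOME="$releng" gpg --batch --armor --export "$new" > "$releng/new.asc"

    # User side: the old key was obtained long ago and is trusted (ownertrust
    # 6 = ultimate). The new key arrives over an untrusted channel.
    GNUPGHOME="$user" gpg --batch --quiet --import "$releng/old.asc" 2>/dev/null
    printf '%s:6:\n' "$old" | GNUPGHOME="$user" gpg --batch --quiet --import-ownertrust 2>/dev/null
    GNUPGHOME="$user" gpg --batch --quiet --import "$releng/new.asc" 2>/dev/null
    GNUPGHOME="$user" gpg --batch --quiet --check-trustdb 2>/dev/null

    # Look for a good ("!") sig record on the new key whose signer key ID
    # (colon field 5, the last 16 hex digits of the fingerprint) is the old key.
    # A key that is only self-signed, like both keys in the report, fails here.
    old_id=$(printf '%s' "$old" | tail -c 16)
    GNUPGHOME="$user" gpg --batch --with-colons --check-sigs "$new" 2>/dev/null \
        | awk -F: -v id="$old_id" \
            '$1 == "sig" && $2 == "!" && $5 == id { ok = 1 } END { exit !ok }'

    # Informational: validity the trust model now assigns the new key
    # (field 2 of the pub record; "f" = full when an ultimately trusted key vouches).
    validity=$(GNUPGHOME="$user" gpg --batch --with-colons --list-keys "$new" 2>/dev/null \
        | awk -F: '$1 == "pub" { print $2; exit }')

    GNUPGHOME="$releng" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$user" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$releng" "$user"

    echo "cross-certification verified: $new certified by $old_id (validity: $validity)"
}

demo_cross_sign
```

On the page's own listing, the same `--check-sigs` pass would show only the two self-signatures (`sig 3` by each key on itself), which is exactly the reporter's observation; with the certification in place, `gpg --check-sigs` on the 2022 key additionally shows a `sig!` line from the 2021 key, and a user who marked the 2021 key as trusted sees the 2022 key become fully valid without having to fetch it over any channel they trust.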

Activities

Louis Abel

2022-10-08 15:42

administrator   ~0000695

Hello. Thank you for the report.

Unfortunately, we do not fully understand the nature of this bug report. As in a previous bug report that we closed, we noted that the build systems are different and thus our key management components are also different. The legacy system has the 8 key, the new system has the 9 key, and the way they operate is radically different from one another. Cross-signing was not part of the design; the initial designs were for signing RPM packages, and that's it.

I do not believe our upstreams CentOS, Red Hat, or Fedora do any sort of cross-certification of their keys between major versions, and unfortunately, we do not see the benefit of this.

I would encourage joining one of our discussion mediums such as our forums (forums.rockylinux.org) or mattermost and starting a conversation if you'd like to engage with us and the community about your ideas/thoughts.

Issue History

Date Modified Username Field Change
2022-10-08 13:35 T X New Issue
2022-10-08 15:42 Louis Abel Assigned To => Louis Abel
2022-10-08 15:42 Louis Abel Status new => closed
2022-10-08 15:42 Louis Abel Resolution open => won't fix
2022-10-08 15:42 Louis Abel Note Added: 0000695