3mdeb-secpack's People

Contributors

3mdeb-karolzmyslowski, artur-rs, arturkow2, daniilkl, janprusinowski, kewkaa, kotylamichal, krystian-hebel, m-iwanicki, macpijan, maheshtammisetti, mateuszkochner, mgabryelski1, miczyg1, mikebdp2, mixss, mkopec, philipandag, pietrushnic, plangowski, pre-commit-ci[bot], psotas, rafkoch, sergiidmytruk, stojak139808, sulewskiprzemyslaw, tomaszair, tym2k1, wiktorg351, wiktormowinski

3mdeb-secpack's Issues

[Feature Request] Sign binaries with OpenBSD's signify

To start, I think an introduction to signify would be useful:
https://flak.tedunangst.com/post/signify
https://man.openbsd.org/signify

signify is an OpenBSD utility used to create and verify cryptographic signatures. It is also available as a package in various Linux distributions, and it's easy to install/build on other platforms as well.

I have already completed the process of verifying signatures with GnuPG, and it works perfectly fine. However, since I plan to run OpenBSD on the PC Engines apu2, being able to verify the signature with signify would be an appreciated enhancement. Although signify could be used in place of GnuPG, it is much smaller and simpler, and may not suit your needs in all cases, so signing binaries with both tools would probably work best. I tested it with the v4.11.0.3 release binaries on a Mac (key generation, signing, verifying) and it works as one would expect.

I'd be happy to assist with anything I can, of course. Just let me know.
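The workflow the request describes (key generation, signing the checksum list, verifying), as an added example; this is not code from the issue author or from 3mdeb-secpack. Assumptions: file names are hypothetical, the ROM is a constructed stand-in, the checksum list is written in the BSD `SHA256 (file) = hash` form that `signify -C` parses, and `-n` skips the key passphrase for the demo only. The probe for the binary name is there because Debian-based distributions install OpenBSD's tool as `signify-openbsd` and ship an unrelated Perl program under the name `signify`.

```shell
#!/bin/sh
# Added example (not from the issue author or from 3mdeb-secpack): signify
# key generation, signing of a checksum list, and verification, including
# the two failure modes a verifier must catch: wrong key and tampered file.

find_signify() {
  # Debian/Ubuntu name OpenBSD's tool signify-openbsd; their "signify" package
  # is an unrelated Perl program, so check the usage text before trusting a name.
  for c in signify-openbsd signify; do
    if command -v "$c" >/dev/null 2>&1 &&
       "$c" </dev/null 2>&1 | grep -q -- '-p pubkey -s seckey'; then
      command -v "$c"
      return 0
    fi
  done
  return 1
}

checksum_list() {
  # Prints one BSD-style line per file; this is the form `signify -C` parses,
  # not the GNU `hash  name` form of sha256sum.
  for f in "$@"; do
    printf 'SHA256 (%s) = %s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)"
  done
}

demo_signify() {
  # Returns 0 when every expectation holds, 1 on a mismatch, 2 if signify is absent.
  SIGNIFY=$(find_signify) || { echo "signify not installed, skipping" >&2; return 2; }
  work=$(mktemp -d) && cd "$work" || return 1

  printf 'constructed stand-in for a firmware image\n' > apu4_v4.17.0.2.rom
  checksum_list apu4_v4.17.0.2.rom > apu4_v4.17.0.2.SHA256

  # A release key and an unrelated key. signify stores a random 8-byte key number
  # in both key files and in every signature, which is how it tells keys apart.
  # -n: no passphrase, acceptable for a throwaway demo key only.
  "$SIGNIFY" -G -n -c 'release 4.17 signing key (demo)' -p release.pub -s release.sec
  "$SIGNIFY" -G -n -c 'unrelated key (demo)' -p other.pub -s other.sec

  # -e embeds the checksum list in the .sig so that -C can verify list and files together
  "$SIGNIFY" -S -e -s release.sec -m apu4_v4.17.0.2.SHA256 -x apu4_v4.17.0.2.SHA256.sig

  # 1. right key, untouched file: must verify and report the ROM as OK
  "$SIGNIFY" -C -p release.pub -x apu4_v4.17.0.2.SHA256.sig || return 1
  # 2. wrong key: rejected ("checked against wrong key") before any file is read
  if "$SIGNIFY" -C -p other.pub -x apu4_v4.17.0.2.SHA256.sig 2>/dev/null; then return 1; fi
  # 3. right key, tampered ROM: the signature still verifies, the per-file checksum must not
  printf 'tampered\n' >> apu4_v4.17.0.2.rom
  if "$SIGNIFY" -C -p release.pub -x apu4_v4.17.0.2.SHA256.sig 2>/dev/null; then return 1; fi
  return 0
}
```

`signify -V -p release.pub -x apu4_v4.17.0.2.SHA256.sig -m apu4_v4.17.0.2.SHA256` verifies the list alone; `-C` additionally hashes every file named in it, so a downloader gets signature check and checksum check in one command. A project publishing sha256sum-format lists would either switch the list to the BSD form or tell users to run `-V` followed by `sha256sum -c`.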

Latest PC Engines apu4 firmware is signed with the wrong key

I tried to download the latest firmware for my PC Engines apu4 today (version 4.17.0.2) from your website here:
https://3mdeb.com/open-source-firmware/pcengines/apu4/apu4_v4.17.0.2.rom

When I attempted to verify the download, I found that the SHA256 hash matches, but I could not verify the GPG signature of the hash. Of course, I found this concerning, so I downloaded one release earlier (4.17.0.1) and everything verified perfectly with GPG on that firmware file. These two firmwares are supposed to be signed by the same key, according to your instructions in this repository, so something appears to be wrong.

$ gpg --list-sigs "3mdeb Master Key" "3mdeb Open Source Firmware Master Key" "PC Engines open-source firmware release 4.17 signing key"
pub   4096R/7BD37C54 2019-02-12
uid                  3mdeb Master Key <[email protected]>
sig 3        7BD37C54 2019-02-12  3mdeb Master Key <[email protected]>
sig          67AA9E4C 2019-02-12  [User ID not found]

pub   4096R/64CB97EC 2019-02-12
uid                  3mdeb Open Source Firmware Master Key <[email protected]>
sig 3        64CB97EC 2019-02-12  3mdeb Open Source Firmware Master Key <[email protected]>
sig          7BD37C54 2019-02-12  3mdeb Master Key <[email protected]>

pub   4096R/9535DAEF 2022-06-28 [expires: 2023-06-28]
uid                  PC Engines open-source firmware release 4.17 signing key
sig 3        9535DAEF 2022-06-28  PC Engines open-source firmware release 4.17 signing key
sig          64CB97EC 2022-06-28  3mdeb Open Source Firmware Master Key <[email protected]>
sub   4096R/1A714455 2022-06-28 [expires: 2023-06-28]
sig          9535DAEF 2022-06-28  PC Engines open-source firmware release 4.17 signing key

$ gpg --verify apu4_v4.17.0.1.SHA256.sig apu4_v4.17.0.1.SHA256
gpg: Signature made Wed 29 Jun 2022 05:00:38 AM CDT using RSA key ID 9535DAEF
gpg: Good signature from "PC Engines open-source firmware release 4.17 signing key"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EFAD 577C 9304 616D DC95  CB7F 2AB2 A20D 9535 DAEF

$ gpg --verify apu4_v4.17.0.2.SHA256.sig apu4_v4.17.0.2.SHA256
gpg: Signature made Mon 01 Aug 2022 03:58:25 AM CDT using RSA key ID AC3B2B46
gpg: Can't check signature: public key not found

$ gpg --list-packets apu4_v4.17.0.1.SHA256.sig 
:signature packet: algo 1, keyid 2AB2A20D9535DAEF
        version 4, created 1656496838, md5len 0, sigclass 0x00
        digest algo 10, begin of digest 70 50
        hashed subpkt 33 len 21 (?)
        hashed subpkt 2 len 4 (sig created 2022-06-29)
        subpkt 16 len 8 (issuer key ID 2AB2A20D9535DAEF)
        data: [4096 bits]

$ gpg --list-packets apu4_v4.17.0.2.SHA256.sig 
:signature packet: algo 1, keyid 9963C36AAC3B2B46
        version 4, created 1659344305, md5len 0, sigclass 0x00
        digest algo 10, begin of digest af 69
        hashed subpkt 33 len 21 (?)
        hashed subpkt 2 len 4 (sig created 2022-08-01)
        subpkt 16 len 8 (issuer key ID 9963C36AAC3B2B46)
        data: [4095 bits]

Given the output above, it looks like the latest firmware was signed by a different key than it was supposed to be. Luckily, a quick web search brings up a mailing list post from 2020 that shows this second key belongs to someone in your company, so I'm hopeful that this is a good sign that there is no reason to suspect any security compromise; rather, this is likely just a simple mistake.

I did not check any of the other 4.17.0.2 firmware files for other models, so I don't know if they're all affected or not.

Thanks for looking into this, and please let me know if you need any more information from me.

Outdated key for MSI Z690

The key expired a few months ago. Can its expiration date be bumped?

pub   rsa4096/0x5DC481E1F371151E 2022-05-27 [SCA] [expired: 2023-05-27]
      89B569C42BB9FCCBC3C9CFDF5DC481E1F371151E
uid                   [ expired] Dasharo release 1.x compatible with MSI MS-7D25 signing key
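Both reports above come down to the same two questions, which "Good signature" alone does not answer: which key made the signature, and is that key still valid. The script below is an added example, not code from the reporters or from 3mdeb-secpack; it reads gpg's machine-readable `--status-fd` output and pins the signature to an expected fingerprint. Assumptions: the expected fingerprint is taken from the key list in this repository, `<name>.SHA256` is in sha256sum format with `<name>.SHA256.sig` beside it, and the sample status lines in `write_samples` are constructed for the example (the fingerprints and key IDs are the ones quoted in the reports; timestamps and the expired-key scenario are made up).

```shell
#!/bin/sh
# Added example, not code from the issue reporters or from 3mdeb-secpack: pin a
# release signature to an expected key fingerprint by reading gpg's status lines
# rather than grepping "Good signature".
# Assumptions: expected fingerprint supplied by the caller from the repository's
# key list; <name>.SHA256 in sha256sum format with <name>.SHA256.sig next to it;
# the status lines in write_samples are constructed for this example.

check_status() {
  # $1: file with `gpg --status-fd 1` output; $2: expected fingerprint (spaces allowed)
  # Returns 0 valid signature by the expected key; 1 valid but by some other key;
  #         2 missing key, bad or erroring signature; 3 expired or revoked key/signature.
  want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  grep -Eq '^\[GNUPG:\] (NO_PUBKEY|ERRSIG|BADSIG) ' "$1" && return 2
  grep -Eq '^\[GNUPG:\] (EXPKEYSIG|REVKEYSIG|EXPSIG) ' "$1" && return 3
  # VALIDSIG carries the signing key's fingerprint (field 3) and the primary key's
  # (field 12). GOODSIG carries only a 64-bit key ID and a self-chosen UID string,
  # neither of which pins the key.
  awk -v want="$want" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $12 == want) { ok = 1 }
    END { exit ok ? 0 : 1 }' "$1"
}

verify_release() {
  # $1: checksum file, e.g. apu4_v4.17.0.2.SHA256; $2: expected fingerprint
  st=$(mktemp)
  gpg --batch --status-fd 1 --verify "$1.sig" "$1" >"$st" 2>/dev/null || true
  check_status "$st" "$2"; rc=$?
  rm -f "$st"
  case $rc in
    0) ;;
    1) echo "$1: signed by an unexpected key, refusing" >&2; return 1 ;;
    2) echo "$1: missing key or bad signature, refusing" >&2; return 2 ;;
    *) echo "$1: signing key expired or revoked, refusing" >&2; return 3 ;;
  esac
  # Only now do the sums mean anything: a matching hash in an unsigned list proves nothing.
  sha256sum -c "$1"
}

write_samples() {
  # Constructed status output for three cases: the 4.17.0.1 verification, the
  # 4.17.0.2 one made with a key the verifier does not have, and a signature by
  # the expired MSI MS-7D25 key. Fingerprints and key IDs are the ones quoted in
  # the reports; timestamps and the expired-key scenario are made up.
  cat > "$1" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2AB2A20D9535DAEF PC Engines open-source firmware release 4.17 signing key
[GNUPG:] VALIDSIG EFAD577C9304616DDC95CB7F2AB2A20D9535DAEF 2022-06-29 1656496838 0 4 0 1 10 00 EFAD577C9304616DDC95CB7F2AB2A20D9535DAEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
  cat > "$2" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 9963C36AAC3B2B46 1 10 00 1659344305 9 -
[GNUPG:] NO_PUBKEY 9963C36AAC3B2B46
EOF
  cat > "$3" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 5DC481E1F371151E Dasharo release 1.x compatible with MSI MS-7D25 signing key
[GNUPG:] VALIDSIG 89B569C42BB9FCCBC3C9CFDF5DC481E1F371151E 2023-09-01 1693526400 0 4 0 1 10 00 89B569C42BB9FCCBC3C9CFDF5DC481E1F371151E
[GNUPG:] KEYEXPIRED 1685145600
EOF
}

# Usage: verify_release apu4_v4.17.0.2.SHA256 'EFAD 577C 9304 616D DC95  CB7F 2AB2 A20D 9535 DAEF'
```

Pinning the fingerprint is what replaces the web-of-trust step behind the "This key is not certified with a trusted signature" warning in the report: the verifier trusts the fingerprint it obtained out of band (the key list in this repository), not the UID text. Two details of the quoted `--list-packets` output are harmless: `hashed subpkt 33 (?)` is the issuer-fingerprint subpacket, which the reporter's older gpg simply does not know how to label, and `data: [4095 bits]` versus `[4096 bits]` is the bit length of the signature value itself, not a smaller key.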
