OPNsense Forum

English Forums => General Discussion => Topic started by: Stonehenge on June 20, 2023, 01:39:18 AM

Title: GPG import OPNSense pub key = no valid OpenPGP data found
Post by: Stonehenge on June 20, 2023, 01:39:18 AM
Hi,

Following instructions from OPNsense documentation Download and Verification (https://docs.opnsense.org/manual/install.html#download-and-verification)

I checked that the OPNsense-23.1.pub file on 3 mirrors (US, FR, https://pkg.opnsense.org/releases/mirror/README) matches the same value.

I then proceeded to import the pub key into my GPG keyring, using GPG v2.2.27 on Ubuntu 22.04.2.

gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4

gpg --import ./OPNsense-23.1.pub

# Console output:
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0


Not sure what is going on; this is the first time I have failed to import a GPG key. Can you please help me fix this?

Title: Re: GPG import OPNSense pub key = no valid OpenPGP data found
Post by: Stonehenge on June 20, 2023, 01:50:08 AM
Ouch, it was written in the OPNsense doc: verification must use openssl (not GPG).


openssl base64 -d -in ./OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2.sig -out ./OPN_image.sig

openssl dgst -sha256 -verify OPNsense-23.1.pub -signature ./OPN_image.sig ./OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2

# Console output
Verified OK


Quite complicated syntax compared to GPG, but it's OK. I wonder why the OPNsense public key is named after the release, like OPNsense-23.1.pub. Would it make more sense to give it an immutable name like OPNsense.pub?
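
The two-step check from the post above, packaged as an added example (not code from the thread or the OPNsense project): it generates a throwaway key and a constructed image so it runs offline, and shows the pass case next to the two failures a verifier must reject, a tampered image and a signature checked against a different release's key. All file names in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the OPNsense project. Wraps the
# two-command check from the docs in a function and exercises it offline
# with a constructed key and image (all file names here are placeholders).

# verify_opnsense_image PUBKEY SIG_FILE IMAGE
# Returns 0 only when openssl prints "Verified OK", 1 on a bad signature,
# 2 when the base64 .sig cannot be decoded at all.
verify_opnsense_image() {
    pub=$1; sig=$2; image=$3
    raw=$(mktemp) || return 2
    # Step 1 (docs): the shipped .sig is base64 text; restore the raw bytes.
    if ! openssl base64 -d -in "$sig" -out "$raw" 2>/dev/null; then
        rm -f "$raw"; return 2
    fi
    # Step 2 (docs): raw RSA signature over SHA-256(image), checked with the
    # release .pub. openssl dgst exits non-zero ("Verification Failure")
    # whenever the image bytes or the key do not match.
    if openssl dgst -sha256 -verify "$pub" -signature "$raw" "$image" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -f "$raw"
    return $rc
}

# demo_verify: creates a throwaway "release" key, signs a constructed image
# (raw signature, then base64-encoded into a .sig the way the post decodes
# it), and prints three results: intact image, tampered image, wrong key.
# Expected: "0 1 1".
demo_verify() {
    dir=$(mktemp -d) || return 2
    (
        cd "$dir" || exit 2
        openssl genrsa -out release.key 2048 2>/dev/null
        openssl rsa -in release.key -pubout -out OPNsense-demo.pub 2>/dev/null
        openssl genrsa -out other.key 2048 2>/dev/null   # "another release's" key
        openssl rsa -in other.key -pubout -out OPNsense-other.pub 2>/dev/null
        printf 'constructed image bytes\n' > image.bz2
        openssl dgst -sha256 -sign release.key -out raw.sig image.bz2
        openssl base64 -in raw.sig -out image.bz2.sig
        printf 'constructed image bytes, altered\n' > tampered.bz2
        verify_opnsense_image OPNsense-demo.pub image.bz2.sig image.bz2 && a=0 || a=$?
        verify_opnsense_image OPNsense-demo.pub image.bz2.sig tampered.bz2 && b=0 || b=$?
        verify_opnsense_image OPNsense-other.pub image.bz2.sig image.bz2 && c=0 || c=$?
        echo "$a $b $c"
    )
    rm -rf "$dir"
}
```

Only the exit status of `openssl dgst` should gate an install; the "Verified OK" text is for humans, and a decode error on the .sig (return 2) is as much a stop as a mismatch.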

Title: Re: GPG import OPNSense pub key = no valid OpenPGP data found
Post by: franco on June 20, 2023, 09:07:46 AM
Because a new key is generated for each release for security reasons.


Cheers,
Franco

Title: Re: GPG import OPNSense pub key = no valid OpenPGP data found
Post by: Stonehenge on June 21, 2023, 11:25:04 PM
Quote from: franco on June 20, 2023, 09:07:46 AM
Because a new key is generated for each release for security reasons.

Many apt repos in Debian and Ubuntu use the same GPG public key. That key has a comfortable validity period (a few years), so we don't need to re-import often. Same principle for TLS certificates. As long as the authors of the GPG public keys keep their GPG private key safe, there should be no security issue. If anyone attempts to modify/hack that GPG public key, then `gpg --verify` will fail.

How can generating a new pubkey at each OPNsense release be considered safer?


Title: Re: GPG import OPNSense pub key = no valid OpenPGP data found
Post by: franco on June 27, 2023, 03:07:37 PM
Quote from: Stonehenge on June 21, 2023, 11:25:04 PM
How can generating a new pubkey at each OPNsense release be considered safer?

Because we use plain RSA keys like SSH does. They don't have lifetimes. Are you implying SSH is unsafe?


Cheers,
Franco