OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • GPG import OPNSense pub key = no valid OpenPGP data found
« previous next »
  • Print
Pages: [1]

Author Topic: GPG import OPNSense pub key = no valid OpenPGP data found  (Read 1609 times)

Stonehenge

  • Newbie
  • *
  • Posts: 6
  • Karma: 0
    • View Profile
GPG import OPNSense pub key = no valid OpenPGP data found
« on: June 20, 2023, 01:39:18 am »
Hi,

Following instructions from OPNsense documentation Download and Verification

I checked that the OPNsense-23.1.pub file in 3 mirrors (US, FR, https://pkg.opnsense.org/releases/mirror/README) match the same value.

I then proceed to import the pub key in my GPG keyring. Using GPG v2.2.27 on Ubuntu 22.04.2
Code: [Select]
gpg --version                                                                                 
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4

gpg --import ./OPNsense-23.1.pub

# Console output:
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Not sure what is going on, this is the first time I fail to import a GPG key. Can you please help to fix?

Logged

Stonehenge

  • Newbie
  • *
  • Posts: 6
  • Karma: 0
    • View Profile
Re: GPG import OPNSense pub key = no valid OpenPGP data found
« Reply #1 on: June 20, 2023, 01:50:08 am »
Ouch, it was written in the OPNSense doc, verification must use openssl (not GPG)

Code: [Select]
openssl base64 -d -in ./OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2.sig -out ./OPN_image.sig

openssl dgst -sha256 -verify OPNsense-23.1.pub -signature ./OPN_image.sig ./OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2

# Console output
Verified OK

Quite complicate syntax compared to GPG but it's OK. I wonder why the OPNsense public key is named after the release like OPNsense-23.1.pub. Would it make more sense to give it an immutable name like OPNsense.pub ?

« Last Edit: June 20, 2023, 02:14:07 am by Stonehenge »
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17665
  • Karma: 1611
    • View Profile
Re: GPG import OPNSense pub key = no valid OpenPGP data found
« Reply #2 on: June 20, 2023, 09:07:46 am »
Because a new key is generated for each release for security reasons.


Cheers,
Franco
Logged

Stonehenge

  • Newbie
  • *
  • Posts: 6
  • Karma: 0
    • View Profile
Re: GPG import OPNSense pub key = no valid OpenPGP data found
« Reply #3 on: June 21, 2023, 11:25:04 pm »
Quote from: franco on June 20, 2023, 09:07:46 am
Because a new key is generated for each release for security reasons.

Many apt repos in Debian, Ubuntu use the same GPG public key. That key have a comfortable validity period (a few years) so we don't need to re-import often. Same principle for TLS certificates. As long as the authors of the GPG public keys keep their GPG private key safe, there should be no security issue. Anyone attempting to modify/hack that GPG public key then the `gpg --verify` will fail.

How can generating a new pubkey at each OPNsense release could be considered safer?


« Last Edit: June 22, 2023, 04:45:47 am by Stonehenge »
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17665
  • Karma: 1611
    • View Profile
Re: GPG import OPNSense pub key = no valid OpenPGP data found
« Reply #4 on: June 27, 2023, 03:07:37 pm »
Quote from: Stonehenge on June 21, 2023, 11:25:04 pm
How can generating a new pubkey at each OPNsense release could be considered safer?

Because we use plain RSA keys like SSH does. They don't have lifetimes. Are you implying SSH is unsafe?


Cheers,
Franco
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • GPG import OPNSense pub key = no valid OpenPGP data found
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2