GPG import OPNSense pub key = no valid OpenPGP data found

Started by Stonehenge, June 20, 2023, 01:39:18 AM

Hi,

Following instructions from OPNsense documentation Download and Verification

I checked that the OPNsense-23.1.pub file in 3 mirrors (US, FR, https://pkg.opnsense.org/releases/mirror/README) match the same value.

I then proceeded to import the pub key into my GPG keyring, using GPG v2.2.27 on Ubuntu 22.04.2.

gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4

gpg --import ./OPNsense-23.1.pub

# Console output:
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0


Not sure what is going on; this is the first time I have failed to import a GPG key. Can you please help me fix this?


June 20, 2023, 01:50:08 AM #1 Last Edit: June 20, 2023, 02:14:07 AM by Stonehenge
Ouch, it was written in the OPNsense doc: verification must use openssl (not GPG).


openssl base64 -d -in ./OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2.sig -out ./OPN_image.sig

openssl dgst -sha256 -verify OPNsense-23.1.pub -signature ./OPN_image.sig ./OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2

# Console output
Verified OK


Quite complicated syntax compared to GPG, but it's OK. I wonder why the OPNsense public key is named after the release, like OPNsense-23.1.pub. Would it make more sense to give it an immutable name like OPNsense.pub?
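The two-step openssl verification from the post above, as an added example that is neither part of this thread nor OPNsense's own tooling: it builds a constructed stand-in key pair and "image", signs it and base64-encodes the signature in the same layout as the .sig file, then runs the decode-and-verify steps and shows the failure case for a tampered image. All file, key and function names here are assumptions.

```shell
#!/bin/sh
# Constructed demo: no real OPNsense key or image is embedded here.
set -eu

# Verify FILE against a base64-encoded RSA/SHA-256 signature SIG_B64
# using public key PUB, mirroring the openssl steps in the post.
# Returns 0 only when openssl reports "Verified OK".
verify_image() {
  pub=$1; sig_b64=$2; file=$3
  raw_sig=$(mktemp)
  # Step 1: the .sig file is base64 text; decode it to the raw signature bytes
  openssl base64 -d -in "$sig_b64" -out "$raw_sig"
  # Step 2: check the RSA signature over the SHA-256 digest of the file
  if openssl dgst -sha256 -verify "$pub" -signature "$raw_sig" "$file"; then
    rm -f "$raw_sig"; return 0
  fi
  rm -f "$raw_sig"; return 1
}

# Build a stand-in release key, public key, image and .sig file in DIR so
# the flow can be exercised offline (all of this is constructed data).
make_demo() {
  dir=$1
  openssl genrsa -out "$dir/release.key" 2048 2>/dev/null
  openssl rsa -in "$dir/release.key" -pubout -out "$dir/demo.pub" 2>/dev/null
  printf 'constructed image payload\n' > "$dir/image.bz2"
  # Sign exactly the way the verify step expects: SHA-256, RSA, then base64
  openssl dgst -sha256 -sign "$dir/release.key" -out "$dir/image.raw" "$dir/image.bz2"
  openssl base64 -in "$dir/image.raw" -out "$dir/image.bz2.sig"
}

# Stand-alone run: a genuine image verifies, a tampered one does not.
demo=$(mktemp -d)
make_demo "$demo"
if verify_image "$demo/demo.pub" "$demo/image.bz2.sig" "$demo/image.bz2"; then
  echo "genuine image: signature accepted"
fi
printf 'x' >> "$demo/image.bz2"   # flip the content, keep the old signature
if verify_image "$demo/demo.pub" "$demo/image.bz2.sig" "$demo/image.bz2"; then
  echo "tampered image: unexpectedly accepted"
else
  echo "tampered image: signature rejected"
fi
rm -rf "$demo"
```

Any change to the image, the .sig file or the .pub file makes the second step fail, which is why checking the .pub across several mirrors matters before trusting a "Verified OK".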


Because a new key is generated for each release for security reasons.


Cheers,
Franco

June 21, 2023, 11:25:04 PM #3 Last Edit: June 22, 2023, 04:45:47 AM by Stonehenge
Quote from: franco on June 20, 2023, 09:07:46 AM
Because a new key is generated for each release for security reasons.

Many apt repos in Debian and Ubuntu use the same GPG public key. That key has a comfortable validity period (a few years), so we don't need to re-import it often. Same principle for TLS certificates. As long as the authors of the GPG public keys keep their GPG private key safe, there should be no security issue. If anyone attempts to modify/hack that GPG public key, then `gpg --verify` will fail.

How can generating a new pubkey at each OPNsense release be considered safer?



Quote from: Stonehenge on June 21, 2023, 11:25:04 PM
How can generating a new pubkey at each OPNsense release be considered safer?

Because we use plain RSA keys like SSH does. They don't have lifetimes. Are you implying SSH is unsafe?


Cheers,
Franco