Public Key Infrastructure: Setup Guide for Debian & Ubuntu

We want a full chain of trust for our Debian packages. Therefore the SUSE Open Build Service (OBS) signs them. We publish the key alongside the repository.

However, one can do better and have the validation happen right on apt-get install arangodb. Here’s how:

First we will install pgpdump, so we can inspect our key:

apt-get install pgpdump

We download the key and inspect it:

wget http://www.arangodb.com/repositories/arangodb2/Debian_8.0/Release.key
pgpdump Release.key 
Old: Public Key Packet(tag 6)(269 bytes)
        Ver 4 - new
        Public key creation time - Wed Nov 12 14:09:28 CET 2014
        Pub alg - RSA Encrypt or Sign(pub 1)
        RSA n(2048 bits) - ...
        RSA e(17 bits) - ...
Old: User ID Packet(tag 13)(76 bytes)
        User ID - home:fceller:version2 OBS Project <home:fceller:version2@build.opensuse.org>
Old: Signature Packet(tag 2)(318 bytes)
        Ver 4 - new
        Sig type - Positive certification of a User ID and Public Key packet(0x13).
        Pub alg - RSA Encrypt or Sign(pub 1)
        Hash alg - SHA1(hash 2)
        Hashed Sub: signature creation time(sub 2)(4 bytes)
                Time - Wed Nov 12 14:09:28 CET 2014
        Hashed Sub: key flags(sub 27)(1 bytes)
                Flag - This key may be used to certify other keys
                Flag - This key may be used to sign data
        Hashed Sub: key expiration time(sub 9)(4 bytes)
                Time - Fri Jan 20 14:09:28 CET 2017
        Hashed Sub: preferred symmetric algorithms(sub 11)(5 bytes)
                Sym alg - AES with 256-bit key(sym 9)
                Sym alg - AES with 192-bit key(sym 8)
                Sym alg - AES with 128-bit key(sym 7)
                Sym alg - CAST5(sym 3)
                Sym alg - Triple-DES(sym 2)
        Hashed Sub: preferred hash algorithms(sub 21)(5 bytes)
                Hash alg - SHA256(hash 8)
                Hash alg - SHA1(hash 2)
                Hash alg - SHA384(hash 9)
                Hash alg - SHA512(hash 10)
                Hash alg - SHA224(hash 11)
        Hashed Sub: preferred compression algorithms(sub 22)(3 bytes)
                Comp alg - ZLIB <RFC1950>(comp 2)
                Comp alg - BZip2(comp 3)
                Comp alg - ZIP <RFC1951>(comp 1)
        Hashed Sub: features(sub 30)(1 bytes)
                Flag - Modification detection (packets 18 and 19)
        Hashed Sub: key server preferences(sub 23)(1 bytes)
                Flag - No-modify
        Sub: issuer key ID(sub 16)(8 bytes)
                Key ID - 0x358D849C89A14917
        Hash left 2 bytes - e2 d6 
        RSA m^d mod n(2048 bits) - ...
                -> PKCS-1
Old: Signature Packet(tag 2)(70 bytes)
        Ver 4 - new
        Sig type - Positive certification of a User ID and Public Key packet(0x13).
        Pub alg - DSA Digital Signature Algorithm(pub 17)
        Hash alg - SHA1(hash 2)
        Hashed Sub: signature creation time(sub 2)(4 bytes)
                Time - Wed Nov 12 14:09:28 CET 2014
        Sub: issuer key ID(sub 16)(8 bytes)
                Key ID - 0x3B3011B76B9D6523
        Hash left 2 bytes - cc b6 
        DSA r(158 bits) - ...
        DSA s(158 bits) - ...
                -> hash(DSA q bits)

The next thing to do is to cut’n’paste the key into the "Submit a key" form over at the keyserver. We then search for the key to learn its fingerprint. We search for a unique property from the dump above; home:fceller:version2 is a good choice. We put it into the string search field and tick the "Show PGP Fingerprints" checkbox:

Search results for 'version2 home fceller'

Type bits/keyID     cr. time   exp time   key expir

pub  2048R/89A14917 2014-11-12            
     Fingerprint=C605 15C5 EC94 954D 9B5A  0302 358D 849C 89A1 4917 

uid home:fceller:version2 OBS Project <home:fceller:version2@build.opensuse.org>
sig  sig3  89A14917 2014-11-12 __________ 2017-01-20 [selfsig]
sig  sig3  6B9D6523 2014-11-12 __________ __________ openSUSE Build Service <buildservice@opensuse.org>

Now users can add this key to their installation using the fingerprint (without blanks) like this:

apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys C60515C5EC94954D9B5A0302358D849C89A14917

With that, the chain of trust for installing ArangoDB packages is closed: on apt-get install arangodb, the package is verified.
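The fingerprint the keyserver displays can also be recomputed locally from the key file. The following Python code is an added example, not part of the original post or of ArangoDB's tooling: it derives the version 4 fingerprint and 64-bit key ID from the first public key packet and compares them with a pinned fingerprint. It assumes binary (dearmored) key data, for instance the output of gpg --dearmor; the helper names are hypothetical and the sample key is constructed, not the real Release.key.

```python
import hashlib
import struct

# Values printed on the page (keyserver search result and pgpdump output).
PAGE_FINGERPRINT = "C605 15C5 EC94 954D 9B5A  0302 358D 849C 89A1 4917"
PAGE_KEY_ID = "358D849C89A14917"

# Constructed sample, NOT the ArangoDB key: a v4 RSA public key body with a
# toy 16-bit modulus, wrapped in an old-format tag 6 header (0x99 + 2-octet length).
SAMPLE_BODY = (b"\x04" + struct.pack(">I", 1415797768) + b"\x01"
               + b"\x00\x10\xc5\xa7" + b"\x00\x11\x01\x00\x01")
SAMPLE_KEY = b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY

def normalize(fpr):
    """Strip blanks and an optional 0x prefix; upper-case the hex digits."""
    fpr = "".join(fpr.split()).upper()
    return fpr[2:] if fpr.startswith("0X") else fpr

def first_packet(data):
    """Return (tag, body) of the first old-format packet in binary key data."""
    if not data or data[0] & 0xC0 != 0x80:
        raise ValueError("not an old-format OpenPGP packet")
    tag, ltype = (data[0] >> 2) & 0x0F, data[0] & 0x03
    if ltype == 3:
        raise ValueError("indeterminate-length packets are not handled")
    nlen = 1 << ltype                      # 1, 2 or 4 length octets
    length = int.from_bytes(data[1:1 + nlen], "big")
    body = data[1 + nlen:1 + nlen + length]
    if len(data) < 1 + nlen or len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def v4_fingerprint(body):
    """RFC 4880, 12.2: SHA-1 over 0x99, 2-octet body length, key packet body."""
    if not body or body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_id(fpr):
    """The 64-bit key ID of a v4 key is the low 64 bits of its fingerprint."""
    return normalize(fpr)[-16:]

def key_matches(data, pinned_fpr):
    """True only if the first packet is a public key whose fingerprint equals the pin."""
    tag, body = first_packet(data)
    if tag != 6:
        raise ValueError("first packet is not a public key packet (tag 6)")
    return v4_fingerprint(body) == normalize(pinned_fpr)
```

Applied to the page's own values, key_id(PAGE_FINGERPRINT) yields the issuer key ID from the self-signature in the pgpdump output, which is why the dump and the keyserver result can be cross-checked against each other.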

Willi Goesgens

Willi is part of the ArangoDB Core team. He primarily works on performance tuning, the release process of ArangoDB and helping the community with his broad experience.
