On Fri, Jan 08, 2021 at 03:29:01PM +0100, Petr Pisar wrote:
> On Fri, Jan 08, 2021 at 05:03:34AM -0700, Brad Bell wrote:
> > 1. Does this mean that 38.145.60.17 is the correct host address and I do not
> > have to worry about adding it to ~/.ssh/known_hosts ?
> >
> Yes.

Yep. That's the correct IP.

> > 2. If I add the contents of
> > https://admin.fedoraproject.org/ssh_known_hosts
> > starting with a new line and at the end of my ~/.ssh/known_hosts and try `fedpkg push` I get:
> >
> > cppad>fedpkg push
> > check_host_cert: certificate signature algorithm ssh-rsa: signature algorithm not supported
> > The authenticity of host 'pkgs.fedoraproject.org (38.145.60.17)' can't be established.
> > RSA key fingerprint is SHA256:Q12OTyTeOHWlS54dTzy2BNu7wB8UKNf18+7WHIDsORc.
> > Are you sure you want to continue connecting (yes/no/[fingerprint])?
> >
> It seems the certificate is signed with ssh-rsa SSH algorithm which uses SHA-1
> underneath and
>
> > 3. If I execute `dnf info openssh` I get
> >
> > Name : openssh
> > Version : 8.4p1
> > Release : 4.fc33
> >
> which is not supported by openssh-8.4p1 and Fedora 33 system-wide
> cryptopolicy.
>
> I believe Fedora infrastructure maintainers should create a new certificate
> with SHA-2 instead of SHA-1.

Well, it's sadly a bit more complex, but yes, I can re-sign the existing rsa
host key with sha-2.

We want to at some point:

* move the last few hosts using rsa host keys to ed25519 (all but pkgs
  and bastion host are already moved), but we are waiting for openssh to
  implement a host key migration step so it will be transparent to users.

* drop ssh commits entirely sometime and move to https / token.

pkgs didn't get signed with the new sha-2 key because we didn't move it
to the new ed25519 host key.

I'll try and fix it later today.

kevin
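An added example, not part of the original thread and not Fedora's tooling: the `check_host_cert` error above refers to the algorithm recorded in the certificate's signature field, which is separate from the certificate's key type, so an RSA host key can be re-signed with SHA-2 without changing the key. The sketch below reads that field from a line in `*-cert.pub` format; all function names and the sample certificate (dummy key and signature bytes) are constructed for illustration.

```python
import base64
import struct

# Fields that follow the type string in an ssh-rsa-cert-v01@openssh.com blob
# (OpenSSH PROTOCOL.certkeys). s = length-prefixed string/mpint, Q = uint64, I = uint32.
# Order: nonce, e, n, serial, type, key id, principals, valid after, valid before,
# critical options, extensions, reserved, signature key, signature.
RSA_CERT_FIELDS = "sssQIssQQsssss"
RSA_CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"

def read_string(buf, off):
    """Read one SSH string at off; return (value, offset after it)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string field")
    return buf[off + 4:end], end

def ca_signature_algorithm(cert_line):
    """Return the algorithm the CA used to sign an RSA certificate line."""
    blob = base64.b64decode(cert_line.split()[1])
    key_type, off = read_string(blob, 0)
    if key_type != RSA_CERT_TYPE:
        raise ValueError("not an RSA certificate: %r" % key_type)
    value = b""
    for kind in RSA_CERT_FIELDS:
        if kind == "s":
            value, off = read_string(blob, off)
        else:
            off += struct.calcsize(">" + kind)
    # value now holds the last field, the signature: string algorithm, string blob
    algo, _ = read_string(value, 0)
    return algo.decode("ascii")

def is_sha1_signed(cert_line):
    """True when the CA signature is "ssh-rsa", i.e. RSA with SHA-1."""
    return ca_signature_algorithm(cert_line) == "ssh-rsa"

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def make_sample_cert(sig_algo):
    """Constructed input: well-formed host certificate with dummy key/signature bytes."""
    rsa_pub = ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xaa" * 16)
    body = (ssh_string(RSA_CERT_TYPE) + ssh_string(b"\x11" * 32) + rsa_pub
            + struct.pack(">QI", 1, 2) + ssh_string(b"constructed")
            + ssh_string(ssh_string(b"host.example.org")) + struct.pack(">QQ", 0, 2**64 - 1)
            + ssh_string(b"") * 3 + ssh_string(ssh_string(b"ssh-rsa") + rsa_pub)
            + ssh_string(ssh_string(sig_algo) + ssh_string(b"\xcc" * 16)))
    return RSA_CERT_TYPE.decode() + " " + base64.b64encode(body).decode() + " constructed"
```

Both sample certificates carry the same `ssh-rsa-cert-v01@openssh.com` key type; only the inner signature algorithm differs, which is what a client restricted to SHA-2 signatures evaluates.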
_______________________________________________
packaging mailing list -- packaging@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to packaging-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/packaging@xxxxxxxxxxxxxxxxxxxxxxx