This article will tell you how you can verify that your system implements proper LINBIT package signing and how you can install proper package signing keys if needed.
LINBIT® provides a variety of RPM and DEB package repositories (public and customer only). Repository metadata is signed with a key that was formerly published on the LINBIT website. By today’s cryptographic standards, this key is outdated. For example, Ubuntu Noble (24.04) already warns about the lack of key strength, and for LINBIT customers, updating the key was always a bit painful.
LINBIT now provides a linbit-keyring package that contains all valid keys for signing LINBIT software packages. These keys are:
- The old key used so far
- A new key generated with state-of-the-art cryptographic settings
The fingerprint of the new package signing key is:
4E53 8554 6726 D13C B649 872C FC05 A31D B826 FE48
Package signing in LINBIT public testing and non-production repositories
LINBIT has some public package repositories intended for testing and non-production use, for DEB-based systems such as Ubuntu, Proxmox VE, and Debian Linux. If you are using the LINBIT personal package archive (PPA) for Ubuntu Linux, you can stop here. The LINBIT PPA uses different signing keys and you do not need to take further action.
The other LINBIT public repositories use the same package signing keys that are used in LINBIT customer repositories. If you are on a DEB-based system other than Ubuntu and using a LINBIT public package repository, you will need to follow the instructions in the “Installing a Downloaded Keyring Package on DEB-Based Systems” section later in this article.
Package signing in LINBIT customer repositories
If you use LINBIT customer package repositories, that is, you are sure that you used the linbit-manage-node.py script to register your nodes, you can verify whether or not the linbit-keyring package is already installed.
On RPM-based systems, enter:
rpm -q linbit-keyring
Command output will show something similar to the following if the package is installed:
linbit-keyring-2024.06.18-1.noarch
On DEB-based systems, enter:
dpkg -l | grep linbit-keyring
Command output will show ii linbit-keyring [...] if the package is installed.
If the package is installed you likely do not need to take any further actions. However, it is a good idea to verify that your system is using the proper signing keys. You can find verification instructions later in this article, in the “Verifying Repositories Are Signed by the Proper Keys” section.
Installing the LINBIT keyring package
If the linbit-keyring package is not installed on your system, you should install it, either by using a package manager command to install the package from LINBIT customer repositories, or by installing it from a manually downloaded package.
Installing LINBIT signing keys from a downloaded package
❗ IMPORTANT: On DEB-based systems, before installing the linbit-keyring package, remove existing keys that installing the package might otherwise duplicate:
apt-key del 32A746AD3ACFB7EB9A188D1953B3B037282B6E23
apt-key del 4E5385546726D13CB649872CFC05A31DB826FE48
You can download the appropriate keyring package from one of these links:
Installing a downloaded keyring package on RPM-based systems
First, if you did not install the keyring package from the repositories already, install the downloaded RPM keyring package by entering the following command:
rpm -i ./linbit-keyring.rpm
Next, run this command to replace the old value of gpgkey in the LINBIT repository definition file:
sed -i 's#^[ ]*gpgkey=.*$#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-linbit#' /etc/yum.repos.d/linbit.repo
📝 NOTE: Recent versions of the LINBIT manage node Python script will generate a proper linbit.repo file automatically. For recently registered nodes, then, this sed command might be unnecessary, but it should not break anything if you run it.
Installing a downloaded keyring package on DEB-based systems
If you did not install the keyring package from the repositories already, install the downloaded DEB keyring package by entering the following command:
dpkg -i ./linbit-keyring.deb
Verifying repositories are signed by the proper keys
Instructions in this section detail how you can verify that LINBIT repository packages are signed by the correct keys.
Verifying key signing on RPM-based systems
To verify proper key signing on RPM-based systems, enter:
cat /etc/yum.repos.d/linbit.repo
Output should show the following lines which indicate proper LINBIT key signing:
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-linbit
gpgcheck=1
If the output does not show this, confirm that the linbit-keyring package is installed on your system and then use the sed command shown earlier to change the LINBIT repository definition file so that it points to the proper signing key.
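As an added example (not from the LINBIT article), the sed step and the gpgkey/gpgcheck check above can be scripted and tried on a copy of the repository file before touching the real one. The key path and the sed expression are the article's own; the function names, the optional file-path parameter and the constructed linbit.repo contents are assumptions. GNU sed (as on Linux) is assumed for sed -i.

```shell
#!/bin/sh
# Added example, not from the LINBIT article. Function names, the optional
# file-path parameter and the sample repo contents are assumptions; the key path
# and the sed expression are taken from the article. Assumes GNU sed (Linux).

LINBIT_GPGKEY='file:///etc/pki/rpm-gpg/RPM-GPG-KEY-linbit'

# Rewrite every gpgkey= line in REPO (default: the LINBIT repo file) so that it
# points at the key installed by the linbit-keyring package.
fix_linbit_repo_gpgkey() {
    repo="${1:-/etc/yum.repos.d/linbit.repo}"
    sed -i 's#^[ ]*gpgkey=.*$#gpgkey='"$LINBIT_GPGKEY"'#' "$repo"
}

# Return 0 only if REPO names the linbit-keyring key AND has gpgcheck=1.
# Both matter: a correct gpgkey with gpgcheck=0 means dnf/yum verifies nothing.
linbit_repo_ok() {
    repo="${1:-/etc/yum.repos.d/linbit.repo}"
    [ -r "$repo" ] || return 1
    grep -q "^[[:space:]]*gpgkey=${LINBIT_GPGKEY}[[:space:]]*\$" "$repo" || return 1
    grep -q '^[[:space:]]*gpgcheck=1[[:space:]]*$' "$repo" || return 1
}

# Dry run on a constructed repo file (not a real LINBIT file): it starts with an
# old URL-based gpgkey, fails the check, and passes after the fix.
demo_fix_and_verify() {
    tmp="$(mktemp -d)"
    repo="$tmp/linbit.repo"
    cat > "$repo" <<'EOF'
[drbd-9]
name=LINBIT DRBD 9 (constructed example)
baseurl=https://packages.linbit.com/YOUR_HASH/
gpgkey=https://example.invalid/old-package-signing-key.asc
gpgcheck=1
enabled=1
EOF
    before=1; linbit_repo_ok "$repo" && before=0
    fix_linbit_repo_gpgkey "$repo"
    after=1;  linbit_repo_ok "$repo" && after=0
    rm -rf "$tmp"
    echo "before=$before after=$after"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

demo_fix_and_verify
```

Run without arguments the functions default to /etc/yum.repos.d/linbit.repo; pass a path to check or fix a copy first. The check deliberately requires gpgcheck=1 in addition to the key path, since the key line alone does not make dnf or yum verify anything.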
LINBIT RHEL package and repository signing background information
For its RHEL repositories, LINBIT not only signs the repository metadata, but also the RPM packages themselves. After the switch to the new signing key, the metadata for all repositories will be signed by the new key, and newly released RPM packages will be signed by the new key as well. The important point is that old RPM packages will not be re-signed: they remain signed by the old key, so existing RPM packages are unchanged.
There is a huge archive of packages, and re-signing might even break very old and outdated systems that would not accept the new signing key. There might still be people who manually fetch such RPM packages from LINBIT archives. Signed RPM packages (not to be confused with signed repository metadata) are pretty niche, and regular users will not notice any difference. Things will just work, because the linbit-keyring package contains both the old and the new signing key.
Verifying key signing on DEB-based systems
To verify proper key signing on DEB-based systems, enter:
cat /etc/apt/sources.list.d/linbit.list
Output should be similar to this:
deb [signed-by=/etc/apt/trusted.gpg.d/linbit-keyring.gpg] http://packages.linbit.com/YOUR_HASH/ YOUR_DISTRO drbd-9
The important part in this output is the signed-by keyword.
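As an added example (not from the LINBIT article), the signed-by check above and the fingerprint given at the top of the article can be verified with a short script: one function confirms every active deb line in the list file is pinned to the LINBIT keyring, and another reads the installed keyring with gpg and looks for the new key's fingerprint in gpg's colon output. The keyring path, list-file path and fingerprint are the article's; the function names, the optional path parameters and the constructed sample colon output are assumptions.

```shell
#!/bin/sh
# Added example, not from the LINBIT article. The keyring path, the list-file
# path and the fingerprint are the article's; the function names, the optional
# path parameters and the constructed sample data are assumptions. gpg is needed
# only by installed_keyring_has_new_key; the parsing functions run offline.

LINBIT_KEYRING='/etc/apt/trusted.gpg.d/linbit-keyring.gpg'
LINBIT_NEW_FPR='4E53 8554 6726 D13C B649 872C FC05 A31D B826 FE48'

# Normalise a fingerprint for comparison: strip whitespace, upper-case.
norm_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Return 0 if every active deb/deb-src line in LIST carries
# signed-by=<LINBIT keyring>. Without signed-by, apt would accept the
# repository's metadata if it were signed by any key in /etc/apt/trusted.gpg.d.
linbit_list_ok() {
    list="${1:-/etc/apt/sources.list.d/linbit.list}"
    [ -r "$list" ] || return 1
    lines="$(grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$list")" || return 1
    if printf '%s\n' "$lines" | grep -qvF "signed-by=${LINBIT_KEYRING}"; then
        return 1   # at least one active line is not pinned to the keyring
    fi
    return 0
}

# Given GnuPG colon-format output, return 0 if FPR is one of the listed
# fingerprints. Field 10 of an "fpr:" record holds the fingerprint.
keyring_has_fpr() {
    want="$(norm_fpr "$2")"
    printf '%s\n' "$1" | awk -F: -v want="$want" \
        '$1 == "fpr" && toupper($10) == want { found = 1 } END { exit !found }'
}

# Read the installed keyring with gpg and check that the new key is present.
installed_keyring_has_new_key() {
    keyring="${1:-$LINBIT_KEYRING}"
    out="$(gpg --batch --with-colons --with-fingerprint --show-keys "$keyring" 2>/dev/null)" || return 1
    keyring_has_fpr "$out" "$LINBIT_NEW_FPR"
}

# Constructed colon output for the offline demo (the shape gpg prints for a
# keyring holding the new key; pub fields other than the key ID are placeholders).
SAMPLE_COLONS='pub:-:0:0:FC05A31DB826FE48:::::::::::::::0:
fpr:::::::::4E5385546726D13CB649872CFC05A31DB826FE48:'

demo() {
    keyring_has_fpr "$SAMPLE_COLONS" "$LINBIT_NEW_FPR" && echo "new key present in sample keyring"
    # On a real system: installed_keyring_has_new_key && linbit_list_ok && echo ok
}
demo
```

The colon format is used rather than the human-readable gpg listing because its field layout is stable across gpg versions and locales, which keeps the check scriptable.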
Written by RCK, 2024-10-07-03.
Reviewed by MAT, 2024-10-04.
Updated by MAT, 2024-11-21.