This article will tell you how you can verify that your system implements proper LINBIT package signing and how you can install proper package signing keys if needed.
LINBIT® provides a variety of RPM and DEB package repositories (public and customer only). Repository metadata is signed with a key that formerly was published on the LINBIT website. By today’s cryptographic standards this key became outdated. For example, Ubuntu Noble (24.04) already warns about the lack of key strength and for LINBIT customers, updating the key was always a bit painful.
LINBIT now provides a linbit-keyring package that contains all valid keys for signing LINBIT software packages. These keys are:
- The old key used so far
- A new key generated with state-of-the-art cryptographic settings
This article will tell you how you can verify that your system implements proper LINBIT package signing and how you can install proper package signing keys if needed.
Package Signing in LINBIT Public Testing and Non-Production Repositories
LINBIT has some public package repositories intended for testing and non-production use, for DEB-based systems such as Ubuntu, Proxmox VE, and Debian Linux. If you are using the LINBIT personal package archive (PPA) for Ubuntu Linux, you can stop here. The LINBIT PPA uses different signing keys and you do not need to take further action.
The other LINBIT public repositories use the same package signing keys that are used in LINBIT customer repositories. If you are on a DEB-based system other than Ubuntu and using a LINBIT public package repository, you will need to follow the instructions in the “Installing a Downloaded Keyring Package on DEB-Based Systems” section later in this article.
Package Signing in LINBIT Customer Repositories
If you use LINBIT customer package repositories, that is, you are sure that you used the linbit-manage-node.py script to register your nodes, you can verify whether or not the linbit-keyring package is already installed.
On RPM-based systems, enter:
rpm -q linbit-keyringCommand output will show something similar to the following if the package is installed:
linbit-keyring-2024.06.18-1.noarchOn DEB-based systems, enter:
dpkg -l | grep linbit-keyringCommand output will show ii linbit-keyring [...] if the package is installed.
If the package is installed you likely do not need to take any further actions. However, it is a good idea to verify that your system is using the proper signing keys. You can find verification instructions later in this article, in the “Verifying Repositories Are Signed by the Proper Keys” section.
If the linbit-keyring package is not installed on your system, you should install it, either by using a package manager command and installing the package from LINBIT customer repositories, or else install it from a manually downloaded package.
Installing LINBIT Signing Keys from a Downloaded Package
You can download the appropriate keyring package from one of these links:
Installing a Downloaded Keyring Package on RPM-Based Systems
First, if you did not install the keyring package from the repositories already, install the downloaded RPM keyring package by entering the following command:
rpm -i ./linbit-keyring.rpmNext, run this command to replace the old value of gpgkey in the LINBIT repository definition file:
sed -i 's#^[ \t]*gpgkey=.*$#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-linbit#' /etc/yum.repos.d/linbit.repo📝 NOTE: Recent versions of the LINBIT manage node Python script will generate a proper
linbit.repofile automatically. For recently registered nodes then, thissedcommand might be unnecessary but should not break anything if you run it.
Installing a Downloaded Keyring Package on DEB-Based Systems
If you did not install the keyring package from the repositories already, install the downloaded DEB keyring package by entering the following command:
# dpkg -i ./linbit-keyring.debVerifying Repositories Are Signed by the Proper Keys
Instructions in this section detail how you can verify that LINBIT repository packages are signed by the correct keys.
Verifying Key Signing on RPM-Based Systems
To verify proper key signing on RPM-based systems, enter:
cat /etc/yum.repos.d/linbit.repoOutput should show the following lines which indicate proper LINBIT key signing:
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-linbit
gpgcheck=1
If the output does not show this, you will need to confirm that the linbit-keyring package is installed on your system and then use the sed command shown earlier to change the LINBIT repository definition file to point to the proper signing key.
LINBIT RHEL Package and Repository Signing Background Information
For its RHEL repositories, LINBIT not only signs the repository metadata, but also the RPM packages themselves. That means that after a switch to the new signing key, all the metadata for all repositories will be signed by the new key. When new software is released, the new RPM packages themselves will get signed by the new key. The important thing is that old RPM packages will not be re-signed, they will still be signed by the old key. That is, existing RPM packages will be unchanged.
There is a huge archive of packages and re-signing might even break very old and outdated systems that would not even allow the new signing key. There might still be people that manually fetch such RPM packages from LINBIT archives. Signed RPM packages (not to be confused with signed repository metadata) are pretty niche. Regular users will not notice any difference. Things will just work because the linbit-keyring package contains both the old and new signing key.
Verifying Key Signing on DEB-Based Systems
To verify proper key signing on DEB-based systems, enter:
cat /etc/apt/source.list.d/linbit.listOutput should be similar to this:
deb [signed-by=/etc/apt/trusted.gpg.d/linbit-keyring.gpg] http://packages.linbit.com/YOUR_HASH/ YOUR_DISTRO drbd-9The important part in this output is the signed-by keyword.
Written by RCK, 2024-10-03.
Reviewed by MAT, 2024-10-04.