Installing and Verifying Package Signing Keys for LINBIT Software Packages

This article will tell you how you can verify that your system implements proper LINBIT package signing and how you can install proper package signing keys if needed.

LINBIT® provides a variety of RPM and DEB package repositories (public and customer-only). Repository metadata is signed with a key that was formerly published on the LINBIT website. By today’s cryptographic standards this key is outdated. For example, Ubuntu Noble (24.04) already warns about its lack of key strength, and for LINBIT customers, updating the key was always a bit painful.

LINBIT now provides a linbit-keyring package that contains all valid keys for signing LINBIT software packages. These keys are:

  • The old key used so far
  • A new key generated with state-of-the-art cryptographic settings

Package Signing in LINBIT Public Testing and Non-Production Repositories

LINBIT has some public package repositories intended for testing and non-production use, for DEB-based systems such as Ubuntu, Proxmox VE, and Debian Linux. If you are using the LINBIT personal package archive (PPA) for Ubuntu Linux, you can stop here. The LINBIT PPA uses different signing keys and you do not need to take further action.

The other LINBIT public repositories use the same package signing keys that are used in LINBIT customer repositories. If you are on a DEB-based system other than Ubuntu and using a LINBIT public package repository, you will need to follow the instructions in the “Installing a Downloaded Keyring Package on DEB-Based Systems” section later in this article.

Package Signing in LINBIT Customer Repositories

If you use LINBIT customer package repositories, that is, you are sure that you used the linbit-manage-node.py script to register your nodes, you can verify whether or not the linbit-keyring package is already installed.

On RPM-based systems, enter:

rpm -q linbit-keyring

Command output will show something similar to the following if the package is installed:

linbit-keyring-2024.06.18-1.noarch

On DEB-based systems, enter:

dpkg -l | grep linbit-keyring

Command output will show ii linbit-keyring [...] if the package is installed.

If the package is installed you likely do not need to take any further actions. However, it is a good idea to verify that your system is using the proper signing keys. You can find verification instructions later in this article, in the “Verifying Repositories Are Signed by the Proper Keys” section.

If the linbit-keyring package is not installed on your system, install it, either from the LINBIT customer repositories by using your package manager, or from a manually downloaded package.

Installing LINBIT Signing Keys from a Downloaded Package

You can download the appropriate keyring package from one of these links:

Installing a Downloaded Keyring Package on RPM-Based Systems

First, if you did not install the keyring package from the repositories already, install the downloaded RPM keyring package by entering the following command:

rpm -i ./linbit-keyring.rpm

Next, run this command to replace the old value of gpgkey in the LINBIT repository definition file:

sed -i 's#^[ \t]*gpgkey=.*$#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-linbit#' /etc/yum.repos.d/linbit.repo

📝 NOTE: Recent versions of the LINBIT manage node Python script generate a proper linbit.repo file automatically. For recently registered nodes, then, this sed command might be unnecessary, but it will not break anything if you run it: a gpgkey line that already points at the keyring-provided key is rewritten to the same value.

Installing a Downloaded Keyring Package on DEB-Based Systems

If you did not install the keyring package from the repositories already, install the downloaded DEB keyring package by entering the following command:

dpkg -i ./linbit-keyring.deb

Verifying Repositories Are Signed by the Proper Keys

Instructions in this section detail how you can verify that LINBIT repository packages are signed by the correct keys.

Verifying Key Signing on RPM-Based Systems

To verify proper key signing on RPM-based systems, enter:

cat /etc/yum.repos.d/linbit.repo

Output should show the following lines which indicate proper LINBIT key signing:

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-linbit
gpgcheck=1

If the output does not show this, you will need to confirm that the linbit-keyring package is installed on your system and then use the sed command shown earlier to change the LINBIT repository definition file to point to the proper signing key.

LINBIT RHEL Package and Repository Signing Background Information

For its RHEL repositories, LINBIT not only signs the repository metadata, but also the RPM packages themselves. That means that after the switch to the new signing key, the metadata for all repositories will be signed by the new key, and when new software is released, the new RPM packages themselves will be signed by the new key. The important thing is that old RPM packages will not be re-signed; they will still be signed by the old key. That is, existing RPM packages remain unchanged.

There is a huge archive of packages, and re-signing might even break very old and outdated systems that would not even accept the new signing key. There might still be people who manually fetch such RPM packages from LINBIT archives. Signed RPM packages (not to be confused with signed repository metadata) are pretty niche. Regular users will not notice any difference. Things will just work, because the linbit-keyring package contains both the old and the new signing key.

Verifying Key Signing on DEB-Based Systems

To verify proper key signing on DEB-based systems, enter:

cat /etc/apt/sources.list.d/linbit.list

Output should be similar to this:

deb [signed-by=/etc/apt/trusted.gpg.d/linbit-keyring.gpg] http://packages.linbit.com/YOUR_HASH/ YOUR_DISTRO drbd-9

The important part of this output is the signed-by option, which restricts verification of this repository to the keys in the linbit-keyring file rather than to every key in the system-wide trusted keyrings.
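The checks in this section and in the “Verifying Key Signing on RPM-Based Systems” section are easy to script. The following is an added example and not LINBIT tooling: it wraps the linbit-keyring installation check, the RPM repository definition check (gpgkey and gpgcheck), the sed fix from the “Installing a Downloaded Keyring Package on RPM-Based Systems” section, and the DEB signed-by check into small shell functions. The file paths are the ones this article names; the sample repository files are constructed in a temporary directory so the script runs offline, and the old gpgkey value and baseurl in them are placeholders, not real LINBIT URLs.

```shell
#!/bin/sh
# Added example, not LINBIT's own tooling: audit LINBIT repository definitions
# for the signing-key settings described in the article and apply the article's
# sed fix to an RPM repo file. Sample files are constructed below (placeholders).

RPM_KEY='file:///etc/pki/rpm-gpg/RPM-GPG-KEY-linbit'
DEB_KEYRING_RE='/etc/apt/trusted\.gpg\.d/linbit-keyring\.gpg'   # regex-escaped path

# keyring_installed: succeed if the linbit-keyring package is installed.
# Checks dpkg first (Debian hosts often also ship an rpm binary), then rpm;
# fails when neither package database is available.
keyring_installed() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Status}\n' linbit-keyring 2>/dev/null | grep -q 'install ok installed' && return 0
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q linbit-keyring >/dev/null 2>&1 && return 0
    fi
    return 1
}

# check_rpm_repo FILE: succeed only if the repo file has gpgcheck=1, a gpgkey
# that points at the keyring-provided key, and no gpgcheck=0 or stale gpgkey line.
check_rpm_repo() {
    grep -Eq "^[[:space:]]*gpgkey=${RPM_KEY}[[:space:]]*$" "$1" || return 1
    grep -Eq '^[[:space:]]*gpgcheck=1[[:space:]]*$' "$1" || return 1
    if grep -Eq '^[[:space:]]*gpgcheck=0' "$1"; then return 1; fi
    # any gpgkey line that is not the keyring key is a stale definition
    if grep -E '^[[:space:]]*gpgkey=' "$1" | grep -Evq "gpgkey=${RPM_KEY}[[:space:]]*$"; then
        return 1
    fi
    return 0
}

# fix_rpm_repo FILE: the article's sed command, rewriting every gpgkey= line to
# the keyring-provided key. Re-running it on a correct file changes nothing.
fix_rpm_repo() {
    sed -i 's#^[ \t]*gpgkey=.*$#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-linbit#' "$1"
}

# check_deb_list FILE: succeed only if the file has at least one deb/deb-src
# entry and every such entry carries signed-by=<keyring> inside its [options].
check_deb_list() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$1" |
        grep -Evq "\[[^]]*signed-by=${DEB_KEYRING_RE}[^]]*\]" && return 1
    grep -Eq '^[[:space:]]*deb(-src)?[[:space:]]' "$1"
}

# write_samples DIR: constructed sample files (placeholders, not real system files).
write_samples() {
    cat > "$1/linbit-old.repo" <<'EOF'
[linbit]
name=LINBIT packages (constructed sample)
baseurl=http://packages.linbit.com/YOUR_HASH/YOUR_REPO_PATH
gpgkey=https://packages.linbit.com/OLD_KEY_URL_PLACEHOLDER
gpgcheck=1
enabled=1
EOF
    cat > "$1/linbit.list" <<'EOF'
deb [signed-by=/etc/apt/trusted.gpg.d/linbit-keyring.gpg] http://packages.linbit.com/YOUR_HASH/ YOUR_DISTRO drbd-9
EOF
    cat > "$1/linbit-unsigned.list" <<'EOF'
# constructed sample without signed-by: apt would fall back to the global trusted keyrings
deb http://packages.linbit.com/YOUR_HASH/ YOUR_DISTRO drbd-9
EOF
}

# Demonstration on the constructed samples.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
write_samples "$WORK"

if keyring_installed; then echo "linbit-keyring: installed"; else echo "linbit-keyring: not installed (or no package database found)"; fi

if check_rpm_repo "$WORK/linbit-old.repo"; then
    echo "rpm repo: already points at the keyring key"
else
    echo "rpm repo: stale gpgkey, applying the article's sed fix"
    fix_rpm_repo "$WORK/linbit-old.repo"
fi
if check_rpm_repo "$WORK/linbit-old.repo"; then echo "rpm repo: OK after fix"; fi
if check_deb_list "$WORK/linbit.list"; then echo "deb list: OK (signed-by present)"; fi
if ! check_deb_list "$WORK/linbit-unsigned.list"; then echo "deb list (unsigned sample): missing signed-by"; fi
```

To audit a real host, point check_rpm_repo at /etc/yum.repos.d/linbit.repo or check_deb_list at /etc/apt/sources.list.d/linbit.list instead of the sample files, and only run fix_rpm_repo after keyring_installed succeeds, since the gpgkey path it writes only exists once the keyring package is installed.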

Written by RCK, 2024-10-03.

Reviewed by MAT, 2024-10-04.