
HEADS UP: Tarsnap debian package signing key rotation



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Tarsnap users and alphatesters,

While testing the Debian package-building process, the 2017 .deb package
signing key was accidentally copied from the build system (an airgapped
system with encrypted disk) onto the unencrypted USB stick used for
transferring files to the outside world.  While it was never published
anywhere, and the disk has since been overwritten, the key in question
should never have been written to an unencrypted disk in the first place;
so I've declared it "compromised" and generated a new 2017 .deb package
signing key.

You can see the revocation certificate for the old key, and the replacement
key, in the github tarsnap-public-keys repository:

https://raw.githubusercontent.com/Tarsnap/tarsnap-public-keys/master/keys-packaging/tarsnap-deb-packaging-key-2017-revoke.asc

https://raw.githubusercontent.com/Tarsnap/tarsnap-public-keys/master/keys-packaging/tarsnap-deb-packaging-key-2017b.asc

Since we have not yet released any non-experimental .deb packages, nothing
has been signed with the key in question (which made the decision to replace
it much easier), but anyone who installed the experimental tarsnap .deb
package after January 11th will have the tarsnap-archive-keyring_0.2 package
installed, including the now-revoked key.  (According to my server logs,
there are 21 such people.)

If you have installed tarsnap experimental .deb packages, you should update
your installed packages now in order to get tarsnap-archive-keyring_0.4,
which has the new key.

(For the morbidly curious: Two things went wrong in order to make this key
get accidentally copied to the USB stick.  First, keys were left in the
package-building script's "input" directory after the builds completed; I
keep the package-build input and output directories for future reference,
but I have now updated the script to remove the keys after a build finishes.
Second, I simply typoed a command, and copied out the build *input* instead
of the build *output*; alas, preventing wetware bugs is difficult, but I'll
try to be more careful in the future.)

Sorry about the mixup,

- -- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
-----BEGIN PGP SIGNATURE-----

iHMEARECADMWIQTq9Iu6fMd6MP78Dak4zsppDGpqbgUCWJa0iBUcY3BlcmNpdmFA
dGFyc25hcC5jb20ACgkQOM7KaQxqam73QgCbBeUa96Q+8g3XLg4gcEOoec7/QGAA
oIbqQezQHaqV89o2glN6g40Scjse
=+ri0
-----END PGP SIGNATURE-----
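
The two failures described in the message (keys left in the build input directory, and the input directory copied out instead of the output) can both be guarded against in the transfer step itself. The following is an added example, not Tarsnap's build script and not part of the original message; the function names and directory layout are hypothetical, and it assumes private keys are stored ASCII-armored.

```shell
#!/bin/sh
# Added example (not Tarsnap's build script). Paths and function names are
# hypothetical; all file contents below are constructed placeholders.

# List files under $1 containing an ASCII-armored OpenPGP or PEM private key.
# Assumption: keys are stored armored; binary keyrings would need another check.
find_private_keys() {
    grep -rlE -e '-----BEGIN [A-Z ]*PRIVATE KEY( BLOCK)?-----' -- "$1" 2>/dev/null
}

# Copy directory $1 to $2 only if it holds no private key material.
safe_export() {
    src=$1
    dst=$2
    hits=$(find_private_keys "$src" || true)
    if [ -n "$hits" ]; then
        echo "refusing to export $src, private key material found:" >&2
        echo "$hits" >&2
        return 1
    fi
    mkdir -p "$dst" && cp -R "$src"/. "$dst"/
}

# Delete private key files from build directory $1 once the build has finished.
scrub_keys() {
    find_private_keys "$1" | while IFS= read -r f; do
        rm -f -- "$f"
    done
}

# Demo on a constructed build tree.
demo=$(mktemp -d)
mkdir -p "$demo/input" "$demo/output"
printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' '(constructed, not a key)' \
    > "$demo/input/signing-key.asc"
echo 'constructed package payload' > "$demo/output/example.deb"

safe_export "$demo/input" "$demo/usb" || echo "input directory blocked"
safe_export "$demo/output" "$demo/usb" && echo "output directory exported"
scrub_keys "$demo/input"
safe_export "$demo/input" "$demo/usb-input" && echo "input clean after scrub"
rm -rf "$demo"
```

Running the export through a check like this means a mistyped source directory fails closed instead of writing key material to the transfer medium.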