
builder-v2: fetch stage fails due to incorrect public key for python-fido2 #9289

Closed
peakunshift opened this issue Jun 6, 2024 · 8 comments · Fixed by QubesOS/qubes-python-fido2#1
Labels
affects-4.2 This issue affects Qubes OS 4.2. C: builder Qubes Builder diagnosed Technical diagnosis has been performed (see issue comments). P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. pr submitted A pull request has been submitted for this issue. r4.2-vm-bookworm-stable r4.2-vm-trixie-stable

Comments

@peakunshift

Qubes OS release

v4.2

Brief summary

When using builder-v2, Fetch stage fails with this issue:

sqv --keyring /tmp/tmp.Jzo3DW0BTO/keyring /home/user/Qubes/qubes-builderv2/artifacts/tmp/tmp159fgf5n/untrusted_fido2-1.1.2.tar.gz.sig /home/user/Qubes/qubes-builderv2/artifacts/tmp/tmp159fgf5n/untrusted_fido2-1.1.2.tar.gz
Signing key on 20EE325B86A81BCBD3E56798F04367096FBA95E8 is bad:
            The primary key is not live
   because: Expired on 2020-05-01T11:07:16Z

It seems that the key used in the repo is expired (https://github.com/QubesOS/qubes-python-fido2/blob/main/debian-pkg/debian/upstream/signing-key.asc) but valid here, for example: https://keys.openpgp.org/search?q=20EE325B86A81BCBD3E56798F04367096FBA95E8.

Manually downloading the sources and verifying them locally works.
Also, replacing the current outdated key in the repo with the new one fixes the issue.

Steps to reproduce

  • Set up qubes-builder-v2 on a Fedora 40 system, using Podman to build qubes-os-r4.2
  • Run ./qb package fetch

Expected behavior

Stage completes as expected.

Actual behavior

Fails because of a bad signature.

See https://forum.qubes-os.org/t/building-qubes-trying-to-get-a-first-successful-build/26721

@peakunshift peakunshift added P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug labels Jun 6, 2024
@peakunshift
Author

Should I open a PR to simply replace the .asc file?

@marmarek
Member

marmarek commented Jun 6, 2024 via email

@peakunshift
Author

For info, here is what the new key from the server contains:

pub   rsa2048 2014-01-10 [SC] [expires: 2025-04-29]
      20EE325B86A81BCBD3E56798F04367096FBA95E8
uid           Dain Nilsson <[email protected]>
sub   rsa2048 2014-01-10 [A] [expires: 2025-04-29]
sub   rsa2048 2014-01-10 [E] [expires: 2025-04-29]

and what the current one in the repo contains:

pub   rsa2048 2013-11-29 [SC] [expired: 2020-03-05]
      0A3B0262BCA1705307D5FF06BCA00FD4B2168C0A
uid           Klas Lindfors <[email protected]>
sub   rsa2048 2013-11-29 [E] [expired: 2020-03-05]
sub   rsa2048 2013-11-29 [A] [expired: 2020-03-05]
pub   rsa4096 2015-10-05 [SC] [expired: 2020-04-12]
      B70D62AA6A31AD6B9E4F9F4BDC8888925D25CA7A
uid           Alessio Di Mauro <[email protected]>
uid           Alessio Di Mauro <[email protected]>
sub   rsa2048 2015-10-05 [S] [expired: 2020-04-12]
sub   rsa2048 2015-10-05 [E] [expired: 2020-04-12]
sub   rsa2048 2015-10-05 [A] [expired: 2020-04-12]
pub   rsa2048 2017-06-26 [SC]
      268583B64786F50F807456DA8CED3A80D41C0DCB
uid           Trevor Bentley <[email protected]>
sub   rsa2048 2017-06-26 [A]
sub   rsa2048 2017-06-26 [E]
pub   rsa4096 2017-08-03 [SC]
      57A9DEED4C6D962A923BB691816F3ED99921835E
uid           Emil Lundberg (Software Developer) <[email protected]>
sub   rsa2048 2017-08-15 [E] [revoked: 2017-10-09]
sub   rsa2048 2017-10-18 [E]
sub   rsa4096 2017-08-03 [S] [revoked: 2017-09-18]
sub   rsa4096 2017-08-03 [E] [revoked: 2017-09-18]
sub   rsa4096 2017-08-03 [A] [revoked: 2017-09-18]
sub   rsa4096 2017-08-04 [E] [revoked: 2017-10-18]
sub   rsa4096 2017-08-15 [S] [revoked: 2018-03-29]
sub   rsa4096 2017-08-15 [E] [revoked: 2017-10-09]
sub   rsa4096 2017-08-15 [A] [revoked: 2018-03-29]
sub   rsa2048 2018-03-13 [S] [revoked: 2018-03-29]
sub   rsa2048 2018-05-10 [S] [expired: 2020-05-30]
sub   rsa2048 2018-05-10 [A] [expired: 2020-05-30]
sub   rsa2048 2018-09-10 [S] [revoked: 2018-11-06]
sub   rsa2048 2018-09-10 [A] [revoked: 2018-11-06]
pub   rsa4096 2016-05-23 [SC] [expired: 2020-05-01]
      8D0B4EBA9345254BCEC0E843514F078FF4AB24C3
uid           Dag Heyman <[email protected]>
uid           Dag Heyman <[email protected]>
sub   rsa4096 2016-05-23 [S] [expired: 2020-05-01]
sub   rsa4096 2016-05-23 [E] [expired: 2020-05-01]
sub   rsa4096 2016-05-23 [A] [expired: 2020-05-01]
pub   rsa3744 2015-02-02 [SC] [expired: 2020-03-10]
      B6042E2BD1FDBC2BCA8588B2FF8D3B45B7B875A9
uid           Jean Paul Galea <[email protected]>
uid           Jean Paul Galea <[email protected]>
sub   rsa2048 2015-02-02 [S] [expired: 2020-03-10]
sub   rsa2048 2015-02-02 [E] [expired: 2020-03-10]
sub   rsa2048 2015-02-02 [A] [expired: 2020-03-10]
pub   rsa2048 2014-09-02 [SC] [expired: 2016-09-01]
      FF8AF719AE5828181B894D831CE39268A0973948
uid           Tommaso De Orchi <[email protected]>
pub   rsa2048 2014-01-10 [SC] [expired: 2020-05-01]
      20EE325B86A81BCBD3E56798F04367096FBA95E8
uid           Dain Nilsson <[email protected]>
uid           [unknown attribute of size 50]
uid           [unknown attribute of size 73]
sub   rsa2048 2014-01-10 [E] [expired: 2020-05-01]
sub   rsa2048 2014-01-10 [A] [expired: 2020-05-01]
pub   rsa4096 2018-08-15 [C] [expired: 2020-07-29]
      1D7308B0055F5AEF36944A8F27A9C24D9588EA0F
uid           Aveen Ismail <[email protected]>
sub   rsa2048 2018-08-15 [E] [expired: 2020-07-29]
sub   rsa2048 2018-08-15 [S] [expired: 2020-07-29]
sub   rsa2048 2018-08-15 [A] [expired: 2020-07-29]
sub   rsa4096 2018-08-16 [S] [expired: 2020-07-29]
sub   rsa4096 2018-08-16 [A] [expired: 2020-07-29]
pub   rsa3744 2015-04-07 [SC] [expired: 2021-12-14]
      7FBB6186957496D58C751AC20E777DD85755AA4A
uid           Konstantinos Georgantas <[email protected]>
sub   rsa2048 2015-04-07 [S] [expired: 2021-12-14]
sub   rsa2048 2015-04-07 [E] [expired: 2021-12-14]
sub   rsa2048 2015-04-07 [A] [expired: 2021-12-14]
pub   rsa4096 2019-09-17 [C] [expired: 2020-09-16]
      9E885C0302F9BB9167529C2D5CBA11E6ADC7BCD1
uid           Dennis Fokin <[email protected]>
sub   rsa2048 2019-09-17 [E] [expired: 2020-09-16]
sub   rsa2048 2019-09-17 [S] [expired: 2020-09-16]
sub   rsa4096 2019-09-17 [A] [expired: 2020-09-16]
pub   rsa4096 2018-07-02 [SC] [expired: 2020-06-24]
      355C8C0186CC96CBA49F9CD8DAA17C2953914D9D
uid           Alessandro Carlo Chirico <[email protected]>
sub   rsa2048 2018-07-02 [E] [expired: 2020-06-24]
sub   rsa2048 2018-07-02 [S] [expired: 2020-06-24]
sub   rsa2048 2018-07-02 [A] [expired: 2020-06-24]
sub   rsa4096 2018-07-02 [S] [expired: 2020-06-24]
sub   rsa4096 2018-07-02 [A] [expired: 2020-06-24]

Can this difference be a problem? It seems to work on my side.

Also, why hasn't this issue been caught by the CI? Is there a way to test that this update fixes the issue?

Thanks!

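The check below reproduces the diagnosis from this thread in code. It is an added example, not code from this issue, from sqv or from qubes-builderv2: it parses a gpg-style key listing like the two quoted above and reports whether a given fingerprint is live on a given date, following sqv's rule that an expired or revoked primary key ("The primary key is not live") rejects everything beneath it. The two listings are constructed from the keyserver copy and the repo copy of 20EE325B86A81BCBD3E56798F04367096FBA95E8 quoted in this thread, plus one hypothetical certify-only key (fingerprint ABCDABCD..., made up for the example) with no signing subkey, to exercise that branch.

```python
"""Is a signing key from a gpg-style key listing live on a given date?
Added example approximating sqv's "primary key is not live" rule;
it is not sqv, gpg or qubes-builderv2 code."""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Union

# "pub   rsa2048 2014-01-10 [SC] [expires: 2025-04-29]" and matching "sub" lines;
# the trailing status bracket is optional (a key without an expiry has none).
KEY_LINE = re.compile(
    r"^(?P<kind>pub|sub)\s+\S+\s+(?P<created>\d{4}-\d{2}-\d{2})\s+\[(?P<caps>[A-Z]+)\]"
    r"(?:\s+\[(?P<status>expires|expired|revoked):\s+(?P<when>\d{4}-\d{2}-\d{2})\])?"
)
FPR_LINE = re.compile(r"^\s+(?P<fpr>[0-9A-F]{40})\s*$")  # indented line under "pub"


@dataclass
class Key:
    caps: str                  # S sign, C certify, E encrypt, A authenticate
    created: date
    status: Optional[str]      # "expires", "expired", "revoked" or None
    when: Optional[date]
    fingerprint: str = ""
    subkeys: List["Key"] = field(default_factory=list)

    def live_on(self, day: date) -> bool:
        """Revoked: never live. Expiring: live strictly before the date. Else: live."""
        if self.status == "revoked":
            return False
        if self.status in ("expires", "expired"):
            return day < self.when
        return True


def parse_listing(text: str) -> List[Key]:
    """Parse gpg --list-keys / --show-keys style output into primary keys with subkeys.
    uid lines (including "[unknown attribute ...]") are skipped."""
    keys: List[Key] = []
    current: Optional[Key] = None   # key that a following fingerprint line belongs to
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key = Key(m["caps"], date.fromisoformat(m["created"]), m["status"],
                      date.fromisoformat(m["when"]) if m["when"] else None)
            if m["kind"] == "pub":
                keys.append(key)
            elif keys:
                keys[-1].subkeys.append(key)
            current = key
        elif (f := FPR_LINE.match(line)) and current is not None:
            current.fingerprint = f["fpr"]
    return keys


def _as_date(day: Union[str, date]) -> date:
    return date.fromisoformat(day) if isinstance(day, str) else day


def check_signer(listing: str, fingerprint: str, day: Union[str, date]) -> str:
    """Could `fingerprint` verify a signature made on `day`?  Returns "missing",
    "revoked", "expired", "no-signing-key" or "ok".  As in sqv, an expired or
    revoked primary rejects every subkey under it, so a still-valid signing
    subkey cannot rescue an expired primary."""
    day = _as_date(day)
    wanted = fingerprint.replace(" ", "").upper()
    key = next((k for k in parse_listing(listing) if k.fingerprint == wanted), None)
    if key is None:
        return "missing"
    if key.status == "revoked":
        return "revoked"
    if not key.live_on(day):
        return "expired"
    can_sign = "S" in key.caps or any(
        "S" in s.caps and s.live_on(day) for s in key.subkeys)
    return "ok" if can_sign else "no-signing-key"


def live_fingerprints(listing: str, day: Union[str, date]) -> List[str]:
    """Fingerprints of every primary key in the listing that is live on `day`."""
    day = _as_date(day)
    return sorted(k.fingerprint for k in parse_listing(listing) if k.live_on(day))


DAIN_FPR = "20EE325B86A81BCBD3E56798F04367096FBA95E8"

# Constructed sample: the key as served by keys.openpgp.org, as quoted in the thread.
KEYSERVER_LISTING = """\
pub   rsa2048 2014-01-10 [SC] [expires: 2025-04-29]
      20EE325B86A81BCBD3E56798F04367096FBA95E8
uid           Dain Nilsson <[email protected]>
sub   rsa2048 2014-01-10 [A] [expires: 2025-04-29]
sub   rsa2048 2014-01-10 [E] [expires: 2025-04-29]
"""

# Constructed sample: the stale copy from the repo's signing-key.asc as quoted in
# the thread, plus a hypothetical certify-only key (made-up fingerprint) that has
# no signing subkey at all.
REPO_LISTING = """\
pub   rsa2048 2014-01-10 [SC] [expired: 2020-05-01]
      20EE325B86A81BCBD3E56798F04367096FBA95E8
uid           Dain Nilsson <[email protected]>
uid           [unknown attribute of size 50]
uid           [unknown attribute of size 73]
sub   rsa2048 2014-01-10 [E] [expired: 2020-05-01]
sub   rsa2048 2014-01-10 [A] [expired: 2020-05-01]
pub   rsa4096 2019-01-01 [C]
      ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD
uid           Hypothetical Certify-Only Key (constructed)
sub   rsa2048 2019-01-01 [E]
"""

if __name__ == "__main__":
    build_day = "2024-06-06"   # the day the failing fetch in this issue was run
    print("keyserver copy:", check_signer(KEYSERVER_LISTING, DAIN_FPR, build_day))
    print("repo copy:     ", check_signer(REPO_LISTING, DAIN_FPR, build_day))
```

Run against the repo copy with the build date, `check_signer` returns "expired", matching the sqv error; against the keyserver copy it returns "ok". Because the verdict depends on the date, the same stale keyring reports "ok" for any date before 2020-05-01, which is why a keyring that passed in CI when it was committed can later start failing with no change to the repo.
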
@peakunshift
Author

My bad I see that there is https://github.com/QubesOS/qubes-python-fido2/blob/main/debian-pkg/debian/upstream/signing-key.sh to generate the file.

peakunshift added a commit to peakunshift/qubes-python-fido2 that referenced this issue Jun 6, 2024
@andrewdavidwong andrewdavidwong added C: builder Qubes Builder diagnosed Technical diagnosis has been performed (see issue comments). pr submitted A pull request has been submitted for this issue. affects-4.2 This issue affects Qubes OS 4.2. labels Jun 7, 2024
@qubesos-bot

Automated announcement from builder-github

The package python-fido2 has been pushed to the r4.2 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing bookworm-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The package python-fido2 has been pushed to the r4.2 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing trixie-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The package python-fido2 has been pushed to the r4.2 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The package python-fido2 has been pushed to the r4.2 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

4 participants