@@ -81,6 +81,78 @@ machines: coccia fasolo respighi seger suchon usper
Also, to seperate code and actual runtime, the code is deployed (and
owned by) the seperate user dak-code

+General
+~~~~~~~
+
+Rotating Secure Boot Keys
+-------------------------
+
+Four keys are used: dak signs a JSON file used by the signing service
+(one key for main archive and security archive), the code-signing
+service signs files trusted by Debian's Secure Boot CA and uploads
+using a key trusted by dak.
+
+To rotate keys used by dak:
+
+- Generate new key::
+
+ export GNUPGHOME=${base}/s4kr1t/dot-gnupg
+ gpg --list-secret-keys
+ gpg --homedir --full-generate-key
+ gpg --keyring /srv/keyring.debian.org/keyrings/debian-keyring.gpg \
+ --local-user ${OLD_FINGERPRINT} --edit-key ${NEW_FINGERPRINT}
+ gpg -a --export ${NEW_FINGERPRINT}
+
+ When editing key, run `sign` command and `addrevoker` to add current
+ FTP masters as designated revokers.
+
+- Tell dak to use new key. Edit dak.conf, update fingerprint used in
+ `ExportSigningKeys`.
+
+- Tell code-signing to use new key (in `code-signing` project)::
+
+ gpg --no-default-keyring --keyring etc/external-signature-requests.kbx \
+ --import
+
+To rotate Secure Boot key (in `code-signing` project):
+
+- Get new key installed in YubiKey and `etc/debian-prod-cert.pem`
+
+- Update `trusted_keys` in `etc/debian-prod.yaml` using::
+
+ openssl x509 -in etc/debian-prod-cert.pem -noout -text
+ openssl x509 -in etc/debian-prod-cert.pem -outform der | openssl dgst -sha256
+
+- Update certificate comman name in `etc/debian-prod.yaml`; there are
+ two occurances in the `efi` group: `token` and part of `pkcs11_uri`.
+
+To rotate upload key for code-signing service:
+
+- Generate new key (as above for dak keys).
+
+- Update `maintainer.key_id` in `etc/debian-prod.yaml` (in `code-signing`
+ project).
+
+- Tell dak about new key::
+
+ gpg --no-default-keyring \
+ --keyring config/debian-common/keyrings/automatic-source-uploads.kbx \
+ --import
+
+ and update fingerprint `AllowSourceOnlyNewKeys` setting in
+ `config/debian/external-signatures.conf`
+
+- Import key on `ftp-master` and `security-master`::
+
+ dak import-keyring -U "%s" \
+ ${base}/config/debian-common/keyrings/automatic-source-uploads.kbx
+
+- Update ACL on `ftp-master` and `security-master`::
+
+ dak acl export-per-source automatic-source-uploads
+ dak acl allow automatic-source-uploads ${NEW_FINGERPRINT} ${SOURCES}
+ dak acl deny automatic-source-uploads ${OLD_FINGERPRINT} ${SOURCES}
+
security archive
~~~~~~~~~~~~~~~~

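Review bot: the third command in the "Generate new key" block, `gpg --homedir --full-generate-key`, does not do what the text intends: `--homedir` takes a directory argument, so gpg would take `--full-generate-key` as the home directory path and be left with no command to run. `GNUPGHOME` is already exported on the line above, so drop `--homedir` and use plain `gpg --full-generate-key`; the later step "Generate new key (as above for dak keys)" refers back to this block, so it inherits the fix. Two typos in the Secure Boot section: "comman name" should be "common name" and "occurances" should be "occurrences" (the unchanged context lines also carry "seperate" twice, worth correcting while editing this file). A missing piece of the procedure: every step imports, trusts or allows the new key, but apart from the final `dak acl deny` nothing retires the old one, so the old dak signing key stays in `etc/external-signature-requests.kbx`, the old upload key stays in `automatic-source-uploads.kbx`, and the old certificate hash stays in `trusted_keys` until someone removes them by hand; add an explicit step per key to delete the retired key from the keyring or YAML list (re-running `dak import-keyring` afterwards for the upload keyring) and to revoke the old OpenPGP key once nothing depends on it. Minor: both `gpg --import` commands read from stdin; say that the armored output of `gpg -a --export ${NEW_FINGERPRINT}` is what gets piped in, and that `${base}`, `${OLD_FINGERPRINT}`, `${NEW_FINGERPRINT}` and `${SOURCES}` must be set before the blocks are run.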