Pocket syncs fail on FIPS-hardened hosts: "unknown key"

Bug #2074021 reported by Kyle Metscher
Affects: Landscape Server | Status: New | Importance: Undecided | Assigned to: Unassigned

Bug Description

When mirroring the Ubuntu repositories, it is not necessary to pass the `mirror_gpg_key` parameter, as the Ubuntu signing keys are used for it by default. However, when attempting to mirror the Ubuntu archive on a FIPS-hardened host with pockets created without the `mirror_gpg_key` parameter, the pocket sync will fail with errors from reprepro:

```
b" Error: unknown key '40976EAF437D05B5' There have been errors!
```

This is in reference to the 2004 repository signing key, which uses DSA1024:

http://keyserver.ubuntu.com/pks/lookup?search=40976EAF437D05B5&fingerprint=on&op=index

Keys generated with DSA are deprecated in FIPS 186-5, with a grandfather exception solely for verification purposes:

"Prior versions of this standard specified the DSA. This standard no longer approves the DSA for digital signature generation. However, the DSA may be used to verify signatures generated prior to the implementation date of this standard."

Presumably, when the `mirror_gpg_key` is not defined, Landscape falls back on an array of the Ubuntu repo signing keys that includes the 2004 key along with the 2012 and 2018 keys. The issue can be worked around by explicitly passing the 2018 archive signing key as the `mirror_gpg_key` argument when creating or modifying a pocket, which seems to override Landscape's default that includes the problematic 2004 key.

This was reproduced on an Ubuntu 22.04 virtual machine hardened with fips-preview based on a customer support ticket.

information type: Proprietary → Public
Mitch Burton (mitchburton) wrote:

We could choose to make the set of fallback keys configurable - that way the 2004 key could be omitted. Additionally, the `mirror_gpg_key` param could accept the names of specific Ubuntu keys.
