Remote GPG key updating



A couple of years ago at Endless we accidentally let one of our GPG keys expire that was used to sign our OS commits (hangs head in shame). Without a valid GPG key, our users would have been prevented from updating. Fortunately we had a workaround because we had a second key in the legacy global trusted keyring that we could sign our OS commits with. Obviously, that was not the ideal solution and we began thinking about ways to get clients to update their GPG trusted keyrings.

Right now you might be saying, don't add expiration to your keys if you don't have a way to rotate them. That is entirely valid, but the use case for pushing key updates is arguably more important for the case of revoking where a private key has been lost or compromised. So, I personally think there's a lot of value in having a standard and secure way to update trusted keys in ostree.

I looked around to see how other people handle this and was focused on standardized methods rather than a custom ostree method. The two that looked most attractive were updating using DANE [1] or Web Key Directory (WKD) [2]. DANE uses DNS records to provide PGP keys while WKD uses HTTP. I opted to pursue WKD since in order to publish DNS records securely you really need DNSSEC and I felt like that was a significant barrier to a publisher, whereas you almost certainly already have an https:// server if you're publishing an ostree repo.

I got pretty far into a WKD client side implementation and API/CLI for updating in https://github.com/ostreedev/ostree/pull/2260 before I moved on to some other work and it stalled. Before picking it up again I wanted to discuss here to see if this was something that would be acceptable in ostree.


--
Dan Nicholson  |  +1.206.437.0833  |  Endless
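For readers unfamiliar with the WKD client-side flow the post refers to, here is an added example (not code from the ostree PR or from the author) showing the first step a WKD client performs: deriving the lookup URLs for a key's email address using the "direct" and "advanced" methods of the WKD draft. The sample address is constructed, and the z-base-32 encoder is written out rather than taken from a library.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by WKD (not the RFC 4648 base32 alphabet).
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding (5 bits per character)."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32[(acc >> nbits) & 31])
    if nbits:  # left-align the remaining bits into a final character
        out.append(ZBASE32[(acc << (5 - nbits)) & 31])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """WKD hashes only the lowercased local part; a 20-byte SHA-1 gives 32 chars."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD lookup URLs for an email address.

    A client tries the advanced method (openpgpkey.<domain> subdomain) first
    and falls back to the direct method on the domain itself. The 'l'
    parameter carries the original, un-lowercased local part so the server
    can match it exactly; the domain is never part of the hash.
    """
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    l_param = quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}",
    }


if __name__ == "__main__":
    # Constructed sample address; the key the server returns must then be
    # validated (user ID, fingerprint, and any local policy) before trusting it.
    for method, url in wkd_urls("Release.Team@Example.ORG").items():
        print(f"{method}: {url}")
```

Fetching the URL over HTTPS is only the transport step; whatever key comes back still has to be checked against the client's own policy before it is added to a trusted keyring.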

