2024-11-21 12:52:22

Čapkova báseň na dědečkově stole

Můj dědeček Karel Fridrich měl velký těžký stůl. Pod skleněnou deskou měl papírové pamětiny: pohlednice, užitečná čísla. A taky jednu báseň:

S lidmi je kříž.

Ale když už je člověk na kříži,

tu na všechno docela jinak pohlíží.

To je tím, že je výše.

To je tím, že tak těžko dýše.

To dělá to rozepjaté náručí.

To dělá ta velká bolest.

Vždy se mi ta báseň líbila a pamatuji si ji; i když už je děda skoro třicet let na onom světě a jeho věci jsou dávno pryč.

Ještě když byl naživu - a já v pubertě - tak jsem se ho zeptal na původ té básně. Prý ji napsal Karel Čapek a našli ji v jeho dlani když umřel. Já to tehdy vzal jako fakt. Děda nebyl typ, který by žertoval. Naopak oplýval znalostmi, a moudrostí jako málokdo v mém okolí.

Až o mnoho let později jsem si zkoušel tento příběh ověřit. Ale ten příběh nikde není. Dokonce ani ta báseň se nazdá být někde zachycena. Odkud ta báseň pochází? Napsal ji opravdu Čapek? Můj děda měl dvanáct let když Karel Čapek umřel, ale nevím o tom, že by se nějak blíže znali. Na druhou stranu, můj praděda krátce provozoval hospodu kousek od Annenského náměstí v Praze. A v hospodě se kříží mnohé proudy.

V každém případě je to úchvatná báseň a je škoda, aby nebyla vytažena na světlo světa. At už má původ jakýkoliv.

Pokud někdo náhodou můžete potvrdit nebo vyvrátit tento příběh, tak budu rád, když se ozvete.


Posted by Miroslav Suchý | Permanent link
Comments

2024-10-13 00:40:20

Placení za dobíjení elektroaut

Ahoj Miro, jakého máš ty providera/karty pro vaše elektroauto? Jaký máš tarif/roaming, co ti umožňuje cestovat a nabíjet po evropě a za jakých podmínek? Nejde mi o skutečné ceny, spíš o to, jakého máš porvidera, jaká je to síť, co kde můžeš a nemůžeš, do jakých různých situací se při nabíjení můžeš dostat.

V placení ze dobíjení elektroaut je trochu chaos. Je to jak v dřevných dobách mobilů, kdy jsi měl jednu simku na psaní SMSek a druhou na volání.

Ve zkratce platí: čím chceš mít život jednodušší tím to budeš mít dražší. A čím pomaleji ti stačí dobíjet, tím to budeš mít levnější.

Takže mám čtyři poskytovatele pro ČR a tři do zahraničí a střídám je. Můžeš mít jednoho pokud hodně chceš, ale ten rozdíl v ceně je takový, že rád akceptuješ mít vícero registrací.

V ČR stačí, když máš registraci u ČEZ, EON a PRE. V Brně mám ještě lokálního poskytovatele Teplárny Brno. Registrace tě nic nestojí, máš ji za pět minut hotovou. A můžeš platit z aplikace nebo NFC čipem co ti zdarma pošlou.
A klidně můžeš zaplatit čipem EONu u PRE. Ale budeš platit až o 4 Kč více za kWh. Což klidně mohou být dvě stovky na jednom dobíjení.

V ČR existují minimálně dva poskytovatelé, kteří fungují podobně jako CCS. Dostaneš kartu, která ti bude fungovat všude a dostaneš jednu fakturu na konci měsíce. Ale furt je to o něco dražší. Firmám to zjednodušší život. Fyzickým osobám asi moc ne. Mě osobně nevadí mít několik čipů v přihrádce auta. Hlavně proto, že v ČR vlastně dobíjím velmi málo. Výlety po Jižní Moravě a Vysočině zvládnu bez dobíjení po cestě. To už musí být výlet do Jeseníků nebo na Vltavu, abych byl nucen se cestou zpět stavit na nabíjecí stanici. Takže tarif v ČR neřeším a používám ten, kde se neplatí měsíční poplatky - hodně měsíců v roce v ČR u stanic prostě nedobíjím. Dobíjím doma. V létě zadarmo z FVE, v zimě z nočního proudu za cca 4 Kč/kWh.

Takže mnohem více řeším nabíjení mimo ČR. K tomu existuje docela hodně poskytovatelů, kteří umožňují se připojit k téměř libovolné nabíječce v Evropě. Jsou jenom o trochu dražší než místní poskytovatelé. Ale za ten komfort, že nemusím řešit registrace v aplikaci v italštině nebo holandštině - to mi za to stojí.
Většina automobilek provozuje takovou brandovanou službu: ChargeMyHyundai, Powerpass od Škody….
Pak existuje další specializovaní poskytovatelé. Já teď používám Elli Ty ceníky se dost liší. A kdo byl nejlevnější vloni, nemusí být nejlevnější letos.
No pak začíná velká magie výběru tarifu. Protože velmi brzy zjistíš, že cena za dobíjení se může pohybovat od 7 Kč až po 21 Kč za kWh. Takže plné nabití vybité baterky tě může stát 350 Kč nebo taky 1050 Kč. Pokud použiju jako příměr oblibené Chorvatsko, tak mě cesta do Zadaru a zpět může stát buď dva tisíce nebo taky šest tisíc. A to už se vyplatí trochu u toho přemýšlet.
Takže když jedu do Chorvatska tak si u Elli zaplatím nejdražší tarif. A pak mám u nabíjecí sítě Ionity cenu 11 Kč/kWh - což mi několikanásobně zaplatí cenut toho tarifu 350 Kč/měsic. A tarif si na konci měsíce vypnu a přepnu na bezplatný. A nechám to tak až do další dovolené. Tedy to Chorvatska tam a zpátky dám za tři tisíce Kč.
Ionity je zároveň síť, co má nejrychlejší nabíjecí stanice. Takže u stanice jsem obvykle tak deset minut. Vzácně patnáct minut. Stanice jsou v příhodné vzdálenosti cca 200 km od sebe podél dálnic, takže si vystačím s těmito stanicemi.
Kdybych chtěl hodně šetřit, tak i v zahraničí najdeš možnosti jak nabíjet levněji, ale musel bys stát u nabíjecí stanice třeba hodinu. A to s plně naloženým autem a dětma asi nechceš. A těch cest během roku zase tolik nemám. Navíc ty levnější stanice jsou zpravidla osamocené. Tak se může stát, že tam přijedeš a stanice je obsazená a další auto stojí ve frontě. Takže na řadu můžeš přijít i za dvě hodiny. A to fakt nechceš. Takové dobíjení akceptuješ akorát v cílové destinaci vedle svého hotelu.
Já mám právě v oblibě síť Ionity, která staví větší “hnízda”. Čtyři stanice jsou minimum. Šest hodně obvyklé. Občas se najdou hnízda o deseti a více stanicích. A když přijedeš k takovému hnízdu o šesti stanicích, tak jsou málokdy všechny stojany obsazené. A pokud ano, tak jsme zmiňoval, že jsou to velmi rychlé nabíjecí stanice a nejpozději za 15 minut odjíždíš. Takže když je vše obsazené, tak se ti nejpozději do dvou minut nějaký stojan uvolní.


Posted by Miroslav Suchý | Permanent link
Comments

2024-06-19 10:19:02

DevConf.cz 2024 Day 3

On the third day of DevConf, I was in the kids' corner all day, which I ran together with Petr Blaho. I didn’t have time for anything else that day.

In the corner we had the Ada & Zengemann book by Matthias and a bunch of stickers.

Ada & Zengemann book

We played a lot of Ricochet Robot - I like this game because quite often the one who comes up with an unusual and unexpected solution wins. Plus, an almost unlimited number of people can play at the same time and they all play at the same time. No waiting for a teammate to make a turn. The rules are so simple that they blur the distinction between an adult and a small child.

Ricochet Robot

Mr. and Mrs. Mašláňovi brought Lego Coding Express - for me, it was the first time I’ve seen it live. A great educational toy for kindergartens. The Lego was pretty durable and I can definitely recommend it for kindergartens. What pleasantly surprised me was that you can print an adapter with which you can connect the original tracks to the wooden tracks they sell for wooden trains. Great!

Ricochet Robot

I had a Cubetto for the little kids there. I also brought Lego WeDo and Micro:bit. Both were used and I gave two Micro:bits to kids who were interested. Hopefully they’ll make some things with them that they’ll enjoy.

Fully packed room

Fully packed room

We had about twenty kids hanging around all day. And by noon there were six (or maybe more) kids there at the same time, each at a different age - that was pretty wild.

One of the popular things was an Useless Box.

Fully packed room

While I was at DevConf, my wife was on a wellness retreat with her sister, and she kept me supplied with photos from the retreat. So I tried to keep up and took a few pictures too.

If you have kids and you want to try something similar, you can use my notes (in Czech only).


Posted by Miroslav Suchý | Permanent link
Comments

2024-06-14 17:41:55

DevConf.cz 2024 Day 2

Today started with a Keynote: What if you could boot a container? where Dan Walsh, Stef Walter and Colin Walters talked about bootable containers. The demo was a bit choppy, but otherwise the keynote was funny and easy to understand.

Then I moved on to Brian Stinson’s talk on RHEL 11. I didn’t learn anything new (as I am deep down involved), but it was a nice affirmation.

I went to the “Fedora Hatch Meetup @DevConf.com” where we spent a good portion of it discussing the budget and hardware needed for secondary architectures and unusual expansion cards.

Then I met Marrhias Kirschner from the FSFE, who gave me a copy of his book Ada & Zangemann and asked if I could take it to tomorrow’s Kids' Corner, where unfortunately he can’t make it. The book is aimed at young children (5-8 years old) and is an inspiration why to play with HW and SW and why it is worth fighting for free SW. That sounds very pathetic, but in the book it is presented as a fairy tale and in very simple language.

Matthias Kirschner

Then I had some free time before the “Fedora RISC-V” talk started, so I stopped by the VUT students' booth on deep fake and took a quiz to see if I could tell in an audio recording if it was a deep fake. I ended up staying there for 45 minutes - so I missed the RISC-V lecture. I thought I could recognize about 30% of the samples, but I recognized about 81%. Students will use the result in their future work.

Deep fake introduction

Afterwards I had some more nice chats in the atrium and at the end I dropped in for Martin’s lightning talk “My experience with teaching beginners”. Nothing new for me, but a nice affirmation.

Find the community to volunteer

In few minutes I am going to move to social event at Dobrák. I will not report from there because “What happen Las Vegas, stays in Las Vegas”.


Posted by Miroslav Suchý | Permanent link
Comments

2024-06-13 22:07:55

DevConf.cz 2022 Day One

The first thing that surprised me was that when I arrived at 9:00 (the keynote started at 9:30), the courtyard was already full of people. And I had some interesting conversations in the first half hour.

The opening keynote was boring.

Then I planned to go to the talk “Creating more meaningful Fedora release notes”, but the talk was cancelled at the last minute. So I moved on to the “Upstream Meetup”. Tomas and Lenka prepared interesting questions to warm up. And the answers and discussion was so interesting that we didn’t get beyond this opening slide. But that didn’t matter at all. Together in the group we shared our experiences on how to manage an upstream project and how to work with contributors. Tomas took notes and I’m looking forward to posting them somewhere.

The discussion was so interesting that I skipped “How to build Collaboration and influence Open Source Project” where I originally wanted to go.

On my lunch break, I walked around to four food trucks and chose a Japanese (or Vietnamese?) one where I had some great chicken pieces with rice Kaarage Don.

Then I watched the talk “Learning from Nix: how other package managers can do better”. Nix has a nice handling of hermetic builds, and Evan showed a mockup of how a similar thing could be done in DNF. Plus there are folks at Conflux working on similar things, so maybe we can look forward to a similar thing in the RPM world soon. Otherwise, the NIX packaging language looked very complicated. SPEC file is a trivial thing compared to that. In follow up discussion Daniel Riek mentioned that he has a quick'n'dirty tool that rebuild packages for specified AWS flavour - this gives him 10-20% performance boost. He promised me that he will clean up this script and next year he will present it at DevConf. :)

Then I looked at “Do you like your changelogs”. In the talk, Laura and Frantisek gave a live demonstration of how developers think about and work with changelogs, and combined it with data Laura had collected in her master’s thesis. The talk was entertaining and informative. We will definitely use the data from it in the Packit team, as automating Changelogs is something we want to pursue in the near future.

In the followup discussion about Towncrier I talked with Sviatoslav Sydorenko who pointed me to Chronographer GitHub CI application that checks if commit has towncrier entry. And to sphinxcontrib-towncrier that makes nice documentation [example]. We use towncrier in Mock, this will be useful.

I only hopped on the RPM developers meetup for a bit because I had to move and get ready for my own talk. It was called “Indiana Jones and obsolete projects”. The room was fully packed. In addition to the actual content, I had prepared a theatrical insert: I was dressed as Indiana, and I had a bullwhip. Tomas helped me with the dramatic entrance and a moment later he purposely gave me an excuse to try out the bullwhip. At the end we paraphrased the famous scene where Indiana pulls a gun against the sword. Content-wise, I went through several innovations: cell phones, smartphones, SSDs, CDs… and showed how one technology replaced another despite people initially rejecting the new technology. Similarly, I then thought about the life cycle of software projects. The biggest compliment for me was Martin’s comment, “This was the first lecture where I didn’t fall asleep today.” You can check the recording and the slides.

I stayed in the same room to listen to “Let the user speak”, where representatives of different projects shared their experiences with Packit, Testing Farm and tmt. Which for me as a member of the Packit team was pleasantly refreshing.

But after this session was over, I found myself terribly tired. So I staggered home and hit the bed.


Posted by Miroslav Suchý | Permanent link
Comments

2022-07-14 11:51:41

Packit - how to create pull-request for Fedora from upstream

I am a contributor to fedora-license-data upstream, and I investigated what will be the easiest way to build a new version of the Fedora package. I ended up using Packit for that. With just one command, it creates a pull request in src.fedoraproject.org.

At the start, we have to configure the upstream. I run:

$ packit init

in the upstream repository. This command created .packit.yaml with

# See the documentation for more information: 
# https://packit.dev/docs/configuration/ 

specfile_path: fedora-license-data.spec 

# add or remove files that should be synced 
files_to_sync: 
   - fedora-license-data.spec 
   - .packit.yaml 
# name in upstream package repository or registry (e.g. in PyPI) 
upstream_package_name: fedora-license-data 
# downstream (Fedora) RPM package name 
downstream_package_name: fedora-license-data

The upstream uses tags to mark a release. The commits look like this:

*  e960257 (tag: v1.0) Merge branch 'noarch' into 'master'

I put in .packit.yaml one line to configure how we do a release:

upstream_tag_template: "v{version}"

The packit.yaml is highly configurable and you can see result of my .packit.yaml.

Now I can run command:

# packit propose-downstream

If you did not git-push it, you have to run:

# packit propose-downstream --local-content

For some unknown reason, Packit still cannot figure out the version automatically. So I had to run:

# packit propose-downstream --local-content . 1.0 --dist

This command creates PR for all branches. To limit for just some branch(es) you can use the command line option --dist-git-branch rawhide,f36.

You can see the resulting PR here

By the way, the Packit team is working on a feature where you can configure this workflow in dist-git, and you will not need to modify the upstream - if you are not a direct upstream contributor.


Posted by Miroslav Suchý | Permanent link
Comments

2021-04-20 16:02:17

OOMKiller and httpd

How to set up httpd to survive when OOMKiller kills one of its children.

In Copr, we have had a leaking process in our frontend. It is one route, which was leaking few megabytes. The route has a separate child process in httpd, so only one process has been leaking. We still did not identify the culprit, and in the meantime we had to fight with OOMKiller.

Few megabytes here and there and the process was too big. And we run out of memory. OOMKiller came and killed the process (as it was the biggest one). Usually, you will not care. Httpd is killing its children periodically, and when one is killed, the master process starts new child immediately. But…

Default OOMPolicy is stop. And here I will quote from man systemd.service:

OOMPolicy= 
Configure the Out-Of-Memory (OOM) killer policy. On Linux, when memory
becomes scarce the kernel might decide to kill a running process in order to free up 
memory and reduce memory pressure. This setting takes one of continue, stop or
kill. If set to continue and a process of the service is killed by the kernel's
OOM killer this is logged but the service continues running. If set to stop the
event is logged but the service is terminated cleanly by the service manager.
If set to kill and one of the service's processes is killed by the OOM killer
the kernel is instructed to kill all remaining processes of the service, too.
Defaults to the setting DefaultOOMPolicy= in systemd-system.conf(5) is set to,
except for services where Delegate= is turned on, where it defaults to continue.

Stop means that the OOMKiller will kill the process, it master process and all siblings. Effectively systemctl stop httpd. :((

Do you want to try it? Grab mod_oom from Copr project.

Put in httpd.conf:

 
  LoadModule oom_module modules/mod_oom.so 
   
  SetHandler oom 
  

And visit http://localhost/oom. It will eat all your memory, and you will see what happens. :) Your httpd service will be stopped.

How to improve this?

You can put: OOMPolicy=continue in httpd.service. In fact, Joe Orton did it in Fedora as default. More information in BZ 1947475.

Next time you will have OOM in your child proces, you will likely not even notice. Unless you carefully check the log.

Big thank goes to Joe Orton and Pavel Raiskup for the investigation.


Posted by Miroslav Suchý | Permanent link
Comments

2021-02-18 11:06:01

Different OpenGPG DNS entries for the same email

In previous blogpost, I wrote How to generate OpenPGP record for DNS (TYPE61). You may get puzzled what to do when you have different GPG keys with the same email. E.g. EPEL GPG keys are:

pub   rsa4096 2019-06-05 [SCE]
      94E279EB8D8F25B21810ADF121EA45AB2F86D6A1
uid           Fedora EPEL (8) 
pub   rsa4096 2013-12-16 [SCE]
      91E97D7C4A5E96F17F3E888F6A2FAEA2352C64E5
uid           Fedora EPEL (7) 
pub   rsa4096 2010-04-23 [SCE]
      8C3BE96AF2309184DA5C0DAE3B49DF2A0608B895
uid           EPEL (6) 

Three different GPG keys with the same email. How should we put it in DNS?

This is actually nothing unusual in DNS. You can have multiple DNS entries normally. E.g.:

;; ANSWER SECTION:
seznam.cz.        274    IN    A    77.75.74.172
seznam.cz.        274    IN    A    77.75.74.176
seznam.cz.        274    IN    A    77.75.75.172
seznam.cz.        274    IN    A    77.75.75.176 

When you run the command suggested in the previous blogpost, you will get:

$ gpg2  --export-options export-dane --export epel@fedoraproject.org
$ORIGIN _openpgpkey.fedoraproject.org.
; 94E279EB8D8F25B21810ADF121EA45AB2F86D6A1
; Fedora EPEL (8) 
1a355c3f6ac5389917041321fdddee2c0ffc4a38f78adec159a015ec TYPE61 \# 1141 (
        99020d045cf7cefb011000c93882169651ae7719e9bc99e4c50cf60ada1623b8
        287559e8725add97cde4563a92429fb6760c6e1b99948800d47d81da450cf12b
        0f1e7ee427c31cd4f6467bd27802c6d99b4161a65267d24e189aa4ecf4d34d7c
        f9ea3930569b776bdd886a35cbee759b6b110e937ca9d09aa97928eb973232e2
        d7ae88c91c8baf440ff1ee2a8ead17f26bcc773b10b83c4825e698039cff2954
        ad252d89dc0c440237be83f6e6e16505a121217fcc923e7bcd3a57bd61cdfc8b
        fccb779909bf962fa544a536e54b24f5d59a7f8347ff06473083c0915278b83e
        07fee4b8f70a969f28936064fb8546e279c17b72b84b0a6951cef251f269113f
        aff84ff177b4d0cf5997833440d5154913147354ebf876f8edfdf0c358fdf3a1
        c8a68d2b79e713483a409d5d387df59571c0465a453ad5addd599953426758b7
        9876f6a9e047dff6a4d6649848ec2ab45a6f0380b5295e0365926aaebc4ecfd9
        6e4402bd84e40a8a4280db7f0fc6896751bc758a78d18c44b9c623742ea17dd4
        a409570fbbf5dd5759c4dc9dbe97b2a5b7ff01f472ac744a864523ddc535a589
        0cdc335913bec2e4951eebfd27c5bb7811351905380b8182463fc73b3db9159c
        ee88fca80bd63c3eecc5ba033f0ec7e45764bc8631599b5bf4cc73c85a25f28b
        328528dd3564f273e2521a0e0b4fe423b8fd8a516b071054e5d52d1782130167
        3cc671ba8c9b3f22cbd1a50011010001b4284665646f7261204550454c202838
        29203c6570656c406665646f726170726f6a6563742e6f72673e890238041301
        02002205025cf7cefb021b0f060b090807030206150802090a0b041602030102
        1e01021780000a091021ea45ab2f86d6a166a00ffe319cb5b0b37e0607254342
        48e9ae4d1f5fb2328699bf53b06c2072aca472cbf98e3abc000663ff6f32f744
        d1f72bf44936669ef31354569920b3cf35204c6e811684c6d47e05868ffb67c0
        572bf8f26e8c174997ea5e74ce7e14856a5c0377095226f7d8355f4c6f2bdbc4
        df2a651535cfb3c4599ac8cc50c34e815193447bd731e99cf4cd209e7f6174f0
        36a53d3b1208f213108f8b9f175d74e34009419edbaf7af37ab97204e07e25dd
        7348f56b00fa5e332269a5614748300858aeb1f9a9b5dd52089d7b6a07f0b3e0
        60472c52b9776fc862ca55c38ed2a258fc8e2144b6702aebed40ab9587de2078
        6c4d9eeb3d340d217dddfaf03b258ded698f22873642c35126181f242fa2b064
        00c30abcc406c71017aec8c1bc1998f3c68860d07e1b39212e8d52d38c7d716c
        01b80e78563bfd555cb5fe2d710bc9c3bc6504dc8e3ff80102aea38c2f30faef
        f40d7af681131be57042535def85413c60af867cf019735b4cafca1f5f96447d
        1849bfb8d5f941dcd2a131253a746234486b48c4348785554d9b1dbfe97893f5
        4ff39eb66c1b92b0f2721b6c5cfef4c19451680932c775665f51f20cfb57d7e9
        9fb2fbcb92e127c1ce08cb18fd9effec752cfadfc0d4c23883b43983952e4997
        608b4cf1ba4896b8290b7808803f8cbbcca2b83a327ae383437160876b7eb39f
        0566933de2c4bf10d1ab91d793aaab606347f7f2a2
        )

$ORIGIN _openpgpkey.fedoraproject.org.
; 91E97D7C4A5E96F17F3E888F6A2FAEA2352C64E5
; Fedora EPEL (7) 
1a355c3f6ac5389917041321fdddee2c0ffc4a38f78adec159a015ec TYPE61 \# 1141 (
        99020d0452ae6884011000b5529857c0ca8201aacf507fd9b0e16c95a6de4d53
        b6a439396273bde9ffab81907bc40ac139279093b07dd22a9227ce7f73bd8e02
        7e0e5d8bd3eb781f09e5e926ce4cede99790fb0d4165928eef7d956f80a92366
        8d85a199194b44697438eee02308fbefa7485ef70c34597348f8f4d0ddb102a8
        cc6e39675769f669b004e60aba569a8fbc55d5c9fad56bfb9a9688035667fa87
        6b7845da627eaf2a4c7b07154df1a42cfe4fafdd196286438d9941f4da2e70cc
        8d3a00b266340327af9086d7ea2655b731af6a76293dc596e17d110cf729a9f1
        4d664eb8df123896c67e63612bf58bb94bff31d25cbeb66988a24684d30c1b75
        4bbbe3461366309eb2ba185a2460e73b90db17cac49a15e44f8487eb58c060c9
        9fa1df5a14609ee751470bee278e73b5856d2ae94ac3c410a5dd924d6adc4100
        c96915a69cca285ff3c04d38c2044c41f5d933dfc0ebbaf93b2241ccb6c22a96
        400e40c76c5f57774e8bfa044d970e3206d331712ddb8919b57073feab21cf79
        4f4e798f7e84cf41eb8f17694c638e1f146a30ae66f5f9456dac71b439d2ef0e
        fb5aacd6ec78c5ac3d15793c76be78e31aa7211c44297c3a453b36fc2d316181
        889dc913547e5418df958b3b32cd57ea55dde437260d75505c1e95234ba9f41f
        b8544673ecdcc243631e1e723ef9bda1d4750487ea27ab0a18f19bb4f357a3b1
        11311ca95b2473d338b4b70011010001b4284665646f7261204550454c202837
        29203c6570656c406665646f726170726f6a6563742e6f72673e890238041301
        020022050252ae6884021b0f060b090807030206150802090a0b041602030102
        1e01021780000a09106a2faea2352c64e5c7c60ffe2ca6aa6c4e3b4333baa9ca
        d28b1caaee66dbee5a2aade517ef4fdc30f4651414c678659197e27517838f6a
        8b10cb6b2591f1d746fece64c8e8b70b4b97ffa8a7cda632460f8187bd1baea2
        942b5e05d41aeb3e2dbd79a29f1be1ae305b577411b66bb3ad3e6c37cae2a6ab
        d129bfa07498fe84e4a49dbd2452a895ad19c03ac114bfc03cd7244347a79ade
        f48b26dc2632769cb418b440e70a387cf079b8b75484b1140ef87628afff7cc8
        e36b7a342fe48dcfc3746836729f9031094f5107710771379c160a32e6e9918f
        df4166b79b47534efb8801ae2bc87ddbc3e1f24d7cd0475f08521fd00218236f
        1e75d58c7405f621d60292a44487a1f05af69f976d7c9105ed2117f066d7ec56
        ec5a8dbd91732b56036a1cdc839df0015683ee6e041db4964991564091a1eb32
        ef00cadc13eb643878daa6248d5a59b650348e63598a9ce912ae08aebf17df6a
        b61153f6024ed7bfb246e2fa52fdbfbe0cd547544677054b2b09548c63c08d87
        e5a4243058c0004b18aff6e3f260f1dc12b4ab6d11b4c2321f011defbacd4e48
        ec77c591d9a5715f9904ec0cfef355138bcd5f7c477270140c49e3fc6a78e378
        bc23c553a3ac4f795643cc3b8a5e68858f79c26ba37ebea593cf6413325d393c
        dc9fb0c16d4aeedf7090306299dc4bed463b02ec50db2f4d7bab14be65503f1c
        69327e2bb8729815f155276ea97978067ed4b97a0f
        )

$ORIGIN _openpgpkey.fedoraproject.org.
; 8C3BE96AF2309184DA5C0DAE3B49DF2A0608B895
; EPEL (6) 
1a355c3f6ac5389917041321fdddee2c0ffc4a38f78adec159a015ec TYPE61 \# 1132 (
        99020d044bd22942011000cb1a7523db8655296ee588537f240e4282dce53672
        aceec060edf55b356af2884dd445b9f5257beb7701ed90ac98f7afe27d9d4b77
        7944da0385eb56c6676096c0935e7bbe92a7d67e8ac3fc4505db1b98f08ffe01
        33d1caee9864b6a15527c55b6368df4e371fc51bc633c601c1717c871d020d95
        11023bdfd71452409ee2028e7ca9c1e75edc4e02f42601b47dcfa43f87f0fe63
        f3e1a08269d4e57854d1c26c2b3d33b1d4541a600b9dcf0dc4d442ec1c81e63a
        a50828f5e4f578b352655ac9e4172d8af97551c0fa3fa0881a491e4f680d86a8
        a77513e78145c65d6ed0ce879f7be7d542a2529bb4eadaaf68a95678e89f7ae3
        0682448b51c92a6e5b977164edf858ceb0b30d813f63250026c7e25de5baab69
        5e8dc1bdf9e4f870051f71dc32ec1d6ae971bfbcd829709f36849f82ba447e8d
        84c78226fc8dd676dc0c13f19b9f076add5273800c4b54585ccc31f03648e621
        d3c094d27dfe2c518e2a7876066d5bc55c042acda0bf8b843ac87e3be72dd46e
        bc11f2f4fdec085ec567271a1e53163fa4622ed1e710c19c6d9f10a501e2d9d4
        5e535c32afd42082e194fa3a925d86abd7211cb1d4466aca6934867cf906b06e
        6fdae1da13d744c4b4f02b852a079706efa930d88ed7d5f76942ff68b080eea0
        6201bd5eb3b857c755dfd15f9bba0b15fbd36e0e66bf843f13a016a3f8248e6b
        7191cba56f202f8c5b58010011010001b4214550454c20283629203c6570656c
        406665646f726170726f6a6563742e6f72673e89023604130102002005024bd2
        2942021b0f060b090807030204150208030416020301021e01021780000a0910
        3b49df2a0608b8951fc60ffc0b18fbfda8edfd7b26fd365af07ca754128d6d1f
        129dae1373f9762b3b8c950d305944f4aebcbdb26a879222140e2a134f7c4813
        f6676c6ec81c7e6a07c66195727fa56e1796b12bdc82b5eecf480bb7c4c618a1
        8644e0282d7a6e52c6f51cdb4a10ec0f438cf5b90da73b3e612d1c83395d08d8
        bc1857c0631888c1294305114c454ec2fb5ce664ac083f59b4c7d8f5b786b7d2
        5ad71103b118a2723707cd1ddfd7dfc2ced29b229b4b93e6663a8e3ee4ef5761
        74b4c84a2219dc070a288d664f1317ed1e92a1cca561f1f7433bfdcfd72d4593
        70a29fc51b08ef4c58c14d476edf57308036510f963b0703edc4cf817bb9ba05
        a7438e128bf86328b80446e0a999ed8531b8b9bf67ca2ba9219ddc90f1ebde75
        5c0d419c2fa9500ff9e498d54878b60fc75b873ce4a559fba88c0620cd11fa2c
        bec8760e051c7040d2da3b156f1d4171483b236224500e4f68fc3f9fad55dabc
        c01d0f0d21fcc91a67e07749f5162ab9abb83a48e5bb13967f4b91692fff4947
        02661fb5fca0443a672f047611640e4997f9da90283119bda96903b3aaaa4e70
        72af9722eeccee6ec9b3176a2a4b1314c62570655eb6db0127d76bfc86612006
        895ac6cfd084ebaefa74c966f05facdd75c4d77419ad79a396873a8f03a58e77
        c09234c65e3881ece50b11279df7a3115ed7cb9345b901bf6977bb4a0d1e901c
        8eeb8075df0a8a519d9d9555
        )

I.e., three entries for 1a355c3f6ac5389917041321fdddee2c0ffc4a38f78adec159a015ec entry.

RFC 7929 explicitly does not mention how to handle this situation. The only relevant part is Appendix A. on page 18. If you read it you may get a bit different result:

$ gpg2  --export-options export-minimal,no-export-attributes --export 'epel@fedoraproject.org' | wc -c
3414
#^^^ this is the value at the end of the first line (number of octets)

$ gpg2  --export-options export-minimal,no-export-attributes --export 'epel@fedoraproject.org' \
    |hexdump -e '"\t" /1 "%.2x"' -e '/32 "\n"' 
# this will give you the value of the key

When you concat two previous results you will get:

; 8C3BE96AF2309184DA5C0DAE3B49DF2A0608B895
; EPEL (6) >
; 91E97D7C4A5E96F17F3E888F6A2FAEA2352C64E5
; Fedora EPEL (7) >
; 94E279EB8D8F25B21810ADF121EA45AB2F86D6A1
; Fedora EPEL (8) >
1a355c3f6ac5389917041321fdddee2c0ffc4a38f78adec159a015ec TYPE61 \# 3414 (
        99020d045cf7cefb011000c93882169651ae7719e9bc99e4c50cf60ada1623b8
        287559e8725add97cde4563a92429fb6760c6e1b99948800d47d81da450cf12b
        0f1e7ee427c31cd4f6467bd27802c6d99b4161a65267d24e189aa4ecf4d34d7c
        f9ea3930569b776bdd886a35cbee759b6b110e937ca9d09aa97928eb973232e2
        d7ae88c91c8baf440ff1ee2a8ead17f26bcc773b10b83c4825e698039cff2954
        ad252d89dc0c440237be83f6e6e16505a121217fcc923e7bcd3a57bd61cdfc8b
        fccb779909bf962fa544a536e54b24f5d59a7f8347ff06473083c0915278b83e
        07fee4b8f70a969f28936064fb8546e279c17b72b84b0a6951cef251f269113f
        aff84ff177b4d0cf5997833440d5154913147354ebf876f8edfdf0c358fdf3a1
        c8a68d2b79e713483a409d5d387df59571c0465a453ad5addd599953426758b7
        9876f6a9e047dff6a4d6649848ec2ab45a6f0380b5295e0365926aaebc4ecfd9
        6e4402bd84e40a8a4280db7f0fc6896751bc758a78d18c44b9c623742ea17dd4
        a409570fbbf5dd5759c4dc9dbe97b2a5b7ff01f472ac744a864523ddc535a589
        0cdc335913bec2e4951eebfd27c5bb7811351905380b8182463fc73b3db9159c
        ee88fca80bd63c3eecc5ba033f0ec7e45764bc8631599b5bf4cc73c85a25f28b
        328528dd3564f273e2521a0e0b4fe423b8fd8a516b071054e5d52d1782130167
        3cc671ba8c9b3f22cbd1a50011010001b4284665646f7261204550454c202838
        29203c6570656c406665646f726170726f6a6563742e6f72673e890238041301
        02002205025cf7cefb021b0f060b090807030206150802090a0b041602030102
        1e01021780000a091021ea45ab2f86d6a166a00ffe319cb5b0b37e0607254342
        48e9ae4d1f5fb2328699bf53b06c2072aca472cbf98e3abc000663ff6f32f744
        d1f72bf44936669ef31354569920b3cf35204c6e811684c6d47e05868ffb67c0
        572bf8f26e8c174997ea5e74ce7e14856a5c0377095226f7d8355f4c6f2bdbc4
        df2a651535cfb3c4599ac8cc50c34e815193447bd731e99cf4cd209e7f6174f0
        36a53d3b1208f213108f8b9f175d74e34009419edbaf7af37ab97204e07e25dd
        7348f56b00fa5e332269a5614748300858aeb1f9a9b5dd52089d7b6a07f0b3e0
        60472c52b9776fc862ca55c38ed2a258fc8e2144b6702aebed40ab9587de2078
        6c4d9eeb3d340d217dddfaf03b258ded698f22873642c35126181f242fa2b064
        00c30abcc406c71017aec8c1bc1998f3c68860d07e1b39212e8d52d38c7d716c
        01b80e78563bfd555cb5fe2d710bc9c3bc6504dc8e3ff80102aea38c2f30faef
        f40d7af681131be57042535def85413c60af867cf019735b4cafca1f5f96447d
        1849bfb8d5f941dcd2a131253a746234486b48c4348785554d9b1dbfe97893f5
        4ff39eb66c1b92b0f2721b6c5cfef4c19451680932c775665f51f20cfb57d7e9
        9fb2fbcb92e127c1ce08cb18fd9effec752cfadfc0d4c23883b43983952e4997
        608b4cf1ba4896b8290b7808803f8cbbcca2b83a327ae383437160876b7eb39f
        0566933de2c4bf10d1ab91d793aaab606347f7f2a299020d0452ae6884011000
        b5529857c0ca8201aacf507fd9b0e16c95a6de4d53b6a439396273bde9ffab81
        907bc40ac139279093b07dd22a9227ce7f73bd8e027e0e5d8bd3eb781f09e5e9
        26ce4cede99790fb0d4165928eef7d956f80a923668d85a199194b44697438ee
        e02308fbefa7485ef70c34597348f8f4d0ddb102a8cc6e39675769f669b004e6
        0aba569a8fbc55d5c9fad56bfb9a9688035667fa876b7845da627eaf2a4c7b07
        154df1a42cfe4fafdd196286438d9941f4da2e70cc8d3a00b266340327af9086
        d7ea2655b731af6a76293dc596e17d110cf729a9f14d664eb8df123896c67e63
        612bf58bb94bff31d25cbeb66988a24684d30c1b754bbbe3461366309eb2ba18
        5a2460e73b90db17cac49a15e44f8487eb58c060c99fa1df5a14609ee751470b
        ee278e73b5856d2ae94ac3c410a5dd924d6adc4100c96915a69cca285ff3c04d
        38c2044c41f5d933dfc0ebbaf93b2241ccb6c22a96400e40c76c5f57774e8bfa
        044d970e3206d331712ddb8919b57073feab21cf794f4e798f7e84cf41eb8f17
        694c638e1f146a30ae66f5f9456dac71b439d2ef0efb5aacd6ec78c5ac3d1579
        3c76be78e31aa7211c44297c3a453b36fc2d316181889dc913547e5418df958b
        3b32cd57ea55dde437260d75505c1e95234ba9f41fb8544673ecdcc243631e1e
        723ef9bda1d4750487ea27ab0a18f19bb4f357a3b111311ca95b2473d338b4b7
        0011010001b4284665646f7261204550454c20283729203c6570656c40666564
        6f726170726f6a6563742e6f72673e890238041301020022050252ae6884021b
        0f060b090807030206150802090a0b0416020301021e01021780000a09106a2f
        aea2352c64e5c7c60ffe2ca6aa6c4e3b4333baa9cad28b1caaee66dbee5a2aad
        e517ef4fdc30f4651414c678659197e27517838f6a8b10cb6b2591f1d746fece
        64c8e8b70b4b97ffa8a7cda632460f8187bd1baea2942b5e05d41aeb3e2dbd79
        a29f1be1ae305b577411b66bb3ad3e6c37cae2a6abd129bfa07498fe84e4a49d
        bd2452a895ad19c03ac114bfc03cd7244347a79adef48b26dc2632769cb418b4
        40e70a387cf079b8b75484b1140ef87628afff7cc8e36b7a342fe48dcfc37468
        36729f9031094f5107710771379c160a32e6e9918fdf4166b79b47534efb8801
        ae2bc87ddbc3e1f24d7cd0475f08521fd00218236f1e75d58c7405f621d60292
        a44487a1f05af69f976d7c9105ed2117f066d7ec56ec5a8dbd91732b56036a1c
        dc839df0015683ee6e041db4964991564091a1eb32ef00cadc13eb643878daa6
        248d5a59b650348e63598a9ce912ae08aebf17df6ab61153f6024ed7bfb246e2
        fa52fdbfbe0cd547544677054b2b09548c63c08d87e5a4243058c0004b18aff6
        e3f260f1dc12b4ab6d11b4c2321f011defbacd4e48ec77c591d9a5715f9904ec
        0cfef355138bcd5f7c477270140c49e3fc6a78e378bc23c553a3ac4f795643cc
        3b8a5e68858f79c26ba37ebea593cf6413325d393cdc9fb0c16d4aeedf709030
        6299dc4bed463b02ec50db2f4d7bab14be65503f1c69327e2bb8729815f15527
        6ea97978067ed4b97a0f99020d044bd22942011000cb1a7523db8655296ee588
        537f240e4282dce53672aceec060edf55b356af2884dd445b9f5257beb7701ed
        90ac98f7afe27d9d4b777944da0385eb56c6676096c0935e7bbe92a7d67e8ac3
        fc4505db1b98f08ffe0133d1caee9864b6a15527c55b6368df4e371fc51bc633
        c601c1717c871d020d9511023bdfd71452409ee2028e7ca9c1e75edc4e02f426
        01b47dcfa43f87f0fe63f3e1a08269d4e57854d1c26c2b3d33b1d4541a600b9d
        cf0dc4d442ec1c81e63aa50828f5e4f578b352655ac9e4172d8af97551c0fa3f
        a0881a491e4f680d86a8a77513e78145c65d6ed0ce879f7be7d542a2529bb4ea
        daaf68a95678e89f7ae30682448b51c92a6e5b977164edf858ceb0b30d813f63
        250026c7e25de5baab695e8dc1bdf9e4f870051f71dc32ec1d6ae971bfbcd829
        709f36849f82ba447e8d84c78226fc8dd676dc0c13f19b9f076add5273800c4b
        54585ccc31f03648e621d3c094d27dfe2c518e2a7876066d5bc55c042acda0bf
        8b843ac87e3be72dd46ebc11f2f4fdec085ec567271a1e53163fa4622ed1e710
        c19c6d9f10a501e2d9d45e535c32afd42082e194fa3a925d86abd7211cb1d446
        6aca6934867cf906b06e6fdae1da13d744c4b4f02b852a079706efa930d88ed7
        d5f76942ff68b080eea06201bd5eb3b857c755dfd15f9bba0b15fbd36e0e66bf
        843f13a016a3f8248e6b7191cba56f202f8c5b58010011010001b4214550454c
        20283629203c6570656c406665646f726170726f6a6563742e6f72673e890236
        04130102002005024bd22942021b0f060b090807030204150208030416020301
        021e01021780000a09103b49df2a0608b8951fc60ffc0b18fbfda8edfd7b26fd
        365af07ca754128d6d1f129dae1373f9762b3b8c950d305944f4aebcbdb26a87
        9222140e2a134f7c4813f6676c6ec81c7e6a07c66195727fa56e1796b12bdc82
        b5eecf480bb7c4c618a18644e0282d7a6e52c6f51cdb4a10ec0f438cf5b90da7
        3b3e612d1c83395d08d8bc1857c0631888c1294305114c454ec2fb5ce664ac08
        3f59b4c7d8f5b786b7d25ad71103b118a2723707cd1ddfd7dfc2ced29b229b4b
        93e6663a8e3ee4ef576174b4c84a2219dc070a288d664f1317ed1e92a1cca561
        f1f7433bfdcfd72d459370a29fc51b08ef4c58c14d476edf57308036510f963b
        0703edc4cf817bb9ba05a7438e128bf86328b80446e0a999ed8531b8b9bf67ca
        2ba9219ddc90f1ebde755c0d419c2fa9500ff9e498d54878b60fc75b873ce4a5
        59fba88c0620cd11fa2cbec8760e051c7040d2da3b156f1d4171483b23622450
        0e4f68fc3f9fad55dabcc01d0f0d21fcc91a67e07749f5162ab9abb83a48e5bb
        13967f4b91692fff494702661fb5fca0443a672f047611640e4997f9da902831
        19bda96903b3aaaa4e7072af9722eeccee6ec9b3176a2a4b1314c62570655eb6
        db0127d76bfc86612006895ac6cfd084ebaefa74c966f05facdd75c4d77419ad
        79a396873a8f03a58e77c09234c65e3881ece50b11279df7a3115ed7cb9345b9
        01bf6977bb4a0d1e901c8eeb8075df0a8a519d9d9555
        )

This is also a valid result. I contacted the author of RFC 7929 Paul Wouters to clarify this and he suggested that the first option is preferred. But when working on implementation, you should keep in mind that the second is an option as well.


Posted by Miroslav Suchý | Permanent link
Comments

2021-02-13 17:42:02

How to generate OpenPGP record for DNS (TYPE61)

Yesterday, I wrote how you could verify packages using GPG stored in DNS. You may wonder how you can store it in DNS?

Easy but least secure way

Take the armored GPG keys. E.g., RPM-GPG-KEY-fedora-35-primary and you can copy it into this service. You will need to add the email associated with the key as well. Use: fedora-35-primary@fedoraproject.org. Click Generate, and you have your DNS record ready.

Hey, how should I know that email address? That is easy. Run:

$ gpg2 RPM-GPG-KEY-fedora-35-primary
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2021-02-04 [SCE]
      787EA6AE1147EEE56C40B30CDB4639719867C58F
uid           Fedora (35) 

Hmm, I had to use the command-line anyway. Can I somehow generate it from the command-line, without using 3rd party service? Sure:

From Command Line

First, import the key:

$  gpg2 --import RPM-GPG-KEY-fedora-35-primary 
gpg: key DB4639719867C58F: public key "Fedora (35) " imported
gpg: Total number processed: 1
gpg:               imported: 1

And then export it:

$ gpg2  --export-options export-dane --export fedora-35-primary@fedoraproject.org
$ORIGIN _openpgpkey.fedoraproject.org.
; 787EA6AE1147EEE56C40B30CDB4639719867C58F
; Fedora (35) 
e27f1efe21ae589b7796e61af3ac4a4c1c2428615daca70d8f1c9e96 TYPE61 \# 1172 (
        99020d04601c49ca011000cb7fc60791ecc9e9a765318c3b6861889496a5b7c2
        63db1fc1d8afa121f22ec46b69563ede2d180353bea3693e69543e6614c277a6
        47a7791fdc4e6aaa42437242c857da8417c04cd449bd4234c09f0868245fc436
        cd992b21c0ab174436c2b29b95ab9d854fa255a9c00ec9b5f1812ab1be40537e
        ddb54accdd061d5a0f51f9788f7d5f112818d3d37bd504e74c4ac637f4b6829f
        a229d4ebe9f08128fc8784558d6a98238f01a2b46c91f7b9f8380ae7a4b3e4d2
        c105937822f1b992fa38c5e838f2b0bcc41fc5b8355c3f2fb99d0ab63fdc347d
        b16aed319ac02ef472697a4bce3d1c65caab63c997eba1589e172a70660bd0c2
        d9e733cfe0484bbf2554eb634e76984513ec271bef891c1c54c57cc9259e41bf
        d1f5380116b9d381f7c63d24b5b7b7bca70f5e83ceb8a055b074afd34506600c
        8f7aecbef3b714fd812133b9374952a3e9e21983288c3b4c25d5818344a72e97
        092cf40fae964835a136f8b37ce666f3f4ec6a13c56e368da2b9592f8d85979e
        f3ad17a1585b7352a94be8df6688ecac4b59f0f6d467e62f17c469add580ae31
        db264d89a51280c53871b1002c0611b5d0bbb1d9668c0748362393dc31d27f72
        a8e8d3c71cae3057ba2c56ae2e62bbd317a7ca93fdf4b3366b1d2209fcfea64a
        8bc42e95fbbbeeeaa15bfc2dd9bb678ad811b2a8e1c4cba3614e196f8864b45f
        21294fd75fbe36aa12f92b0011010001b4314665646f72612028333529203c66
        65646f72612d33352d7072696d617279406665646f726170726f6a6563742e6f
        72673e89024e041301080038162104787ea6ae1147eee56c40b30cdb46397198
        67c58f0502601c49ca021b0f050b0908070206150a09080b020416020301021e
        01021780000a0910db4639719867c58f8d600ffb058a609724806581e18f22a1
        ffe7faccf7d5bdb1f6d04ab7908ece1413749cb5fe054d66baf4bea93b92dd62
        eb0779b71ae96da4a44424a2ed9b9103d6b1b35c0a13d72a7d608f0b00374c08
        23b28c08eca1653ced852e0befdb9e3ad3791d8b44e09fc8f0bbe96f7ce62395
        9b94be6ec403c3b0b62eb95d00ce0c0eea326754a2b46699e0a40b56df9311ad
        788ac6121828f3a3b3d8f15dc93a4e7482a5a0f3637f6e6d84cd2ed3f375840d
        bd65be3e0896fc6022a29e835d735d8c66ad849924909fbf37fe94d4babb1807
        8f1fc9d32959d8b89b1abe86000c8ef545ab0194b048cd047234fcc040a7c644
        83bb2aa65b056f3415ee10857c39edd83225357c937cb1dec3a6c171e4cf9776
        7327412f87ae34cf283de65ab94076711385d615f23664a56843cacdfff7d78e
        864d2b2e7cb48cdc246ae7ff894f0e73a5ef3248cb44c260e54f552b226e596b
        73c179e330de5644506a2b8b19a2630c7ed6d31f5fb9c9b456fc0def05b6b145
        6daded4ccd8dccde91264489a2cdf4bfc7709088475405f3af360dd025105f5d
        93681089849001a689d09240cc7bd191124b2e02b66106221cd572daddc9c857
        ecada9b9c1209639f84f788c8b053649beba4d94f6de7ec4fde7b4dfd81348ba
        0cd9ac2e55c4348a919811875546bd22109c2cb3910cba114daa3e9896e7d1bf
        84f21766b2a870adca2d2f7f8b32504d196d8cc0
        )

And voilà, this your DNS record which you can copy'n'paste to your zone. In this case, to _openpgpkey.fedoraproject.org..

Remember, if the email associated with the GPG key is foo@bar.com then the generated record has to go to _openpgpkey.bar.com. zone.

And do not forget - all this has a sense only if your domain is signed using DNSSEC. Otherwise, anyone can falsify these records.


Posted by Miroslav Suchý | Permanent link
Comments

2021-02-11 17:27:24

Verify package GPG signature using DNSSEC

When you want to be sure that RPM packages installed on your system were not altered, you should enable

gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch

in your repo file or in dnf.conf. The problem is how to get the file on your disk the secure way?

We have fedora-repos and distribution-gpg-keys. This will allow you to fetch new keys. But how to fetch the very first GPG key?

You can either manually download, verify, and rpm --import that key. Fedora has a dedicated page for its GPG keys. This process is manual and boring. Can we utilize something which we can trust? What about DNS signed using DNSSEC?

Can we put the GPG key in the DNS record and sign it using DNSSEC? We can trust this record and can safely import it.

This is what Martin Sehnoutka has done in his master thesis Automatic verification of software packages with help of DNS. He even provided patches for DNF, created some DNS records, but then … things stalled. I picked it up a few days ago.

Fedora now provides GPG keys for Fedora 27+ in DNS. Want to check it?

Enable DNSSEC

Default Fedora installation use systemd-resolved. In such case, add to the file /etc/systemd/resolved.conf following line:

[Resolve]
DNSSEC=allow-downgrade

and restart the service:

sudo systemctl restart systemd-resolved.service

From man resolved.conf: If set to “allow-downgrade” DNSSEC validation is attempted, but if the server does not support DNSSEC properly, DNSSEC mode is automatically disabled.

Manual check

This step is only for curious nerds. :)

Start with the email associated with GPG key and use tool email2domain and run:

$ email2domain fedora-27@fedoraproject.org
2d81eb3c5ebd20d163ff111a2dbcdc7e3336825d7d2331a3ef543aa8._openpgpkey.fedoraproject.org

This is the DNS record to query and is formatted using RFC 7929.

Now query this DNS record:

$ dig -t TYPE61 2d81eb3c5ebd20d163ff111a2dbcdc7e3336825d7d2331a3ef543aa8._openpgpkey.fedoraproject.org

; <<>> DiG 9.11.26-RedHat-9.11.26-2.fc33 <<>> -t TYPE61 2d81eb3c5ebd20d163ff111a2dbcdc7e3336825d7d2331a3ef543aa8._openpgpkey.fedoraproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13055
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;2d81eb3c5ebd20d163ff111a2dbcdc7e3336825d7d2331a3ef543aa8._openpgpkey.fedoraproject.org.        IN OPENPGPKEY

;; ANSWER SECTION:
2d81eb3c5ebd20d163ff111a2dbcdc7e3336825d7d2331a3ef543aa8._openpgpkey.fedoraproject.org. 86400 IN OPENPGPKEY mQINBFiskqMBEADTbsoAXpDPk+FtcwBEPZQVe0YQYdOqavfQQVD/RYAc HnJW/K1bZhQusBjUIec9SfGi3uBNNmbziAvpd/ycMKyWHuWQLmBgbImr qnPbBPMXmxeNGnZjA1hjVDp0pzj2+gZQhqYWSf6kQy9u9A1mSU63Kl/t fw7+hX7Tc3I8feGAFCHcFQgESxUib8Mw/OOGR3Am9fKdA+K1kJeQIiZv XMcNFx+3CfoavhFdicuoT2KbcSuzRm76duKNHlLaP6/IbZxNiDWh8SDV pFaFPlqR/R/+wibA6e9wMf6CZ4vfUY7NKYf4tYBs0EYdkn3j/KhJJxdb +M46Q/xwq9ovZo7XIhLrIUPuMw91X9cbvkU/a9kE1ffdpNmF1fDnUcEk uuEqOl+aMVsUBEbAQ86yrwpDfL4XT9vwnDIkggKZyvDTZ6q00XKg3Ger KuZtQBl/YcHDXuBlB1fzpGl8a8hq/+GeT2sVxjlYwPXjrsKd1NeP6ctQ sR6gHuP3W5ohP4rArtM6ONN8rlTiodDLVGHBpUzIRdgr7RCL1AqB9vrd Q2MVZMasTcUnUvKo0H4mps+x05jGao0b0Z0TJc6wr6ybHH38NVG06VX5 rJZlfZchGwkWzmYxai55/7ln1vJmk+kbdS7pK0jfmeVJ8A77XLCL36oJ FCiCrYjV+ZGgvB+z08Jzwc7sgwARAQABtCxGZWRvcmEgMjcgKDI3KSA8 ZmVkb3JhLTI3QGZlZG9yYXByb2plY3Qub3JnPokCOAQTAQIAIgUCWKyS owIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ9V50MPUoLuTc ww/+LFPVEyVguMeU/QABEsE5FEN7kcDReZtdwq7p/aKC29mzCxeHggit YOGlrINkJ26Aq6p+oW6w7JxBWJnKoTBYJDFzNIbp/6GbG4oKcEnWQZfT nRLTr5aukVdWBFevzC0huraobKz3joYRIX826VUzS/A418zpnDVPtpo3 x86V9f292rqi2tn9Q5cQC5Ck3/cjQDEwkN9gHz4j/c1oa6zBOcHbKkaZ dWA2dIs6XOxCIHg78i6VQwMMs+vfm2vbV3ACCcOVnd3d6NxIQuDLEQwd tdB2zI8R74bjacosrcafK+F2DnkM7WrLSCiTKLJBMRDx+X2nOjT5pLut s4FC/XYRO23SMtPAMzQ852Z1lkjsaVDsjzNqCasUB0vDPHLQE8aj0zch NBSzuHoKpXNYTyJztekWL/QXkUsXu0x7N5WhBlZ+lni6LtZU51l7BJd1 n+ZKnQ4gmjQ1ffVLbgzb9Z1MNje0s61FdKmUJQGULYqh32W4GV+RLvtI 6AJV/EmFCUEfRJ3eA8tJiyKe512wiim/WDhvzFuuPBup2Z3TufiaJQOy sLlN5+HUQitTtcd7j8ZgpsIAIZtSWOMxbIAJWbzn8gjfIj4ZDeo0ZZXH 0VgDkXtpv1g8R2aRAz6ob5YYW5VnI2UEr53x1Z7lmUhv/TUZn26IeU16 jCJ80k7pJvQSF8Y=

;; Query time: 560 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Čt úno 11 17:07:46 CET 2021
;; MSG SIZE  rcvd: 1272

This is huge! Where to look? First, we look for TYPE61 record. In ANSWER SECTION there is the GPG key of Fedora 27. It really exists there! But can we trust it? Every documentation about DNSSEC says that we should look for ad flag. It stands for “Authenticated Data”. This is the part:

;; flags: qr rd ra;

But the flag is not there. That is because I use systemd-resolved (default in Fedora) and it is not capable of forwarding RRSIG records to the client! Systemd has four years old issue which recently got some love and the situation is changing every minute. Hopefully, it will be resolved very soon now.

When we do not use systemd-resolved, will the situation be better?

$ dig @192.168.1.1 -t TYPE61 2d81eb3c5ebd20d163ff111a2dbcdc7e3336825d7d2331a3ef543aa8._openpgpkey.fedoraproject.org
....
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
...

The 192.168.1.1 is a DNS server on my home router. Use a DNS server of your provider to test this step. What about the flag? Yes! The ad flag is there. We can trust the data as they have been signed and verified from the top-level domain down to fedoraproject domain.

Security note: The response goes from resolver unprotected (unless you use DNS over TLS). You should really use resolver in network you trust.

To temporarily workaround this in DNF, I submitted pull-request.

I said that the bits are already in DNF. Want to try it?

DNF

Before we start, make sure you do not use systemd-resolved or apply this patch.

Put in /etc/dnf/dnf.conf:

[main] 
gpgkey_dns_verification=1

This option is well documented in man dnf.conf. I copy it here:

gpgkey_dns_verification
       boolean
       Should the dnf attempt to automatically verify GPG verification keys using
       the DNS system. This option requires libunbound to be installed on 
       the client system. This system has two main features. The first one is
       to check if any of the already installed keys have been revoked. Automatic
       removal of the key is not yet available, so it is up to the user, to remove
       revoked keys from the system. The second feature is automatic verification
       of new keys when a repository is added to the system. In interactive mode,
       the result is written to the output as a suggestion to the user.
       In non-interactive mode (i.e. when -y is used), this system will
       automatically accept keys that are available in the DNS and are correctly
       signed using DNSSEC. It will also accept keys that do not exist in the DNS
       system and their NON-existence is cryptographically proven using DNSSEC.
       This is mainly to preserve backward compatibility. Default is False.

Now, edit /etc/yum.repos.d/fedora.repo. And comment out the line with gpgkey:

#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch

Delete the current GPG from your rpmdb. I am on Fedora 33. Run:

$ rpm -qa --qf "%{summary} %{name}-%{version}-%{release}\n" |grep pubkey| grep fedora-33
Fedora (33) <fedora-33-primary@fedoraproject.org> public key gpg-pubkey-9570ff31-5e3006fb

The pseudo-package with Fedora 33 gpg key is gpg-pubkey-9570ff31-5e3006fb. I can remove it from system:

$ sudo rpm -e gpg-pubkey-9570ff31-5e3006fb

Now choose some simple leaf package as testing object. I am choosing fedora-upgrade:

# sudo rpm -e fedora-upgrade

Now I try to install it using DNF. And now we can install it again and now it should be verified using DNSSEC. Let’s pass “-v” to have more fun (and information):

# sudo dnf -v install fedora-upgrade

The output is looong. I am going to pick up only interesting lines:

DNSSEC extension: Testing already imported keys for their validity.
Running verification for key with id: rpmfusion-buildsys@lists.rpmfusion.org
DNSSEC extension: GPG Key rpmfusion-buildsys@lists.rpmfusion.org could not be tested
Running verification for key with id: @copr#copr@copr.fedorahosted.org
DNSSEC extension error (email=@copr#copr@copr.fedorahosted.org): Email address must contain exactly one '@' sign.

At the start, DNF checks whether some GPG has been revoked - this was not possible until now. And it informs us that DNS entry for rpmfusion-buildsys@lists.rpmfusion.org cannot be found. The second part is an error because group projects in Copr contain two @ characters. This is bug of Copr, but it caused no issue previously, so we did not care. We will do about it in the future. Nevertheless, all these lines are normally suppressed and are just informative.

Dependencies resolved.
=====================================================================================================================================================================================================================
 Package                                                 Architecture                                    Version                                              Repository                                        Size
=====================================================================================================================================================================================================================
Installing:
 fedora-upgrade                                          noarch                                          33.2-1.fc33                                          updates                                           23 k

Transaction Summary
=====================================================================================================================================================================================================================
Install  1 Package

Total download size: 23 k
Installed size: 38 k
Is this ok [y/N]: y
Downloading Packages:
fedora-upgrade-33.2-1.fc33.noarch.rpm                                                                                                                                                799  B/s |  23 kB     00:29    
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                783  B/s |  23 kB     00:29     
warning: /var/cache/dnf/updates-0e22a1f5a0a34771/packages/fedora-upgrade-33.2-1.fc33.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 9570ff31: NOKEY
Fedora 33 - x86_64 - Updates                                                                                                                                                         1.6 MB/s | 1.6 kB     00:00    
Running verification for key with id: fedora-33-primary@fedoraproject.org
DNSSEC extension: Key for user fedora-33-primary@fedoraproject.org is valid.
Importing GPG key 0x9570FF31:
 Userid     : "Fedora (33) "
 Fingerprint: 963A 2BEB 0200 9608 FE67 EA42 49FD 7749 9570 FF31
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-33-x86_64
Verified using DNS record with DNSSEC signature.
Is this ok [y/N]: 

DNF downloaded the package and found that it contains a new GPG key and ask me whether it can be imported.

The line:

Verified using DNS record with DNSSEC signature.

is not in the current code. I proposed it new pull request.

When you use dnf -y DNF normally imports GPG key without asking. When you use gpgkey_dns_verification and the DNS entry exists, it must match the file before the key is imported.

And that’s all.

Future work

I will play with this a bit more. And you can too. I hope that this will leads us to future where we will do not need to distribute GPG keys as separate files.

In the near future, I want to provide DNS records for all Copr projects.


Posted by Miroslav Suchý | Permanent link
Comments