Linux packaging and /etc/cron.daily/google-chrome{,-beta,-unstable} install obsolete dsa1024/7FAC5991 key
Reported by ivan@ludios.org, Dec 26 2016
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Steps to reproduce the problem:
1. Install google-chrome-stable, google-chrome-beta, or google-chrome-unstable
2. Observe the 7FAC5991 key listed in `apt-key list` (also re-added daily if removed)
What is the expected behavior?
No 7FAC5991 key is installed, just the newer D38B4796 key.
What went wrong?
The 7FAC5991 key is installed:
  pub dsa1024/7FAC5991 2007-03-08 [SC]
  uid [ unknown] Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
  sub elg2048/C07CB649 2007-03-08 [E]
Did this work before? N/A
Chrome version: 57.0.2950.4 Channel: dev
OS Version:
Flash Version:
The 7FAC5991 key seems to be unnecessary because the releases are now signed with the newer D38B4796 key. (I am sorry if I missed something.)
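The check described in the report, as an added example that is not part of the original issue or of Chromium's packaging scripts: a shell function that reads GnuPG `--with-colons` output and flags RSA, DSA and Elgamal keys below a minimum size. The 2048-bit threshold, the zero-padded long key IDs, the creation timestamps and the algorithm and size of the D38B4796 record are assumptions constructed for the sample; the page gives only the short IDs.

```shell
#!/bin/sh
# Added example: flag weak public keys in GnuPG --with-colons output (read on stdin).
# Colon record fields used: 1 = record type, 3 = key length in bits,
# 4 = public-key algorithm id (1 = RSA, 16 = Elgamal, 17 = DSA), 5 = key ID.
# MIN_BITS is this example's assumption, not a value from the bug report.
MIN_BITS=2048

flag_weak_keys() {
    awk -F: -v min="$MIN_BITS" '
        $1 == "pub" || $1 == "sub" {
            bits = $3 + 0
            if      ($4 == 1)  name = "rsa"
            else if ($4 == 16) name = "elg"
            else if ($4 == 17) name = "dsa"
            else next   # ECC and other algorithms: bit length is not comparable
            # Report in the "apt-key list" style, using the short (last 8 hex) key ID.
            if (bits < min)
                printf "%s %s%d/%s\n", $1, name, bits, substr($5, length($5) - 7)
        }'
}

# Constructed sample keyring listing. Only the short IDs, the 2007-03-08 date
# and the dsa1024/elg2048 sizes come from the report; everything else is a
# placeholder (long key IDs are zero-padded, the rsa4096 record is assumed).
sample_keyring() {
    cat <<'EOF'
pub:-:1024:17:000000007FAC5991:1173312000:::-:::scSC:
uid:-::::1173312000::::Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>:
sub:-:2048:16:00000000C07CB649:1173312000::::::e:
pub:-:4096:1:00000000D38B4796:1460000000:::-:::scSC:
EOF
}

# Stand-alone run over the constructed sample.
sample_keyring | flag_weak_keys
```

On a real system the input would come from a listing such as `gpg --no-default-keyring --keyring /etc/apt/trusted.gpg --with-colons --list-keys`, re-run after the daily cron job to see whether a removed key has been re-added.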
Dec 27 2016
Dec 30 2016
Jan 3 2017
I'll remove the old key when we do the next signing update, which we should be starting work on soon.
Jan 3 2017
Jul 27 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/17b8d523d8df939f39f444566ce9e25ee5796513
commit 17b8d523d8df939f39f444566ce9e25ee5796513
Author: Michael Moss <mmoss@google.com>
Date: Thu Jul 27 17:15:20 2017
Distribute new Linux public key and remove obsolete key.
BUG=677046
R=thestig@chromium.org, thomasanderson@chromium.org
Change-Id: Ia0b7116cf81a6fa5eee00a840b02501ab64f65bb
Reviewed-on: https://chromium-review.googlesource.com/588049
Reviewed-by: Thomas Anderson <thomasanderson@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Michael Moss <mmoss@chromium.org>
Cr-Commit-Position: refs/heads/master@{#490000}
[modify] https://crrev.com/17b8d523d8df939f39f444566ce9e25ee5796513/chrome/installer/linux/common/apt.include
[modify] https://crrev.com/17b8d523d8df939f39f444566ce9e25ee5796513/chrome/installer/linux/common/rpm.include
Jul 28 2017
Jul 28 2017
This bug requires manual review: Request affecting a post-stable build
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 29 2017
Your change meets the bar and is auto-approved for M61. Please go ahead and merge the CL to branch 3163 manually.
Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 30 2017
Pls merge your change to M61 branch 3163 before 3:00 PM PT on Monday so we can take it in for next week's last M61 Dev release. Thank you.
Jul 31 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c9a18c4d5d58898de8abb1591fd37b2428d812db
commit c9a18c4d5d58898de8abb1591fd37b2428d812db
Author: Michael Moss <mmoss@google.com>
Date: Mon Jul 31 18:47:30 2017
Distribute new Linux public key and remove obsolete key.
BUG=677046
R=thestig@chromium.org, thomasanderson@chromium.org
Change-Id: Ia0b7116cf81a6fa5eee00a840b02501ab64f65bb
Reviewed-on: https://chromium-review.googlesource.com/588049
Reviewed-by: Thomas Anderson <thomasanderson@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Michael Moss <mmoss@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#490000}
(cherry picked from commit 17b8d523d8df939f39f444566ce9e25ee5796513)
Reviewed-on: https://chromium-review.googlesource.com/590667
Reviewed-by: Michael Moss <mmoss@chromium.org>
Cr-Commit-Position: refs/branch-heads/3163@{#172}
Cr-Branched-From: ff259bab28b35d242e10186cd63af7ed404fae0d-refs/heads/master@{#488528}
[modify] https://crrev.com/c9a18c4d5d58898de8abb1591fd37b2428d812db/chrome/installer/linux/common/apt.include
[modify] https://crrev.com/c9a18c4d5d58898de8abb1591fd37b2428d812db/chrome/installer/linux/common/rpm.include
Aug 2 2017
ping on Merge-Review-60?
Aug 2 2017
Aug 3 2017
Per discussion, let's wait until M61 as M60 is already in Stable and this doesn't have an immediate impact on users.
Aug 3 2017
Aug 3 2017
We need to restore the old key for RPMs because they apparently don't validate subkey signatures properly.
Aug 3 2017
Aug 3 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/aed698afc47c7779028d71af32ff08cffef375d0
commit aed698afc47c7779028d71af32ff08cffef375d0
Author: Michael Moss <mmoss@google.com>
Date: Thu Aug 03 22:13:23 2017
Continue distributing old signing key in RPMs.
RPM packages are going to still be signed with the old key for now because rpm apparently can't handle our new GPG subkeys.
R=thestig@chromium.org
Bug: 677046
Change-Id: I54037622ca38e20d8403f3f60bab33fcf5e2f8ec
Reviewed-on: https://chromium-review.googlesource.com/600893
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Michael Moss <mmoss@chromium.org>
Cr-Commit-Position: refs/heads/master@{#491859}
[modify] https://crrev.com/aed698afc47c7779028d71af32ff08cffef375d0/chrome/installer/linux/common/rpm.include
Aug 4 2017
merge request for #18
Aug 4 2017
Merge is needed for m61 because we discovered that RPM has trouble validating packages signed with our new key, so we have to go back to signing with the old key, and hence have to continue distributing it, otherwise first-time installers won't have the key they need to validate updates. It's not needed for stable because we never removed the old key from those packages (re: #14).
Aug 4 2017
Approving merge to M61 branch 3163 based on comment #20.
Aug 4 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bc0c4d976145a4f59a45fef28445f7b4939c994b
commit bc0c4d976145a4f59a45fef28445f7b4939c994b
Author: Michael Moss <mmoss@google.com>
Date: Fri Aug 04 21:55:35 2017
Continue distributing old signing key in RPMs.
RPM packages are going to still be signed with the old key for now because rpm apparently can't handle our new GPG subkeys.
R=thestig@chromium.org
Bug: 677046
Change-Id: I54037622ca38e20d8403f3f60bab33fcf5e2f8ec
Reviewed-on: https://chromium-review.googlesource.com/600893
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Michael Moss <mmoss@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#491859}
(cherry picked from commit aed698afc47c7779028d71af32ff08cffef375d0)
Reviewed-on: https://chromium-review.googlesource.com/602581
Reviewed-by: Michael Moss <mmoss@chromium.org>
Cr-Commit-Position: refs/branch-heads/3163@{#328}
Cr-Branched-From: ff259bab28b35d242e10186cd63af7ed404fae0d-refs/heads/master@{#488528}
[modify] https://crrev.com/bc0c4d976145a4f59a45fef28445f7b4939c994b/chrome/installer/linux/common/rpm.include
Comment 1 by kkaluri@chromium.org, Dec 27 2016