@hide32767
Last active March 31, 2020 13:30
Resolving the signature verification error that occurs during VyOS `add system image`

※ originated at 2016/03/30 11:27 (JST)

Overview

According to Public key - VyOS, the key used to sign releases changed starting with 1.1.6. Signature verification in VyOS `add system image` uses root's keyring, so when you add the public key with the gpg command you have to run it under sudo. (If you follow the VyOS wiki literally, the key ends up in the vyos user's keyring instead, and the check keeps failing.)

Symptom

If the public key is not registered in root's keyring, signature verification fails:

$ add system image http://mirror.vyos.net/iso/release/1.1.7/vyos-1.1.7-amd64.iso
Trying to fetch ISO file from http://mirror.vyos.net/iso/release/1.1.7/vyos-1.1.7-amd64.iso
(略)
Found it.  Checking digital signature...
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: Signature made Wed Feb 17 22:37:47 2016 JST using RSA key ID A0FE6D7E
gpg: Can't check signature: public key not found
Signature check FAILED.
Do you want to continue anyway? (yes/no) [no]

With the public key registered, verification succeeds. The "This key is not certified with a trusted signature!" warning only means the key has not been marked as trusted in root's web of trust; the signature itself verified, and add system image accepts it:

$ add system image http://mirror.vyos.net/iso/release/1.1.7/vyos-1.1.7-amd64.iso
Trying to fetch ISO file from http://mirror.vyos.net/iso/release/1.1.7/vyos-1.1.7-amd64.iso
(略)
Found it.  Checking digital signature...
gpg: Signature made Wed Feb 17 22:37:47 2016 JST using RSA key ID A0FE6D7E
gpg: Good signature from "VyOS Maintainers (VyOS Release) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0694 A923 0F51 39BF 834B  A458 FD22 0285 A0FE 6D7E
Digital signature is valid.
Checking MD5 checksums of files on the ISO image...OK.
Done!

Procedure

First run gpg --list-keys under sudo so that the GnuPG files for root (keyring, gpg.conf, trustdb) get created.

$ sudo gpg --list-keys
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created

Run gpg --recv-keys to fetch the key from a public key server. The target key ID (A0FE6D7E in this case) can be confirmed at Search results for '0xfd220285a0fe6d7e'. Note that an 8-hex-digit key ID is only the low 32 bits of the fingerprint, and keys that collide on a short ID can be (and have been) uploaded to keyservers, so after importing compare the full fingerprint reported by gpg --fingerprint against the one printed in the successful verification above (0694 A923 0F51 39BF 834B A458 FD22 0285 A0FE 6D7E) before relying on it.

$ sudo gpg --recv-keys A0FE6D7E
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: requesting key A0FE6D7E from hkp server keys.gnupg.net
gpg: key A0FE6D7E: public key "VyOS Maintainers (VyOS Release) <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Alternatively, save the contents of New (post-1.1.6) key - VyOS to a file such as /tmp/so3group_maintainers.key and import it with gpg --import. It is fine to delete /tmp/so3group_maintainers.key after importing.

$ sudo gpg --import /tmp/so3group_maintainers.key
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: key A0FE6D7E: public key "VyOS Maintainers (VyOS Release) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Confirm with gpg --list-keys that the public key has been imported into root's keyring.

$ sudo gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   4096R/A0FE6D7E 2015-08-12
uid                  VyOS Maintainers (VyOS Release) <[email protected]>
sub   4096R/E599BC20 2015-08-12
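As an added example (not code from the gist or from the VyOS project), the steps above collected into a POSIX sh script: it fetches the key into root's keyring by full fingerprint rather than by the short ID, then parses gpg's colon-format listing of what actually landed in that keyring and checks the fingerprint against the one printed in the successful verification output. The fingerprint and key ID are the ones shown on this page; the function names, the explicit --homedir /root/.gnupg, and the sample listings (including a made-up key that collides on A0FE6D7E) are assumptions for the example.

```sh
#!/bin/sh
# Added example, not part of the original gist: import the VyOS release key
# into root's keyring and verify its fingerprint before relying on it for
# `add system image`. Only the fingerprint and key ID come from the gist.
set -eu

# Full fingerprint of "VyOS Maintainers (VyOS Release)" as printed by the
# successful verification in the gist. The short ID A0FE6D7E is just its
# last 32 bits.
EXPECTED_FPR="0694A9230F5139BF834BA458FD220285A0FE6D7E"

# gpg runs as root during `add system image`, so this is the keyring that
# matters. Passing --homedir makes that explicit instead of relying on
# what sudo does with $HOME.
ROOT_GNUPGHOME="/root/.gnupg"

# Pure check: read `gpg --with-colons --fingerprint` output on stdin and
# succeed only if an "fpr" record carries exactly the expected fingerprint
# (field 10 in the colon format). Returns 1 otherwise.
fpr_in_listing() {
    expected="$1"
    status=1
    while IFS=: read -r rectype f2 f3 f4 f5 f6 f7 f8 f9 fpr rest; do
        [ "$rectype" = "fpr" ] || continue
        if [ "$fpr" = "$expected" ]; then
            status=0
        fi
    done
    return "$status"
}

# Live procedure (needs network and sudo; only run when asked for below).
# Fetching by full fingerprint rather than by A0FE6D7E avoids pulling a
# key that merely collides on the short ID, and the listing check catches
# a keyserver handing back something else.
import_vyos_key() {
    sudo gpg --batch --homedir "$ROOT_GNUPGHOME" --recv-keys "$EXPECTED_FPR"
    sudo gpg --batch --homedir "$ROOT_GNUPGHOME" --with-colons \
        --fingerprint "$EXPECTED_FPR" | fpr_in_listing "$EXPECTED_FPR"
}

# Constructed sample listings (made up for this example) so the check can
# be exercised offline: one carrying the real fingerprint, one carrying a
# key that shares the short ID A0FE6D7E but has a different fingerprint.
GOOD_LISTING='pub:-:4096:1:FD220285A0FE6D7E:2015-08-12:::-:::scESC:
fpr:::::::::0694A9230F5139BF834BA458FD220285A0FE6D7E:
uid:-::::2015-08-12::0000000000000000000000000000000000000000::VyOS Maintainers (VyOS Release):'
BAD_LISTING='pub:-:2048:1:DEADBEEFA0FE6D7E:2016-01-01:::-:::scESC:
fpr:::::::::DEADBEEFDEADBEEFDEADBEEFDEADBEEFA0FE6D7E:'

# Runs the check against both samples; returns 0 only if the real
# fingerprint is accepted and the colliding one is rejected.
demo_check() {
    printf '%s\n' "$GOOD_LISTING" | fpr_in_listing "$EXPECTED_FPR" || return 1
    if printf '%s\n' "$BAD_LISTING" | fpr_in_listing "$EXPECTED_FPR"; then
        return 1
    fi
    return 0
}

# Usage on the VyOS box, as the vyos user:  sh vyos-key.sh import
case "${1:-}" in
    import) import_vyos_key && echo "root keyring now holds $EXPECTED_FPR" ;;
esac
```

Run with the `import` argument on the router; without arguments the script only defines the functions, so the offline check can be called on its own. The fingerprint check is what turns "a key named VyOS Maintainers was imported" into "the key VyOS publishes was imported".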

References
