ben-grande/qusal

Add CI job to report when PGP keys are 2 months away from expiration

ben-grande opened this issue · 4 comments

Current problem (if any)

Need to manually monitor key expiration dates.

Proposed solution

The job will open an issue reporting that a certain key is about to expire.

The value to a user, and who that user might be

No errors on PGP verification.

.

The key closest to expiring is 152812300785C96444D3334D17565732E08E5E41.asc, which expires on 2024-08-20. This issue has to be closed before September. The key used for authentication expired last year, before it was even imported into the repo; no new version seems to be available.

Sequoia PGP has nice human-readable output, but GPG's machine-readable output might be best for this use case. Supporting both tools might be a good idea.

% gpg --show-keys salt/sys-bitcoin/files/server/keys/152812300785C96444D3334D17565732E08E5E41.asc
pub   rsa4096/17565732E08E5E41 2015-03-05 [SC] [expires: 2024-08-20]
      Key fingerprint = 1528 1230 0785 C964 44D3  334D 1756 5732 E08E 5E41
uid                            Ava Chow <me@achow101.com>
uid                            Ava Chow <achow101@pm.me>
uid                            Ava Chow <github@achow101.com>
sub   rsa4096/DB88DB0BD2EDFBFC 2015-03-05 [E] [expires: 2024-08-20]
      Key fingerprint = 775F 1492 D895 5479 8BD5  6C5A DB88 DB0B D2ED FBFC
sub   rsa4096/7D2D8897932EC802 2023-04-14 [A] [expired: 2023-04-20]
      Key fingerprint = 4199 62FF 051D 5DD7 52BB  F48D 7D2D 8897 932E C802

% gpg --show-keys --with-colons salt/sys-bitcoin/files/server/keys/152812300785C96444D3334D17565732E08E5E41.asc
pub:-:4096:1:17565732E08E5E41:1425584761:1724176400::-:::scESC::::::23::0:
fpr:::::::::152812300785C96444D3334D17565732E08E5E41:
uid:-::::1702483391::646CDBDE320F3DA1920383571B3F48995E2FE1A9::Ava Chow <me@achow101.com>::::::::::0:
uid:-::::1702483440::B43F4BF8DB03072DEDFF5E64FCA37F9F63A0D5AB::Ava Chow <achow101@pm.me>::::::::::0:
uid:-::::1702483420::1BD2BB65D3EA2E1EBD6DCB5501EA58E046B3C752::Ava Chow <github@achow101.com>::::::::::0:
sub:-:4096:1:DB88DB0BD2EDFBFC:1425584761:1724176458:::::e::::::23:
fpr:::::::::775F1492D89554798BD56C5ADB88DB0BD2EDFBFC:
sub:e:4096:1:7D2D8897932EC802:1681501851:1682003813:::::a::::::23:
fpr:::::::::419962FF051D5DD752BBF48D7D2D8897932EC802:

% sq inspect salt/sys-bitcoin/files/server/keys/152812300785C96444D3334D17565732E08E5E41.asc
salt/sys-bitcoin/files/server/keys/152812300785C96444D3334D17565732E08E5E41.asc: OpenPGP Certificate.

    Fingerprint: 152812300785C96444D3334D17565732E08E5E41
Public-key algo: RSA
Public-key size: 4096 bits
  Creation time: 2015-03-05 19:46:01 UTC
Expiration time: 2024-08-20 17:53:20 UTC (creation time + P3455DT79639S)
      Key flags: certification, signing

         Subkey: 775F1492D89554798BD56C5ADB88DB0BD2EDFBFC
Public-key algo: RSA
Public-key size: 4096 bits
  Creation time: 2015-03-05 19:46:01 UTC
Expiration time: 2024-08-20 17:54:18 UTC (creation time + P3455DT79697S)
      Key flags: transport encryption, data-at-rest encryption

         Subkey: 419962FF051D5DD752BBF48D7D2D8897932EC802
                 Invalid: The subkey is not live
Public-key algo: RSA
Public-key size: 4096 bits
  Creation time: 2023-04-14 19:50:51 UTC
Expiration time: 2023-04-20 15:16:53 UTC (creation time + P5DT69962S)
      Key flags: authentication

         UserID: Ava Chow <achow101@pm.me>

         UserID: Ava Chow <github@achow101.com>

         UserID: Ava Chow <me@achow101.com>
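The machine-readable records above are what a CI check would parse. The following is an added example of such a parser, written for this page; it is not the repository's scripts/pgp-expiration.sh. It assumes the GnuPG 2 colon format documented in doc/DETAILS (field 1 record type, field 2 validity, field 5 key ID, field 7 expiration as seconds since the epoch, empty when the key never expires) and embeds a constructed copy of the certificate's pub/sub/fpr records so the sample run needs no gpg installed. Revoked keys are reported as well, which the page's script output does not show.

```sh
#!/bin/sh
# Added example, not the repository's scripts/pgp-expiration.sh.
# Parses `gpg --show-keys --with-colons` records and reports primary keys
# and subkeys that are revoked, expired, or expire within WINDOW_DAYS.
# Field layout assumed from GnuPG 2's doc/DETAILS: field 1 record type,
# field 2 validity ("e" expired, "r" revoked), field 5 key ID, field 7
# expiration time as seconds since the epoch (empty if the key never expires).

# Usage: ... | pgp_expiry_report LABEL NOW_EPOCH WINDOW_DAYS
# Reads colon records on stdin, prints one line per affected key, and
# returns 1 if anything was reported (so a CI step fails), else 0.
pgp_expiry_report() {
  label=$1
  now=$2
  window=$3
  awk -F: -v label="$label" -v now="$now" -v window="$window" '
    $1 == "pub" || $1 == "sub" {
      keyid = $5
      expiry = $7
      if ($2 == "r") {
        printf "%s: revoked: %s\n", label, keyid
        found = 1
        next
      }
      if (expiry == "") next                    # no expiration date set
      if (expiry + 0 <= now + 0) {
        printf "%s: expired: %s\n", label, keyid
        found = 1
        next
      }
      days = int((expiry - now) / 86400)
      if (days <= window + 0) {
        printf "%s: expires in %d days: %s\n", label, days, keyid
        found = 1
      }
    }
    END { exit (found ? 1 : 0) }
  '
}

# Check every armored key in the tree against today with a 60-day window
# (roughly the two months asked for in the issue). Runs gpg, so it is kept
# in a function and not called by the offline sample below. Paths are
# word-split the same way the page's workflow does with $(find ...).
check_tree() {
  status=0
  for f in $(find . -type f -name "*.asc"); do
    gpg --show-keys --with-colons "$f" \
      | pgp_expiry_report "$f" "$(date +%s)" 60 || status=1
  done
  return "$status"
}

# Constructed sample: the colon records gpg printed for the certificate
# discussed above, with the uid lines omitted (they carry no expiry data).
SAMPLE_RECORDS='pub:-:4096:1:17565732E08E5E41:1425584761:1724176400::-:::scESC::::::23::0:
fpr:::::::::152812300785C96444D3334D17565732E08E5E41:
sub:-:4096:1:DB88DB0BD2EDFBFC:1425584761:1724176458:::::e::::::23:
fpr:::::::::775F1492D89554798BD56C5ADB88DB0BD2EDFBFC:
sub:e:4096:1:7D2D8897932EC802:1681501851:1682003813:::::a::::::23:
fpr:::::::::419962FF051D5DD752BBF48D7D2D8897932EC802:'

# Sample run pinned to 2024-07-01 00:00:00 UTC (epoch 1719792000), 60-day
# window: both live keys are 50 days out and the [A] subkey is expired.
sample_report() {
  printf '%s\n' "$SAMPLE_RECORDS" | pgp_expiry_report sample.asc 1719792000 60
}

if sample_report; then
  echo "no keys need attention"
else
  echo "at least one key needs attention"
fi
```

The non-zero return is what makes the scheduled workflow fail, which is the notification path the issue settles on. Note that `gpg --show-keys` still creates a fresh ~/.gnupg on the runner (visible in the log below) but imports nothing, so the check does not depend on runner state.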

The action to check for expiration dates is working:

[command]/usr/bin/git log -1 --format='%H'
'40a4107290c931898472b3fc0a8578e62632e21b'
##[group]Run scripts/pgp-expiration.sh $(find -type f -name "*.asc")
scripts/pgp-expiration.sh $(find -type f -name "*.asc")
shell: /usr/bin/bash -e {0}
##[endgroup]
gpg: directory '/home/runner/.gnupg' created
gpg: /home/runner/.gnupg/trustdb.gpg: trustdb created
./salt/browser/files/repo/chrome.asc: expired: 1397BC53640DB551
./salt/browser/files/repo/chrome.asc: expired: 6494C6D6997C215E
./salt/browser/files/repo/chrome.asc: expired: 78BD65473CB3BD13
./salt/sys-bitcoin/files/server/keys/152812300785C96444D3334D17565732E08E5E41.asc: expired: 7D2D8897932EC802
./salt/sys-bitcoin/files/server/keys/6B002C6EA3F91B1B0DF0C9BC8F617F1200A6D25C.asc: expired: A7B1C35A8424C4E5
./salt/sys-bitcoin/files/server/keys/6B002C6EA3F91B1B0DF0C9BC8F617F1200A6D25C.asc: expired: BA03F4DBE0C63FB4
./salt/sys-bitcoin/files/server/keys/6B002C6EA3F91B1B0DF0C9BC8F617F1200A6D25C.asc: expired: F516F495EBEBFDCD
##[error]Process completed with exit code 1.

Unfortunately, some keys are kept with expired subkeys which are not in use anymore, such as salt/browser/files/repo/chrome.asc. This work has to be done manually. Others let their subkeys expire... so I decided to delete them; they are not useful expired. We will trust the master key for new subkeys as usual, when new subkeys need to be added.

What is missing: how to not open duplicated issues in case the problem is not fixed before the next scheduled run?
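One way to avoid duplicate issues on repeated scheduled runs, as an added example that is not part of the repository's workflow: look for an open issue with the same title before creating one. It assumes the GitHub CLI (gh) is on the runner and authenticated through GH_TOKEN, and it assumes a title scheme of "PGP key expiring: <fingerprint>" for the issues the job opens; both are choices made for this example.

```sh
#!/bin/sh
# Added example, not the repository's workflow. Opens the "key expiring"
# issue only when no open issue with the same title already exists.
# Assumes `gh` is installed and authenticated (GH_TOKEN) on the runner and
# that issues are titled "PGP key expiring: <fingerprint>" (assumed scheme).

# Print the numbers of open issues whose title equals TITLE exactly.
# --search narrows the query server-side; the awk match drops partial hits
# such as a title that merely contains the fingerprint.
find_open_issues() {
  title=$1
  gh issue list --state open --search "\"$title\" in:title" \
    --json number,title --jq '.[] | "\(.number)\t\(.title)"' \
    | awk -F '\t' -v t="$title" '$2 == t { print $1 }'
}

# Open the issue unless one is already open.
# Prints "exists N" for an existing issue, "created" after creating one.
report_once() {
  title=$1
  body=$2
  existing=$(find_open_issues "$title" | head -n 1)
  if [ -n "$existing" ]; then
    echo "exists $existing"
    return 0
  fi
  gh issue create --title "$title" --body "$body" >/dev/null
  echo "created"
}

# Typical use from the workflow, with REPORT holding the checker's output:
#   report_once "PGP key expiring: 152812300785C96444D3334D17565732E08E5E41" "$REPORT"
```

Matching on the exact title is deliberate: `gh issue list --search` returns substring and word matches, so without the second filter a closed-and-reopened variant or a differently worded issue mentioning the same fingerprint would suppress the report.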

Because of the issue above, I am closing this as partially completed. I don't care much about implementing logic to deal with open issues, as I get notified when GHA workflows fail.