Page MenuHomePhabricator
Create Task
Maniphest T277742

Update sury-php images for updated gpg key
Closed, ResolvedPublic
Actions

Description

The key we use currently has been "compromised", see https://www.patreon.com/posts/dpa-new-signing-25451165 , and a new one has been issued.

We should update it ASAP.

Details

ProjectBranchLines +/-Subject
integration/configmaster+210 -0dockerfiles: Follow-up 49281f5fd and actually cascade these updates
Customize query in gerrit

Event Timeline

Joe created this task.Mar 18 2021, 10:35 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 18 2021, 10:35 AM
Joe triaged this task as High priority.Mar 18 2021, 10:36 AM

Triaging as high priority as this is at best going to make building the images fail, at worst it's a security liability.

hashar added a subscriber: hashar.Mar 18 2021, 11:07 AM

The key we have got revoked a couple years ago and reached expiration yesterday

name=docker run --rm -it --user=root --entrypoint=bash docker-registry.wikimedia.org/releng/sury-php
# apt update && apt install gpg
# apt-key list -v
...
/etc/apt/trusted.gpg.d/php.gpg
------------------------------
pub   rsa3072 2019-03-18 [SC] [expired: 2021-03-17]     // <------------------ Expired
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ expired] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expired: 2021-03-17]
hashar closed this task as Resolved.Mar 18 2021, 2:37 PM
hashar claimed this task.

The sury base image has been updated via https://gerrit.wikimedia.org/r/c/integration/config/+/673226

The child images will get updated as part of other updates.

Jdforrester-WMF added a subscriber: Jdforrester-WMF.Apr 27 2021, 6:51 PM
In T277742#6925080, @hashar wrote:

The sury base image has been updated via https://gerrit.wikimedia.org/r/c/integration/config/+/673226

The child images will get updated as part of other updates.

As I predicted at the time, leaving this rake in the grass broke things when I tried to emergency-upgrade composer for {T281283}. In future, let's not do this. :-)

gerritbot added a comment.Apr 27 2021, 7:13 PM

Change 683040 had a related patch set uploaded (by Jforrester; author: Jforrester):

[integration/config@master] dockerfiles: Follow-up 49281f5fd and actually cascade these updates

https://gerrit.wikimedia.org/r/683040

gerritbot added a project: Patch-For-Review.Apr 27 2021, 7:13 PM
gerritbot added a comment.Apr 27 2021, 7:16 PM

Change 683040 merged by jenkins-bot:

[integration/config@master] dockerfiles: Follow-up 49281f5fd and actually cascade these updates

https://gerrit.wikimedia.org/r/683040

Stashbot added a comment.Apr 27 2021, 7:16 PM

Mentioned in SAL (#wikimedia-releng) [2021-04-27T19:16:35Z] <James_F> Docker: Rebuilding all Sury-php derivatives for T277742.

Maintenance_bot removed a project: Patch-For-Review.Apr 27 2021, 8:10 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL