Page MenuHomePhabricator
Create Task
Maniphest T277742

Update sury-php images for updated gpg key
Closed, ResolvedPublic
Actions

Description

The key we use currently has been "compromised", see https://www.patreon.com/posts/dpa-new-signing-25451165 , and a new one has been issued.

We should update it ASAP.

Details

SubjectRepoBranchLines +/-
dockerfiles: Follow-up 49281f5fd and actually cascade these updatesintegration/configmaster+210 -0
Customize query in gerrit

Event Timeline

Joe created this task.Mar 18 2021, 10:35 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 18 2021, 10:35 AM
Joe triaged this task as High priority.Mar 18 2021, 10:36 AM

Triaging as high priority as this is at best going to make building the images fail, at worst it's a security liability.

hashar subscribed.Mar 18 2021, 11:07 AM

The key we have got revoked a couple years ago and reached expiration yesterday

name=docker run --rm -it --user=root --entrypoint=bash docker-registry.wikimedia.org/releng/sury-php
# apt update && apt install gpg
# apt-key list -v
...
/etc/apt/trusted.gpg.d/php.gpg
------------------------------
pub   rsa3072 2019-03-18 [SC] [expired: 2021-03-17]     // <------------------ Expired
      1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743
uid           [ expired] DEB.SURY.ORG Automatic Signing Key <deb@sury.org>
sub   rsa3072 2019-03-18 [E] [expired: 2021-03-17]
hashar closed this task as Resolved.Mar 18 2021, 2:37 PM
hashar claimed this task.

The sury base image has been updated via https://gerrit.wikimedia.org/r/c/integration/config/+/673226

The child images will get updated as part of other updates.

Jdforrester-WMF subscribed.Apr 27 2021, 6:51 PM
In T277742#6925080, @hashar wrote:

The sury base image has been updated via https://gerrit.wikimedia.org/r/c/integration/config/+/673226

The child images will get updated as part of other updates.

As I predicted at the time, leaving this rake in the grass broke things when I tried to emergency-upgrade composer for {T281283}. In future, let's not do this. :-)

gerritbot added a comment.Apr 27 2021, 7:13 PM

Change 683040 had a related patch set uploaded (by Jforrester; author: Jforrester):

[integration/config@master] dockerfiles: Follow-up 49281f5fd and actually cascade these updates

https://gerrit.wikimedia.org/r/683040

gerritbot added a project: Patch-For-Review.Apr 27 2021, 7:13 PM
gerritbot added a comment.Apr 27 2021, 7:16 PM

Change 683040 merged by jenkins-bot:

[integration/config@master] dockerfiles: Follow-up 49281f5fd and actually cascade these updates

https://gerrit.wikimedia.org/r/683040

Stashbot added a comment.Apr 27 2021, 7:16 PM

Mentioned in SAL (#wikimedia-releng) [2021-04-27T19:16:35Z] <James_F> Docker: Rebuilding all Sury-php derivatives for T277742.

Maintenance_bot removed a project: Patch-For-Review.Apr 27 2021, 8:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL