Code Monkey home page Code Monkey logo

3mdeb-secpack's Introduction

3mdeb Security Pack

This git repository was inspired by the Qubes Security Pack and is a central place for all security-related information about the 3mdeb projects. It includes the following:

  • 3mdeb customers PGP keys (customer-keys/) - keys managed by 3mdeb on behalf of our customers, typically we use those keys for binaries signing
  • Dasharo keys (dasharo/) - Dasharo Master Key used to sign Dasharo keys related to market segments (Secure Firewall, Workstation), as well as Dasharo market segment firmware release signing keys, to read more about Dasharo visit website and documentation
  • 3mdeb PGP keys (keys/)
    • employees-keys - 3mdeb employees keys signed according to org chart, chain of signatures end with owner-key signature
    • master-key - 3mdeb Master Key signs all keys dedicated to given purpose e.g. Open Source Software Release Signing Key, Open Source Firmware Release Signing Key and others
    • owner-key - 3mdeb Owner Key
  • 3mdeb Open Source Firmware Master Key (open-source-firmware/) - key used to sign firmware releases produced by 3mdeb
  • 3mdeb Open Source Software Master Key (open-source-software/) - key used to sign software releases produced by 3mdeb
  • Supporting scripts (scripts/)

The files contained in this repository can be verified in two ways:

  • By verifying the git commit tags (git tag -v)
  • By verifying the detached PGP signatures, which are provided for the majority of files included here

All the keys used by the 3mdeb projects, including the keys used to sign files and commits in this repository, are signed by the 3mdeb owner Piotr Król (E0309B2D85A67E846329E34BB2EE71E967AA9E4C, keybase.io).

Even though this key is also included in this repo, you should make sure to obtain the key fingerprint via some other channel, as you can be sure that if you were getting a falsified 3mdeb Security Pack it would contain a falsified owner key as well.

Adding new Master Key

user@vault ~ % gpg --expert --full-gen-key --allow-freeform-uid
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want for the subkey? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at Mon 02 Feb 2026 01:28:36 PM CET
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: 3mdeb Dasharo Master Key
Email address:
Comment:
You selected this USER-ID:
    "3mdeb Dasharo Master Key"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key ABE1D0BC66278008 marked as ultimately trusted
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/0D5F6F1DA800329EB7C597A2ABE1D0BC66278008.rev'
public and secret key created and signed.

pub   rsa4096 2021-02-03 [SC] [expires: 2026-02-02]
      0D5F6F1DA800329EB7C597A2ABE1D0BC66278008
      0D5F6F1DA800329EB7C597A2ABE1D0BC66278008
uid                      3mdeb Dasharo Master Key
sub   rsa4096 2021-02-03 [E] [expires: 2026-02-02]
user@vault ~ % gpg --export-secret-keys 0D5F6F1DA800329EB7C597A2ABE1D0BC66278008 > 3mdeb-dasharo-master-priv-key.asc
user@vault ~ % gpg --recipient [email protected] --armor --encrypt 3mdeb-dasharo-master-priv-key.asc

Store backup of private key in safe location.

3mdeb-secpack's People

Contributors

3mdeb-karolzmyslowski avatar artur-rs avatar arturkow2 avatar daniilkl avatar janprusinowski avatar kewkaa avatar kotylamichal avatar krystian-hebel avatar m-iwanicki avatar macpijan avatar maheshtammisetti avatar mateuszkochner avatar mgabryelski1 avatar miczyg1 avatar mikebdp2 avatar mixss avatar mkopec avatar philipandag avatar pietrushnic avatar pkubaj avatar plangowski avatar pre-commit-ci[bot] avatar psotas avatar rafkoch avatar sergiidmytruk avatar stojak139808 avatar sulewskiprzemyslaw avatar tomaszair avatar tym2k1 avatar wiktorg351 avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

bbczeuz sergiidmytruk arturkow2000 mikebdp2 krystian-hebel mkopec maheshtammisetti wiktorg351

3mdeb-secpack's Issues

Latest PC Engines apu4 firmware is signed with the wrong key

I tried to download the latest firmware for my PC Engines apu4 today (version 4.17.0.2) from your website here:
https://3mdeb.com/open-source-firmware/pcengines/apu4/apu4_v4.17.0.2.rom

When I attempted to verify the download, I found that the SHA256 hash matches, but I could not verify the GPG signature of the hash. Of course, I found this concerning, so I downloaded one release earlier (4.17.0.1) and everything verified perfectly with GPG on that firmware file. These two firmwares are supposed to be signed by the same key, according to your instructions in this repository, so something appears to be wrong.

$ gpg --list-sigs "3mdeb Master Key" "3mdeb Open Source Firmware Master Key" "PC Engines open-source firmware release 4.17 signing key"
pub   4096R/7BD37C54 2019-02-12
uid                  3mdeb Master Key <[email protected]>
sig 3        7BD37C54 2019-02-12  3mdeb Master Key <[email protected]>
sig          67AA9E4C 2019-02-12  [User ID not found]

pub   4096R/64CB97EC 2019-02-12
uid                  3mdeb Open Source Firmware Master Key <[email protected]>
sig 3        64CB97EC 2019-02-12  3mdeb Open Source Firmware Master Key <[email protected]>
sig          7BD37C54 2019-02-12  3mdeb Master Key <[email protected]>

pub   4096R/9535DAEF 2022-06-28 [expires: 2023-06-28]
uid                  PC Engines open-source firmware release 4.17 signing key
sig 3        9535DAEF 2022-06-28  PC Engines open-source firmware release 4.17 signing key
sig          64CB97EC 2022-06-28  3mdeb Open Source Firmware Master Key <[email protected]>
sub   4096R/1A714455 2022-06-28 [expires: 2023-06-28]
sig          9535DAEF 2022-06-28  PC Engines open-source firmware release 4.17 signing key

$ gpg --verify apu4_v4.17.0.1.SHA256.sig apu4_v4.17.0.1.SHA256
gpg: Signature made Wed 29 Jun 2022 05:00:38 AM CDT using RSA key ID 9535DAEF
gpg: Good signature from "PC Engines open-source firmware release 4.17 signing key"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EFAD 577C 9304 616D DC95  CB7F 2AB2 A20D 9535 DAEF

$ gpg --verify apu4_v4.17.0.2.SHA256.sig apu4_v4.17.0.2.SHA256
gpg: Signature made Mon 01 Aug 2022 03:58:25 AM CDT using RSA key ID AC3B2B46
gpg: Can't check signature: public key not found

$ gpg --list-packets apu4_v4.17.0.1.SHA256.sig 
:signature packet: algo 1, keyid 2AB2A20D9535DAEF
        version 4, created 1656496838, md5len 0, sigclass 0x00
        digest algo 10, begin of digest 70 50
        hashed subpkt 33 len 21 (?)
        hashed subpkt 2 len 4 (sig created 2022-06-29)
        subpkt 16 len 8 (issuer key ID 2AB2A20D9535DAEF)
        data: [4096 bits]

$ gpg --list-packets apu4_v4.17.0.2.SHA256.sig 
:signature packet: algo 1, keyid 9963C36AAC3B2B46
        version 4, created 1659344305, md5len 0, sigclass 0x00
        digest algo 10, begin of digest af 69
        hashed subpkt 33 len 21 (?)
        hashed subpkt 2 len 4 (sig created 2022-08-01)
        subpkt 16 len 8 (issuer key ID 9963C36AAC3B2B46)
        data: [4095 bits]

Given the output above, it looks like the latest firmware was signed by a different key than it was supposed to be. Luckily, a quick web search brings up a mailing list post from 2020 that shows this second key belongs to someone in your company, so I'm hopeful that this is a good sign that there is no reason to suspect any security compromise; rather this is likely just a simple mistake.

I did not check any of the other 4.17.0.2 firmware files for other models, so I don't know if they're all affected or not.

Thanks for looking into this, and please let me know if you need any more information from me.

Outdated key for MSI Z690

The key has expired a few months ago. Can its expiration date be bumped?

pub   rsa4096/0x5DC481E1F371151E 2022-05-27 [SCA] [expired: 2023-05-27]
      89B569C42BB9FCCBC3C9CFDF5DC481E1F371151E
uid                   [ expired] Dasharo release 1.x compatible with MSI MS-7D25 signing key

[Feature Request] Sign binaries with OpenBSD's signify

To start, I think an introduction to signify would be useful:
https://flak.tedunangst.com/post/signify
https://man.openbsd.org/signify

signify is an OpenBSD utility used to create and verify cryptographic signatures. It is also available as a package in various Linux distributions, and it's easy to install/build on other platforms as well.

I have already completed the process of verifying signatures with GnuPG, and it works perfectly fine. However, since I plan to run OpenBSD on the PC Engines apu2, being able to verify the signature with signify would be an appreciated enhancement. Although signify could be used in place of GnuPG, it is much smaller and simpler, and may not suit your needs in all cases, so signing binaries with both tools would probably work best. I tested it with the v4.11.0.3 release binaries on a Mac (key generation, signing, verifying) and it works as one would expect.

I'd be happy to assist with anything I can, of course. Just let me know.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.