Bugzilla – Bug 1199184
switch Tumbleweed to a 4096bit RSA signing key
Last modified: 2022-06-14 09:18:53 UTC
We currently still use a 2048 bit key for signing.
It would be better to switch to a 4096 RSA key.
AFAIK 2048 bit RSA is still considered secure. What about switching to something like ECDSA/EdDSA?
It is still considered secure, but other distros use longer keys and e.g. Dirk Mueller already argues on why openSUSE does not switch.
I am not yet familiar how much could break with switching to elliptic curves though.
(In reply to Marcus Meissner from comment #2)
> Is still considered secure, but other distros use longer keys and e.g. Dirk
> Mueller already argues on why openSUSE does not switch.
I'm not arguing, I was asking what needs to be done to implement a longer key for ALP.
Based on factory first we should try to roll it out in openSUSE first and see the downsides before doing anything on SLE.
From a brief look at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
it appears that RSA2048 is the acceptable minimum, and other distributions are choosing larger keys.
I don't really care which cryptographic method we choose, so elliptic curve is totally fine by me as well. I don't know the implications of that very thoroughly though, more expertise is needed.
Looks like EdDSA support landed in RPM in 2020 and it works on TW (with sha256 only, https://github.com/rpm-software-management/rpm/issues/1877 is missing). It doesn't work on Leap though, so either that would have to be backported (https://github.com/rpm-software-management/rpm/pull/1202 at least) or we'd have to deal with RSA a bit longer.
IMO it's better to keep RSA 2048 for a bit longer and then switch to ECC directly instead of switching to RSA 4096 now (and maybe switch to ECC in the future).
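The thread turns on what key type and size the signing key actually has (RSA 2048 today, RSA 4096 or EdDSA as candidates). A small audit of that, as an added example that is not part of the bug report and not code from openSUSE, OBS or RPM: it parses the OpenPGP public-key packets (RFC 4880 tag 6/14) in the binary output of `gpg --export` and reports the algorithm and bit strength of each key, flagging RSA/DSA keys below a configurable minimum. The two sample keys at the bottom are constructed by hand with dummy key material so the script runs offline; only the packet framing, algorithm ids and curve OIDs are real.

```python
"""Audit algorithm and key size of OpenPGP public-key packets (RFC 4880).

Added example, not part of the bug report. Input is the binary output of
`gpg --export <keyid>`; the sample keys below are constructed with dummy
key material so the script runs offline.
"""
import struct

PK_ALGOS = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
# Curve OIDs as encoded in the key packet (DER body without tag/length).
CURVE_OIDS = {
    bytes.fromhex("2B06010401DA470F01"): ("Ed25519", 255),
    bytes.fromhex("2A8648CE3D030107"): ("NIST P-256", 256),
}


def iter_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new format: tag in low 6 bits, variable-size length
            tag = hdr & 0x3F
            first = data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length = ((first - 192) << 8) + data[pos + 2] + 192
                pos += 3
            elif first == 255:
                length = struct.unpack(">I", data[pos + 2:pos + 6])[0]
                pos += 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format: tag in bits 2-5, length-type in low 2 bits
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nbytes = 1 << ltype
            length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
            pos += 1 + nbytes
        yield tag, data[pos:pos + length]
        pos += length


def key_info(body):
    """Return (algorithm name, bit strength) for a v4 public-key packet body."""
    if body[0] != 4:
        raise ValueError("only v4 keys supported")
    algo = body[5]                      # version(1) + creation time(4) precede it
    name = PK_ALGOS.get(algo, f"algo {algo}")
    rest = body[6:]
    if algo in (1, 17):                 # RSA/DSA: first MPI is n resp. p
        bits = struct.unpack(">H", rest[:2])[0]
    elif algo in (18, 19, 22):          # ECC: one-octet OID length, then OID
        oid = rest[1:1 + rest[0]]
        curve, bits = CURVE_OIDS.get(oid, ("unknown curve", 0))
        name = f"{name}/{curve}"
    else:
        bits = 0
    return name, bits


def audit(data, rsa_min=2048):
    """List (tag, name, bits, ok) for every primary key (6) and subkey (14)."""
    out = []
    for tag, body in iter_packets(data):
        if tag in (6, 14):
            name, bits = key_info(body)
            ok = bits >= rsa_min if name in ("RSA", "DSA") else bits > 0
            out.append((tag, name, bits, ok))
    return out


def mpi(value, bits):
    """Encode an MPI: two-octet bit count followed by the big-endian value."""
    return struct.pack(">H", bits) + value


def constructed_rsa_key(bits):
    """Constructed sample: dummy modulus of the requested length, e=65537."""
    n = b"\x80" + b"\x11" * (bits // 8 - 1)        # top bit set -> exact bit length
    body = b"\x04" + b"\x00" * 4 + b"\x01" + mpi(n, bits) + mpi(b"\x01\x00\x01", 17)
    return b"\x99" + struct.pack(">H", len(body)) + body   # old format, 2-octet length


def constructed_ed25519_key():
    """Constructed sample: EdDSA (22) key on Ed25519 with a dummy point."""
    oid = bytes.fromhex("2B06010401DA470F01")
    point = b"\x40" + b"\x22" * 32                  # 0x40 prefix + 32 dummy bytes
    body = b"\x04" + b"\x00" * 4 + b"\x16" + bytes([len(oid)]) + oid + mpi(point, 263)
    return b"\xc6" + bytes([len(body)]) + body     # new format, 1-octet length


if __name__ == "__main__":
    ring = constructed_rsa_key(2048) + constructed_ed25519_key()
    for entry in audit(ring, rsa_min=4096):
        print(entry)
```

Running it on a real export (`gpg --export <keyid> > key.bin`, then `audit(open("key.bin", "rb").read())`) lists the primary key and every subkey; with `rsa_min=4096` the current 2048-bit key is flagged, which is exactly the check a rollout of a longer or ECC key would be measured against.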
I filed an OBS ticket to make signing keytypes configurable via api calls, as currently the OBS API would only create 2048bit RSA keys.
Is there also a github issue or such that I could watch for the OBS implementation discussion?
(I want to change to a longer key in a private OBS instance and would hope that this discussion helps me achieve that seamlessly ;-))