April 2, 2024

GPG Public Key Expiration

Overview

The GPG public key used to sign the Debian packages embedded in Protegrity appliances expires on April 9, 2024. Installed appliances will continue to function after that date, but upgrades and maintenance releases deliver packages whose signatures are checked against this key, so customers may encounter issues applying them. To avoid these issues, Protegrity advises customers to apply the patch to all installed products and versions affected. The patch must be applied before applying a maintenance release to, or beginning an upgrade from, any affected product and version.

Impact

The patch is minimally intrusive: it runs a script that extends the expiry date of the GPG public key used to sign the Debian packages embedded in Protegrity appliances. Existing installed appliances continue to function normally whether or not the patch is applied; the exposure is confined to upgrades and maintenance releases, which may fail once the key has expired.

Products and Versions Affected

The patch should be applied to following:

Enterprise Security Administrator (ESA)

All versions from 7.2 through 9.1.0.2 inclusive

Protegrity Storage Unit (PSU)

All versions from 7.2 through 9.1.0.0 inclusive

Data Security Gateway (DSG)

All versions from 2.4 through 3.1.0.2 inclusive (the table below also lists a patch build for DSG 2.2.3)


The patch to be applied to each affected version is listed in the table below. The second column is the hotfix build to install; where a version has two entries, one build is for the ESA and one for the PSU.

Product Part Number                 Patch Build Number
ESA_PAP-ALL-64_x86-64_9.1.0.2       ESA_PAP-ALL-64_x86-64_9.1.0.2.2168.HF-3
ESA_PAP-ALL-64_x86-64_9.1.0.1       ESA_PAP-ALL-64_x86-64_9.1.0.1.2164.HF-1
ESA_PAP-ALL-64_x86-64_9.1           PSU_PAP-ALL-64_x86-64_9.1.0.0.126.HF-2
                                    ESA_PAP-ALL-64_x86-64_9.1.0.0.2162.HF-2
ESA_PAP-ALL-64_x86-64_9.0           PSU_PAP-ALL-64_x86-64_9.0.0.0.185.HF-4
                                    ESA_PAP-ALL-64_x86-64_9.0.0.0.2106.HF-4
ESA_PAP-ALL-64_x86-64_8.1.0.1       ESA_PAP-ALL-64_x86-64_8.1.0.1.1992.HF-3
                                    PSU_PAP-ALL-64_x86-64_8.1.0.1.86.HF-3
ESA_PAP-ALL-64_x86-64_8.1           ESA_PAP-ALL-64_x86-64_8.1.0.0.1971.HF-4
                                    PSU_PAP-ALL-64_x86-64_8.1.0.0.162.HF-4
ESA_PAP-ALL-64_x86-64_7.2.1         ESA_PAP-ALL-64_x86-64_7.2.1.37.HF-14
ESA_PAP-ALL-64_x86-64_7.2           ESA_PAP-ALL-64_x86-64_7.2.HF-4
DSG_PAP-ALL-64_x86-64_2.4           DSG_PAP-ALL-64_x86-64_2.4.0.3.HF-2
DSG_PAP-ALL-64_x86-64_3.1.0.2       DSG_PAP-ALL-64_x86-64_3.1.0.2.12.HF-4
DSG_PAP-ALL-64_x86-64_3.1.0.1       DSG_PAP-ALL-64_x86-64_3.1.0.1.2.HF-1
DSG_PAP-ALL-64_x86-64_3.1           DSG_PAP-ALL-64_x86-64_3.1.0.0.11.HF-5
DSG_PAP-ALL-64_x86-64_3.0           DSG_PAP-ALL-64_x86-64_3.0.0.0.8.HF-3
DSG_PAP-ALL-64_x86-64_2.6.0.1       DSG_PAP-ALL-64_x86-64_2.6.0.1.7.HF-4
DSG_PAP-ALL-64_x86-64_2.6           DSG_PAP-ALL-64_x86-64_2.6.0.0.6.HF-4
DSG_PAP-ALL-64_x86-64_2.4.2         DSG_PAP-ALL-64_x86-64_2.4.2.20.HF-8
DSG_PAP-ALL-64_x86-64_2.4.1         DSG_PAP-ALL-64_x86-64_2.4.1.21.HF-10
DSG_PAP-ALL-64_x86-64_2.2.3         DSG_PAP-ALL-64_x86-64_2.2.3.52.HF-3


Existing Installations

Existing installations will continue to function normally. Downloading the patch from MyProtegrity.com and applying it to existing installations of the products and versions affected is strongly recommended to avoid issues upgrading and/or applying maintenance releases.

Maintenance Releases

The patch must be applied before a maintenance release is applied to any of the products and versions affected. For example:

1.     An existing installation of ESA is at version 9.1.0.0, 9.1.0.1, or 9.1.0.2.

2.     Application of maintenance release 9.1.0.4 is planned/scheduled.

3.     The patch must be applied to the existing installation before the maintenance release is applied.

New Installations

Customers preparing to install a new instance of the following products and versions should download a new ISO image from MyProtegrity.com and install from it. ISO images downloaded prior to April 9, 2024 will fail to complete installation.

Enterprise Security Administrator (ESA)

Versions 8.1 and 9.0

Protegrity Storage Unit (PSU)

Versions 8.1 and 9.0

Data Security Gateway (DSG)

Not impacted

Upgrades

The patch must be downloaded from MyProtegrity.com and applied to the existing installations of the products and versions affected prior to beginning the upgrade process. If the upgrade process includes installing, even temporarily, an instance of one of the products and versions affected, the patch must be applied to that instance before continuing the upgrade process. Examples follow to help illustrate.

Example: In Place

The example assumes the starting point for the upgrade is ESA 7.2.0 to be upgraded to 9.1.0.

·       Patch must be applied to the starting ESA 7.2.0 appliance.

·       Apply ESA 7.2.1 maintenance release.

·       Follow the documented upgrade process.

Example: Parallel (Canary)

The example assumes the starting point for the upgrade is ESA 7.2.0 to be upgraded to 9.1.0.

·       Patch must be applied to the starting ESA 7.2.0 appliance.

·       Parallel instance(s) must be installed and patched (see New Installations).

·       Follow the documented upgrade process.

Verification

The following script may be used to verify that remediation has been applied to an installed instance of one of the affected products.

#!/usr/bin/python

import datetime
import os
import ksa.common
import sys


# Creation date of the signing key: the third column of the "pub" line printed by gpg.
# The key ID is substituted with %-formatting; str.format() cannot be used on this
# string because the awk braces would be read as a format field.
KEY_CREATION_DATE_COMMAND = "/usr/bin/gpg --show-keys /usr/share/debsig/keyrings/%s/dpkg.gpg | grep pub | awk '{print $3}'"
# Validity window in days: the Expiry="<days>" attribute in the debsig policy for the key.
EXPIRY_DATE_FETCH_COMMAND = '''grep Expiry= /etc/debsig/policies/{0}/dpkg.pol | cut -d '"' -f8 | uniq'''
POLICIES_DIRECTORY = "/etc/debsig/policies/"


def get_creation_date(fingerprint):
    """
    Fetches the creation date of the key with the given fingerprint

    :param fingerprint: fingerprint of key
    :type fingerprint: str
    :return: datetime representation of creation date of key
    :rtype: datetime.datetime
    """
    ret, out, err = ksa.common.ShellExec2(KEY_CREATION_DATE_COMMAND % fingerprint, shell=True)
    if ret != 0:
        ksa.common.LogDebug("Unable to fetch creation date of key {}, ERROR : {}".format(fingerprint, err))
        # Return creation date of 1st key as default value
        return datetime.datetime(2019, 4, 11)
    try:
        return datetime.datetime.strptime(out.strip(), "%Y-%m-%d")
    except Exception as err:
        ksa.common.LogDebug("Unable to parse creation date of key {}, ERROR : {}".format(fingerprint, err))
        return datetime.datetime(2019, 4, 11)


def get_expiry_days(fingerprint):
    """
    Fetches the number of days the key is valid from its creation date

    :param fingerprint: fingerprint of key
    :type fingerprint: str
    :return: number of days the key is valid from its creation
    :rtype: int
    """
    ret, out, err = ksa.common.ShellExec2(EXPIRY_DATE_FETCH_COMMAND.format(fingerprint), shell=True)
    if ret != 0:
        ksa.common.LogDebug("Unable to fetch expiry from policy of key {}, ERROR : {}".format(fingerprint, err))
        # Return default expiry of 5 years (1825 days from 2019-04-11 is 2024-04-09)
        return 1825
    # uniq collapses identical Expiry= lines; take the first value that remains
    return int(out.strip().splitlines()[0])


def main():
    # Each entry under the policies directory is the fingerprint of one verification key
    current_keys = os.listdir(POLICIES_DIRECTORY)
    if not current_keys:
        print("Verification key on the machine expired")
        return -1
    max_validity = None
    for key_fingerprint in current_keys:
        creation_date = get_creation_date(key_fingerprint)
        valid_days = get_expiry_days(key_fingerprint)
        validity = creation_date + datetime.timedelta(days=valid_days)
        # Report the latest date on which any installed key is still valid
        if max_validity is None or validity > max_validity:
            max_validity = validity
    print(max_validity.date())
    return 0


if __name__ == "__main__":
    sys.exit(main())

 

To run the verification script:

1.     Credentials for an appliance administrator and the appliance root password are required.

2.     Log in to the appliance command line interface (CLI) as an appliance administrator.

3.     Select “Administration”, then “OS Console”, from the menus.

4.     Enter the root password when prompted.

5.     Open a new file, get_verification_key_expiry.py, in a text editor.

Example: vi get_verification_key_expiry.py

6.     Copy the script above into the file and save it.

7.     Change the permissions on the file to 755.

Example: chmod 755 get_verification_key_expiry.py

Run the following command to execute the script:

./get_verification_key_expiry.py

The output is the expiry date of the current GPG public key. If the date returned is 2024-04-09, the key has not been extended and the patch should be applied. If the date returned is 2027-04-01 or later, the expiry date has already been extended and the patch should not be applied. The message “Verification key on the machine expired” means the script found no policy directories under /etc/debsig/policies/ and could not determine a date.
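As an added example (not the advisory's script and not Protegrity code), the following Python computes the same expiry date offline from two inputs: the machine-readable colon output of gpg and the debsig policy XML. It goes one step beyond the script above in that it also reads the expiration carried by the key itself and reports the earlier of the two limits, which catches an appliance whose policy window was extended but whose key was not. The key ID, fingerprint, policy layout and colon records below are constructed samples; on an appliance the inputs would come from gpg --with-colons --show-keys /usr/share/debsig/keyrings/<id>/dpkg.gpg and /etc/debsig/policies/<id>/dpkg.pol, the paths the advisory's script uses.

```python
"""Effective expiry of a debsig-verify signing key, computed offline.

Added example, not Protegrity's verification script. The gpg colon records
and the policy XML below are constructed samples, not captured from an
appliance.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET

PATCHED_FLOOR = date(2027, 4, 1)  # expiry the advisory expects once patched


def _gpg_date(field: str) -> Optional[date]:
    """--with-colons dates are epoch seconds (GnuPG 2.x) or YYYY-MM-DD
    (GnuPG 1.x); an empty field means the key never expires."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc).date()
    return date.fromisoformat(field[:10])


@dataclass
class PubKey:
    keyid: str
    created: date
    expires: Optional[date]


def parse_gpg_pub(colons: str) -> PubKey:
    """First 'pub' record: field 5 is the key ID, 6 creation, 7 expiry."""
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            return PubKey(f[4], _gpg_date(f[5]), _gpg_date(f[6]))
    raise ValueError("no pub record in gpg output")


def policy_expiry_days(policy_xml: str) -> int:
    """Smallest Expiry="<days>" attribute on any policy element (the same
    attribute the advisory's script extracts with grep and cut)."""
    root = ET.fromstring(policy_xml)
    days = [int(e.get("Expiry")) for e in root.iter() if e.get("Expiry")]
    if not days:
        raise ValueError("policy has no Expiry attribute")
    return min(days)


@dataclass
class Assessment:
    key_expires: Optional[date]   # expiry carried by the key itself
    policy_expires: date          # key creation + policy Expiry days
    effective_expiry: date        # the earlier of the two
    needs_patch: bool


def assess(gpg_colons: str, policy_xml: str, floor: date = PATCHED_FLOOR) -> Assessment:
    """Verification stops at whichever limit is reached first, so the verdict
    uses the minimum of the key's own expiry and the policy window."""
    key = parse_gpg_pub(gpg_colons)
    policy_exp = key.created + timedelta(days=policy_expiry_days(policy_xml))
    effective = min([policy_exp] + ([key.expires] if key.expires else []))
    return Assessment(key.expires, policy_exp, effective, effective < floor)


# --- constructed samples (hypothetical key ID and fingerprint) -------------
_CREATED = "1554940800"   # 2019-04-11T00:00:00Z, the advisory's default creation date
_EXP_OLD = "1712620800"   # 2024-04-09T00:00:00Z, original expiry (1825 days)
_EXP_NEW = "1806537600"   # 2027-04-01T00:00:00Z, after extension


def _gpg_sample(expiry: str) -> str:
    return (f"pub:-:4096:1:0123456789ABCDEF:{_CREATED}:{expiry}::-:::scSC::::::23::0:\n"
            "fpr:::::::::0000000000000000000000000123456789ABCDEF:\n")


def _policy_sample(days: int) -> str:
    return f"""<Policy xmlns="https://www.debian.org/debsig/1.0/">
  <Origin Name="constructed" id="0123456789ABCDEF" Description="sample"/>
  <Selection><Required Type="origin" File="dpkg.gpg" id="0123456789ABCDEF" Expiry="{days}"/></Selection>
  <Verification MinOptional="0"><Required Type="origin" File="dpkg.gpg" id="0123456789ABCDEF" Expiry="{days}"/></Verification>
</Policy>
"""


GPG_UNPATCHED, POLICY_UNPATCHED = _gpg_sample(_EXP_OLD), _policy_sample(1825)
GPG_PATCHED, POLICY_PATCHED = _gpg_sample(_EXP_NEW), _policy_sample(2912)

if __name__ == "__main__":
    cases = [("unpatched", GPG_UNPATCHED, POLICY_UNPATCHED),
             ("patched", GPG_PATCHED, POLICY_PATCHED),
             ("policy extended, key not", GPG_UNPATCHED, POLICY_PATCHED)]
    for label, g, p in cases:
        a = assess(g, p)
        verdict = "apply patch" if a.needs_patch else "already extended"
        print(f"{label:26s} key={a.key_expires} policy={a.policy_expires} "
              f"effective={a.effective_expiry} -> {verdict}")
```

The third case is the one the advisory's script cannot distinguish: its policy window reaches 2027-04-01, so the script prints the extended date, while the key's own expiration still stops signature verification on 2024-04-09.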