Package Timestamp Change

2 minutes

What happened?

On August 16, 2021 at approximately 17:30 UTC, we initiated a change via automation that is used to keep our package repositories updated. An edge case in the logic caused an unexpected, non-idempotent change to signatures for InfluxDB, Telegraf, and Chronograf RPM packages. These signature changes were timestamp-related only, and the contents of the packages themselves did not change.

Which specific packages were affected?

  • chronograf-1.9.0..rpm for x86_64, arm64, armel, i386
  • influxdb-1.8.9..rpm for aarch64, x86_64, armel, armv7hl, i386
  • influxdb2-2.0.8..rpm for aarch64, x86_64
  • telegraf-1.19.2-1..rpm for aarch64, x86_64, armel, i386

How do I verify packages?

An example of how this can be verified:

# Using influxdb 1.8.9 on Centos 7 for this example
# Download the rpm from the package repository
$ cd /home/centos
$ cat <<EOF | sudo tee /etc/yum.repos.d/influxdb.repo
[influxdb]
name = InfluxDB Repository - RHEL \$releasever
baseurl = https://repos.influxdata.com/rhel/\$releasever/\$basearch/stable
enabled = 1
gpgcheck = 1
gpgkey = https://repos.influxdata.com/influxdb.key
EOF
$ sudo yum install --downloadonly --downloaddir=/home/centos/influxdb.repo.rpm influxdb

# Download rpm from dl.influxdata.com
$ curl -o influxdb.s3.rpm https://s3.amazonaws.com/dl.influxdata.com/influxdb/releases/influxdb-1.8.9.x86_64.rpm

# Use rpm to check and compare the signatures on each file
$ rpm -Kv ./influxdb.s3.rpm
./influxdb.s3.rpm:
    Header SHA1 digest: OK (911f8471b1220ae2ea615a4415b791164f254b3a)
    MD5 digest: OK (fc25eacdd74fd71f019e4128a3f19308)
$ rpm -Kv ./influxdb.repo.rpm/influxdb-1.8.9.x86_64.rpm
./influxdb.repo.rpm/influxdb-1.8.9.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 2582e0c5: OK
    Header SHA1 digest: OK (911f8471b1220ae2ea615a4415b791164f254b3a)
    V4 RSA/SHA256 Signature, key ID 2582e0c5: OK
    MD5 digest: OK (fc25eacdd74fd71f019e4128a3f19308)

What are we doing to prevent this from recurring?

Under normal circumstances, we will not re-sign packages unless we are rotating our signing keys as part of our standard procedure. We have since patched the logic error that triggered this undesirable behavior.

Related Blog Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top