Notice: WARP Client Users on Linux - Rotate Package Manager Keys

This notice is applicable to you if: you use the WARP Client on a Linux-based operating system.

Users on other platforms, including Windows, macOS, iOS and Android, are unaffected, as those platforms do not use Linux (APT or RPM) packaging systems.

The private key used to sign our Linux distribution binaries—that is ultimately trusted by apt or yum—was accidentally published in a public place. As a result, if no action is taken, this could allow a malicious third party to install arbitrary packages via injected updates.

Impact: Users that have installed the WARP Linux client via a package manager are impacted and are encouraged to delete the old key and replace it as soon as possible. You can identify if you have the exposed key with the following commands based on your Linux distribution:

  • apt based OS (Ubuntu/Debian): the command apt-key list shows a trusted key labeled Cloudflare Package Repository <[email protected]> with fingerprint 6759 A02A A9CC A897 8317 3160 4408 F627 835B 8ACB

  • rpm based OS (CentOS/RHEL): the command rpm -qi gpg-pubkey-835b8acb-* shows a summary of the trusted key, with a line showing Version: 835b8acb
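The two identification steps above can be run as one script. The following is an added example written for this notice, not a script published by Cloudflare: it parses key-listing output for the exposed fingerprint and key id quoted above, and exits non-zero when the key is still trusted. The helper names, the constructed sample listings and the `--self-test`-free layout are my own assumptions; the fingerprint 6759...8ACB and the key id 835b8acb are the values from the notice.

```shell
#!/bin/sh
# Added example, not part of the Cloudflare notice: check whether the
# exposed package-signing key (id 835b8acb) is still trusted on this host.
# Fingerprint and key id are the ones quoted in the notice; helper names
# are my own.

# Fingerprint from the notice with the display spacing removed.
EXPOSED_FPR="6759A02AA9CCA897831731604408F627835B8ACB"
EXPOSED_KEYID="835b8acb"

# Read key-listing text (apt-key list / gpg --fingerprint output) on stdin,
# drop spaces and case differences, and return 0 if the exposed fingerprint
# appears anywhere in it. Works for both the old "Key fingerprint = ..."
# layout and the newer bare fingerprint line.
has_exposed_fingerprint() {
    tr -d ' ' | tr 'a-f' 'A-F' | grep -q "$EXPOSED_FPR"
}

# Read the output of `rpm -qa 'gpg-pubkey*'` on stdin and return 0 if a
# gpg-pubkey package for the exposed key id is installed.
has_exposed_rpm_key() {
    grep -q "^gpg-pubkey-${EXPOSED_KEYID}-"
}

# Run the live checks with whichever package manager is present.
# Returns 1 if the exposed key is trusted (action required), 0 otherwise.
check_host() {
    found=0
    if command -v apt-key >/dev/null 2>&1; then
        if apt-key list 2>/dev/null | has_exposed_fingerprint; then
            echo "apt: exposed key ${EXPOSED_KEYID} is still trusted; run: sudo apt-key del ${EXPOSED_KEYID}"
            found=1
        fi
    fi
    if command -v rpm >/dev/null 2>&1; then
        if rpm -qa 'gpg-pubkey*' 2>/dev/null | has_exposed_rpm_key; then
            echo "rpm: exposed key ${EXPOSED_KEYID} is still installed; run: sudo rpm -e gpg-pubkey-${EXPOSED_KEYID}-*"
            found=1
        fi
    fi
    [ "$found" -eq 0 ] && echo "no exposed Cloudflare key found"
    return "$found"
}

# Constructed sample of what `apt-key list` prints for the exposed key
# (uid e-mail omitted); used only to exercise the parser offline.
SAMPLE_APT_LIST='pub   rsa4096 2019-05-21 [SC]
      6759 A02A A9CC A897 8317  3160 4408 F627 835B 8ACB
uid           [ unknown] Cloudflare Package Repository'

# Constructed sample of a key listing that does NOT contain the exposed key.
SAMPLE_OTHER_LIST='pub   rsa4096 2018-01-01 [SC]
      0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid           [ unknown] Some Other Repository'

# Run the live check; the exit status is 1 when remediation is needed.
check_host
```

Neither `apt-key list` nor `rpm -qa` needs root, so the check can run from configuration-management or fleet-inventory tooling as an unprivileged user; the deletion commands it prints are the ones from the Remediation section and still need sudo.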

Remediation: The exposed private key has been deleted from the public place and we have a new key in our package repository. To fix this issue please follow the instructions below depending on your Linux distribution.

apt based OS (Ubuntu/Debian)

Delete the old key:

sudo apt-key del 835b8acb

Follow the instructions on Cloudflare Package Repository to trust the new key.

rpm based OS (CentOS/RHEL)

Delete the old key:

sudo rpm -e gpg-pubkey-835b8acb-*

Force re-install the RPM for repository setup. Replace <VERSION> with the release version number applicable to your distribution per the supported versions listed at Cloudflare Package Repository for your distro.

sudo rpm -ivh --replacepkgs --replacefiles <VERSION>.rpm

Please feel free to reply to this thread if you have specific questions about rotating the key used by your package manager. We’ll be publishing a more detailed blog post shortly.


… and the blog post is here:
