Some key signatures are considered weak with gnupg 2.4 #45

Open
lazka opened this issue Dec 6, 2023 · 2 comments

Comments

lazka commented Dec 6, 2023

Updating to gnupg 2.4 results in Alexey's packager key losing trust:

error: perl-Error: signature from "Alexey Pavlov (Alexpux) <[email protected]>" is marginal trust
:: File /var/cache/pacman/pkg/perl-Error-0.17029-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
error: perl-LWP-MediaTypes: signature from "Alexey Pavlov (Alexpux) <[email protected]>" is marginal trust
Do you want to delete it? [Y/n] 
:: File /var/cache/pacman/pkg/perl-LWP-MediaTypes-6.04-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).

This is because the packager key has 3 out of the current 4 signatures using a weak algo (SHA1); the 4th is Ray's revoked key, so ignore it:

$ gpg --list-packets packager/Alexpux.asc  | grep -n2 "digest algo 2"
26-:signature packet: algo 1, keyid F40D263ECA25678A
27-     version 4, created 1411928539, md5len 0, sigclass 0x10
28:     digest algo 2, begin of digest a6 d5
29-     hashed subpkt 2 len 4 (sig created 2014-09-28)
30-     subpkt 16 len 8 (issuer key ID F40D263ECA25678A)
--
33-:signature packet: algo 1, keyid 9F418C233E652008
34-     version 4, created 1411983368, md5len 0, sigclass 0x10
35:     digest algo 2, begin of digest ed 29
36-     hashed subpkt 2 len 4 (sig created 2014-09-29)
37-     subpkt 16 len 8 (issuer key ID 9F418C233E652008)
--
40-:signature packet: algo 1, keyid BBE514E53E0D0813
41-     version 4, created 1411922751, md5len 0, sigclass 0x10
42:     digest algo 2, begin of digest 79 8e
43-     hashed subpkt 2 len 4 (sig created 2014-09-28)
44-     subpkt 16 len 8 (issuer key ID BBE514E53E0D0813)
--
47-:signature packet: algo 1, keyid DA7EF2ABAEEA755C
48-     version 4, created 1412450524, md5len 0, sigclass 0x10
49:     digest algo 2, begin of digest 95 fe
50-     hashed subpkt 2 len 4 (sig created 2014-10-04)
51-     subpkt 16 len 8 (issuer key ID DA7EF2ABAEEA755C)
  • The short-term workaround is to pass --allow-weak-key-signatures in pacman-key
  • A mid-term one: rebuild all packages from Alexey
  • A long-term one -> More Master Keys #14

In theory, Alexey could re-sign his packager key with a better algo, and @elieux could add a signature for Alexey's packager key, which, together with mine, would get us back to three non-weak signatures. Not sure that's worth it.

I've added a regression test in msys2/msys2-tests#56 as well, so we notice when the key trust fails in the future.
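A keyring maintainer can find signatures like the ones quoted above before upgrading gnupg, rather than discovering them when pacman starts rejecting packages. The script below is an added example, not code from this issue or from the MSYS2 project: it parses `gpg --list-packets` output, picks out the certification signatures (sigclass 0x10 to 0x13) and flags those whose digest algorithm is one gnupg 2.4 rejects by default (MD5, SHA1, RIPEMD160). The embedded sample is constructed from the four packets shown in the issue, with the `grep -n` prefixes removed, plus one constructed SHA256 certification whose key ID `0000000000000000` is a placeholder.

```python
"""Audit `gpg --list-packets` output for certification signatures made with
weak digests, which GnuPG 2.4 refuses to import by default unless
--allow-weak-key-signatures is given. Added example; not part of MSYS2-keyring."""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Hash algorithm identifiers from RFC 4880, section 9.4.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {1, 2, 3}
# Signature classes 0x10-0x13 certify a user ID, i.e. they are key signatures.
CERTIFICATION_CLASSES = range(0x10, 0x14)

# Constructed sample input: the four signature packets quoted in the issue
# (line-number prefixes removed, tab indentation as gpg prints it) plus one
# constructed SHA256 certification with a placeholder key ID.
SAMPLE = (
    ":signature packet: algo 1, keyid F40D263ECA25678A\n"
    "\tversion 4, created 1411928539, md5len 0, sigclass 0x10\n"
    "\tdigest algo 2, begin of digest a6 d5\n"
    "\thashed subpkt 2 len 4 (sig created 2014-09-28)\n"
    "\tsubpkt 16 len 8 (issuer key ID F40D263ECA25678A)\n"
    ":signature packet: algo 1, keyid 9F418C233E652008\n"
    "\tversion 4, created 1411983368, md5len 0, sigclass 0x10\n"
    "\tdigest algo 2, begin of digest ed 29\n"
    "\thashed subpkt 2 len 4 (sig created 2014-09-29)\n"
    "\tsubpkt 16 len 8 (issuer key ID 9F418C233E652008)\n"
    ":signature packet: algo 1, keyid BBE514E53E0D0813\n"
    "\tversion 4, created 1411922751, md5len 0, sigclass 0x10\n"
    "\tdigest algo 2, begin of digest 79 8e\n"
    "\thashed subpkt 2 len 4 (sig created 2014-09-28)\n"
    "\tsubpkt 16 len 8 (issuer key ID BBE514E53E0D0813)\n"
    ":signature packet: algo 1, keyid DA7EF2ABAEEA755C\n"
    "\tversion 4, created 1412450524, md5len 0, sigclass 0x10\n"
    "\tdigest algo 2, begin of digest 95 fe\n"
    "\thashed subpkt 2 len 4 (sig created 2014-10-04)\n"
    "\tsubpkt 16 len 8 (issuer key ID DA7EF2ABAEEA755C)\n"
    # Constructed: a SHA256 certification; the key ID is a placeholder.
    ":signature packet: algo 1, keyid 0000000000000000\n"
    "\tversion 4, created 1700000000, md5len 0, sigclass 0x10\n"
    "\tdigest algo 8, begin of digest 00 00\n"
    "\thashed subpkt 2 len 4 (sig created 2023-11-14)\n"
    "\tsubpkt 16 len 8 (issuer key ID 0000000000000000)\n"
)


@dataclass
class KeySignature:
    issuer: str          # key ID of the signing key
    sigclass: int        # signature class, e.g. 0x10 generic certification
    digest_algo: int     # RFC 4880 hash algorithm ID
    created: Optional[str]

    @property
    def digest_name(self) -> str:
        return HASH_ALGOS.get(self.digest_algo, f"algo {self.digest_algo}")

    @property
    def is_weak(self) -> bool:
        return self.digest_algo in WEAK_DIGESTS


def parse_signature_packets(listing: str) -> List[KeySignature]:
    """Collect every ':signature packet:' and the fields on its indented lines."""
    fields = (
        ("sigclass", r"sigclass 0x([0-9A-Fa-f]+)", lambda v: int(v, 16)),
        ("digest_algo", r"digest algo (\d+)", int),
        ("created", r"sig created (\d{4}-\d{2}-\d{2})", str),
    )
    found, current = [], None
    for line in listing.splitlines():
        if line.startswith(":"):              # a new packet header
            if current is not None:
                found.append(current)
            m = re.match(r":signature packet: algo \d+, keyid ([0-9A-Fa-f]+)", line)
            current = {"issuer": m.group(1)} if m else None
            continue
        if current is None:                   # continuation of a non-signature packet
            continue
        for key, pattern, conv in fields:
            m = re.search(pattern, line)
            if m:
                current[key] = conv(m.group(1))
    if current is not None:
        found.append(current)
    return [KeySignature(d["issuer"], d.get("sigclass", -1),
                         d.get("digest_algo", -1), d.get("created")) for d in found]


def weak_certifications(listing: str) -> List[KeySignature]:
    return [s for s in parse_signature_packets(listing)
            if s.sigclass in CERTIFICATION_CLASSES and s.is_weak]


def strong_certification_count(listing: str) -> int:
    return sum(1 for s in parse_signature_packets(listing)
               if s.sigclass in CERTIFICATION_CLASSES and not s.is_weak)


def report(listing: str) -> List[str]:
    """One line per certification, marking those gnupg 2.4 drops by default."""
    out = []
    for s in parse_signature_packets(listing):
        if s.sigclass in CERTIFICATION_CLASSES:
            verdict = "WEAK, rejected by gnupg 2.4 default" if s.is_weak else "ok"
            out.append(f"{s.issuer} 0x{s.sigclass:02x} {s.digest_name:<9} "
                       f"created {s.created}: {verdict}")
    return out


if __name__ == "__main__":
    # Usage: gpg --list-packets key.asc > packets.txt; python3 audit.py packets.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(report(text)))
    print(f"{len(weak_certifications(text))} weak, "
          f"{strong_certification_count(text)} non-weak certifications")
```

Run against the sample it lists the four SHA1 certifications as weak and the constructed SHA256 one as ok; against a real export, the count of non-weak certifications is what remains of the key's web-of-trust once gnupg 2.4 discards the SHA1 ones, which is the number the marginal-trust error above is really about.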

lazka added a commit to lazka/msys2-pacman that referenced this issue Dec 8, 2023
Our keyring contains SHA1 signatures, which gnupg 2.4 no longer imports
by default. We can't easily get rid of them now, so allow them for now.

See msys2/MSYS2-keyring#45
lazka added a commit to msys2/msys2-pacman that referenced this issue Dec 8, 2023
Our keyring contains SHA1 signatures, which gnupg 2.4 no longer imports
by default. We can't easily get rid of them now, so allow them for now.

See msys2/MSYS2-keyring#45
lazka commented Dec 20, 2023

As of today the repos no longer contain packages signed by the weak key. Older versions still do, of course.

elieux added a commit that referenced this issue Apr 10, 2024
New option is required to maintain status quo for current keys with
GnuPG v2.4.

See #45.
See: msys2/msys2-pacman@4903343
lazka added a commit to lazka/msys2-pacman that referenced this issue May 5, 2024
Our keyring contains SHA1 signatures, which gnupg 2.4 no longer imports
by default. We can't easily get rid of them now, so allow them for now.

See msys2/MSYS2-keyring#45
lazka added a commit to msys2/msys2-pacman that referenced this issue May 5, 2024
Our keyring contains SHA1 signatures, which gnupg 2.4 no longer imports
by default. We can't easily get rid of them now, so allow them for now.

See msys2/MSYS2-keyring#45
lazka commented Jun 14, 2024

672 packages left on the server, 226 come from i686.
