[llvm-dev] Unable to verify llvm sources with the .sig files


Wink Saville via llvm-dev

Mar 29, 2019, 1:56:49 PM
to llvm-dev
I'm on an Arch Linux system:
$ uname -a
Linux wink-desktop 5.0.4-arch1-1-ARCH #1 SMP PREEMPT Sat Mar 23 21:00:33 UTC 2019 x86_64 GNU/Linux

My gpg version is:
$ gpg --version
gpg (GnuPG) 2.2.15
libgcrypt 1.8.4
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/wink/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


I went to http://releases.llvm.org/download.html and downloaded llvm-8.0.0:

I tried to import hans-gpg-key.asc but got an error:
$ gpg --import hans-gpg-key.asc 
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: key 0x0FC3042E345AD05D: 2 bad signatures
gpg: key 0x0FC3042E345AD05D: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

Searched around and found there is --allow-non-selfsigned-uid and
it appears to succeed:
$ gpg --import --allow-non-selfsigned-uid hans-gpg-key.asc 
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: key 0x0FC3042E345AD05D: 2 bad signatures
gpg: key 0x0FC3042E345AD05D: accepted non self-signed user ID "Hans Wennborg <ha...@chromium.org>"
gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <ha...@chromium.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

But when I verify I get an error "SHA1 algorithm rejected":
$ gpg --verify llvm-8.0.0.src.tar.xz.sig llvm-8.0.0.src.tar.xz
gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT
gpg:                using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: Can't check signature: Bad public key


Have I done something wrong?

Is there an md5sum or some other HASH available so I could check the source manually?

-- Wink


Hans Wennborg via llvm-dev

Apr 4, 2019, 4:57:45 AM
to Wink Saville, llvm-dev
Hi Wink,

Sorry for the late reply. I didn't see your email until now.

It's the "Note: signatures using the SHA1 algorithm are rejected"
error that's the problem.

It seems your gpg version doesn't like the message digest that was
used for the self-signature on my public key. I think the signatures
on the tarballs themselves should be okay, but that doesn't help if
you can't import my key of course.

I've tried to create a new self signature on my key. Can you try "gpg
--import" on the attached file and let me know if "gpg --verify" works
afterwards?

Thanks,
Hans
> _______________________________________________
> LLVM Developers mailing list
> llvm...@lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
hans-gpg-key.asc

Wink Saville via llvm-dev

Apr 4, 2019, 11:58:50 AM
to Hans Wennborg, llvm-dev
With the new signature file I was able to verify, but there was
still a bad signature: "gpg: key 0x0FC3042E345AD05D: 1 bad signature"
which I highlighted below. Didn't seem to be a problem, but thought
I'd point it out. I'd be glad to do additional tests if you'd like.

$ gpg --list-keys
/home/wink/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096/0x9F79B9CEB03232F9 2018-04-18 [C] [expires: 2019-04-18]
      Key fingerprint = 0B15 37E2 6423 4EF7 7934  7A79 9F79 B9CE B032 32F9
uid                   [ultimate] Winthrop Lyon Saville III <wi...@saville.com>
sub   rsa4096/0xD232788D248BCF0E 2018-04-18 [S] [expires: 2019-04-18]
sub   rsa4096/0x9220D48FF6008D0D 2018-04-18 [E] [expires: 2019-04-18]
sub   rsa4096/0x92BB19D0D4F68457 2018-04-18 [A] [expires: 2019-04-18]

pub   rsa2048/0x7F2D434B9741E8AC 2011-04-10 [SC]
      Key fingerprint = 4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC
uid                   [ unknown] Pierre Schmitz <pie...@archlinux.de>
sub   rsa2048/0xE9B9D36A54211796 2011-04-10 [E]

wink@wink-desktop:~
$ gpg --import Documents/keys-crypto/hans-gpg-key.asc 
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: key 0x0FC3042E345AD05D: 1 bad signature
gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <ha...@chromium.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
wink@wink-desktop:~
$ echo $?
0
wink@wink-desktop:~
$ gpg --list-keys
/home/wink/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096/0x9F79B9CEB03232F9 2018-04-18 [C] [expires: 2019-04-18]
      Key fingerprint = 0B15 37E2 6423 4EF7 7934  7A79 9F79 B9CE B032 32F9
uid                   [ultimate] Winthrop Lyon Saville III <wi...@saville.com>
sub   rsa4096/0xD232788D248BCF0E 2018-04-18 [S] [expires: 2019-04-18]
sub   rsa4096/0x9220D48FF6008D0D 2018-04-18 [E] [expires: 2019-04-18]
sub   rsa4096/0x92BB19D0D4F68457 2018-04-18 [A] [expires: 2019-04-18]

pub   rsa2048/0x7F2D434B9741E8AC 2011-04-10 [SC]
      Key fingerprint = 4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC
uid                   [ unknown] Pierre Schmitz <pie...@archlinux.de>
sub   rsa2048/0xE9B9D36A54211796 2011-04-10 [E]

pub   rsa4096/0x0FC3042E345AD05D 2015-01-20 [SC] [expires: 2023-01-15]
      Key fingerprint = B6C8 F982 82B9 44E3 B0D5  C253 0FC3 042E 345A D05D
uid                   [ unknown] Hans Wennborg <ha...@chromium.org>
sub   rsa4096/0x3276ABBAE8E36D78 2019-04-04 [E] [expires: 2024-04-02]

wink@wink-desktop:~
$ gpg --verify ./Downloads/llvm-8.0.0.src.tar.xz.sig ./Downloads/llvm-8.0.0.src.tar.xz
gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT
gpg:                using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D
gpg: Good signature from "Hans Wennborg <ha...@chromium.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B6C8 F982 82B9 44E3 B0D5  C253 0FC3 042E 345A D05D
wink@wink-desktop:~
$ echo $?
0
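The check a release consumer actually wants at this point, as an added example that is not from the thread: read gpg's machine-readable `--status-fd` output instead of the "Good signature" text or the exit status (which was 0 above despite the "not certified" warning), and require a VALIDSIG made by the pinned fingerprint of the release key with a non-deprecated digest. The status lines are constructed to mirror the thread's outcomes; the VALIDSIG hash-algorithm id and the ERRSIG return code are assumptions.

```python
# Trust decision for the output of `gpg --verify --status-fd 1 <sig> <file>`.
# Added example; the status lines at the bottom are constructed, not captured.

# Fingerprint of the LLVM 8.0.0 release-signing key, as printed in the thread.
PINNED_FPR = "B6C8F98282B944E3B0D5C2530FC3042E345AD05D"
# OpenPGP hash-algorithm ids (RFC 4880 s9.4) we refuse for a release signature.
WEAK_HASH_ALGOS = {1: "MD5", 2: "SHA1"}


def parse_status(status_text):
    """Map each '[GNUPG:] KEYWORD args...' line to KEYWORD -> list of arg lists."""
    status = {}
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line.split()
            status.setdefault(parts[1], []).append(parts[2:])
    return status


def verdict(status_text, pinned_fpr=PINNED_FPR):
    """Return (ok, reason). ok is True only for a VALIDSIG by the pinned key
    using a non-deprecated digest; GOODSIG text and exit status are ignored."""
    status = parse_status(status_text)
    if "BADSIG" in status:
        return False, "signature does not match the file"
    if "ERRSIG" in status:
        rc = status["ERRSIG"][0][5]  # ERRSIG keyid pkalgo hashalgo class time rc fpr
        return False, "gpg could not check the signature (rc=%s)" % rc
    if "VALIDSIG" not in status:
        return False, "no VALIDSIG line"
    a = status["VALIDSIG"][0]  # fpr date ts expire ver rsvd pkalgo hashalgo class primary
    sig_fpr, hash_algo = a[0], int(a[7])
    primary_fpr = a[9] if len(a) > 9 else sig_fpr
    if pinned_fpr not in (sig_fpr, primary_fpr):
        return False, "signed by unexpected key %s" % primary_fpr
    if hash_algo in WEAK_HASH_ALGOS:
        return False, "signature digest %s is deprecated" % WEAK_HASH_ALGOS[hash_algo]
    return True, "valid signature by pinned key"


# Constructed samples: key unusable (rc 6, assumed GPG_ERR_BAD_PUBKEY), good
# signature with the key uncertified (TRUST_UNDEFINED), and a tampered file.
UID = "Hans Wennborg <ha...@chromium.org>"
STATUS_BAD_PUBKEY = ("[GNUPG:] NEWSIG\n[GNUPG:] ERRSIG 0FC3042E345AD05D 1 8 00 "
                     "1552915937 6 " + PINNED_FPR + "\n")
STATUS_GOOD = ("[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG 0FC3042E345AD05D " + UID + "\n"
               "[GNUPG:] VALIDSIG " + PINNED_FPR + " 2019-03-18 1552915937 0 4 0 1 8 00 "
               + PINNED_FPR + "\n[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
STATUS_BADSIG = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0FC3042E345AD05D " + UID + "\n"
```

Pinning the fingerprint is what turns the "not certified" warning into a non-issue: the decision no longer depends on the web of trust, only on the key you expect.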


Hans Wennborg via llvm-dev

Apr 5, 2019, 3:44:58 AM
to Wink Saville, llvm-dev
Hi Wink,

The one bad signature warning you got is for my old sub-key used for
encryption. It doesn't matter that it's not imported since it's not
used anymore, and was never used to sign llvm releases.

I've updated my key on the key server and on the release page.

Thanks for checking!

- Hans

Wink Saville via llvm-dev

Apr 5, 2019, 9:34:41 AM
to Hans Wennborg, llvm-dev
SG, in transit now; will try to validate later today or tomorrow.

Note: IIRC, tstellar-gpg-key.asc for 7.0.1 had similar problems. Maybe you could inform all master key holders to check/update their keys too.

Wink Saville via llvm-dev

Apr 5, 2019, 9:02:26 PM
to Hans Wennborg, llvm-dev
I was able to import both yours (hans-gpg-key.asc) and Tom's (tstellar-gpg-key.asc) signatures from the Download page and was able to use gpg --verify on llvm-8.0.0 and llvm-7.0.1.
