[llvm-dev] Unable to verify llvm sources with the .sig files

Hans Wennborg via llvm-dev llvm-dev at lists.llvm.org
Fri Apr 5 00:44:19 PDT 2019


Hi Wink,

The one bad signature warning you got is for my old sub-key used for
encryption. It doesn't matter that it's not imported since it's not
used anymore, and was never used to sign llvm releases.

I've updated my key on the key server and on the release page.

Thanks for checking!

 - Hans

On Thu, Apr 4, 2019 at 5:58 PM Wink Saville <wink at saville.com> wrote:
>
> With the new signature file I was able to verify, but there was
> still a bad signature: "gpg: key 0x0FC3042E345AD05D: 1 bad signature"
> which I highlighted below. Didn't seem to be a problem, but thought
> I'd point it out. I'd be glad to do additional tests if you'd like.
>
> $ gpg --list-keys
> /home/wink/.gnupg/pubring.kbx
> -----------------------------
> pub   rsa4096/0x9F79B9CEB03232F9 2018-04-18 [C] [expires: 2019-04-18]
>       Key fingerprint = 0B15 37E2 6423 4EF7 7934  7A79 9F79 B9CE B032 32F9
> uid                   [ultimate] Winthrop Lyon Saville III <wink at saville.com>
> sub   rsa4096/0xD232788D248BCF0E 2018-04-18 [S] [expires: 2019-04-18]
> sub   rsa4096/0x9220D48FF6008D0D 2018-04-18 [E] [expires: 2019-04-18]
> sub   rsa4096/0x92BB19D0D4F68457 2018-04-18 [A] [expires: 2019-04-18]
>
> pub   rsa2048/0x7F2D434B9741E8AC 2011-04-10 [SC]
>       Key fingerprint = 4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC
> uid                   [ unknown] Pierre Schmitz <pierre at archlinux.de>
> sub   rsa2048/0xE9B9D36A54211796 2011-04-10 [E]
>
> wink at wink-desktop:~
> $ gpg --import Documents/keys-crypto/hans-gpg-key.asc
> gpg: Note: signatures using the SHA1 algorithm are rejected
> gpg: key 0x0FC3042E345AD05D: 1 bad signature
> gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <hans at chromium.org>" imported
> gpg: Total number processed: 1
> gpg:               imported: 1
> wink at wink-desktop:~
> $ echo $?
> 0
> wink at wink-desktop:~
> $ gpg --list-keys
> /home/wink/.gnupg/pubring.kbx
> -----------------------------
> pub   rsa4096/0x9F79B9CEB03232F9 2018-04-18 [C] [expires: 2019-04-18]
>       Key fingerprint = 0B15 37E2 6423 4EF7 7934  7A79 9F79 B9CE B032 32F9
> uid                   [ultimate] Winthrop Lyon Saville III <wink at saville.com>
> sub   rsa4096/0xD232788D248BCF0E 2018-04-18 [S] [expires: 2019-04-18]
> sub   rsa4096/0x9220D48FF6008D0D 2018-04-18 [E] [expires: 2019-04-18]
> sub   rsa4096/0x92BB19D0D4F68457 2018-04-18 [A] [expires: 2019-04-18]
>
> pub   rsa2048/0x7F2D434B9741E8AC 2011-04-10 [SC]
>       Key fingerprint = 4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC
> uid                   [ unknown] Pierre Schmitz <pierre at archlinux.de>
> sub   rsa2048/0xE9B9D36A54211796 2011-04-10 [E]
>
> pub   rsa4096/0x0FC3042E345AD05D 2015-01-20 [SC] [expires: 2023-01-15]
>       Key fingerprint = B6C8 F982 82B9 44E3 B0D5  C253 0FC3 042E 345A D05D
> uid                   [ unknown] Hans Wennborg <hans at chromium.org>
> sub   rsa4096/0x3276ABBAE8E36D78 2019-04-04 [E] [expires: 2024-04-02]
>
> wink at wink-desktop:~
> $ gpg --verify ./Downloads/llvm-8.0.0.src.tar.xz.sig ./Downloads/llvm-8.0.0.src.tar.xz
> gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT
> gpg:                using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D
> gpg: Good signature from "Hans Wennborg <hans at chromium.org>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: B6C8 F982 82B9 44E3 B0D5  C253 0FC3 042E 345A D05D
> wink at wink-desktop:~
> $ echo $?
> 0
>
>
>
> On Thu, Apr 4, 2019 at 1:57 AM Hans Wennborg <hans at chromium.org> wrote:
>>
>> Hi Wink,
>>
>> Sorry for the late reply. I didn't see your email until now.
>>
>> It's the "Note: signatures using the SHA1 algorithm are rejected"
>> error that's the problem.
>>
>> It seems your gpg version doesn't like the message digest that was
>> used for the self-signature on my public key. I think the signatures
>> on the tarballs themselves should be okay, but that doesn't help if
>> you can't import my key of course.
>>
>> I've tried to create a new self-signature on my key. Can you try "gpg
>> --import" on the attached file and let me know if "gpg --verify" works
>> afterwards?
>>
>> Thanks,
>> Hans
>>
>> On Fri, Mar 29, 2019 at 6:56 PM Wink Saville via llvm-dev
>> <llvm-dev at lists.llvm.org> wrote:
>> >
>> > I'm on an Arch Linux system:
>> > $ uname -a
>> > Linux wink-desktop 5.0.4-arch1-1-ARCH #1 SMP PREEMPT Sat Mar 23 21:00:33 UTC 2019 x86_64 GNU/Linux
>> >
>> > My gpg version is:
>> > $ gpg --version
>> > gpg (GnuPG) 2.2.15
>> > libgcrypt 1.8.4
>> > Copyright (C) 2019 Free Software Foundation, Inc.
>> > License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
>> > This is free software: you are free to change and redistribute it.
>> > There is NO WARRANTY, to the extent permitted by law.
>> >
>> > Home: /home/wink/.gnupg
>> > Supported algorithms:
>> > Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
>> > Cipher: IDEA, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
>> >         CAMELLIA192, CAMELLIA256
>> > Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
>> > Compression: Uncompressed, ZIP, ZLIB, BZIP2
>> >
>> >
>> > I went to http://releases.llvm.org/download.html and downloaded llvm-8.0.0:
>> > http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz
>> > http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz.sig
>> > http://releases.llvm.org/8.0.0/hans-gpg-key.asc
>> >
>> > I tried to import hans-gpg-key.asc but got an error:
>> > $ gpg --import hans-gpg-key.asc
>> > gpg: Note: signatures using the SHA1 algorithm are rejected
>> > gpg: key 0x0FC3042E345AD05D: 2 bad signatures
>> > gpg: key 0x0FC3042E345AD05D: no valid user IDs
>> > gpg: this may be caused by a missing self-signature
>> > gpg: Total number processed: 1
>> > gpg:           w/o user IDs: 1
>> >
>> > Searched around and found there is --allow-non-selfsigned-uid and
>> > it appears to succeed:
>> > $ gpg --import --allow-non-selfsigned-uid hans-gpg-key.asc
>> > gpg: Note: signatures using the SHA1 algorithm are rejected
>> > gpg: key 0x0FC3042E345AD05D: 2 bad signatures
>> > gpg: key 0x0FC3042E345AD05D: accepted non self-signed user ID "Hans Wennborg <hans at chromium.org>"
>> > gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <hans at chromium.org>" imported
>> > gpg: Total number processed: 1
>> > gpg:               imported: 1
>> >
>> > But when I verify I get an error "SHA1 algorithm rejected":
>> > $ gpg --verify llvm-8.0.0.src.tar.xz.sig llvm-8.0.0.src.tar.xz
>> > gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT
>> > gpg:                using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D
>> > gpg: Note: signatures using the SHA1 algorithm are rejected
>> > gpg: Can't check signature: Bad public key
>> >
>> >
>> > Have I done something wrong?
>> >
>> > Is there an md5sum or some other HASH available so I could check the source manually?
>> >
>> > -- Wink
>> >
>> >
>> > _______________________________________________
>> > LLVM Developers mailing list
>> > llvm-dev at lists.llvm.org
>> > https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
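The exchange above shows two things worth automating: "gpg --verify" exits 0 for a good signature from any key in the keyring (Wink's "echo $?" prints 0 even though the key is "not certified with a trusted signature"), and the human-readable output is not meant to be parsed. The check a release consumer actually wants is "the signature is good AND it was made by the key whose fingerprint I pinned out of band". The following is an added example written for this thread; it is not code from the llvm-dev post or from the LLVM project. It drives gpg's machine-readable --status-fd stream (GOODSIG, VALIDSIG, TRUST_*, ERRSIG, NO_PUBKEY are real GnuPG status keywords) and pins the primary key fingerprint printed in the thread. The function names, the EXPECTED_FPR constant and the sample status lines in the usage notes are this example's own constructions.

```python
"""Verify a detached OpenPGP signature and pin the signer's fingerprint.

Added example for the llvm-dev thread above; not code from the post or
from the LLVM project. gpg's exit status says "some key in the keyring
made a good signature"; it does not say WHICH key. The robust check is
to parse the --status-fd stream and require GOODSIG plus a VALIDSIG
whose primary-key fingerprint equals the one pinned out of band.
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Hans Wennborg's primary key fingerprint as printed in the thread.
EXPECTED_FPR = "B6C8F98282B944E3B0D5C2530FC3042E345AD05D"

# Status keywords after which the signature must not be accepted.
FAILURE_KEYWORDS = {
    "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
    "NO_PUBKEY", "NODATA", "UNEXPECTED", "FAILURE",
}


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None   # primary key fpr from VALIDSIG
    trust: Optional[str] = None         # TRUST_* keyword, informational only
    problems: List[str] = field(default_factory=list)


def _norm(fpr: str) -> str:
    """Accept fingerprints with or without the spacing gpg prints."""
    return fpr.replace(" ", "").upper()


def check_status(status_lines, expected_fpr: str = EXPECTED_FPR) -> VerifyResult:
    """Decide from gpg --status-fd lines whether exactly the pinned key signed."""
    goodsig = False
    primary_fpr = None
    trust = None
    problems = []
    for raw in status_lines:
        line = raw.strip()
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary stderr chatter, ignore
        parts = line.split()
        keyword = parts[1]
        if keyword == "GOODSIG":
            goodsig = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <class> [<primary-key-fpr>]
            # A subkey signature carries the subkey fpr first and the
            # primary fpr last; always pin against the primary.
            primary_fpr = _norm(parts[11] if len(parts) > 11 else parts[2])
        elif keyword.startswith("TRUST_"):
            trust = keyword
        elif keyword in FAILURE_KEYWORDS:
            problems.append(line)

    if problems:
        return VerifyResult(False, "gpg reported a failure status",
                            primary_fpr, trust, problems)
    if not (goodsig and primary_fpr):
        return VerifyResult(False, "no GOODSIG/VALIDSIG pair in status output",
                            primary_fpr, trust)
    if primary_fpr != _norm(expected_fpr):
        return VerifyResult(False, "good signature, but from an unexpected key",
                            primary_fpr, trust)
    # TRUST_UNDEFINED is what gpg renders as "WARNING: This key is not
    # certified with a trusted signature". The pinned fingerprint is our
    # substitute for web-of-trust certification, so it is not a failure.
    return VerifyResult(True, "signature valid and from the pinned key",
                        primary_fpr, trust)


def verify_detached(sig_path: str, data_path: str,
                    expected_fpr: str = EXPECTED_FPR,
                    gpg: str = "gpg") -> VerifyResult:
    """Run gpg on a detached signature and apply check_status to its output."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True,
    )
    result = check_status(proc.stdout.splitlines(), expected_fpr)
    if result.ok and proc.returncode != 0:
        # Never accept when gpg itself says the run failed.
        result = VerifyResult(False, f"gpg exited {proc.returncode}",
                              result.fingerprint, result.trust)
    return result


if __name__ == "__main__":
    import sys
    r = verify_detached(sys.argv[1], sys.argv[2])
    print(r.reason, r.fingerprint or "", r.trust or "")
    sys.exit(0 if r.ok else 1)
```

Usage: "python verify_release.py llvm-8.0.0.src.tar.xz.sig llvm-8.0.0.src.tar.xz" after importing the key. With the first, SHA1-self-signed copy of the key that Wink hit, the status stream carries ERRSIG (or NO_PUBKEY if the key was never imported at all) and check_status fails closed; a good signature from some other key in the keyring fails with "unexpected key" even though gpg itself exits 0; the TRUST_UNDEFINED line from the final successful run is recorded but does not block acceptance. Note that this pins the key, not the release: a signature is only as good as the key's provenance, so the pinned fingerprint should come from somewhere other than the same web page that serves the tarball and the .sig.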