[llvm-dev] Unable to verify llvm sources with the .sig files

Wink Saville via llvm-dev llvm-dev at lists.llvm.org
Fri Mar 29 10:56:27 PDT 2019


I'm on an Arch Linux system:
$ uname -a
Linux wink-desktop 5.0.4-arch1-1-ARCH #1 SMP PREEMPT Sat Mar 23 21:00:33 UTC 2019 x86_64 GNU/Linux

My gpg version is:
$ gpg --version
gpg (GnuPG) 2.2.15
libgcrypt 1.8.4
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/wink/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


I went to http://releases.llvm.org/download.html and downloaded llvm-8.0.0:
http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz
http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz.sig
http://releases.llvm.org/8.0.0/hans-gpg-key.asc

I tried to import hans-gpg-key.asc but got an error:
$ gpg --import hans-gpg-key.asc
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: key 0x0FC3042E345AD05D: 2 bad signatures
gpg: key 0x0FC3042E345AD05D: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

Searched around and found there is --allow-non-selfsigned-uid, and
it appears to succeed:
$ gpg --import --allow-non-selfsigned-uid hans-gpg-key.asc
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: key 0x0FC3042E345AD05D: 2 bad signatures
gpg: key 0x0FC3042E345AD05D: accepted non self-signed user ID "Hans Wennborg <hans at chromium.org>"
gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <hans at chromium.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

But when I verify I get an error "SHA1 algorithm rejected":
$ gpg --verify llvm-8.0.0.src.tar.xz.sig llvm-8.0.0.src.tar.xz
gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT
gpg:                using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: Can't check signature: Bad public key


Have I done something wrong?

Is there an md5sum or some other HASH available so I could check the source
manually?

-- Wink
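An added example, not part of this post or of the LLVM project's release tooling: a checker for GnuPG's machine-readable `--status-fd` output, so a verification script fails closed on exactly the situation above (signature rejected, or accepted with a SHA1 digest) instead of grepping the human-readable "Good signature" line. It assumes the signer fingerprint is the "using RSA key" value from the post, and the status lines are constructed samples in the documented status-fd format.

```shell
#!/bin/sh
# Added example, not code from the post or the LLVM project: check GnuPG's
# --status-fd output so a release-verification script fails closed. The expected
# fingerprint is the "using RSA key" value from the post; the status lines below
# are constructed samples in the documented status-fd format (doc/DETAILS).
EXPECTED_FPR="B6C8F98282B944E3B0D5C2530FC3042E345AD05D"

# check_status: reads "[GNUPG:] ..." lines on stdin. Succeeds only if a
# VALIDSIG line names the expected fingerprint with a digest other than SHA1
# (OpenPGP hash id 2; 8 is SHA256) and no error keyword appears.
check_status() {
  valid=0
  while read -r prefix keyword f1 f2 f3 f4 f5 f6 f7 f8 rest; do
    [ "$prefix" = "[GNUPG:]" ] || continue
    case "$keyword" in
      VALIDSIG)   # f1 = signing key fingerprint, f8 = hash algorithm id
        if [ "$f1" = "$EXPECTED_FPR" ] && [ "$f8" != "2" ]; then
          valid=1
        else
          echo "rejecting signature: key $f1, hash id $f8" >&2
          return 1
        fi ;;
      ERRSIG|BADSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
        echo "verification failed: $keyword $f1" >&2
        return 1 ;;
    esac
  done
  [ "$valid" -eq 1 ]
}

# verify_text: run the check over status text held in a variable (used for the
# samples below). Real use with the post's files would be:
#   gpg --status-fd 1 --verify llvm-8.0.0.src.tar.xz.sig llvm-8.0.0.src.tar.xz | check_status
verify_text() { printf '%s\n' "$1" | check_status; }

# Constructed samples. GOOD: SHA256 signature from the expected key. FAILED: the
# post's outcome (ERRSIG hash field 2 = SHA1, followed by an error code). WEAK:
# what a permissive gpg would report if it still accepted the SHA1 signature.
GOOD_SAMPLE='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0FC3042E345AD05D Hans Wennborg <hans@chromium.org>
[GNUPG:] VALIDSIG B6C8F98282B944E3B0D5C2530FC3042E345AD05D 2019-03-18 1552915937 0 4 0 1 8 00 B6C8F98282B944E3B0D5C2530FC3042E345AD05D'
FAILED_SAMPLE='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0FC3042E345AD05D 1 2 00 1552915937 6'
WEAK_SAMPLE='[GNUPG:] VALIDSIG B6C8F98282B944E3B0D5C2530FC3042E345AD05D 2019-03-18 1552915937 0 4 0 1 2 00 B6C8F98282B944E3B0D5C2530FC3042E345AD05D'

for name in GOOD FAILED WEAK; do
  eval "sample=\$${name}_SAMPLE"
  if verify_text "$sample" 2>/dev/null; then echo "$name: accepted"; else echo "$name: rejected"; fi
done
```

Only the GOOD sample is accepted; the FAILED sample matches the post's "Can't check signature" run, and the WEAK sample shows why checking the hash id matters even when gpg itself reports a valid signature.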