<div dir="ltr"><div dir="ltr">I've was able to import both yours (hans-gpg-key.asc) and Tom's (tstellar-gpg-key.asc) signatures from the Download page and was able to use gpg --verify llvm-8.0.0 and llvm-7.0.1.<div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Apr 5, 2019 at 6:34 AM Wink Saville <<a href="mailto:wink@saville.com" target="_blank">wink@saville.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">SG, in transit now will try to validate later today or tomorrow.<div dir="auto"><br></div><div dir="auto">Note: IIRC, tstellar-gpg-key.asc for 7.0.1 had similar problems. Maybe you could inform all master key holders to check/update their keys too.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Apr 5, 2019, 12:44 AM Hans Wennborg <<a href="mailto:hans@chromium.org" target="_blank">hans@chromium.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Wink,<br>
<br>
The one bad signature warning you got is for my old sub-key used for<br>
encryption. It doesn't matter that it's not imported since it's not<br>
used anymore, and was never used to sign llvm releases.<br>
<br>
I've updated my key on the key server and on the release page.<br>
<br>
Thanks for checking!<br>
<br>
- Hans<br>
<br>
On Thu, Apr 4, 2019 at 5:58 PM Wink Saville <<a href="mailto:wink@saville.com" rel="noreferrer" target="_blank">wink@saville.com</a>> wrote:<br>
><br>
> With the new signature file I was able to verify, but there was<br>
> still a bad signature: "gpg: key 0x0FC3042E345AD05D: 1 bad signature"<br>
> which I highlighted below. Didn't seem to be a problem, but thought<br>
> I'd point it out. I'd be glad to do additional tests if you'd like.<br>
><br>
> $ gpg --list-keys<br>
> /home/wink/.gnupg/pubring.kbx<br>
> -----------------------------<br>
> pub rsa4096/0x9F79B9CEB03232F9 2018-04-18 [C] [expires: 2019-04-18]<br>
> Key fingerprint = 0B15 37E2 6423 4EF7 7934 7A79 9F79 B9CE B032 32F9<br>
> uid [ultimate] Winthrop Lyon Saville III <<a href="mailto:wink@saville.com" rel="noreferrer" target="_blank">wink@saville.com</a>><br>
> sub rsa4096/0xD232788D248BCF0E 2018-04-18 [S] [expires: 2019-04-18]<br>
> sub rsa4096/0x9220D48FF6008D0D 2018-04-18 [E] [expires: 2019-04-18]<br>
> sub rsa4096/0x92BB19D0D4F68457 2018-04-18 [A] [expires: 2019-04-18]<br>
><br>
> pub rsa2048/0x7F2D434B9741E8AC 2011-04-10 [SC]<br>
> Key fingerprint = 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC<br>
> uid [ unknown] Pierre Schmitz <<a href="mailto:pierre@archlinux.de" rel="noreferrer" target="_blank">pierre@archlinux.de</a>><br>
> sub rsa2048/0xE9B9D36A54211796 2011-04-10 [E]<br>
><br>
> wink@wink-desktop:~<br>
> $ gpg --import Documents/keys-crypto/hans-gpg-key.asc<br>
> gpg: Note: signatures using the SHA1 algorithm are rejected<br>
> gpg: key 0x0FC3042E345AD05D: 1 bad signature<br>
> gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <<a href="mailto:hans@chromium.org" rel="noreferrer" target="_blank">hans@chromium.org</a>>" imported<br>
> gpg: Total number processed: 1<br>
> gpg: imported: 1<br>
> wink@wink-desktop:~<br>
> $ echo $?<br>
> 0<br>
> wink@wink-desktop:~<br>
> $ gpg --list-keys<br>
> /home/wink/.gnupg/pubring.kbx<br>
> -----------------------------<br>
> pub rsa4096/0x9F79B9CEB03232F9 2018-04-18 [C] [expires: 2019-04-18]<br>
> Key fingerprint = 0B15 37E2 6423 4EF7 7934 7A79 9F79 B9CE B032 32F9<br>
> uid [ultimate] Winthrop Lyon Saville III <<a href="mailto:wink@saville.com" rel="noreferrer" target="_blank">wink@saville.com</a>><br>
> sub rsa4096/0xD232788D248BCF0E 2018-04-18 [S] [expires: 2019-04-18]<br>
> sub rsa4096/0x9220D48FF6008D0D 2018-04-18 [E] [expires: 2019-04-18]<br>
> sub rsa4096/0x92BB19D0D4F68457 2018-04-18 [A] [expires: 2019-04-18]<br>
><br>
> pub rsa2048/0x7F2D434B9741E8AC 2011-04-10 [SC]<br>
> Key fingerprint = 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC<br>
> uid [ unknown] Pierre Schmitz <<a href="mailto:pierre@archlinux.de" rel="noreferrer" target="_blank">pierre@archlinux.de</a>><br>
> sub rsa2048/0xE9B9D36A54211796 2011-04-10 [E]<br>
><br>
> pub rsa4096/0x0FC3042E345AD05D 2015-01-20 [SC] [expires: 2023-01-15]<br>
> Key fingerprint = B6C8 F982 82B9 44E3 B0D5 C253 0FC3 042E 345A D05D<br>
> uid [ unknown] Hans Wennborg <<a href="mailto:hans@chromium.org" rel="noreferrer" target="_blank">hans@chromium.org</a>><br>
> sub rsa4096/0x3276ABBAE8E36D78 2019-04-04 [E] [expires: 2024-04-02]<br>
><br>
> wink@wink-desktop:~<br>
> $ gpg --verify ./Downloads/llvm-8.0.0.src.tar.xz.sig ./Downloads/llvm-8.0.0.src.tar.xz<br>
> gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT<br>
> gpg: using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D<br>
> gpg: Good signature from "Hans Wennborg <<a href="mailto:hans@chromium.org" rel="noreferrer" target="_blank">hans@chromium.org</a>>" [unknown]<br>
> gpg: WARNING: This key is not certified with a trusted signature!<br>
> gpg: There is no indication that the signature belongs to the owner.<br>
> Primary key fingerprint: B6C8 F982 82B9 44E3 B0D5 C253 0FC3 042E 345A D05D<br>
> wink@wink-desktop:~<br>
> $ echo $?<br>
> 0<br>
><br>
><br>
><br>
> On Thu, Apr 4, 2019 at 1:57 AM Hans Wennborg <<a href="mailto:hans@chromium.org" rel="noreferrer" target="_blank">hans@chromium.org</a>> wrote:<br>
>><br>
>> Hi Wink,<br>
>><br>
>> Sorry for the late reply. I didn't see your email until now.<br>
>><br>
>> It's the "Note: signatures using the SHA1 algorithm are rejected"<br>
>> error that's the problem.<br>
>><br>
>> It seems your gpg version doesn't like the message digest that was<br>
>> used for the self-signature on my public key. I think the signatures<br>
>> on the tarballs themselves should be okay, but that doesn't help if<br>
>> you can't import my key of course.<br>
>><br>
>> I've tried to created a new self signature on my key. Can you try "gpg<br>
>> --import" on the attached file and let me know if "gpg --verify" works<br>
>> afterwards?<br>
>><br>
>> Thanks,<br>
>> Hans<br>
>><br>
>> On Fri, Mar 29, 2019 at 6:56 PM Wink Saville via llvm-dev<br>
>> <<a href="mailto:llvm-dev@lists.llvm.org" rel="noreferrer" target="_blank">llvm-dev@lists.llvm.org</a>> wrote:<br>
>> ><br>
>> > I'm on an Arch Linux system:<br>
>> > $ uname -a<br>
>> > Linux wink-desktop 5.0.4-arch1-1-ARCH #1 SMP PREEMPT Sat Mar 23 21:00:33 UTC 2019 x86_64 GNU/Linux<br>
>> ><br>
>> > My gpg version is:<br>
>> > $ gpg --version<br>
>> > gpg (GnuPG) 2.2.15<br>
>> > libgcrypt 1.8.4<br>
>> > Copyright (C) 2019 Free Software Foundation, Inc.<br>
>> > License GPLv3+: GNU GPL version 3 or later <<a href="https://gnu.org/licenses/gpl.html" rel="noreferrer noreferrer" target="_blank">https://gnu.org/licenses/gpl.html</a>><br>
>> > This is free software: you are free to change and redistribute it.<br>
>> > There is NO WARRANTY, to the extent permitted by law.<br>
>> ><br>
>> > Home: /home/wink/.gnupg<br>
>> > Supported algorithms:<br>
>> > Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA<br>
>> > Cipher: IDEA, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,<br>
>> > CAMELLIA192, CAMELLIA256<br>
>> > Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224<br>
>> > Compression: Uncompressed, ZIP, ZLIB, BZIP2<br>
>> ><br>
>> ><br>
>> > I went to <a href="http://releases.llvm.org/download.html" rel="noreferrer noreferrer" target="_blank">http://releases.llvm.org/download.html</a> and downloaded llvm-8.0.0:<br>
>> > <a href="http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz" rel="noreferrer noreferrer" target="_blank">http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz</a><br>
>> > <a href="http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz.sig" rel="noreferrer noreferrer" target="_blank">http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz.sig</a><br>
>> > <a href="http://releases.llvm.org/8.0.0/hans-gpg-key.asc" rel="noreferrer noreferrer" target="_blank">http://releases.llvm.org/8.0.0/hans-gpg-key.asc</a><br>
>> ><br>
>> > I tried to import hans-gpg-key.asc but got an error:<br>
>> > $ gpg --import hans-gpg-key.asc<br>
>> > gpg: Note: signatures using the SHA1 algorithm are rejected<br>
>> > gpg: key 0x0FC3042E345AD05D: 2 bad signatures<br>
>> > gpg: key 0x0FC3042E345AD05D: no valid user IDs<br>
>> > gpg: this may be caused by a missing self-signature<br>
>> > gpg: Total number processed: 1<br>
>> > gpg: w/o user IDs: 1<br>
>> ><br>
>> > Searched around and found there is ----allow-non-selfsigned-uid and<br>
>> > it appears to succeed:<br>
>> > $ gpg --import --allow-non-selfsigned-uid hans-gpg-key.asc<br>
>> > gpg: Note: signatures using the SHA1 algorithm are rejected<br>
>> > gpg: key 0x0FC3042E345AD05D: 2 bad signatures<br>
>> > gpg: key 0x0FC3042E345AD05D: accepted non self-signed user ID "Hans Wennborg <<a href="mailto:hans@chromium.org" rel="noreferrer" target="_blank">hans@chromium.org</a>>"<br>
>> > gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <<a href="mailto:hans@chromium.org" rel="noreferrer" target="_blank">hans@chromium.org</a>>" imported<br>
>> > gpg: Total number processed: 1<br>
>> > gpg: imported: 1<br>
>> ><br>
>> > But when I verify I get an error "SHA1 algorithm rejected":<br>
>> > $ gpg --verify llvm-8.0.0.src.tar.xz.sig llvm-8.0.0.src.tar.xz<br>
>> > gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT<br>
>> > gpg: using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D<br>
>> > gpg: Note: signatures using the SHA1 algorithm are rejected<br>
>> > gpg: Can't check signature: Bad public key<br>
>> ><br>
>> ><br>
>> > Have I done something wrong?<br>
>> ><br>
>> > Is there an md5sum or some other HASH available so I could check the source manually?<br>
>> ><br>
>> > -- Wink<br>
>> ><br>
>> ><br>
>> > _______________________________________________<br>
>> > LLVM Developers mailing list<br>
>> > <a href="mailto:llvm-dev@lists.llvm.org" rel="noreferrer" target="_blank">llvm-dev@lists.llvm.org</a><br>
>> > <a href="https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" rel="noreferrer noreferrer" target="_blank">https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev</a><br>
</blockquote></div>
</blockquote></div>