[llvm-dev] Unable to verify of llvm sources with the .sig files

Wink Saville via llvm-dev llvm-dev at lists.llvm.org
Thu Apr 4 08:58:30 PDT 2019


With the new signature file I was able to verify, but there was
still a bad signature: "gpg: key 0x0FC3042E345AD05D: 1 bad signature"
which I highlighted below. Didn't seem to be a problem, but thought
I'd point it out. I'd be glad to do additional tests if you'd like.

$ gpg --list-keys
/home/wink/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096/0x9F79B9CEB03232F9 2018-04-18 [C] [expires: 2019-04-18]
      Key fingerprint = 0B15 37E2 6423 4EF7 7934  7A79 9F79 B9CE B032 32F9
uid                   [ultimate] Winthrop Lyon Saville III <wink at saville.com>
sub   rsa4096/0xD232788D248BCF0E 2018-04-18 [S] [expires: 2019-04-18]
sub   rsa4096/0x9220D48FF6008D0D 2018-04-18 [E] [expires: 2019-04-18]
sub   rsa4096/0x92BB19D0D4F68457 2018-04-18 [A] [expires: 2019-04-18]

pub   rsa2048/0x7F2D434B9741E8AC 2011-04-10 [SC]
      Key fingerprint = 4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC
uid                   [ unknown] Pierre Schmitz <pierre at archlinux.de>
sub   rsa2048/0xE9B9D36A54211796 2011-04-10 [E]

wink at wink-desktop:~
$ gpg --import Documents/keys-crypto/hans-gpg-key.asc
gpg: Note: signatures using the SHA1 algorithm are rejected
*gpg: key 0x0FC3042E345AD05D: 1 bad signature*
gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <hans at chromium.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
wink at wink-desktop:~
$ echo $?
0
wink at wink-desktop:~
$ gpg --list-keys
/home/wink/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096/0x9F79B9CEB03232F9 2018-04-18 [C] [expires: 2019-04-18]
      Key fingerprint = 0B15 37E2 6423 4EF7 7934  7A79 9F79 B9CE B032 32F9
uid                   [ultimate] Winthrop Lyon Saville III <wink at saville.com>
sub   rsa4096/0xD232788D248BCF0E 2018-04-18 [S] [expires: 2019-04-18]
sub   rsa4096/0x9220D48FF6008D0D 2018-04-18 [E] [expires: 2019-04-18]
sub   rsa4096/0x92BB19D0D4F68457 2018-04-18 [A] [expires: 2019-04-18]

pub   rsa2048/0x7F2D434B9741E8AC 2011-04-10 [SC]
      Key fingerprint = 4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC
uid                   [ unknown] Pierre Schmitz <pierre at archlinux.de>
sub   rsa2048/0xE9B9D36A54211796 2011-04-10 [E]

pub   rsa4096/0x0FC3042E345AD05D 2015-01-20 [SC] [expires: 2023-01-15]
      Key fingerprint = B6C8 F982 82B9 44E3 B0D5  C253 0FC3 042E 345A D05D
uid                   [ unknown] Hans Wennborg <hans at chromium.org>
sub   rsa4096/0x3276ABBAE8E36D78 2019-04-04 [E] [expires: 2024-04-02]

wink at wink-desktop:~
$ gpg --verify ./Downloads/llvm-8.0.0.src.tar.xz.sig ./Downloads/llvm-8.0.0.src.tar.xz
gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT
gpg:                using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D
gpg: Good signature from "Hans Wennborg <hans at chromium.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B6C8 F982 82B9 44E3 B0D5  C253 0FC3 042E 345A D05D
wink at wink-desktop:~
$ echo $?
0



On Thu, Apr 4, 2019 at 1:57 AM Hans Wennborg <hans at chromium.org> wrote:

> Hi Wink,
>
> Sorry for the late reply. I didn't see your email until now.
>
> It's the "Note: signatures using the SHA1 algorithm are rejected"
> error that's the problem.
>
> It seems your gpg version doesn't like the message digest that was
> used for the self-signature on my public key. I think the signatures
> on the tarballs themselves should be okay, but that doesn't help if
> you can't import my key of course.
>
> I've tried to create a new self-signature on my key. Can you try "gpg
> --import" on the attached file and let me know if "gpg --verify" works
> afterwards?
>
> Thanks,
> Hans
>
> On Fri, Mar 29, 2019 at 6:56 PM Wink Saville via llvm-dev
> <llvm-dev at lists.llvm.org> wrote:
> >
> > I'm on an Arch Linux system:
> > $ uname -a
> > Linux wink-desktop 5.0.4-arch1-1-ARCH #1 SMP PREEMPT Sat Mar 23 21:00:33 UTC 2019 x86_64 GNU/Linux
> >
> > My gpg version is:
> > $ gpg --version
> > gpg (GnuPG) 2.2.15
> > libgcrypt 1.8.4
> > Copyright (C) 2019 Free Software Foundation, Inc.
> > License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.
> >
> > Home: /home/wink/.gnupg
> > Supported algorithms:
> > Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> > Cipher: IDEA, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
> >         CAMELLIA192, CAMELLIA256
> > Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> > Compression: Uncompressed, ZIP, ZLIB, BZIP2
> >
> >
> > I went to http://releases.llvm.org/download.html and downloaded llvm-8.0.0:
> > http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz
> > http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz.sig
> > http://releases.llvm.org/8.0.0/hans-gpg-key.asc
> >
> > I tried to import hans-gpg-key.asc but got an error:
> > $ gpg --import hans-gpg-key.asc
> > gpg: Note: signatures using the SHA1 algorithm are rejected
> > gpg: key 0x0FC3042E345AD05D: 2 bad signatures
> > gpg: key 0x0FC3042E345AD05D: no valid user IDs
> > gpg: this may be caused by a missing self-signature
> > gpg: Total number processed: 1
> > gpg:           w/o user IDs: 1
> >
> > Searched around and found there is --allow-non-selfsigned-uid and
> > it appears to succeed:
> > $ gpg --import --allow-non-selfsigned-uid hans-gpg-key.asc
> > gpg: Note: signatures using the SHA1 algorithm are rejected
> > gpg: key 0x0FC3042E345AD05D: 2 bad signatures
> > gpg: key 0x0FC3042E345AD05D: accepted non self-signed user ID "Hans Wennborg <hans at chromium.org>"
> > gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <hans at chromium.org>" imported
> > gpg: Total number processed: 1
> > gpg:               imported: 1
> >
> > But when I verify I get an error "SHA1 algorithm rejected":
> > $ gpg --verify llvm-8.0.0.src.tar.xz.sig llvm-8.0.0.src.tar.xz
> > gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT
> > gpg:                using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D
> > gpg: Note: signatures using the SHA1 algorithm are rejected
> > gpg: Can't check signature: Bad public key
> >
> >
> > Have I done something wrong?
> >
> > Is there an md5sum or some other HASH available so I could check the source manually?
> >
> > -- Wink
> >
> >
> > _______________________________________________
> > LLVM Developers mailing list
> > llvm-dev at lists.llvm.org
> > https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
>
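Added example for this thread (editor's code, not code from LLVM or from either poster). Two failure modes come up above: the key file carries a SHA-1 self-signature that GnuPG 2.2.15 rejects on import, and the final "Good signature" run still exits 0 even though the key is "not certified with a trusted signature". The script below handles both as plain text filters over gpg's own output, so it runs without gpg installed: sha1_signatures reads `gpg --list-packets KEYFILE` and lists the signature packets made with digest algo 2 (SHA-1), which shows before importing which packets GnuPG will refuse (a leftover SHA-1 signature in the re-exported key would also explain the "1 bad signature" still printed on import); verify_pinned reads `gpg --status-fd 1 --verify SIG FILE` and accepts only a VALIDSIG whose primary-key fingerprint matches one pinned in advance, which is the check gpg's exit status does not give you. The function names, the constructed `--list-packets` sample (made-up key ID and timestamps, format as printed by GnuPG 2.2) and the constructed status lines (hash algo 8 in the VALIDSIG line is an assumption) are all my own; the fingerprint is the one printed in the thread.

```shell
#!/bin/sh
# Added example for this thread; not code from LLVM or from either poster.
# sha1_signatures: list SHA-1 signature packets from `gpg --list-packets` output.
# verify_pinned:   accept `gpg --status-fd 1 --verify` output only for a pinned
#                  primary-key fingerprint (gpg exits 0 even when it warns that
#                  the key is not certified, so the exit status is not enough).
# Function names and all sample data are constructed for the example.
set -u

sha1_signatures() {
    keyid=''
    sigclass=''
    while IFS= read -r line; do
        case "$line" in
            ':signature packet:'*)
                # header: ":signature packet: algo 1, keyid XXXXXXXXXXXXXXXX"
                keyid=${line##*keyid }
                sigclass=''
                ;;
            :*)
                # any other packet header ends the current signature packet
                keyid=''
                ;;
            *'sigclass 0x'*)
                if [ -n "$keyid" ]; then sigclass=${line##*sigclass }; fi
                ;;
            *'digest algo '*)
                # "digest algo N, ..." where N is the RFC 4880 hash id:
                # 2 = SHA-1, 8 = SHA-256, 10 = SHA-512
                if [ -n "$keyid" ]; then
                    algo=${line##*digest algo }
                    algo=${algo%%,*}
                    if [ "$algo" = 2 ]; then
                        printf '%s %s\n' "$keyid" "$sigclass"
                    fi
                fi
                ;;
        esac
    done
    return 0
}

verify_pinned() {
    # normalise the pinned fingerprint: drop spaces, upper-case the hex
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    got=''
    bad=0
    while IFS= read -r line; do
        case "$line" in
            '[GNUPG:] VALIDSIG '*)
                # last field is the primary-key fingerprint; it stays the same
                # when the signing subkey is rotated, so pin that one
                got=${line##* }
                ;;
            '[GNUPG:] BADSIG '*|'[GNUPG:] ERRSIG '*|'[GNUPG:] EXPSIG '*|'[GNUPG:] EXPKEYSIG '*|'[GNUPG:] REVKEYSIG '*)
                bad=1
                ;;
        esac
    done
    if [ "$bad" -eq 0 ] && [ -n "$got" ] && [ "$got" = "$want" ]; then
        printf 'verified: signed by primary key %s\n' "$got"
        return 0
    fi
    printf 'rejected\n'
    return 1
}

# Constructed sample: a key whose user ID carries two self-signatures, one SHA-1
# and one SHA-256, in the shape `gpg --list-packets` prints (key ID made up).
SAMPLE_PACKETS=$(printf '%b\n' \
    ':public key packet:' \
    '\tversion 4, algo 1, created 1500000000, expires 0' \
    '\tkeyid: 0123456789ABCDEF' \
    ':user ID packet: "Example Signer <signer@example.invalid>"' \
    ':signature packet: algo 1, keyid 0123456789ABCDEF' \
    '\tversion 4, created 1500000000, md5len 0, sigclass 0x13' \
    '\tdigest algo 2, begin of digest 00 00' \
    ':signature packet: algo 1, keyid 0123456789ABCDEF' \
    '\tversion 4, created 1600000000, md5len 0, sigclass 0x13' \
    '\tdigest algo 8, begin of digest 00 00')

# Fingerprint as printed in the thread; constructed status lines for the
# successful --verify run (hash algo 8 is an assumption) and for a bad signature.
HANS_FPR='B6C8 F982 82B9 44E3 B0D5  C253 0FC3 042E 345A D05D'
SAMPLE_STATUS=$(printf '%s\n' \
    '[GNUPG:] NEWSIG' \
    '[GNUPG:] GOODSIG 0FC3042E345AD05D Hans Wennborg <hans@chromium.org>' \
    '[GNUPG:] VALIDSIG B6C8F98282B944E3B0D5C2530FC3042E345AD05D 2019-03-18 1552915937 0 4 0 1 8 00 B6C8F98282B944E3B0D5C2530FC3042E345AD05D' \
    '[GNUPG:] TRUST_UNDEFINED 0 pgp')
SAMPLE_BADSIG=$(printf '%s\n' \
    '[GNUPG:] NEWSIG' \
    '[GNUPG:] BADSIG 0FC3042E345AD05D Hans Wennborg <hans@chromium.org>')

# Demo on the samples. With real files the pipelines are:
#   gpg --list-packets hans-gpg-key.asc | sha1_signatures
#   gpg --status-fd 1 --verify llvm-8.0.0.src.tar.xz.sig llvm-8.0.0.src.tar.xz \
#       | verify_pinned "$HANS_FPR"
printf '%s\n' "$SAMPLE_PACKETS" | sha1_signatures
printf '%s\n' "$SAMPLE_STATUS" | verify_pinned "$HANS_FPR"
printf '%s\n' "$SAMPLE_BADSIG" | verify_pinned "$HANS_FPR" || true
```

`--status-fd 1` puts the machine-readable `[GNUPG:]` lines on stdout while the human-readable messages (including the "not certified" warning) stay on stderr, so the filter sees exactly the lines it needs. The fingerprint you pin should come from somewhere other than the download directory you are verifying, for example a key already present from an earlier release, otherwise the check only proves the tarball and key file were published together.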