[llvm-dev] Unable to verify of llvm sources with the .sig files

Wink Saville via llvm-dev llvm-dev at lists.llvm.org
Fri Apr 5 06:34:14 PDT 2019


SG, in transit now; will try to validate later today or tomorrow.

Note: IIRC, tstellar-gpg-key.asc for 7.0.1 had similar problems. Maybe you
could inform all master key holders to check/update their keys too.

On Fri, Apr 5, 2019, 12:44 AM Hans Wennborg <hans at chromium.org> wrote:

> Hi Wink,
>
> The one bad signature warning you got is for my old sub-key used for
> encryption. It doesn't matter that it's not imported since it's not
> used anymore, and was never used to sign llvm releases.
>
> I've updated my key on the key server and on the release page.
>
> Thanks for checking!
>
>  - Hans
>
> On Thu, Apr 4, 2019 at 5:58 PM Wink Saville <wink at saville.com> wrote:
> >
> > With the new signature file I was able to verify, but there was
> > still a bad signature: "gpg: key 0x0FC3042E345AD05D: 1 bad signature"
> > which I highlighted below. Didn't seem to be a problem, but thought
> > I'd point it out. I'd be glad to do additional tests if you'd like.
> >
> > $ gpg --list-keys
> > /home/wink/.gnupg/pubring.kbx
> > -----------------------------
> > pub   rsa4096/0x9F79B9CEB03232F9 2018-04-18 [C] [expires: 2019-04-18]
> >       Key fingerprint = 0B15 37E2 6423 4EF7 7934  7A79 9F79 B9CE B032 32F9
> > uid                   [ultimate] Winthrop Lyon Saville III <wink at saville.com>
> > sub   rsa4096/0xD232788D248BCF0E 2018-04-18 [S] [expires: 2019-04-18]
> > sub   rsa4096/0x9220D48FF6008D0D 2018-04-18 [E] [expires: 2019-04-18]
> > sub   rsa4096/0x92BB19D0D4F68457 2018-04-18 [A] [expires: 2019-04-18]
> >
> > pub   rsa2048/0x7F2D434B9741E8AC 2011-04-10 [SC]
> >       Key fingerprint = 4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC
> > uid                   [ unknown] Pierre Schmitz <pierre at archlinux.de>
> > sub   rsa2048/0xE9B9D36A54211796 2011-04-10 [E]
> >
> > wink at wink-desktop:~
> > $ gpg --import Documents/keys-crypto/hans-gpg-key.asc
> > gpg: Note: signatures using the SHA1 algorithm are rejected
> > gpg: key 0x0FC3042E345AD05D: 1 bad signature
> > gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <hans at chromium.org>" imported
> > gpg: Total number processed: 1
> > gpg:               imported: 1
> > wink at wink-desktop:~
> > $ echo $?
> > 0
> > wink at wink-desktop:~
> > $ gpg --list-keys
> > /home/wink/.gnupg/pubring.kbx
> > -----------------------------
> > pub   rsa4096/0x9F79B9CEB03232F9 2018-04-18 [C] [expires: 2019-04-18]
> >       Key fingerprint = 0B15 37E2 6423 4EF7 7934  7A79 9F79 B9CE B032 32F9
> > uid                   [ultimate] Winthrop Lyon Saville III <wink at saville.com>
> > sub   rsa4096/0xD232788D248BCF0E 2018-04-18 [S] [expires: 2019-04-18]
> > sub   rsa4096/0x9220D48FF6008D0D 2018-04-18 [E] [expires: 2019-04-18]
> > sub   rsa4096/0x92BB19D0D4F68457 2018-04-18 [A] [expires: 2019-04-18]
> >
> > pub   rsa2048/0x7F2D434B9741E8AC 2011-04-10 [SC]
> >       Key fingerprint = 4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC
> > uid                   [ unknown] Pierre Schmitz <pierre at archlinux.de>
> > sub   rsa2048/0xE9B9D36A54211796 2011-04-10 [E]
> >
> > pub   rsa4096/0x0FC3042E345AD05D 2015-01-20 [SC] [expires: 2023-01-15]
> >       Key fingerprint = B6C8 F982 82B9 44E3 B0D5  C253 0FC3 042E 345A D05D
> > uid                   [ unknown] Hans Wennborg <hans at chromium.org>
> > sub   rsa4096/0x3276ABBAE8E36D78 2019-04-04 [E] [expires: 2024-04-02]
> >
> > wink at wink-desktop:~
> > $ gpg --verify ./Downloads/llvm-8.0.0.src.tar.xz.sig ./Downloads/llvm-8.0.0.src.tar.xz
> > gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT
> > gpg:                using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D
> > gpg: Good signature from "Hans Wennborg <hans at chromium.org>" [unknown]
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg:          There is no indication that the signature belongs to the owner.
> > Primary key fingerprint: B6C8 F982 82B9 44E3 B0D5  C253 0FC3 042E 345A D05D
> > wink at wink-desktop:~
> > $ echo $?
> > 0
> >
> >
> >
> > On Thu, Apr 4, 2019 at 1:57 AM Hans Wennborg <hans at chromium.org> wrote:
> >>
> >> Hi Wink,
> >>
> >> Sorry for the late reply. I didn't see your email until now.
> >>
> >> It's the "Note: signatures using the SHA1 algorithm are rejected"
> >> error that's the problem.
> >>
> >> It seems your gpg version doesn't like the message digest that was
> >> used for the self-signature on my public key. I think the signatures
> >> on the tarballs themselves should be okay, but that doesn't help if
> >> you can't import my key of course.
> >>
> >> I've tried to create a new self-signature on my key. Can you try "gpg
> >> --import" on the attached file and let me know if "gpg --verify" works
> >> afterwards?
> >>
> >> Thanks,
> >> Hans
> >>
> >> On Fri, Mar 29, 2019 at 6:56 PM Wink Saville via llvm-dev
> >> <llvm-dev at lists.llvm.org> wrote:
> >> >
> >> > I'm on an Arch Linux system:
> >> > $ uname -a
> >> > Linux wink-desktop 5.0.4-arch1-1-ARCH #1 SMP PREEMPT Sat Mar 23 21:00:33 UTC 2019 x86_64 GNU/Linux
> >> >
> >> > My gpg version is:
> >> > $ gpg --version
> >> > gpg (GnuPG) 2.2.15
> >> > libgcrypt 1.8.4
> >> > Copyright (C) 2019 Free Software Foundation, Inc.
> >> > License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
> >> > This is free software: you are free to change and redistribute it.
> >> > There is NO WARRANTY, to the extent permitted by law.
> >> >
> >> > Home: /home/wink/.gnupg
> >> > Supported algorithms:
> >> > Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> >> > Cipher: IDEA, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
> >> >         CAMELLIA192, CAMELLIA256
> >> > Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> >> > Compression: Uncompressed, ZIP, ZLIB, BZIP2
> >> >
> >> >
> >> > I went to http://releases.llvm.org/download.html and downloaded llvm-8.0.0:
> >> > http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz
> >> > http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz.sig
> >> > http://releases.llvm.org/8.0.0/hans-gpg-key.asc
> >> >
> >> > I tried to import hans-gpg-key.asc but got an error:
> >> > $ gpg --import hans-gpg-key.asc
> >> > gpg: Note: signatures using the SHA1 algorithm are rejected
> >> > gpg: key 0x0FC3042E345AD05D: 2 bad signatures
> >> > gpg: key 0x0FC3042E345AD05D: no valid user IDs
> >> > gpg: this may be caused by a missing self-signature
> >> > gpg: Total number processed: 1
> >> > gpg:           w/o user IDs: 1
> >> >
> >> > Searched around and found there is --allow-non-selfsigned-uid and
> >> > it appears to succeed:
> >> > $ gpg --import --allow-non-selfsigned-uid hans-gpg-key.asc
> >> > gpg: Note: signatures using the SHA1 algorithm are rejected
> >> > gpg: key 0x0FC3042E345AD05D: 2 bad signatures
> >> > gpg: key 0x0FC3042E345AD05D: accepted non self-signed user ID "Hans Wennborg <hans at chromium.org>"
> >> > gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <hans at chromium.org>" imported
> >> > gpg: Total number processed: 1
> >> > gpg:               imported: 1
> >> >
> >> > But when I verify I get an error "SHA1 algorithm rejected":
> >> > $ gpg --verify llvm-8.0.0.src.tar.xz.sig llvm-8.0.0.src.tar.xz
> >> > gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT
> >> > gpg:                using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D
> >> > gpg: Note: signatures using the SHA1 algorithm are rejected
> >> > gpg: Can't check signature: Bad public key
> >> >
> >> >
> >> > Have I done something wrong?
> >> >
> >> > Is there an md5sum or some other HASH available so I could check the source manually?
> >> >
> >> > -- Wink
> >> >
> >> >
> >> > _______________________________________________
> >> > LLVM Developers mailing list
> >> > llvm-dev at lists.llvm.org
> >> > https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
>
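As an added example (not code from the thread or from the LLVM project), this is the check a practitioner would script around the exchange above: pin the primary key fingerprint printed in the thread, decide on gpg's machine-readable --status-fd lines rather than its exit code (note that "gpg --import" returned 0 above despite reporting "1 bad signature"), and refuse a SHA1 digest regardless of the local gpg policy. It assumes GnuPG 2.x on PATH for verify_release(); check_status() is pure POSIX sh and the status transcript it is tested on is constructed from the thread's values.

```shell
# Added example, not from the thread or the LLVM project. Assumes GnuPG 2.x
# on PATH for verify_release(); check_status() is pure POSIX sh.

# Primary key fingerprint of the release-signing key, as printed in the thread.
# Pinning it means a tampered hans-gpg-key.asc cannot substitute another key.
EXPECTED_FPR="B6C8F98282B944E3B0D5C2530FC3042E345AD05D"

# check_status <expected-fpr>: read "[GNUPG:] ..." status lines on stdin.
# Accept (return 0) only if a VALIDSIG line names the pinned primary key and
# the digest is not SHA1; any BADSIG/ERRSIG/NO_PUBKEY rejects (return 1).
# "WARNING: This key is not certified" (TRUST_UNDEFINED) is expected here:
# the pinned fingerprint replaces the web-of-trust check.
check_status() {
    expected="$1"
    ok=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # After the prefix: sig-fpr date ts expire ver reserved
                #                   pk-algo hash-algo class [primary-key-fpr]
                set -- ${line#"[GNUPG:] VALIDSIG "}
                hash_algo="$8"
                primary="${10:-$1}"   # older gpg omits the primary-key field
                [ "$hash_algo" = "2" ] && { echo "reject: SHA1 digest"; return 1; }
                [ "$primary" = "$expected" ] && ok=0
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                echo "reject: $line"
                return 1
                ;;
        esac
    done
    if [ "$ok" -eq 0 ]; then
        echo "accept: signed by pinned key $expected"
    else
        echo "reject: no VALIDSIG from pinned key"
    fi
    return "$ok"
}

# verify_release <tarball>: run gpg and feed its machine-readable status lines
# to check_status. Decide on status lines only: as the thread shows,
# "gpg --import" exits 0 even after reporting "1 bad signature".
verify_release() {
    gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
        | check_status "$EXPECTED_FPR"
}
```

Usage: `verify_release llvm-8.0.0.src.tar.xz` after importing the key; the exit status of verify_release is the decision.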