[llvm-dev] Unable to verify of llvm sources with the .sig files

Wink Saville via llvm-dev llvm-dev at lists.llvm.org
Fri Apr 5 18:02:04 PDT 2019


I was able to import both yours (hans-gpg-key.asc) and Tom's
(tstellar-gpg-key.asc) signatures from the Download page and was able to
use gpg --verify llvm-8.0.0 and llvm-7.0.1.


On Fri, Apr 5, 2019 at 6:34 AM Wink Saville <wink at saville.com> wrote:

> SG, in transit now will try to validate later today or tomorrow.
>
> Note: IIRC, tstellar-gpg-key.asc for 7.0.1 had similar problems. Maybe you
> could inform all master key holders to check/update their keys too.
>
> On Fri, Apr 5, 2019, 12:44 AM Hans Wennborg <hans at chromium.org> wrote:
>
>> Hi Wink,
>>
>> The one bad signature warning you got is for my old sub-key used for
>> encryption. It doesn't matter that it's not imported since it's not
>> used anymore, and was never used to sign llvm releases.
>>
>> I've updated my key on the key server and on the release page.
>>
>> Thanks for checking!
>>
>>  - Hans
>>
>> On Thu, Apr 4, 2019 at 5:58 PM Wink Saville <wink at saville.com> wrote:
>> >
>> > With the new signature file I was able to verify, but there was
>> > still a bad signature: "gpg: key 0x0FC3042E345AD05D: 1 bad signature"
>> > which I highlighted below. Didn't seem to be a problem, but thought
>> > I'd point it out. I'd be glad to do additional tests if you'd like.
>> >
>> > $ gpg --list-keys
>> > /home/wink/.gnupg/pubring.kbx
>> > -----------------------------
>> > pub   rsa4096/0x9F79B9CEB03232F9 2018-04-18 [C] [expires: 2019-04-18]
>> >       Key fingerprint = 0B15 37E2 6423 4EF7 7934  7A79 9F79 B9CE B032 32F9
>> > uid                   [ultimate] Winthrop Lyon Saville III <wink at saville.com>
>> > sub   rsa4096/0xD232788D248BCF0E 2018-04-18 [S] [expires: 2019-04-18]
>> > sub   rsa4096/0x9220D48FF6008D0D 2018-04-18 [E] [expires: 2019-04-18]
>> > sub   rsa4096/0x92BB19D0D4F68457 2018-04-18 [A] [expires: 2019-04-18]
>> >
>> > pub   rsa2048/0x7F2D434B9741E8AC 2011-04-10 [SC]
>> >       Key fingerprint = 4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC
>> > uid                   [ unknown] Pierre Schmitz <pierre at archlinux.de>
>> > sub   rsa2048/0xE9B9D36A54211796 2011-04-10 [E]
>> >
>> > wink at wink-desktop:~
>> > $ gpg --import Documents/keys-crypto/hans-gpg-key.asc
>> > gpg: Note: signatures using the SHA1 algorithm are rejected
>> > gpg: key 0x0FC3042E345AD05D: 1 bad signature
>> > gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <hans at chromium.org>" imported
>> > gpg: Total number processed: 1
>> > gpg:               imported: 1
>> > wink at wink-desktop:~
>> > $ echo $?
>> > 0
>> > wink at wink-desktop:~
>> > $ gpg --list-keys
>> > /home/wink/.gnupg/pubring.kbx
>> > -----------------------------
>> > pub   rsa4096/0x9F79B9CEB03232F9 2018-04-18 [C] [expires: 2019-04-18]
>> >       Key fingerprint = 0B15 37E2 6423 4EF7 7934  7A79 9F79 B9CE B032 32F9
>> > uid                   [ultimate] Winthrop Lyon Saville III <wink at saville.com>
>> > sub   rsa4096/0xD232788D248BCF0E 2018-04-18 [S] [expires: 2019-04-18]
>> > sub   rsa4096/0x9220D48FF6008D0D 2018-04-18 [E] [expires: 2019-04-18]
>> > sub   rsa4096/0x92BB19D0D4F68457 2018-04-18 [A] [expires: 2019-04-18]
>> >
>> > pub   rsa2048/0x7F2D434B9741E8AC 2011-04-10 [SC]
>> >       Key fingerprint = 4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC
>> > uid                   [ unknown] Pierre Schmitz <pierre at archlinux.de>
>> > sub   rsa2048/0xE9B9D36A54211796 2011-04-10 [E]
>> >
>> > pub   rsa4096/0x0FC3042E345AD05D 2015-01-20 [SC] [expires: 2023-01-15]
>> >       Key fingerprint = B6C8 F982 82B9 44E3 B0D5  C253 0FC3 042E 345A D05D
>> > uid                   [ unknown] Hans Wennborg <hans at chromium.org>
>> > sub   rsa4096/0x3276ABBAE8E36D78 2019-04-04 [E] [expires: 2024-04-02]
>> >
>> > wink at wink-desktop:~
>> > $ gpg --verify ./Downloads/llvm-8.0.0.src.tar.xz.sig ./Downloads/llvm-8.0.0.src.tar.xz
>> > gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT
>> > gpg:                using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D
>> > gpg: Good signature from "Hans Wennborg <hans at chromium.org>" [unknown]
>> > gpg: WARNING: This key is not certified with a trusted signature!
>> > gpg:          There is no indication that the signature belongs to the owner.
>> > Primary key fingerprint: B6C8 F982 82B9 44E3 B0D5  C253 0FC3 042E 345A D05D
>> > wink at wink-desktop:~
>> > $ echo $?
>> > 0
>> >
>> >
>> >
>> > On Thu, Apr 4, 2019 at 1:57 AM Hans Wennborg <hans at chromium.org> wrote:
>> >>
>> >> Hi Wink,
>> >>
>> >> Sorry for the late reply. I didn't see your email until now.
>> >>
>> >> It's the "Note: signatures using the SHA1 algorithm are rejected"
>> >> error that's the problem.
>> >>
>> >> It seems your gpg version doesn't like the message digest that was
>> >> used for the self-signature on my public key. I think the signatures
>> >> on the tarballs themselves should be okay, but that doesn't help if
>> >> you can't import my key of course.
>> >>
>> >> I've tried to create a new self signature on my key. Can you try "gpg
>> >> --import" on the attached file and let me know if "gpg --verify" works
>> >> afterwards?
>> >>
>> >> Thanks,
>> >> Hans
>> >>
>> >> On Fri, Mar 29, 2019 at 6:56 PM Wink Saville via llvm-dev
>> >> <llvm-dev at lists.llvm.org> wrote:
>> >> >
>> >> > I'm on an Arch Linux system:
>> >> > $ uname -a
>> >> > Linux wink-desktop 5.0.4-arch1-1-ARCH #1 SMP PREEMPT Sat Mar 23 21:00:33 UTC 2019 x86_64 GNU/Linux
>> >> >
>> >> > My gpg version is:
>> >> > $ gpg --version
>> >> > gpg (GnuPG) 2.2.15
>> >> > libgcrypt 1.8.4
>> >> > Copyright (C) 2019 Free Software Foundation, Inc.
>> >> > License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
>> >> > This is free software: you are free to change and redistribute it.
>> >> > There is NO WARRANTY, to the extent permitted by law.
>> >> >
>> >> > Home: /home/wink/.gnupg
>> >> > Supported algorithms:
>> >> > Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
>> >> > Cipher: IDEA, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
>> >> >         CAMELLIA192, CAMELLIA256
>> >> > Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
>> >> > Compression: Uncompressed, ZIP, ZLIB, BZIP2
>> >> >
>> >> >
>> >> > I went to http://releases.llvm.org/download.html and downloaded llvm-8.0.0:
>> >> > http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz
>> >> > http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz.sig
>> >> > http://releases.llvm.org/8.0.0/hans-gpg-key.asc
>> >> >
>> >> > I tried to import hans-gpg-key.asc but got an error:
>> >> > $ gpg --import hans-gpg-key.asc
>> >> > gpg: Note: signatures using the SHA1 algorithm are rejected
>> >> > gpg: key 0x0FC3042E345AD05D: 2 bad signatures
>> >> > gpg: key 0x0FC3042E345AD05D: no valid user IDs
>> >> > gpg: this may be caused by a missing self-signature
>> >> > gpg: Total number processed: 1
>> >> > gpg:           w/o user IDs: 1
>> >> >
>> >> > Searched around and found there is --allow-non-selfsigned-uid and
>> >> > it appears to succeed:
>> >> > $ gpg --import --allow-non-selfsigned-uid hans-gpg-key.asc
>> >> > gpg: Note: signatures using the SHA1 algorithm are rejected
>> >> > gpg: key 0x0FC3042E345AD05D: 2 bad signatures
>> >> > gpg: key 0x0FC3042E345AD05D: accepted non self-signed user ID "Hans Wennborg <hans at chromium.org>"
>> >> > gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <hans at chromium.org>" imported
>> >> > gpg: Total number processed: 1
>> >> > gpg:               imported: 1
>> >> >
>> >> > But when I verify I get an error "SHA1 algorithm rejected":
>> >> > $ gpg --verify llvm-8.0.0.src.tar.xz.sig llvm-8.0.0.src.tar.xz
>> >> > gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT
>> >> > gpg:                using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D
>> >> > gpg: Note: signatures using the SHA1 algorithm are rejected
>> >> > gpg: Can't check signature: Bad public key
>> >> >
>> >> >
>> >> > Have I done something wrong?
>> >> >
>> >> > Is there an md5sum or some other HASH available so I could check the source manually?
>> >> >
>> >> > -- Wink
>> >> >
>> >> >
>> >> > _______________________________________________
>> >> > LLVM Developers mailing list
>> >> > llvm-dev at lists.llvm.org
>> >> > https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
>>
>
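The thread shows that gpg exits 0 from an import that reported bad signatures, and that a "Good signature" can still come with a "not certified" warning. As an added example (not from the thread or the LLVM project), the check a release consumer would script: parse gpg's machine-readable --status-fd lines and pin the signing key to the fingerprint published on the download page. The status lines embedded below are constructed to mimic gpg's format; the fingerprint is the one gpg printed in the thread.

```python
"""Added example (not from the thread): accept a gpg --verify result only when
its --status-fd output has a VALIDSIG for the expected fingerprint."""
import subprocess

# Fingerprint of the release-signing key as gpg printed it in the thread.
LLVM_8_RELEASE_FPR = "B6C8F98282B944E3B0D5C2530FC3042E345AD05D"

# Constructed status lines mimicking gpg's output for the thread's good
# verification (RSA, SHA-256, signature made 2019-03-18 13:32:17 UTC).
GOOD_STATUS = [
    "[GNUPG:] GOODSIG 0FC3042E345AD05D Hans Wennborg <hans@chromium.org>",
    "[GNUPG:] VALIDSIG B6C8F98282B944E3B0D5C2530FC3042E345AD05D 2019-03-18 "
    "1552915937 0 4 0 1 8 00 B6C8F98282B944E3B0D5C2530FC3042E345AD05D",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",  # source of the "not certified" warning
]
# Constructed: a signature that verifies, but under a key nobody expected.
WRONG_KEY_STATUS = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-03-18 "
    "1552915937 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567",
]
FAILURES = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG")

def parse_gpg_status(lines, expected_fpr):
    """Return (ok, reason). ok only if a VALIDSIG names expected_fpr as the
    signing key or its primary key and no failure keyword appears."""
    expected = expected_fpr.replace(" ", "").upper()  # gpg prints it spaced
    seen = []
    for raw in lines:
        fields = raw.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FAILURES:
            return False, f"{fields[1]}: {' '.join(fields[2:])}"
        if fields[1] == "VALIDSIG":
            seen.append(fields[2].upper())   # key that made the signature
            if len(fields) >= 12:            # optional primary-key fingerprint
                seen.append(fields[11].upper())
    if not seen:
        return False, "no VALIDSIG line: nothing was verified"
    if expected not in seen:
        return False, f"signed by {seen[0]}, expected {expected}"
    return True, "good signature from the expected key"

def verify_with_gpg(sig_path, data_path, expected_fpr, gpg="gpg"):
    """Run gpg on real files with status lines on stdout; same policy as above."""
    cmd = [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_gpg_status(proc.stdout.splitlines(), expected_fpr)
```

The "not certified" warning is left in place on purpose: pinning the fingerprint taken from the release page is the trust decision, so no web-of-trust certification is needed for the check to be meaningful.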