QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

builder-v2: fetch stage fails due to incorrect public key for `lvm2` #9290

Open peakunshift opened 5 months ago

peakunshift commented 5 months ago

Qubes OS release

v4.2

Brief summary

When using builder-v2, the Fetch stage fails with this issue:

```
sqv --keyring /tmp/tmp.6iZBXPWQav/keyring /home/user/Qubes/qubes-builderv2/artifacts/tmp/tmpp2l3ncip/untrusted_LVM2.2.03.09.tgz.asc /home/user/Qubes/qubes-builderv2/artifacts/tmp/tmpp2l3ncip/untrusted_LVM2.2.03.09.tgz
Verifying signature:
            Policy rejected non-revocation signature (Binary) requiring collision resistance
  because: SHA1 is not considered secure
```

If we replace the key with the one here (https://keys.openpgp.org/search?q=D501A478440AE2FD130A1BE8B9112431E509039F), we get this error:

```
Signing key on D501A478440AE2FD130A1BE8B9112431E509039F is not bound:
            No binding signature at time 2020-03-26T11:26:45Z
```

Steps to reproduce

Expected behavior

Stage complete as expected.

Actual behavior

Fails because the key currently used is considered insecure.


See https://forum.qubes-os.org/t/building-qubes-trying-to-get-a-first-successful-build/26721
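
Both errors above refer to properties stored in the detached signature itself: the digest algorithm and the signature creation time. The following is an added example, not part of the original issue or of qubes-builderv2, that reads those two fields from an ASCII-armored signature; the function names and the sample packet are constructed for illustration, and only version 4 signature packets without partial body lengths are handled.

```python
import base64
import struct
from datetime import datetime, timezone

HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880, section 9.4

def dearmor(text):
    """Return the binary body of an ASCII-armored OpenPGP block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:]           # blank line ends the armor headers
    return base64.b64decode("".join(l for l in body if l[:1] not in ("=", "-")))

def var_len(buf, i):
    """Decode a 1-, 2- or 5-octet OpenPGP length at buf[i]; return (length, next index)."""
    n = buf[i]
    if n < 192:
        return n, i + 1
    if n < 255:
        return ((n - 192) << 8) + buf[i + 1] + 192, i + 2
    return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5

def inspect_signature(armored):
    """Return (hash algorithm name, creation time) of a v4 detached signature."""
    data = dearmor(armored)
    ctb = data[0]
    if ctb & 0x40:                               # new-format packet header
        tag, (_, off) = ctb & 0x3F, var_len(data, 1)
    else:                                        # old-format packet header
        tag, off = (ctb >> 2) & 0x0F, 1 + (1, 2, 4, 0)[ctb & 3]
    version, _sig_type, _pk_algo, hash_id = data[off:off + 4]
    if tag != 2 or version != 4:
        raise ValueError("not a version 4 signature packet")
    (hashed_len,) = struct.unpack(">H", data[off + 4:off + 6])
    subs, i, created = data[off + 6:off + 6 + hashed_len], 0, None
    while i < len(subs):
        n, j = var_len(subs, i)                  # n counts the type octet too
        if subs[j] & 0x7F == 2:                  # subpacket 2: signature creation time
            (ts,) = struct.unpack(">I", subs[j + 1:j + 5])
            created = datetime.fromtimestamp(ts, timezone.utc)
        i = j + n
    return HASHES.get(hash_id, f"unknown({hash_id})"), created

def constructed_sample():
    """Build a constructed (not cryptographically valid) SHA1 signature packet."""
    ts = int(datetime(2020, 3, 26, 11, 26, 45, tzinfo=timezone.utc).timestamp())
    body = (bytes([4, 0, 1, 2]) + struct.pack(">H", 6) + bytes([5, 2])
            + struct.pack(">I", ts) + bytes(4) + b"\x00\x08\xff")
    b64 = base64.b64encode(bytes([0x88, len(body)]) + body).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n-----END PGP SIGNATURE-----\n"
```

Calling `inspect_signature(open(path).read())` on a real `.asc` file shows whether the signature uses a digest that the verifier's policy rejects, independent of which public key is in the keyring.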

peakunshift commented 5 months ago

I'm willing to open a PR but I don't know where to find the correct key.

peakunshift commented 5 months ago

I think this is the exact same problem as reported here by @marmarek: https://gitlab.com/sequoia-pgp/sequoia-sqv/-/issues/4 (see https://github.com/QubesOS/qubes-builderv2/commit/fae0db1811367abf8057c8c320f444baf23dc7e3). Should we go back to gpgv again?

marmarek commented 5 months ago

What sqv version do you have?

peakunshift commented 5 months ago

sqv 1.2.1 (sequoia-openpgp 1.20.0, using OpenSSL)