gustavo-iniguez-goya
commented
7 months ago Thank you @GSF1200S ! absolutely, I'll verify the rpms again.
Closed GSF1200S closed 7 months ago
gustavo-iniguez-goya
commented
7 months ago Thank you @GSF1200S ! absolutely, I'll verify the rpms again.
gustavo-iniguez-goya
commented
7 months ago The problem is that the rpm were signed with my old gpg key (47f14912bcf6be9c), which is the one I've been using, until that release aprox. I resigned the deb packages, and updated the checksums, but no the rpms because rpm --checksigs just validated them.
I've resigned the rpm packages and updated the checksums. The keyid is of a subkey:
$ rpm -q --qf "%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none}|}| %{NVRA}\n" -p bins/opensnitch-*rpm
EdDSA/SHA512, mié 29 nov 2023 00:51:27, Key ID 6cd595fefd12dae2 opensnitch-1.6.2-1.aarch64
EdDSA/SHA512, mié 29 nov 2023 00:52:00, Key ID 6cd595fefd12dae2 opensnitch-1.6.2-1.armv7hnl
EdDSA/SHA512, mié 29 nov 2023 00:52:01, Key ID 6cd595fefd12dae2 opensnitch-1.6.2-1.i386
EdDSA/SHA512, mié 29 nov 2023 00:52:01, Key ID 6cd595fefd12dae2 opensnitch-1.6.2-1.x86_64
EdDSA/SHA512, mié 29 nov 2023 00:52:01, Key ID 6cd595fefd12dae2 opensnitch-ui-1.6.2-1.noarch
EdDSA/SHA512, mié 29 nov 2023 00:52:02, Key ID 6cd595fefd12dae2 opensnitch-ui-1.6.2-1.noarchhttps://keyserver.ubuntu.com/pks/lookup?search=6cd595fefd12dae2&fingerprint=on&op=index
Describe the bug The OpenSnitch daemon cannot be installed (unless you ignore the gpg check) because its signature cannot be verified by rpm.
Include the following information:
rpm -qpi opensnitch-1.6.2-1.x86_64.rpm shows on the signature line "Key ID 47f14912bcf6be9c". This command's output will open with:
warning: opensnitch-1.6.2-1.x86_64.rpm: Header V4 DSA/SHA512 Signature, key ID bcf6be9c: NOKEY
Incidentally I have an old copy of the 'gustavo-iniguez-goia.asc' file where this key is listed (and can therefore be imported into rpm for verification allowing the package to install). The asc files accompanying the releases now do not have this key when inspected. E.g. consider:
[gsf1200s@geekdom ~]$ gpg --keyid-format long --list-options show-keyring gustavo_iniguez_goia.asc gpg: WARNING: no command supplied. Trying to guess what you mean ... pub ed25519/141D0D4E9FF44A67 2023-01-21 [SC] F34016AC014BAAF8C90AC730141D0D4E9FF44A67 uid Gustavo Iñiguez Goya (gus) gooffy1@gmail.com uid Gustavo Iñiguez Goya gustavo.iniguez.goya@gmail.com sub cv25519/845F20F2496A4E2F 2023-01-21 [E] sub ed25519/29D49F23A937434D 2023-01-22 [A] sub ed25519/6CD595FEFD12DAE2 2023-01-22 [S]
However the latest UI package 'opensnitch-ui-1.6.4-1.noarch.rpm' lists 'Key ID 6cd595fefd12dae2' on its signature line and thus importing the above 'gustavo-iniguez-goia.asc' (released with the latest Opensnitch) file to rpm will allow this package to install without any issue.
Perhaps I am doing something wrong here? I have not really had issues with manual verification of signed packages in the past, but perhaps if I am doing this wrong it would be wise to very clearly have a section on the wiki for step-by-step package verification. This is security-oriented software so I feel like this is fairly important :)