msys2 / MSYS2-keyring

Master and packager keys for MSYS2 official Pacman repositories

Some key signatures are considered weak with gnupg 2.4 #45

Open lazka opened 1 year ago

lazka commented 1 year ago

Updating to gnupg 2.4 results in Alexey's packager key losing trust:

error: perl-Error: signature from "Alexey Pavlov (Alexpux) <alexpux@gmail.com>" is marginal trust
:: File /var/cache/pacman/pkg/perl-Error-0.17029-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
error: perl-LWP-MediaTypes: signature from "Alexey Pavlov (Alexpux) <alexpux@gmail.com>" is marginal trust
Do you want to delete it? [Y/n] 
:: File /var/cache/pacman/pkg/perl-LWP-MediaTypes-6.04-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).

This is because the packager key has 3 out of currently 4 signatures using a weak algo (SHA1); the 4th is Ray's revoked key, so ignore it:

$ gpg --list-packets packager/Alexpux.asc  | grep -n2 "digest algo 2"
26-:signature packet: algo 1, keyid F40D263ECA25678A
27-     version 4, created 1411928539, md5len 0, sigclass 0x10
28:     digest algo 2, begin of digest a6 d5
29-     hashed subpkt 2 len 4 (sig created 2014-09-28)
30-     subpkt 16 len 8 (issuer key ID F40D263ECA25678A)
--
33-:signature packet: algo 1, keyid 9F418C233E652008
34-     version 4, created 1411983368, md5len 0, sigclass 0x10
35:     digest algo 2, begin of digest ed 29
36-     hashed subpkt 2 len 4 (sig created 2014-09-29)
37-     subpkt 16 len 8 (issuer key ID 9F418C233E652008)
--
40-:signature packet: algo 1, keyid BBE514E53E0D0813
41-     version 4, created 1411922751, md5len 0, sigclass 0x10
42:     digest algo 2, begin of digest 79 8e
43-     hashed subpkt 2 len 4 (sig created 2014-09-28)
44-     subpkt 16 len 8 (issuer key ID BBE514E53E0D0813)
--
47-:signature packet: algo 1, keyid DA7EF2ABAEEA755C
48-     version 4, created 1412450524, md5len 0, sigclass 0x10
49:     digest algo 2, begin of digest 95 fe
50-     hashed subpkt 2 len 4 (sig created 2014-10-04)
51-     subpkt 16 len 8 (issuer key ID DA7EF2ABAEEA755C)

In theory, Alexey could re-sign his packager key with a better algo, and @elieux could add a signature for Alexey's packager key, which, together with mine, would get us back to three non-weak signatures. Not sure that's worth it.

I've added a regression test in https://github.com/msys2/msys2-tests/pull/56 as well, so we notice when the key trust fails in the future.
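As an added example (not code from the issue or the MSYS2 project), here is a small parser for the `gpg --list-packets` dump shown above that separates the certifications gnupg 2.4 still accepts from the SHA1/MD5 ones and lets you skip a revoked issuer; the `1111…` and `2222…` key IDs in the sample are constructed placeholders, not real keys.

```python
"""Added example, not from the issue: count the certifications on a packager
key that gnupg 2.4 still accepts, from `gpg --list-packets` output (with or
without the `NN-`/`NN:` line prefixes that `grep -n2` adds)."""
import re

WEAK_DIGESTS = {1: "MD5", 2: "SHA1"}   # RFC 4880 hash IDs gnupg 2.4 rejects
CERT_SIGCLASSES = range(0x10, 0x14)    # 0x10..0x13 = key/UID certifications

def parse_signatures(dump):
    """Return one dict (issuer, sigclass, digest) per signature packet."""
    sigs, cur = [], None
    for raw in dump.splitlines():
        line = re.sub(r"^\d+[-:]", "", raw).strip()   # drop grep -n prefix
        if line.startswith(":signature packet:"):
            cur = {"issuer": re.search(r"keyid (\w+)", line).group(1)}
            sigs.append(cur)
        elif cur is not None:
            m = re.search(r"sigclass 0x([0-9a-fA-F]+)", line)
            if m: cur["sigclass"] = int(m.group(1), 16)
            m = re.search(r"digest algo (\d+)", line)
            if m: cur["digest"] = int(m.group(1))
    return sigs

def classify(dump, revoked=frozenset()):
    """Issuer IDs of weak (MD5/SHA1) and strong certifications, skipping revoked issuers."""
    weak, strong = [], []
    for s in parse_signatures(dump):
        if s.get("sigclass") not in CERT_SIGCLASSES or s["issuer"] in revoked:
            continue
        (weak if s.get("digest") in WEAK_DIGESTS else strong).append(s["issuer"])
    return weak, strong

# Constructed sample: two of the SHA1 certifications quoted in the issue (grep -n2
# form) plus two made-up packets: a SHA-256 one and one from a "revoked" issuer.
SAMPLE = """\
26-:signature packet: algo 1, keyid F40D263ECA25678A
27-     version 4, created 1411928539, md5len 0, sigclass 0x10
28:     digest algo 2, begin of digest a6 d5
--
33-:signature packet: algo 1, keyid 9F418C233E652008
34-     version 4, created 1411983368, md5len 0, sigclass 0x10
35:     digest algo 2, begin of digest ed 29
:signature packet: algo 1, keyid 1111111111111111
        version 4, created 1700000000, md5len 0, sigclass 0x10
        digest algo 8, begin of digest 00 00
:signature packet: algo 1, keyid 2222222222222222
        version 4, created 1700000000, md5len 0, sigclass 0x10
        digest algo 2, begin of digest 00 00
"""
```

The three non-weak certifications mentioned above match gnupg's default `marginals-needed` of 3, so `len(strong)` tells you how far a key is from regaining full validity.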

lazka commented 11 months ago

As of today the repos no longer contain packages signed by the weak key. Older versions still do, of course.

lazka commented 5 months ago

672 packages left on the server, 226 come from i686.