msys2 / MSYS2-keyring

Master and packager keys for MSYS2 official Pacman repositories

Some key signatures are considered weak with gnupg 2.4 #45

Open lazka opened 9 months ago

lazka commented 9 months ago

Updating to gnupg 2.4 results in Alexey's packager key losing trust:

error: perl-Error: signature from "Alexey Pavlov (Alexpux) <alexpux@gmail.com>" is marginal trust
:: File /var/cache/pacman/pkg/perl-Error-0.17029-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
error: perl-LWP-MediaTypes: signature from "Alexey Pavlov (Alexpux) <alexpux@gmail.com>" is marginal trust
Do you want to delete it? [Y/n] 
:: File /var/cache/pacman/pkg/perl-LWP-MediaTypes-6.04-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).

This is because 3 out of the currently 4 signatures on the packager key use a weak digest algorithm (SHA1); the 4th is from Ray's revoked key, so ignore it:

$ gpg --list-packets packager/Alexpux.asc  | grep -n2 "digest algo 2"
26-:signature packet: algo 1, keyid F40D263ECA25678A
27-     version 4, created 1411928539, md5len 0, sigclass 0x10
28:     digest algo 2, begin of digest a6 d5
29-     hashed subpkt 2 len 4 (sig created 2014-09-28)
30-     subpkt 16 len 8 (issuer key ID F40D263ECA25678A)
--
33-:signature packet: algo 1, keyid 9F418C233E652008
34-     version 4, created 1411983368, md5len 0, sigclass 0x10
35:     digest algo 2, begin of digest ed 29
36-     hashed subpkt 2 len 4 (sig created 2014-09-29)
37-     subpkt 16 len 8 (issuer key ID 9F418C233E652008)
--
40-:signature packet: algo 1, keyid BBE514E53E0D0813
41-     version 4, created 1411922751, md5len 0, sigclass 0x10
42:     digest algo 2, begin of digest 79 8e
43-     hashed subpkt 2 len 4 (sig created 2014-09-28)
44-     subpkt 16 len 8 (issuer key ID BBE514E53E0D0813)
--
47-:signature packet: algo 1, keyid DA7EF2ABAEEA755C
48-     version 4, created 1412450524, md5len 0, sigclass 0x10
49:     digest algo 2, begin of digest 95 fe
50-     hashed subpkt 2 len 4 (sig created 2014-10-04)
51-     subpkt 16 len 8 (issuer key ID DA7EF2ABAEEA755C)

In theory, Alexey could re-sign his packager key with a better algorithm, and @elieux could add a signature for Alexey's packager key, which, together with mine, would get us back to three non-weak signatures. Not sure that's worth it.

I've added a regression test in https://github.com/msys2/msys2-tests/pull/56 as well, so we notice when the key trust fails in the future.
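
The check above relies on reading `gpg --list-packets` output by eye and counting `digest algo 2` lines. The script below is an added example (not part of the MSYS2-keyring repository or of this issue) that automates that count: it walks the signature packets, keeps only user-ID certifications (sigclass 0x10 to 0x13), maps the digest algorithm number to its RFC 4880 name, flags MD5 and SHA1 as weak, and optionally skips issuer key IDs passed as the first argument, so a revoked signer can be excluded the way the comment above excludes Ray's key. The sample input is constructed to mirror the packet layout quoted above; its key IDs are made up, and the ignore-list parameter is this example's own convention, not a gpg feature.

```shell
#!/bin/sh
# Classify the certification signatures in `gpg --list-packets` output by digest algorithm.
# Digest algorithm IDs follow RFC 4880 section 9.4 (1 = MD5, 2 = SHA1, 8 = SHA256, ...).
# Usage: gpg --list-packets packager/Alexpux.asc | weak_sigs_report [IGNORED_KEYIDS]
# IGNORED_KEYIDS is an optional space-separated list of issuer key IDs to leave out
# (e.g. a signer whose key has since been revoked). This parameter is an assumption
# of this example, not part of any gpg interface.
weak_sigs_report() {
    awk -v ignore="${1:-}" '
    BEGIN {
        n = split(ignore, skip_arr, " ")
        for (i = 1; i <= n; i++) skip[toupper(skip_arr[i])] = 1
        name[1] = "MD5"; name[2] = "SHA1"; name[3] = "RIPEMD160"
        name[8] = "SHA256"; name[9] = "SHA384"; name[10] = "SHA512"; name[11] = "SHA224"
        weak[1] = 1; weak[2] = 1   # MD5 and SHA1 are the digests flagged as weak here
    }
    function flush() {
        if (keyid == "") return
        # 0x10..0x13 are certifications over a user ID (RFC 4880 5.2.1);
        # subkey bindings (0x18) and revocations (0x20/0x30) are not counted.
        if (sigclass ~ /^0x1[0-3]$/ && !(keyid in skip)) {
            status = (algo in weak) ? "WEAK" : "ok  "
            label  = (algo in name) ? name[algo] : "algo" algo
            printf "%s %-9s sigclass %s issuer %s\n", status, label, sigclass, keyid
            if (algo in weak) nweak++; else nstrong++
        }
        keyid = ""
    }
    /^:signature packet:/ {
        flush()
        for (i = 1; i <= NF; i++) if ($i == "keyid") keyid = toupper($(i + 1))
        algo = ""; sigclass = ""
        next
    }
    /sigclass/ { for (i = 1; i <= NF; i++) if ($i == "sigclass") sigclass = $(i + 1) }
    /^[ \t]*digest algo/ { algo = $3; sub(/,/, "", algo) }
    END { flush(); printf "weak=%d strong=%d\n", nweak + 0, nstrong + 0 }
    '
}

# Constructed sample modelled on the --list-packets output quoted in the issue.
# The key IDs are made up; only the packet layout matters for the parser.
sample_packets() {
    cat <<'EOF'
:signature packet: algo 1, keyid 1111111111111111
     version 4, created 1411928539, md5len 0, sigclass 0x10
     digest algo 2, begin of digest a6 d5
     hashed subpkt 2 len 4 (sig created 2014-09-28)
     subpkt 16 len 8 (issuer key ID 1111111111111111)
:signature packet: algo 1, keyid 2222222222222222
     version 4, created 1411983368, md5len 0, sigclass 0x10
     digest algo 2, begin of digest ed 29
     subpkt 16 len 8 (issuer key ID 2222222222222222)
:signature packet: algo 1, keyid 3333333333333333
     version 4, created 1411922751, md5len 0, sigclass 0x10
     digest algo 2, begin of digest 79 8e
     subpkt 16 len 8 (issuer key ID 3333333333333333)
:signature packet: algo 1, keyid 4444444444444444
     version 4, created 1680000000, md5len 0, sigclass 0x10
     digest algo 10, begin of digest 12 34
     subpkt 16 len 8 (issuer key ID 4444444444444444)
:signature packet: algo 1, keyid 5555555555555555
     version 4, created 1411915600, md5len 0, sigclass 0x18
     digest algo 8, begin of digest ab cd
     subpkt 16 len 8 (issuer key ID 5555555555555555)
EOF
}

# Stand-alone demo on the constructed sample. Against a real key file:
#   gpg --list-packets packager/Alexpux.asc | weak_sigs_report "<revoked-signer-keyid>"
sample_packets | weak_sigs_report
```

On the sample this prints three `WEAK SHA1` certifications, one `ok SHA512` certification, and the summary `weak=3 strong=1`; the 0x18 subkey binding is skipped. Passing one of the weak issuer key IDs as the first argument drops it from both the listing and the count, which is the arithmetic the comment above does by hand when it ignores the revoked signer. Note that gpg's `--allow-weak-key-signatures` option would make pacman accept the key again, but that only silences the check; it does not add the non-weak certifications the comment is asking for.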

lazka commented 8 months ago

As of today the repos no longer contain packages signed by the weak key. Older versions still do, of course.

lazka commented 3 months ago

672 packages left on the server, 226 come from i686.