pbiering / ipv6calc

ipv6calc
https://www.deepspace6.net/projects/ipv6calc.html
Other
46 stars 15 forks source link

Tarball signature issues #42

Closed paravoid closed 1 year ago

paravoid commented 1 year ago
  1. The signature seems to be using the obsolete SHA1 digest algorithm:
    gpgv: Signature made Tue Jun 13 03:23:32 2023 UTC
    gpgv:                using RSA key AAB38CB797C750C778C608C6DDEB141DF7380F61
    gpgv: Note: signatures using the SHA1 algorithm are rejected
    gpgv: Can't check signature: Bad public key

    This is likely due to an older version of GnuPG as I think newer versions have improved defaults.

But you can override the defaults using --personal-cipher-preferences, I believe.

  1. It looks like your key has expired:
    $ gpg --list-keys AAB38CB797C750C778C608C6DDEB141DF7380F61
    pub   rsa4096/0xDDEB141DF7380F61 2013-11-04 [SC] [expired: 2022-02-04]
      Key fingerprint = AAB3 8CB7 97C7 50C7 78C6  08C6 DDEB 141D F738 0F61
    uid                   [ expired] Peter Bieringer (Code Signing Key 2013) <code@bieringer.de>
    uid                   [ expired] [jpeg image of size 2653]
paravoid commented 1 year ago

So both of these seem to be due to me using an older key. I think http://www.bieringer.de/ftp/pub/linux/IPv6/ipv6calc/ has your older key, but I see now that https://www.deepspace6.net/ftp/pub/ds6/sources/ipv6calc/CODE-GPG-KEY-bieringer.de-2013 has a newer version that expires in 2027.

pbiering commented 1 year ago

@paravoid : thank you for reporting outdated key, have updated them now here: http://www.bieringer.de/ftp/pub/linux/IPv6/ipv6calc/

And used signature algorithm is SHA256 for latest version.

gpg --verbose --verify ipv6calc-4.1.0.tar.gz.sig
gpg: assuming signed data in 'ipv6calc-4.1.0.tar.gz'
gpg: Signature made Tue 13 Jun 2023 05:23:35 AM CEST
gpg:                using RSA key AAB38CB797C750C778C608C6DDEB141DF7380F61
gpg: using pgp trust model
gpg: Good signature from "Peter Bieringer (Code Signing Key 2013) <code@bieringer.de>" [ultimate]
gpg:                 aka "[jpeg image of size 2653]" [ultimate]
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096