tukaani-project / xz

XZ Utils
https://tukaani.org/xz/

Have you changed your pubkey? #110

Closed baybal closed 3 months ago

baybal commented 3 months ago

Hello,

Have you changed your key on https://tukaani.org/misc/lasse_collin_pubkey.txt ?

>>> Emerging (1 of 2) sec-keys/openpgp-keys-lassecollin-20230213::gentoo
 * Fetching files in the background.
 * To view fetch progress, run in another terminal:
 * tail -f /var/log/emerge-fetch.log
>>> Downloading 'https://mirror.isoc.org.il/pub/gentoo/distfiles/layout.conf'
--2024-04-16 03:45:15--  https://mirror.isoc.org.il/pub/gentoo/distfiles/layout.conf
Resolving mirror.isoc.org.il (mirror.isoc.org.il)... 2a01:4280:2:20::2, 192.115.2.70
Connecting to mirror.isoc.org.il (mirror.isoc.org.il)|2a01:4280:2:20::2|:443... connected.
ERROR: cannot verify mirror.isoc.org.il's certificate, issued by ‘CN=ZeroSSL RSA Domain Secure Site CA,O=ZeroSSL,C=AT’:
  Issued certificate has expired.
To connect to mirror.isoc.org.il insecurely, use `--no-check-certificate'.
!!! Couldn't download '.layout.conf.mirror.isoc.org.il'. Aborting.
>>> Downloading 'https://mirror.isoc.org.il/pub/gentoo/distfiles/openpgp-keys-lassecollin-20230213-lasse_collin_pubkey.txt'
--2024-04-16 03:45:17--  https://mirror.isoc.org.il/pub/gentoo/distfiles/openpgp-keys-lassecollin-20230213-lasse_collin_pubkey.txt
Resolving mirror.isoc.org.il (mirror.isoc.org.il)... 2a01:4280:2:20::2, 192.115.2.70
Connecting to mirror.isoc.org.il (mirror.isoc.org.il)|2a01:4280:2:20::2|:443... connected.
ERROR: cannot verify mirror.isoc.org.il's certificate, issued by ‘CN=ZeroSSL RSA Domain Secure Site CA,O=ZeroSSL,C=AT’:
  Issued certificate has expired.
To connect to mirror.isoc.org.il insecurely, use `--no-check-certificate'.
>>> Downloading 'https://tukaani.org/misc/lasse_collin_pubkey.txt'
--2024-04-16 03:45:19--  https://tukaani.org/misc/lasse_collin_pubkey.txt
Resolving tukaani.org (tukaani.org)... 5.44.245.25
Connecting to tukaani.org (tukaani.org)|5.44.245.25|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3151 (3.1K) [text/plain]
Saving to: ‘/usr/portage/distfiles/openpgp-keys-lassecollin-20230213-lasse_collin_pubkey.txt.__download__’

/usr/portage/distfi 100%[===================>]   3.08K  --.-KB/s    in 0s      

2024-04-16 03:45:20 (1.43 GB/s) - ‘/usr/portage/distfiles/openpgp-keys-lassecollin-20230213-lasse_collin_pubkey.txt.__download__’ saved [3151/3151]

!!! Fetched file: openpgp-keys-lassecollin-20230213-lasse_collin_pubkey.txt VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got:      3151
!!! Expected: 4658
Refetching... File renamed to '/usr/portage/distfiles/openpgp-keys-lassecollin-20230213-lasse_collin_pubkey.txt._checksum_failure_.hi7__t65'

!!! Couldn't download 'openpgp-keys-lassecollin-20230213-lasse_collin_pubkey.txt'. Aborting.
 * Fetch failed for 'sec-keys/openpgp-keys-lassecollin-20230213', Log file:
 *  '/var/tmp/portage/sec-keys/openpgp-keys-lassecollin-20230213/temp/build.log'

floscher commented 3 months ago

Here is the difference: https://web.archive.org/web/diff/20240330212225/20240413042118/https://tukaani.org/misc/lasse_collin_pubkey.txt

Jia Tan's signature was removed. Otherwise the key looks the same (has same fingerprint). This can be seen when doing gpg --show-key ‹filename› and gpg --list-packets ‹filename› on the files:

pub   rsa4096 2010-10-24 [SC] [expires: 2025-02-07]
      3690C240CE51B4670D30AD1C38EE757D69184620
uid                      Lasse Collin <lasse.collin@tukaani.org>
sub   rsa4096 2010-10-24 [E] [expires: 2025-02-07]
--- /2024-03-30.asc 2024-03-30 21:22:25.000000000 +0000
+++ /2024-04-13.asc 2024-04-13 04:21:18.000000000 +0000
@@ -1,47 +1,39 @@
-t # off=0 ctb=99 tag=6 hlen=3 plen=525
+ # off=0 ctb=99 tag=6 hlen=3 plen=525
 :public key packet:
    version 4, algo 1, created 1287928210, expires 0
    pkey[0]: [4096 bits]
    pkey[1]: [17 bits]
    keyid: 38EE757D69184620
 # off=528 ctb=b4 tag=13 hlen=2 plen=39
 :user ID packet: "Lasse Collin <lasse.collin@tukaani.org>"
 # off=569 ctb=89 tag=2 hlen=3 plen=593
 :signature packet: algo 1, keyid 38EE757D69184620
    version 4, created 1704724937, md5len 0, sigclass 0x13
    digest algo 10, begin of digest 4e 2a
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 30 len 1 (features: 01)
    hashed subpkt 23 len 1 (keyserver preferences: 80)
    hashed subpkt 11 len 3 (pref-sym-algos: 9 8 7)
    hashed subpkt 21 len 2 (pref-hash-algos: 10 8)
    hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
    hashed subpkt 33 len 21 (issuer fpr v4 3690C240CE51B4670D30AD1C38EE757D69184620)
    hashed subpkt 2 len 4 (sig created 2024-01-08)
    hashed subpkt 9 len 4 (key expires after 14y110d0h52m)
    subpkt 16 len 8 (issuer key ID 38EE757D69184620)
    data: [4094 bits]
-# off=1165 ctb=89 tag=2 hlen=3 plen=563
-:signature packet: algo 1, keyid 59FCF207FEA7F445
-   version 4, created 1705067517, md5len 0, sigclass 0x10
-   digest algo 10, begin of digest f2 f9
-   hashed subpkt 33 len 21 (issuer fpr v4 22D465F2B4C173803B20C6DE59FCF207FEA7F445)
-   hashed subpkt 2 len 4 (sig created 2024-01-12)
-   subpkt 16 len 8 (issuer key ID 59FCF207FEA7F445)
-   data: [4096 bits]
-# off=1731 ctb=b9 tag=14 hlen=3 plen=525
+# off=1165 ctb=b9 tag=14 hlen=3 plen=525
 :public sub key packet:
    version 4, algo 1, created 1287928210, expires 0
    pkey[0]: [4096 bits]
    pkey[1]: [17 bits]
    keyid: 5923A9D358ADF744
-# off=2259 ctb=89 tag=2 hlen=3 plen=572
+# off=1693 ctb=89 tag=2 hlen=3 plen=572
 :signature packet: algo 1, keyid 38EE757D69184620
    version 4, created 1704724914, md5len 0, sigclass 0x18
    digest algo 10, begin of digest bb 26
    hashed subpkt 27 len 1 (key flags: 0C)
    hashed subpkt 33 len 21 (issuer fpr v4 3690C240CE51B4670D30AD1C38EE757D69184620)
    hashed subpkt 2 len 4 (sig created 2024-01-08)
    hashed subpkt 9 len 4 (key expires after 14y110d0h51m)
    subpkt 16 len 8 (issuer key ID 38EE757D69184620)
    data: [4096 bits]
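
Review bot: the only packet this hunk drops, at off=1165, is a sigclass 0x10 certification issued by keyid 59FCF207FEA7F445, so to judge whether the key itself changed, check the context lines rather than the file size: the public key packet (keyid 38EE757D69184620), the 0x13 self-signature and the 0x18 subkey binding signature are all unchanged. The two remaining -/+ pairs are only offsets moving down by 566 bytes (hlen 3 + plen 563 of the removed packet), and the -t/+ pair on the first line differs by a stray leading character, not by packet content. Any pin on the file's size or checksum has to be regenerated after a change like this; a pin on the fingerprint 3690C240CE51B4670D30AD1C38EE757D69184620 does not.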

keyid 59FCF207FEA7F445 is the key of @JiaT75: https://keyserver.ubuntu.com/pks/lookup?search=59FCF207FEA7F445&fingerprint=on&op=index
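
The effect described in the comment above, as an added example that is not part of the thread or of the xz project: a v4 fingerprint is computed over the public key packet alone, so removing a third-party certification changes the file's size and checksum but not the fingerprint. The key material, user ID and `OTHER_ID` are constructed for illustration, and the parser assumes old-format packet headers and 1-byte subpacket lengths.

```python
import hashlib

def packet(tag, body):
    """Old-format packet, 2-byte length (ctb 0x99 for tag 6, 0x89 for tag 2)."""
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def parse_packets(data):
    """Split old-format OpenPGP packets into (tag, body, raw) tuples."""
    out, i = [], 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0xC0 != 0x80 or ctb & 3 == 3:
            raise ValueError("only old-format, definite-length packets handled")
        n = 1 << (ctb & 3)                  # length field is 1, 2 or 4 bytes
        end = i + 1 + n + int.from_bytes(data[i + 1:i + 1 + n], "big")
        out.append(((ctb >> 2) & 0xF, data[i + 1 + n:end], data[i:end]))
        i = end
    return out

def fingerprint_v4(key_body):
    """SHA-1 over 0x99, 2-byte length and the key packet body only."""
    return hashlib.sha1(packet(6, key_body)).hexdigest().upper()

def issuer(sig_body):
    """Issuer key ID (subpacket 16) of a v4 signature, or None if absent."""
    pos = 4
    for _ in range(2):                      # hashed area, then unhashed area
        end = pos + 2 + int.from_bytes(sig_body[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            slen = sig_body[pos]            # counts the type octet plus the data
            if sig_body[pos + 1] & 0x7F == 16:
                return sig_body[pos + 2:pos + 1 + slen].hex().upper()
            pos += 1 + slen

def strip_signatures_by(data, keyid):
    """Drop signature packets (tag 2) issued by keyid; other bytes are untouched."""
    return b"".join(r for t, b, r in parse_packets(data) if t != 2 or issuer(b) != keyid)

def make_sig(sigclass, keyid):
    """Constructed v4 signature: issuer in the unhashed area, dummy 1-bit MPI."""
    return bytes([4, sigclass, 1, 10, 0, 0, 0, 10, 9, 16]) + bytes.fromhex(keyid) + b"\x00\x00\x00\x01\x01"

# Constructed sample, not a real key: v4 RSA key packet, toy modulus, e = 65537.
KEY_BODY = b"\x04" + (1287928210).to_bytes(4, "big") + b"\x01\x00\x10\xc0\x01\x00\x11\x01\x00\x01"
SELF_ID, OTHER_ID = fingerprint_v4(KEY_BODY)[-16:], "1122334455667788"  # OTHER_ID made up
BEFORE = (packet(6, KEY_BODY) + packet(13, b"Example User <user@example.org>")
          + packet(2, make_sig(0x13, SELF_ID)) + packet(2, make_sig(0x10, OTHER_ID)))
AFTER = strip_signatures_by(BEFORE, OTHER_ID)
```

`BEFORE` and `AFTER` differ in length and content, yet `fingerprint_v4` of the tag-6 packet body is identical for both, which is why a size or checksum pin on a key file breaks while a fingerprint pin holds.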

Larhzu commented 3 months ago

> Jia Tan's signature was removed.

Yes, I did exactly this. The key is now on https://keys.openpgp.org/ and at https://github.com/Larhzu.gpg as well.