Your message dated Fri, 16 Aug 2024 16:45:46 +0200
with message-id <[email protected]>
and subject line Re: Bug#1031020: sqop: Fails to verify sig on 
gnutls28_3.7.8.orig.tar.xz
has caused the Debian Bug report #1031020,
regarding sqop: Fails to verify sig on gnutls28_3.7.8.orig.tar.xz
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1031020: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031020
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sqop
Version: 0.27.2-1
Severity: normal
X-Debbugs-Cc: [email protected]

I thought this should work, but it does not:
sqop verify gnutls28_3.7.8.orig.tar.xz.asc gnutls-3.7.8/debian/upstream/signing-key.asc < gnutls28_3.7.8.orig.tar.xz.asc
           No acceptable signatures found

One of the signing keys (462225C3B46F34879FC8496CD605848ED7E69871) is in 
gnutls-3.7.8/debian/upstream/signing-key.asc: 

ametzler@argenau:/tmp/GNUTLS$ gpg gnutls28_3.7.8.orig.tar.xz.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: assuming signed data in 'gnutls28_3.7.8.orig.tar.xz'
gpg: Signature made Di 27 Sep 2022 16:07:05 CEST
gpg:                using RSA key A6AB53A01D237A94F9EEC4D0412748A40AFCC2FB
gpg: Good signature from "Alexander Sosedkin <[email protected]>" [unknown]
gpg:                 aka "[jpeg image of size 984]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E987 AB7F 7E89 6677 76D0  5B3B B0E9 DD20 B29F 1432
     Subkey fingerprint: A6AB 53A0 1D23 7A94 F9EE  C4D0 4127 48A4 0AFC C2FB
gpg: Signature made Di 27 Sep 2022 17:14:15 CEST
gpg:                using RSA key 462225C3B46F34879FC8496CD605848ED7E69871
gpg: Good signature from "Daiki Ueno <[email protected]>" [undefined]
gpg:                 aka "Daiki Ueno <[email protected]>" [undefined]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4622 25C3 B46F 3487 9FC8  496C D605 848E D7E6 9871
gpg: Signature made Di 27 Sep 2022 17:36:07 CEST
gpg:                using EDDSA key 5D46CB0F763405A7053556F47A75A648B3F9220C
gpg: Good signature from "Zoltan Fridrich <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5D46 CB0F 7634 05A7 0535  56F4 7A75 A648 B3F9 220C
ametzler@argenau:/tmp/GNUTLS$ gpg gnutls-3.7.8/debian/upstream/signing-key.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa3104 2008-05-04 [SC] [expires: 2028-04-29]
      1F42418905D8206AA754CCDC29EE58B996865171
uid           Nikos Mavrogiannopoulos <[email protected]>
uid           Nikos Mavrogiannopoulos <[email protected]>
uid           Nikos Mavrogiannopoulos <[email protected]>
sub   rsa2048 2018-02-06 [S] [expires: 2028-02-04]
sub   rsa2048 2018-02-06 [E] [expires: 2028-02-04]
pub   rsa4096 2009-07-23 [SC] [expires: 2023-09-25]
      462225C3B46F34879FC8496CD605848ED7E69871
uid           Daiki Ueno <[email protected]>
uid           Daiki Ueno <[email protected]>
sub   rsa4096 2010-02-04 [E]


(Same behavior on sid 0.27.3-1)
cu Andreas

--- End Message ---
--- Begin Message ---
On 2024-07-21 Daniel Kahn Gillmor <[email protected]> wrote:
> Hi Andreas--

> On Fri 2023-02-10 15:38:21 +0100, Andreas Metzler wrote:
> > I thought this should work, but it does not:
> > sqop verify gnutls28_3.7.8.orig.tar.xz.asc gnutls-3.7.8/debian/upstream/signing-key.asc < gnutls28_3.7.8.orig.tar.xz.asc
> >            No acceptable signatures found
> >
> > One of the signing keys (462225C3B46F34879FC8496CD605848ED7E69871) is in 
> > gnutls-3.7.8/debian/upstream/signing-key.asc: 

> I tested this against GnuTLS 3.8.6 with sqop 0.35.0, and i got the same
> result that you did.

> Investigating it further, i found:

>  - the certificate in gnutls-3.8.6/debian/upstream/signing-key.asc that
>    signed the 3.8.6 orig tarball was expired.

>  - many of the certificates in
>    gnutls-3.8.6/debian/upstream/signing-key.asc used SHA-1 in their
>    internal certifications.  SHA-1 should have been phased out years
>    ago, and we should discourage OpenPGP certificates that rely on that
>    algorithm.
[...]

Thanks for the explanation, let's close this report.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

--- End Message ---
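The two findings quoted in the message above (the signing certificate had expired, and several certificates carried self-certifications hashed with SHA-1) can be spotted without verifying any signature, simply by reading OpenPGP packet metadata. The following linter is an added example, not code from the bug report, sqop, Sequoia or GnuTLS. It assumes new-format packet headers with one-octet body lengths and v4 keys (enough for a small certificate); the embedded certificate, its user ID and its key sizes are constructed on the spot and carry a dummy, unverifiable signature value, because the point is the metadata check (hash algorithm octet, key-expiration subpacket), not cryptographic verification.

```python
"""Lint an OpenPGP transferable public key for an expired primary key and for
self-certifications that use SHA-1 (RFC 4880 packet framing). Added example,
not part of the bug report: it reads metadata only and verifies nothing."""
import struct
import time

HASH_NAMES = {1: "MD5", 2: "SHA-1", 3: "RIPEMD160", 8: "SHA-256",
              9: "SHA-384", 10: "SHA-512", 11: "SHA-224"}
SELF_CERT_TYPES = {0x10, 0x11, 0x12, 0x13}   # generic .. positive certification
INTERNAL_SIG_TYPES = SELF_CERT_TYPES | {0x18}  # plus subkey binding


def _packets(data):
    """Yield (tag, body) for new-format packets with one-octet body lengths."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if (hdr & 0xC0) != 0xC0:
            raise ValueError("only new-format packet headers supported")
        tag, length = hdr & 0x3F, data[i + 1]
        if length >= 192:
            raise ValueError("only one-octet body lengths supported")
        i += 2
        yield tag, data[i:i + length]
        i += length


def _subpackets(area):
    """Yield (type, value) for a signature subpacket area; the high bit of the
    type octet is the 'critical' flag and is masked off."""
    i = 0
    while i < len(area):
        length = area[i]
        if length >= 192:
            raise ValueError("only one-octet subpacket lengths supported")
        yield area[i + 1] & 0x7F, area[i + 2:i + 1 + length]
        i += 1 + length


def lint_certificate(cert, now=None):
    """Report primary-key expiry and the hash algorithm of each internal
    (self-certification or subkey-binding) signature in the certificate."""
    now = time.time() if now is None else now
    created, expires, hashes = None, None, []
    for tag, body in _packets(cert):
        if tag == 6 and created is None:          # primary public key packet
            if body[0] != 4:
                raise ValueError("only v4 keys supported")
            created = struct.unpack(">I", body[1:5])[0]
        elif tag == 2:                            # signature packet (v4 layout)
            sig_type, hash_algo = body[1], body[3]
            hashed_len = struct.unpack(">H", body[4:6])[0]
            hashed = body[6:6 + hashed_len]
            if sig_type in INTERNAL_SIG_TYPES:
                hashes.append(HASH_NAMES.get(hash_algo, f"algo {hash_algo}"))
            if sig_type in SELF_CERT_TYPES:
                for sp_type, value in _subpackets(hashed):
                    if sp_type == 9:              # key expiration time subpacket
                        expires = created + struct.unpack(">I", value)[0]
    return {"expired": expires is not None and now > expires,
            "expires_at": expires,
            "sha1_certifications": hashes.count("SHA-1"),
            "certification_hashes": hashes}


# --- constructed sample certificate (not a real key) -------------------------
def _packet(tag, body):
    return bytes([0xC0 | tag, len(body)]) + body


def _subpacket(sp_type, value):
    return bytes([1 + len(value), sp_type]) + value


def _signature(sig_type, hash_algo, hashed_subpackets):
    hashed = b"".join(hashed_subpackets)
    body = (bytes([4, sig_type, 1, hash_algo])      # v4, type, RSA, hash algo
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", 0)                  # no unhashed subpackets
            + b"\x00\x00"                           # left 16 bits of hash (dummy)
            + b"\x00\x08\xab")                      # dummy 8-bit signature MPI
    return _packet(2, body)


KEY_CREATED = 1248307200          # 2009-07-23 00:00:00 UTC, constructed value
TEN_YEARS = 10 * 365 * 86400
SAMPLE_CERT = (
    _packet(6, bytes([4]) + struct.pack(">I", KEY_CREATED) + bytes([1])
            + b"\x00\x10\xc0\xff"                   # dummy 16-bit RSA modulus
            + b"\x00\x11\x01\x00\x01")              # e = 65537
    + _packet(13, b"Example Signer <signer@example.invalid>")   # hypothetical UID
    + _signature(0x13, 2, [_subpacket(2, struct.pack(">I", KEY_CREATED)),
                           _subpacket(9, struct.pack(">I", TEN_YEARS))])
    + _signature(0x13, 8, [_subpacket(2, struct.pack(">I", KEY_CREATED + 86400))])
)

if __name__ == "__main__":
    print(lint_certificate(SAMPLE_CERT))
```

Run against the constructed certificate, the report shows one SHA-1 self-certification beside one SHA-256 one, and a key that expired ten years after creation; both conditions are exactly what an implementation such as sqop is entitled to reject when it answers "No acceptable signatures found", so running a check like this over the keys in debian/upstream/signing-key.asc before a verification attempt turns an opaque failure into a named cause.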