subject:"\[Touch\-packages\] \[Bug 1649097\] Re\: 'linux' source package signature is not valid"

[Touch-packages] [Bug 1649097] Re: 'linux' source package signature is not valid

2016-12-12 Thread Vyacheslav

Reality check:
that means that all source packages received via 'apt-get source' are not 
trusted by Ubuntu clean installation ?

Is there a safe way to get full public key (not short unsafe keyid) for
a source package then?

Thanks

** Summary changed:

- 'linux' source package signature is not valid
+ any source package signature is not valid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1649097

Title:
  any source package signature is not valid

Status in apt package in Ubuntu:
  New

Bug description:
  In short:

  The GPG key 105BE7F7, with that 'linux' source package is signed,
  revoked on 08/16/16 (4 months ago!)


  How to reproduce:

  $ apt-get source linux-image-$(uname -r)
  ...
  Picking 'linux' as source package instead of 'linux-image-4.4.0-53-generic'
  ...
  Get:2 http://ru.archive.ubuntu.com/ubuntu xenial-updates/main linux 
4.4.0-53.74 (tar) [133 MB]
  ...
  gpgv: Signature made Пт 02 дек 2016 18:32:18 MSK using RSA key ID 105BE7F7
  gpgv: Can't check signature: public key not found
  dpkg-source: warning: failed to verify signature on ./linux_4.4.0-53.74.dsc
  ...

  ### if you add this key:

  $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 105BE7F7
  $ apt-key list
  ...
  pub   4096R/105BE7F7 2011-09-06
  uid  Brad Figg 
  sub   4096R/F336E4D5 2011-09-06

  pub   4096R/105BE7F7 2014-06-16 [revoked: 2016-08-16]
  uid  Brad Figg 

  ### THE KEY IS REVOKED 4 MONTHS AGO!

  ### Additional info:
  $ lsb_release -rd
  Description:  Ubuntu 16.04.1 LTS
  Release:  16.04

  ### My unmodified /etc/apt/sources.list in attachment.
  ### Note, /etc/apt/sources.list.d/ directory is empty.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1649097/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1649097] Re: 'linux' source package signature is not valid

2016-12-12 Thread Seth Arnold

Julian, do you have any ideas how this could be handled better? I'm
short on ideas here. The gpgv output seems useful but it's also
potentially misleading.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1649097

Title:
  'linux' source package signature is not valid

Status in apt package in Ubuntu:
  New

Bug description:
  In short:

  The GPG key 105BE7F7, with that 'linux' source package is signed,
  revoked on 08/16/16 (4 months ago!)


  How to reproduce:

  $ apt-get source linux-image-$(uname -r)
  ...
  Picking 'linux' as source package instead of 'linux-image-4.4.0-53-generic'
  ...
  Get:2 http://ru.archive.ubuntu.com/ubuntu xenial-updates/main linux 
4.4.0-53.74 (tar) [133 MB]
  ...
  gpgv: Signature made Пт 02 дек 2016 18:32:18 MSK using RSA key ID 105BE7F7
  gpgv: Can't check signature: public key not found
  dpkg-source: warning: failed to verify signature on ./linux_4.4.0-53.74.dsc
  ...

  ### if you add this key:

  $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 105BE7F7
  $ apt-key list
  ...
  pub   4096R/105BE7F7 2011-09-06
  uid  Brad Figg 
  sub   4096R/F336E4D5 2011-09-06

  pub   4096R/105BE7F7 2014-06-16 [revoked: 2016-08-16]
  uid  Brad Figg 

  ### THE KEY IS REVOKED 4 MONTHS AGO!

  ### Additional info:
  $ lsb_release -rd
  Description:  Ubuntu 16.04.1 LTS
  Release:  16.04

  ### My unmodified /etc/apt/sources.list in attachment.
  ### Note, /etc/apt/sources.list.d/ directory is empty.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1649097/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1649097] Re: 'linux' source package signature is not valid

2016-12-12 Thread Seth Arnold

Thanks for the bug report.

This isn't as dire as it looks:

APT's security model is based on signed InRelease files that have
sha256sums of all archive contents. In this case, the InRelease file
will have a sha256sum for one of the Sources files, and that file will
have a sha256sum for the linux source package files:

Checksums-Sha256:
 5c1141401c8f3468b2d5f71906aea181a8f7c9e195c4cc3252a085962bbf4f4d 9611 
linux_4.4.0-53.74.dsc
 730e75919b5d30a9bc934ccb300eaedfdf44994ca9ee1d07a46901c46c221357 132860730 
linux_4.4.0.orig.tar.gz
 5ad7a47f2bcb66858f26fb539e39e07724c676a8eca84239c850fa87c2900b0e 12162206 
linux_4.4.0-53.74.diff.gz


If these sha256sums don't match what was downloaded, apt itself would throw an 
error.

All these files are in /var/lib/apt/lists/ .

The .dsc file is signed by whoever uploads the package for building to
our buildfarm. Developers' keys change all the time. It's still useful
to have the .dsc file to see what the builders saw, regardless if the
signature on the file is from an expired key or not.

Now, where things get really interesting: You've used a 32 bit keyid to
download the key from the keyservers. 32 bit keyids are not safe to use
in this manner because it's relatively simple to generate keys with
colliding 32 bit keyids. This was done for all keys in the 'strongly
connected set' a few years ago, including Brad's key. When someone
uploaded all these keys to the SKS keyservers, it was insanely
confusing. So, the group that generated all the colliding keys generated
revocation certificates for all the keys and uploaded them all, to kill
them.

So, your command to download the key by 32 bit keyid downloaded _two_
keys -- Brad's real key, "11D6 ADA3 D9E8 3D93 ACBD  837F 0C7B 589B 105B
E7F7", is not revoked:

$ gpg --check-sigs "11D6 ADA3 D9E8 3D93 ACBD  837F 0C7B 589B 105B E7F7"
pub   4096R/0C7B589B105BE7F7 2011-09-06
uid  Brad Figg 
sig! 052F367018D5C3D8 2012-01-09  John Johansen 
sig! 5759F35001AA4A64 2011-12-10  Steve Langasek 

sig! 3D76C845FA1447CA 2011-09-06  Tim Gardner (4K key) 

sig! 8972F4DFDC6DC026 2011-12-09  Kees Cook 
sig! 2F099E8D005E81F4 2011-12-09  Steve Beattie 
sig-30C7B589B105BE7F7 2011-09-06  Brad Figg 
sig!30C7B589B105BE7F7 2011-09-06  Brad Figg 
sub   4096R/E79D7BDFF336E4D5 2011-09-06
sig! 0C7B589B105BE7F7 2011-09-06  Brad Figg 

1 bad signature
14 signatures not checked due to missing keys


My output may look different from yours because I added this to my 
~/.gnupg/gpg.conf file:

keyid-format long

For more information, see https://evil32.com/

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1649097

Title:
  'linux' source package signature is not valid

Status in apt package in Ubuntu:
  New

Bug description:
  In short:

  The GPG key 105BE7F7, with that 'linux' source package is signed,
  revoked on 08/16/16 (4 months ago!)


  How to reproduce:

  $ apt-get source linux-image-$(uname -r)
  ...
  Picking 'linux' as source package instead of 'linux-image-4.4.0-53-generic'
  ...
  Get:2 http://ru.archive.ubuntu.com/ubuntu xenial-updates/main linux 
4.4.0-53.74 (tar) [133 MB]
  ...
  gpgv: Signature made Пт 02 дек 2016 18:32:18 MSK using RSA key ID 105BE7F7
  gpgv: Can't check signature: public key not found
  dpkg-source: warning: failed to verify signature on ./linux_4.4.0-53.74.dsc
  ...

  ### if you add this key:

  $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 105BE7F7
  $ apt-key list
  ...
  pub   4096R/105BE7F7 2011-09-06
  uid  Brad Figg 
  sub   4096R/F336E4D5 2011-09-06

  pub   4096R/105BE7F7 2014-06-16 [revoked: 2016-08-16]
  uid  Brad Figg 

  ### THE KEY IS REVOKED 4 MONTHS AGO!

  ### Additional info:
  $ lsb_release -rd
  Description:  Ubuntu 16.04.1 LTS
  Release:  16.04

  ### My unmodified /etc/apt/sources.list in attachment.
  ### Note, /etc/apt/sources.list.d/ directory is empty.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1649097/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1649097] Re: 'linux' source package signature is not valid

2016-12-12 Thread Seth Arnold

** Information type changed from Private Security to Public Security

** Package changed: ubuntu => apt (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1649097

Title:
  'linux' source package signature is not valid

Status in apt package in Ubuntu:
  New

Bug description:
  In short:

  The GPG key 105BE7F7, with that 'linux' source package is signed,
  revoked on 08/16/16 (4 months ago!)


  How to reproduce:

  $ apt-get source linux-image-$(uname -r)
  ...
  Picking 'linux' as source package instead of 'linux-image-4.4.0-53-generic'
  ...
  Get:2 http://ru.archive.ubuntu.com/ubuntu xenial-updates/main linux 
4.4.0-53.74 (tar) [133 MB]
  ...
  gpgv: Signature made Пт 02 дек 2016 18:32:18 MSK using RSA key ID 105BE7F7
  gpgv: Can't check signature: public key not found
  dpkg-source: warning: failed to verify signature on ./linux_4.4.0-53.74.dsc
  ...

  ### if you add this key:

  $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 105BE7F7
  $ apt-key list
  ...
  pub   4096R/105BE7F7 2011-09-06
  uid  Brad Figg 
  sub   4096R/F336E4D5 2011-09-06

  pub   4096R/105BE7F7 2014-06-16 [revoked: 2016-08-16]
  uid  Brad Figg 

  ### THE KEY IS REVOKED 4 MONTHS AGO!

  ### Additional info:
  $ lsb_release -rd
  Description:  Ubuntu 16.04.1 LTS
  Release:  16.04

  ### My unmodified /etc/apt/sources.list in attachment.
  ### Note, /etc/apt/sources.list.d/ directory is empty.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1649097/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1649097] Re: 'linux' source package signature is not valid

[Touch-packages] [Bug 1649097] Re: 'linux' source package signature is not valid

[Touch-packages] [Bug 1649097] Re: 'linux' source package signature is not valid

[Touch-packages] [Bug 1649097] Re: 'linux' source package signature is not valid

4 matches

Site Navigation

Mail list logo

Footer information