[Pkg-rust-maintainers] Bug#1031020: sqop: Fails to verify sig on gnutls28_3.7.8.orig.tar.xz
Daniel Kahn Gillmor
dkg at debian.org
Sun Jul 21 22:43:54 BST 2024
Hi Andreas--
On Fri 2023-02-10 15:38:21 +0100, Andreas Metzler wrote:
> I thought this should work, but it does not:
> sqop verify gnutls28_3.7.8.orig.tar.xz.asc gnutls-3.7.8/debian/upstream/signing-key.asc < gnutls28_3.7.8.orig.tar.xz.asc
> No acceptable signatures found
>
> One of the signing keys (462225C3B46F34879FC8496CD605848ED7E69871) is in gnutls-3.7.8/debian/upstream/signing-key.asc:
I tested this against GnuTLS 3.8.6 with sqop 0.35.0, and i got the same
result that you did.
Investigating it further, i found:
- the certificate in gnutls-3.8.6/debian/upstream/signing-key.asc that signed the 3.8.6 orig tarball was expired.
- many of the certificates in gnutls-3.8.6/debian/upstream/signing-key.asc used SHA-1 in their internal certifications. SHA-1 should have been phased out years ago, and we should discourage OpenPGP certificates that rely on that algorithm.
It turns out that the relevant certificates have all been fixed
upstream, but they were not included in the debian packaging.
I refreshed the debian packaging to use up-to-date certificates, and
pushed that change here:
https://salsa.debian.org/gnutls-team/gnutls/-/merge_requests/4
I hope this is useful,
--dkg
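The two findings above (an expired primary key, and SHA-1 used in a certificate's own certifications) can be spotted without a full OpenPGP stack. The following is an added example, not code from this thread, from sqop or from the gnutls packaging: a stdlib-only Python audit of a v4 certificate such as debian/upstream/signing-key.asc. It assumes only the packet and subpacket layouts of RFC 4880 and does not handle partial or indeterminate body lengths.

```python
import base64, struct, time

SHA1 = 2                           # OpenPGP hash-algorithm id for SHA-1 (RFC 4880 s9.4)
SIG, PUBKEY = 2, 6                 # packet tags: Signature, Public-Key
CERT_SIGS = {0x10, 0x11, 0x12, 0x13, 0x1F}  # self-sigs that carry the primary key's expiry

def dearmor(text):
    """Strip ASCII armor (header lines, blank line, CRC, footer) and base64-decode."""
    body = text.split("\n\n", 1)[1] if "\n\n" in text else text
    lines = [l for l in body.splitlines() if l and not l.startswith(("-----", "="))]
    return base64.b64decode("".join(lines))

def packets(data):
    """Yield (tag, body) per packet; old- and new-format headers, no partial lengths."""
    i = 0
    while i < len(data):
        ptag = data[i]; i += 1
        if ptag & 0x40:                                   # new-format header
            tag, first = ptag & 0x3F, data[i]; i += 1
            if first < 192: n = first
            elif first < 224: n = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255: n = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else: raise ValueError("partial body length not supported")
        else:                                             # old-format header
            tag, lt = (ptag >> 2) & 0x0F, ptag & 3        # lt 3 (indeterminate) unsupported
            n = int.from_bytes(data[i:i + (1, 2, 4)[lt]], "big"); i += (1, 2, 4)[lt]
        yield tag, data[i:i + n]; i += n

def subpackets(area):  # yield (type, value) for each signature subpacket in an area
    i = 0
    while i < len(area):
        first = area[i]; i += 1
        if first < 192: n = first
        elif first < 255: n = ((first - 192) << 8) + area[i] + 192; i += 1
        else: n = struct.unpack(">I", area[i:i + 4])[0]; i += 4
        yield area[i] & 0x7F, area[i + 1:i + n]; i += n   # mask the critical bit

def audit(cert, now=None):
    """Is the primary key expired, and how many v4 signatures use SHA-1?"""
    now = time.time() if now is None else now
    created = expires = None; sha1_sigs = total = 0
    for tag, body in packets(cert):
        if tag == PUBKEY and created is None and body[0] == 4:
            created = struct.unpack(">I", body[1:5])[0]       # v4 key creation time
        elif tag == SIG and body[0] == 4:
            total += 1
            sha1_sigs += body[3] == SHA1                       # byte 3 = hash algorithm
            hashed_len = struct.unpack(">H", body[4:6])[0]
            if body[1] in CERT_SIGS and created is not None:
                for st, sv in subpackets(body[6:6 + hashed_len]):
                    if st == 9:                                # Key Expiration Time subpacket
                        expires = created + struct.unpack(">I", sv)[0]
    return {"expired": expires is not None and expires < now,
            "sha1_signatures": sha1_sigs, "signatures": total}
```

Run `audit(dearmor(open("signing-key.asc").read()))` on a keyring to get the expiry and SHA-1 counts; a constructed two-signature certificate is used in the test.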