Invalid self-signature on user ID for PGP key #3446

Closed
ritzmann opened this issue Jan 24, 2022 · 7 comments
Labels
bug Something isn't working packaging

Comments

@ritzmann

Describe the bug

I am trying to import the PGP key for the Debian Bullseye repository but GnuPG 2.2.27 insists that the user ID is not properly signed:

$ gpg --verbose --no-default-keyring --keyring=~/xpra.gpg --recv-keys F18AD6BB
gpg: data source: https://162.213.33.9:443
gpg: armor header: Version: Hockeypuck ~unreleased
gpg: armor header: Comment: Hostname:
gpg: key 0x18ADB31CF18AD6BB: number of dropped non-self-signatures: 5
gpg: pub  dsa1024/0x18ADB31CF18AD6BB 2007-04-18  Antoine Martin <antoine@nagafix.co.uk>
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: key 0x18ADB31CF18AD6BB: 15 bad signatures
gpg: key 0x18ADB31CF18AD6BB: invalid self-signature on user ID "Antoine Martin <antoine@nagafix.co.uk>"
gpg: key 0x18ADB31CF18AD6BB: invalid self-signature on user ID "Antoine Martin <antoine@nagafix.co.uk>"
gpg: key 0x18ADB31CF18AD6BB: invalid self-signature on user ID "Antoine Martin <antoine@nagafix.co.uk>"
gpg: key 0x18ADB31CF18AD6BB: invalid self-signature on user ID "Antoine Martin <antoine@nagafix.co.uk>"
gpg: key 0x18ADB31CF18AD6BB: invalid self-signature on user ID "Antoine Martin <antoine@nagafix.co.uk>"
gpg: key 0x18ADB31CF18AD6BB: invalid self-signature on user ID "[jpeg image of size 4992]"
gpg: key 0x18ADB31CF18AD6BB: invalid self-signature on user ID "[jpeg image of size 4992]"
gpg: key 0x18ADB31CF18AD6BB: invalid self-signature on user ID "[jpeg image of size 4992]"
gpg: key 0x18ADB31CF18AD6BB: invalid self-signature on user ID "[jpeg image of size 4992]"
gpg: key 0x18ADB31CF18AD6BB: invalid self-signature on user ID "[jpeg image of size 4992]"
gpg: key 0x18ADB31CF18AD6BB/0x00D777F76E23E963: invalid subkey binding
gpg: key 0x18ADB31CF18AD6BB/0x00D777F76E23E963: invalid subkey binding
gpg: key 0x18ADB31CF18AD6BB/0x00D777F76E23E963: invalid subkey binding
gpg: key 0x18ADB31CF18AD6BB/0x00D777F76E23E963: invalid subkey binding
gpg: key 0x18ADB31CF18AD6BB/0x00D777F76E23E963: invalid subkey binding
gpg: key 0x18ADB31CF18AD6BB: skipped user ID "Antoine Martin <antoine@nagafix.co.uk>"
gpg: key 0x18ADB31CF18AD6BB: skipped user ID "[jpeg image of size 4992]"
gpg: key 0x18ADB31CF18AD6BB/0x00D777F76E23E963: skipped subkey
gpg: key 0x18ADB31CF18AD6BB: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

I was using hkps://keyserver.ubuntu.com as keyserver.

A manual download of the key from https://xpra.org/gpg.asc yields the same issue when imported:

$ gpg --verbose --no-default-keyring --keyring=~/xpra.gpg --import ./gpg.asc
gpg: pub  dsa1024/0x18ADB31CF18AD6BB 2007-04-18  Antoine Martin <antoine@nagafix.co.uk>
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: key 0x18ADB31CF18AD6BB: 2 signatures not checked due to missing keys
gpg: key 0x18ADB31CF18AD6BB: 7 bad signatures
gpg: key 0x18ADB31CF18AD6BB: invalid self-signature on user ID "Antoine Martin <antoine@nagafix.co.uk>"
gpg: key 0x18ADB31CF18AD6BB: invalid self-signature on user ID "Antoine Martin <antoine@nagafix.co.uk>"
gpg: key 0x18ADB31CF18AD6BB: invalid self-signature on user ID "Antoine Martin <antoine@nagafix.co.uk>"
gpg: key 0x18ADB31CF18AD6BB: invalid self-signature on user ID "[jpeg image of size 4992]"
gpg: key 0x18ADB31CF18AD6BB: invalid self-signature on user ID "[jpeg image of size 4992]"
gpg: key 0x18ADB31CF18AD6BB: invalid self-signature on user ID "[jpeg image of size 4992]"
gpg: key 0x18ADB31CF18AD6BB/0x00D777F76E23E963: invalid subkey binding
gpg: key 0x18ADB31CF18AD6BB: skipped user ID "Antoine Martin <antoine@nagafix.co.uk>"
gpg: key 0x18ADB31CF18AD6BB: skipped user ID "[jpeg image of size 4992]"
gpg: key 0x18ADB31CF18AD6BB/0x00D777F76E23E963: skipped subkey
gpg: key 0x18ADB31CF18AD6BB: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

To Reproduce

see above

System Information (please complete the following information):

  • Server OS: Debian 11
  • Client OS: n/a
  • Xpra Server Version 4.3.1
  • Xpra Client Version n/a

Additional context

ritzmann added the label "bug" (Something isn't working) Jan 24, 2022
@totaam
Collaborator

totaam commented Feb 16, 2022

Is there a specific reason why you're doing things this way instead of following https://github.com/Xpra-org/xpra/wiki/Download#-for-debian-based-distributions ?
This works OK:

wget -q https://xpra.org/gpg.asc -O- | sudo apt-key add -

My guess is that the problem comes from "signatures using the SHA1 algorithm are rejected".
The big problem is that it doesn't look like we can have two signatures for the same key? (and why not?!)
Changing the key is not an option as there are very many systems out there relying on the existing one.

@ritzmann
Author

$ man apt-key
...
Use of apt-key is deprecated
...
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
...

I believe you are on the right track with these SHA-1 signatures. There might be a way out of that because it looks to me like there are at least 15 signatures, but you must remove the obsolete/insecure SHA-1 signatures. At least this is how I understand "Fixing old SHA1-infested OpenPGP keys". I also checked the German article that is referenced, and it is vital not to skip the expiration step because that forces gpg to generate new secure signatures. The expiration value is not important and can be changed back again to the original value.
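
An added audit helper (not xpra project code and not from either commenter) that walks the packets of a dearmored OpenPGP key and reports the digest algorithm of every v4 signature, so you can count the SHA-1 self-signatures a modern GnuPG rejects before and after the re-signing step described above. It assumes RFC 4880 packet framing; the sample key bytes are constructed, not the real xpra key.

```python
# Added audit helper, not xpra project code; sample packets below are constructed.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
SIGNATURE_TAG = 2          # RFC 4880 section 5.2


def iter_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("not a packet header (is the input still armored?)")
        if ctb & 0x40:                                  # new-format header
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                              # 1, 2 or 4 length bytes
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length


def signature_digests(data: bytes) -> list:
    """Digest algorithm of every v4 signature packet, in key order."""
    out = []
    for tag, body in iter_packets(data):
        if tag == SIGNATURE_TAG and len(body) >= 4 and body[0] == 4:
            # v4 body starts: version, signature type, pubkey algo, hash algo
            out.append(HASH_ALGOS.get(body[3], f"unknown({body[3]})"))
    return out


# Constructed sample: v4 public-key packet (tag 6), then three positive
# certifications (type 0x13, DSA = 17) hashed with SHA1, SHA1 and SHA512.
SAMPLE_KEY = bytes([
    0x98, 0x01, 0x04,                     # old header, tag 6, len 1, version 4
    0x88, 0x04, 0x04, 0x13, 0x11, 0x02,   # old header, tag 2, len 4: SHA1
    0xC2, 0x04, 0x04, 0x13, 0x11, 0x02,   # new header, tag 2, len 4: SHA1
    0x88, 0x04, 0x04, 0x13, 0x11, 0x0A,   # old header, tag 2, len 4: SHA512
])
```

Feed it the output of `gpg --dearmor < gpg.asc` and any "SHA1" entries are the signatures GnuPG 2.2.27 reports as bad.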

@totaam
Collaborator

totaam commented Mar 22, 2022

Done. Thanks for the details!

Until the key propagates through the PGP network, re-importing the key fixes things:

wget -q https://xpra.org/gpg.asc -O- | sudo apt-key add -

@totaam totaam closed this as completed Mar 22, 2022
@ritzmann
Author

Excellent, thanks. I just tried without apt-key and it works when you convert the key to the expected format:

$ curl -O https://xpra.org/gpg.asc
$ gpg --no-default-keyring --keyring=./xpra-v1.gpg --import ./gpg.asc
$ gpg --no-default-keyring --keyring=./xpra-v1.gpg --export > xpra.gpg
$ sudo mv xpra.gpg /etc/apt/trusted.gpg.d/

@totaam
Collaborator

totaam commented Mar 24, 2022

And, as I had feared, this is causing pain: #3499

For the record, we've been using gpg --digest-algo SHA512 for years - so this whole thing should have been completely unnecessary.

@totaam
Collaborator

totaam commented Mar 24, 2022

What a mess. To try to avoid breaking too many existing installations and instructions, I have now reverted part of the changes in this ticket:
https://xpra.org/gpg.asc points to the older version of the key again. Details here:
#3499 (comment)
And updated the download instructions:
https://github.com/Xpra-org/xpra/wiki/Download/62889d4845e76f4dc6356c79ce74f43654c7145f

@totaam
Collaborator

totaam commented Jul 7, 2022

See also #2968 and #1830
