
Re: Question about repository signing



On Saturday, November 9, 2019 2:00:47 AM AKST David Kalnischkies wrote:
> Hi,
> 
> On Fri, Nov 08, 2019 at 03:26:43PM -0900, Joshua J. Kugler wrote:
> > InRelease: The following signatures were invalid:
> That error part is generated for two general types of problems:
> A signature which was bad or a signature which is worthless.
> 
> You truncated the error message, so I can't be sure [aka: please include
> always the complete output], but given …
> 
> > 347D7D44139452B2214B771EC0C819FFFFFB3557

Here is the entirety of the error that I'm getting:

Warning: apt-key output should not be parsed (stdout is not a terminal)
W: GPG error: http://rdev-repo.jnpr.net/Ubuntu/stable/JNPR/bionic jnpr InRelease: The following signatures were invalid: 347D7D44139452B2214B771EC0C819FFFFFB3557
E: The repository 'http://rdev-repo.jnpr.net/Ubuntu/stable/JNPR/bionic jnpr InRelease' is not signed.

> … I assume it is the latter. Worthless signatures are e.g. those made
> with (partly) broken hashing algorithms, like MD5 or SHA1. Depending on
> how and when you generated your signing key that might still be the
> default for you…

In the InRelease file, it lists md5, sha1, and sha256 hashes for the files.

If I take the InRelease file and run this:

gpg --keyring /etc/apt/trusted.gpg --verify InRelease

I get:

gpg: Signature made Mon 11 Nov 2019 09:00:58 PM UTC
gpg:                using RSA key C0C819FFFFFB3557
gpg: /home/vagrant/.gnupg/trustdb.gpg: trustdb created
gpg: Good signature from "Company Packager <cmpny-pkg@company.net>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 347D 7D44 1394 52B2 214B  771E C0C8 19FF FFFB 3557

So, it's the right key, and that key is in the known keys for apt.

> > That's obviously the key I signed it with, and that key is imported.  So,
> > if it has the key imported, why is the signature (which appears correct)
> > invalid?
> adding:
> 	-o Debug::Acquire::gpgv=1
I attached the output of running apt-get update with that option. I really 
don't know what's going on. We were using this same key, and the same methods 
(reprepro, etc.) on another machine, and it was working fine. Moved the 
process to this machine, and something is really off.

> Even https://wiki.debian.org/DebianRepository/SetupWithReprepro has
> a few pointers on that topic.
I'll take a look. Thanks!

> > PGP Key: http://pgp.mit.edu/  ID 0x73B13B6A
> That is a mostly unrelated sidenote, but short keyids might be short and
> easy to type, but they don't reliably identify a key anymore. It isn't
> that hard to generate keys with arbitrary short ids – keyservers are
> littered by such keys. The strongset was duplicated entirely (with
> signatures and all) years ago for example.
Maybe I'll change it to 0x68108cbb73b13b6a :)

> Good luck & best regards
Thanks for the pointers!

j

-- 
Joshua J. Kugler - Fairbanks, Alaska - joshua@azariah.com
Azariah Enterprises - Programming and Website Design
PGP Key: http://pgp.mit.edu/  ID 0x73B13B6A
# apt-get update -o Debug::Acquire::gpgv=1
Get:1 http://rdev-repo.cmpny.net/Ubuntu/emerge/cmpny/bionic cmpny InRelease [3,164 B]
0% [1 InRelease gpgv 3,164 B]inside VerifyGetSigners
Preparing to exec:  /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.6PYHY5 /tmp/apt.data.pCzH99
Read: [GNUPG:] NEWSIG

Read: [GNUPG:] KEY_CONSIDERED 347D7D44139452B2214B771EC0C819FFFFFB3557 0

Read: [GNUPG:] SIG_ID lsofMQn+jjVUlJojrXTpdkJjY1s 2019-11-11 1573506058

Read: [GNUPG:] KEY_CONSIDERED 347D7D44139452B2214B771EC0C819FFFFFB3557 0

Read: [GNUPG:] GOODSIG C0C819FFFFFB3557 company Packager <cmpny-pkg@company.net>

Got GOODSIG C0C819FFFFFB3557 !
Read: [GNUPG:] VALIDSIG 347D7D44139452B2214B771EC0C819FFFFFB3557 2019-11-11 1573506058 0 4 0 1 2 01 347D7D44139452B2214B771EC0C819FFFFFB3557

Got untrusted VALIDSIG, key ID: 347D7D44139452B2214B771EC0C819FFFFFB3557
gpgv exited with status 0
Summary:
  Good:
  Bad:
  Worthless: 347D7D44139452B2214B771EC0C819FFFFFB3557,
  SoonWorthless:
  NoPubKey:
  NODATA: no
Err:1 http://rdev-repo.cmpny.net/Ubuntu/emerge/cmpny/bionic cmpny InRelease
  The following signatures were invalid: 347D7D44139452B2214B771EC0C819FFFFFB3557
Reading package lists... Done
W: GPG error: http://rdev-repo.cmpny.net/Ubuntu/emerge/cmpny/bionic cmpny InRelease: The following signatures were invalid: 347D7D44139452B2214B771EC0C819FFFFFB3557
E: The repository 'http://rdev-repo.cmpny.net/Ubuntu/emerge/cmpny/bionic cmpny InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
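The attached log shows why "Good signature" from gpg and "Worthless" from apt are not a contradiction: apt's gpgv method does not stop at GOODSIG, it also reads the VALIDSIG status line, whose eighth field is the hash algorithm the signature was made with (RFC 4880 numbering, where 2 is SHA1 and 8 is SHA256). The following script is an added example, not code from this thread or from apt; it parses gpgv `--status-fd` output of the shape in the attachment and sorts each signature into the same buckets apt prints. The first sample block is the VALIDSIG line from the attached log, the other two blocks are constructed, and the set of digests treated as trustworthy is a simplification of apt's own table (assumption: SHA256/384/512 good, everything else worthless).

```python
from typing import Dict, List, Tuple

# RFC 4880 section 9.4 hash algorithm IDs, as they appear in the VALIDSIG line.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# RFC 4880 section 9.1 public-key algorithm IDs.
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
# Assumption (simplified from apt's digest table): a valid signature counts as
# Good only with one of these digests; MD5/SHA1 signatures are filed Worthless.
TRUSTED_DIGESTS = {"SHA256", "SHA384", "SHA512"}

# Constructed sample: first block copied from the attached apt debug log, the
# SHA256-signed block and the missing-key block are made up for illustration.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 347D7D44139452B2214B771EC0C819FFFFFB3557 0
[GNUPG:] SIG_ID lsofMQn+jjVUlJojrXTpdkJjY1s 2019-11-11 1573506058
[GNUPG:] GOODSIG C0C819FFFFFB3557 company Packager <cmpny-pkg@company.net>
[GNUPG:] VALIDSIG 347D7D44139452B2214B771EC0C819FFFFFB3557 2019-11-11 1573506058 0 4 0 1 2 01 347D7D44139452B2214B771EC0C819FFFFFB3557
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Packager <pkg@example.invalid>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF00112233 2019-11-11 1573506058 0 4 0 1 8 01 00112233445566778899AABBCCDDEEFF00112233
[GNUPG:] NEWSIG
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""


def parse_validsig(fields: List[str]) -> Dict[str, str]:
    """Decode the VALIDSIG arguments (GnuPG doc/DETAILS layout):
    <fpr> <sig-date> <sig-ts> <expire-ts> <sig-version> <reserved>
    <pubkey-algo> <hash-algo> <sig-class> [<primary-key-fpr>]"""
    return {
        "fingerprint": fields[0],
        "created": fields[1],
        "pubkey_algo": PUBKEY_ALGOS.get(int(fields[6]), "algo " + fields[6]),
        "hash_algo": HASH_ALGOS.get(int(fields[7]), "algo " + fields[7]),
        # Subkey signatures carry the primary fingerprint as a 10th field.
        "primary_fingerprint": fields[9] if len(fields) > 9 else fields[0],
    }


def classify(status_output: str) -> Tuple[Dict[str, List[str]], Dict[str, Dict[str, str]]]:
    """Sort signatures into apt-style buckets and keep the decoded VALIDSIG
    details keyed by primary fingerprint, so the digest is visible."""
    summary: Dict[str, List[str]] = {"Good": [], "Bad": [], "Worthless": [], "NoPubKey": []}
    details: Dict[str, Dict[str, str]] = {}
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # only status-fd lines matter; gpg chatter is ignored
        parts = line.split()[1:]
        tag, args = parts[0], parts[1:]
        if tag == "VALIDSIG":
            sig = parse_validsig(args)
            bucket = "Good" if sig["hash_algo"] in TRUSTED_DIGESTS else "Worthless"
            summary[bucket].append(sig["primary_fingerprint"])
            details[sig["primary_fingerprint"]] = sig
        elif tag == "BADSIG":
            summary["Bad"].append(args[0])
        elif tag == "NO_PUBKEY":
            summary["NoPubKey"].append(args[0])
    return summary, details


if __name__ == "__main__":
    summary, details = classify(SAMPLE_STATUS)
    for bucket, keys in summary.items():
        print(f"  {bucket}: {', '.join(keys)}")
    for fpr, sig in details.items():
        print(f"{fpr}: {sig['pubkey_algo']} key, signature digest {sig['hash_algo']}")
```

Run against the attachment, the page's VALIDSIG line decodes to an RSA key with a SHA1 signature digest, which is exactly the "Worthless" case David describes; the constructed SHA256 line lands in Good. The same field can be seen without apt by running `gpg --list-packets InRelease`, which prints the signature packet's `digest algo`. For a reprepro-signed repository, the digest comes from the signing gpg's configuration, so setting `digest-algo SHA256` in that user's gpg.conf (or signing with a GnuPG release that already defaults to SHA256) is the usual fix when one machine produces SHA1 signatures and another does not.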
