Bug 681974 - The stage 3 files are not signed with a valid Gentoo key
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Misc
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://distfiles.gentoo.org/releases/...
Reported: 2019-03-29 01:12 UTC by Nathan Shearer
Modified: 2019-03-30 04:32 UTC
Description Nathan Shearer 2019-03-29 01:12:00 UTC
I am trying to verify my downloads from http://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64/

The 4 keys I typically install on my system are:
	Gentoo Linux Release Engineering (Automated Weekly Release Key), expires 2020-01-01
		13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910
	Gentoo ebuild repository signing key (Automated Signing Key), expires 2020-01-01
		DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D
	Gentoo repository mirrors (automated git signing key), expires 2020-01-01
		EF95 38C9 E8E6 4311 A52C DEDF A13D 0EF1 914E 7A72
	Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key), expires 2020-07-01
		D99E AC73 79A8 50BC E47D A5F2 9E64 38C8 1707 2058

I have noticed that the files are now signed with a new key: 534E4209AB49EEE1C19D96162C44695DB9F6043D

When I check these pages, the old key is not expired, and the new key is not listed:
  https://www.gentoo.org/downloads/signatures/
  https://wiki.gentoo.org/wiki/Project:RelEng

When I try to look up the new key, it is also not listed on any of the PGP global directories I have tried:
	hkps.pool.sks-keyservers.net
		502 Bad Gateway
	https://pgp.mit.edu/
		503 Service Temporarily Unavailable
	https://pgp.key-server.io
		504 gateway timeout
	https://keyserver.pgp.com
		No results were found
	https://pgp.surfnet.nl/
		No results were found
	http://hkps.pool.sks-keyservers.net/
		502 Bad Gateway

$ wget http://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64/stage3-amd64-20190327T214503Z.tar.xz.DIGESTS.asc
$ gpg --verify stage3-amd64-20190327T214503Z.tar.xz.DIGESTS.asc
gpg: Signature made Wed 27 Mar 2019 09:05:29 PM MDT
gpg:                using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
gpg: Can't check signature: No public key
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-03-29 07:28:43 UTC
This is a subkey of the regular key:

$ gpg --list-keys 534E4209AB49EEE1C19D96162C44695DB9F6043D
pub   rsa4096 2009-08-25 [SC] [expires: 2020-01-01]
      13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
uid           [ unknown] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sub   rsa2048 2019-02-23 [S] [expires: 2020-01-01]

You need to refresh keys, i.e.:

$ gpg --refresh-keys 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2019-03-30 04:32:47 UTC
unrestricting, no sec concerns here.
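
An added example, not part of the original thread or of Gentoo's tooling: Comment 1 explains that the signing fingerprint is a subkey of the key the reporter already trusts, so a verification script should pin the primary key rather than the subkey. GnuPG's `--status-fd` output reports both on the `VALIDSIG` line, whose last field is the primary-key fingerprint. The function names and the sample status lines below are constructed; only the two real fingerprints come from the report.

```shell
#!/bin/sh
# Added example. Function names and sample status lines are constructed for
# illustration; only the two real fingerprints come from the bug report.

# Primary key pinned by the user (Automated Weekly Release Key in the report).
PINNED_PRIMARY=13EBBDBEDE7A12775DFDB1BABB572E0E2D182910

# Read `gpg --status-fd` output on stdin; print the 10th VALIDSIG argument,
# the primary-key fingerprint. Returns 1 if no such VALIDSIG line is present.
signer_primary() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && NF >= 12 { print $12; ok = 1; exit }
         END { exit !ok }'
}

# Succeed only when the signature is valid and its primary key is the pinned
# one, regardless of which signing subkey produced it.
signed_by_pinned() {
    primary=$(signer_primary) || return 1
    [ "$primary" = "$PINNED_PRIMARY" ]
}

# Constructed: keyring refreshed, signature made by the new subkey.
sample_valid() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2C44695DB9F6043D Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
[GNUPG:] VALIDSIG 534E4209AB49EEE1C19D96162C44695DB9F6043D 2019-03-28 1553742329 0 4 0 1 10 01 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
EOF
}

# Constructed: stale keyring, the "No public key" state from the Description.
sample_stale() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 2C44695DB9F6043D 1 10 01 1553742329 9
[GNUPG:] NO_PUBKEY 2C44695DB9F6043D
EOF
}

# Constructed: valid signature from a key that is not pinned (placeholder fingerprints).
sample_other() {
    cat <<'EOF'
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2019-03-28 1553742329 0 4 0 1 10 01 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
EOF
}

# Real use: gpg --status-fd 1 --verify FILE.DIGESTS.asc 2>/dev/null | signed_by_pinned
```

With a stale keyring there is no `VALIDSIG` line at all, so the check fails closed until the key is refreshed as described in Comment 1.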