Created attachment 775763: output of "gpg --check-sigs"

After obtaining the service-keys.gpg file from https://qa-reports.gentoo.org/output/service-keys.gpg I ran "gpg --check-sigs", which gave the output attached with this report. It shows that

```
gpg: 13 good signatures
gpg: 1 bad signature
gpg: 12 signatures not checked due to missing keys
```

I suspect that it is connected to this key

```
pub   rsa4096 2009-08-25 [SC] [expires: 2023-07-01]
      13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
uid           [ unknown] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
```

as this is the only place where a minus sign shows up ("sig-3" instead of "sig!3"). Another member of the #gentoo channel confirmed this behaviour.

Maybe a disclaimer should be added to https://www.gentoo.org/downloads/signatures/

What do you think?

Kind regards and thank you for your time,
Quarz
Release team, any ideas? -A
I just received another report of this happening with a friend while fetching keys from hkps://keys.gentoo.org. Told him it was likely something in gentoo infra screwing up, suggested --keyserver keyserver.ubuntu.com and it worked to pull valid signatures.
Ditto, just happened now. But this time, the keys are in `keys.gentoo.org`.

GPG: 2.2.40-1.1
host: Debian 12 (Linux 6.1.0-18-amd64)

I imported the Gentoo keys from Gentoo PGP keyserver:

```
gpg --keyserver hkps://keys.gentoo.org --recv-keys 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
gpg: key BB572E0E2D182910: 1 bad signature
gpg: key BB572E0E2D182910: "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" 2 new signatures
gpg: Total number processed: 1
gpg:         new signatures: 2
```

Notice the "1 bad signature"? So I listed out the keys:

```
gpg --list-options show-unusable-subkeys --list-keys --with-fingerprint --with-subkey-fingerprints 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
pub   rsa4096 2009-08-25 [SC] [expires: 2026-07-01]
      13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910
uid           [  full  ] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sub   rsa2048 2019-02-23 [S] [expires: 2026-07-01]
      534E 4209 AB49 EEE1 C19D 9616 2C44 695D B9F6 043D
```

and lastly, searched for the bad log as denoted by "sig-":

```
gpg --check-sigs | grep "sig-"
sig-3        BB572E0E2D182910 2009-08-25  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
gpg: 144 good signatures
gpg: 1 bad signature
gpg: 116 signatures not checked due to missing keys
```

Just an FYI.
A continuation from my previous comment: I did a full signature check

```
$ gpg --check-sigs
[snipped unrelated output]
pub   rsa4096 2009-08-25 [SC] [expires: 2026-07-01]
      13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
uid           [  full  ] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3 P      55D3238EC050396E 2019-04-01  Gentoo Authority Key L2 for Services <openpgp-auth+l2-srv@gentoo.org>
sig!3        BB572E0E2D182910 2013-08-24  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2015-08-26  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2009-08-25  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig-3        BB572E0E2D182910 2009-08-25  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2017-08-22  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2019-02-23  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2019-04-27  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2019-10-30  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2020-04-24  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2020-09-20  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2019-02-24  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2021-11-29  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2022-06-16  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig! L       187C2337D3A97109 2024-04-04  Stephen L. Egbert <s.egbert@sbcglobal.net>
sig!3        BB572E0E2D182910 2024-04-21  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sub   rsa2048 2019-02-23 [S] [expires: 2026-07-01]
sig!         BB572E0E2D182910 2022-06-16  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!         BB572E0E2D182910 2024-04-21  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
[snipped unrelated output]
gpg: 144 good signatures
gpg: 1 bad signature
gpg: 116 signatures not checked due to missing keys
```
Created attachment 893323: export-13EBBDBEDE7A12775DFDB1BABB572E0E2D182910-both-2009-08-25.asc

Attaching a capture of the signatures from 2009-08-25. Notice there are two with the exact same timestamp, of which one is bad.

> sig-3 BB572E0E2D182910 2009-08-25 21:44:25 [self-signature]
> sig!3 BB572E0E2D182910 2009-08-25 21:44:25 [self-signature]
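As an added example (not part of this bug report or any Gentoo tooling), a small parser for the human-readable `gpg --check-sigs` output quoted in the comments above: it extracts the `sig-` lines the grep in the earlier comment looks for, tallies statuses for comparison with gpg's own trailing summary, and flags same-issuer signatures sharing one timestamp where one of them is bad, the duplicate self-signature pattern in the attachment. The sample output is constructed to mirror the listings above; the regex is written against the line shape shown there, not taken from GnuPG.

```python
import re
from collections import defaultdict

# "gpg --check-sigs" certification line: "sig" + status ('!' good, '-' bad,
# '%' error, '?' missing key) + optional cert level and flag letters (P, L),
# then issuer key id, date, optional time, and the signer's user id.
SIG_RE = re.compile(
    r"^sig(?P<status>[!\-%?])(?P<level>[0-3]?)\s+(?P<flags>[A-Z ]*?)\s*"
    r"(?P<keyid>[0-9A-F]{16})\s+(?P<date>\d{4}-\d{2}-\d{2})"
    r"(?:\s+(?P<time>\d{2}:\d{2}:\d{2}))?\s+(?P<uid>.*)$"
)
STATUS_NAMES = {"!": "good", "-": "bad", "?": "not_checked", "%": "error"}

# Constructed sample mirroring the listing in the comments above.
SAMPLE = """\
pub   rsa4096 2009-08-25 [SC] [expires: 2026-07-01]
uid           [  full  ] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3 P      55D3238EC050396E 2019-04-01  Gentoo Authority Key L2 for Services <openpgp-auth+l2-srv@gentoo.org>
sig!3        BB572E0E2D182910 2009-08-25 21:44:25  [self-signature]
sig-3        BB572E0E2D182910 2009-08-25 21:44:25  [self-signature]
sig!3        BB572E0E2D182910 2024-04-21  [self-signature]
sig! L       187C2337D3A97109 2024-04-04  Stephen L. Egbert <s.egbert@sbcglobal.net>
sig?         0123456789ABCDEF 2020-01-01  [User ID not found]
gpg: 4 good signatures
gpg: 1 bad signature
"""

def parse_check_sigs(text):
    """One dict per certification line; pub/uid/sub and gpg: summary lines are skipped."""
    matches = (SIG_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def bad_signatures(sigs):
    """The 'sig-' lines, i.e. what the grep in the comments above finds."""
    return [s for s in sigs if s["status"] == "-"]

def summary(sigs):
    """Counts per status, to compare against gpg's own trailing summary lines."""
    counts = dict.fromkeys(STATUS_NAMES.values(), 0)
    for s in sigs:
        counts[STATUS_NAMES[s["status"]]] += 1
    return counts

def duplicate_timestamp_groups(sigs):
    """Same issuer, identical date/time, at least one bad: the duplicate
    self-signature pattern shown in the attachment."""
    groups = defaultdict(list)
    for s in sigs:
        groups[(s["keyid"], s["date"], s["time"])].append(s)
    return {k: v for k, v in groups.items()
            if len(v) > 1 and any(x["status"] == "-" for x in v)}
```

Feed it `gpg --check-sigs` output on stdin or from a file; a `sig-` entry whose issuer and timestamp match a good `sig!` entry is the exact symptom this report describes, while a lone `sig-` points at something else (a corrupted or tampered certification).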
Reproduction is interesting, because neither SKS nor hockeypuck serve the bad signature.

```
$ ( d=/tmp/gpg-test2/ ; rm -rf $d ; install -m0700 -d $d ; GNUPGHOME=$d gpg --keyserver hkps://trogan.keys.gentoo.org --recv-keys 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910 ; GNUPGHOME=$d gpg --check-sig 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910 )
gpg: keybox '/tmp/gpg-test2/pubring.kbx' created
gpg: /tmp/gpg-test2/trustdb.gpg: trustdb created
gpg: key BB572E0E2D182910: public key "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
pub   rsa4096 2009-08-25 [SC] [expires: 2026-07-01]
      13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
uid           [ unknown] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2024-04-21  [self-signature]
sub   rsa2048 2019-02-23 [S] [expires: 2026-07-01]
sig!         BB572E0E2D182910 2024-04-21  [self-signature]
gpg: 2 good signatures
```
I've done a once-off hack for now so that bad signature shouldn't be exported from qa-reports. Specifically I iterated the keyring and deleted the bad signature in the key export environment. There's no good way to prevent it from being imported again, or auto-deleted. This might happen if there's another manual export, or something causes a future keyserver to export the bad signature again. That said, the impact of the issue is tiny: that bad signature is not used for anything; only the good signatures are.