Bug 841985 - gpg --check-sigs shows 1 bad signature
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Other
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Gentoo Infrastructure
Reported: 2022-05-01 08:06 UTC by de_johannes
Modified: 2024-05-18 17:14 UTC
CC: 6 users
Attachments
output of "gpg --check-sigs" (output, 10.20 KB, text/plain), 2022-05-01 08:06 UTC, de_johannes
export-13EBBDBEDE7A12775DFDB1BABB572E0E2D182910-both-2009-08-25.asc (4.17 KB, text/plain), 2024-05-18 16:48 UTC, Robin Johnson

Description de_johannes 2022-05-01 08:06:24 UTC
Created attachment 775763
output of "gpg --check-sigs"

After obtaining the service-keys.gpg file from 

https://qa-reports.gentoo.org/output/service-keys.gpg

I ran "gpg --check-sigs", which gave the output attached with this report. It shows that 

gpg: 13 good signatures
gpg: 1 bad signature
gpg: 12 signatures not checked due to missing keys

I suspect that it is connected to this key 

pub   rsa4096 2009-08-25 [SC] [expires: 2023-07-01]
      13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
uid           [ unknown] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>

as this is the only place where a minus sign shows up ("sig-3" instead of "sig!3"). Another member of the #gentoo channel confirmed this behaviour. 
Maybe a disclaimer should be added to 

https://www.gentoo.org/downloads/signatures/

What do you think? 

Kind regards and thank you for your time,
Quarz
Comment 1 Alec Warner (RETIRED) archtester gentoo-dev Security 2022-05-01 16:39:17 UTC
Release team, any ideas?

-A
Comment 2 Joe Kappus 2022-08-25 07:01:58 UTC
I just received another report of this happening with a friend while fetching keys from hkps://keys.gentoo.org.

Told him it was likely something in gentoo infra screwing up, suggested --keyserver keyserver.ubuntu.com and it worked to pull valid signatures.
Comment 3 Steve Egbert 2024-05-17 18:41:04 UTC
Ditto, just happened now.  But this time, the keys are in `keys.gentoo.org`.

GPG: 2.2.40-1.1
host: Debian 12 (Linux 6.1.0-18-amd64)

I imported the Gentoo keys from Gentoo PGP keyserver:

    gpg --keyserver hkps://keys.gentoo.org --recv-keys 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
    gpg: key BB572E0E2D182910: 1 bad signature
    gpg: key BB572E0E2D182910: "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" 2 new signatures
    gpg: Total number processed: 1
    gpg:         new signatures: 2


Notice the "1 bad signature"?


So I listed out the keys:

  gpg --list-options show-unusable-subkeys --list-keys --with-fingerprint --with-subkey-fingerprints 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
  pub   rsa4096 2009-08-25 [SC] [expires: 2026-07-01]
        13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
  uid           [  full  ] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
  sub   rsa2048 2019-02-23 [S] [expires: 2026-07-01]
        534E 4209 AB49 EEE1 C19D  9616 2C44 695D B9F6 043D


and lastly, searched for the bad log as denoted by "sig-":


```
gpg --check-sigs | grep "sig-"
sig-3        BB572E0E2D182910 2009-08-25  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
gpg: 144 good signatures
gpg: 1 bad signature
gpg: 116 signatures not checked due to missing keys
```

Just an FYI.
Comment 4 Steve Egbert 2024-05-17 18:43:46 UTC
A continuation from my previous comment:

I did a full signature check

$ gpg --check-sigs

[snipped unrelated output]

pub   rsa4096 2009-08-25 [SC] [expires: 2026-07-01]
      13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
uid           [  full  ] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3   P    55D3238EC050396E 2019-04-01  Gentoo Authority Key L2 for Services <openpgp-auth+l2-srv@gentoo.org>
sig!3        BB572E0E2D182910 2013-08-24  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2015-08-26  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2009-08-25  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig-3        BB572E0E2D182910 2009-08-25  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2017-08-22  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2019-02-23  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2019-04-27  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2019-10-30  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2020-04-24  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2020-09-20  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2019-02-24  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2021-11-29  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2022-06-16  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!  L      187C2337D3A97109 2024-04-04  Stephen L. Egbert <s.egbert@sbcglobal.net>
sig!3        BB572E0E2D182910 2024-04-21  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sub   rsa2048 2019-02-23 [S] [expires: 2026-07-01]
sig!         BB572E0E2D182910 2022-06-16  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!         BB572E0E2D182910 2024-04-21  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>

[snipped unrelated output]

gpg: 144 good signatures
gpg: 1 bad signature
gpg: 116 signatures not checked due to missing keys
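As an added example (not code from this report, from GnuPG or from Gentoo infra): a small Python parser over the human-readable `gpg --check-sigs` output shown above. It does what the `grep "sig-"` in the previous comment does, but also records which primary key and user ID each bad certification hangs off, cross-checks the counts against gpg's own "N good/bad signatures" trailer, and reports whether a good signature by the same key with the same date exists over the same object, i.e. whether the bad one is merely an unused duplicate. The line format it parses is the gpg 2.2 text output quoted in this thread; treating that format as stable is an assumption (gpg's `--with-colons` output is the documented machine-readable form). The sample input is constructed and condensed from the output in this thread, with the third-party certifier replaced by a placeholder key ID and name.

```python
"""Parse `gpg --check-sigs` text output and locate bad (sig-) certifications.

Added example for this bug thread; not code from the report, from GnuPG or
from Gentoo infra.  The line format below is the gpg 2.2 human-readable
output shown in the thread; treating it as stable is an assumption.
"""
import json
import re
from dataclasses import dataclass, asdict

# sig line: "sig" + status + optional level, optional flag letters, 16-hex key ID,
# date, signer.  Status: '!' good, '-' bad, '%' error, '?' signer key missing.
SIG_RE = re.compile(
    r"^sig(?P<status>[!?%-])(?P<level>[123]?)\s+"
    r"(?:(?P<flags>[A-Z]+)\s+)?"
    r"(?P<keyid>[0-9A-F]{16})\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<who>.*)$"
)
# fingerprint line under "pub", with or without the 4-character grouping
FPR_RE = re.compile(r"^\s+([0-9A-F]{4}(?:\s*[0-9A-F]{4}){9})\s*$")
UID_RE = re.compile(r"^uid\s+\[[^\]]*\]\s+(.*)$")
SUMMARY_RE = re.compile(r"^gpg: (\d+) (good|bad) signatures?$")
STATUS = {"!": "good", "-": "bad", "%": "error", "?": "unchecked"}


@dataclass
class Sig:
    status: str    # good / bad / error / unchecked
    level: str     # certification level 1..3, or '' (e.g. subkey binding)
    flags: str     # flag letters as printed by gpg (P policy URL, L local, ...)
    keyid: str
    date: str
    signer: str
    key_fpr: str   # primary key the signature hangs off
    on: str        # what it certifies: "uid: <name>" or "sub"


def parse_check_sigs(text):
    sigs, fpr, target = [], "", ""
    for line in text.splitlines():
        if line.startswith("pub "):
            fpr, target = "", "pub"   # fingerprint follows on the next line
            continue
        m = FPR_RE.match(line)
        if m and not fpr:
            fpr = re.sub(r"\s+", "", m.group(1))
            continue
        m = UID_RE.match(line)
        if m:
            target = "uid: " + m.group(1).strip()
            continue
        if line.startswith("sub "):
            target = "sub"
            continue
        m = SIG_RE.match(line)
        if m:
            sigs.append(Sig(STATUS[m["status"]], m["level"], m["flags"] or "",
                            m["keyid"], m["date"], m["who"].strip(), fpr, target))
    return sigs


def gpg_summary(text):
    """(good, bad) from gpg's own trailer lines, or None if they are absent."""
    counts, seen = {"good": 0, "bad": 0}, False
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            counts[m.group(2)], seen = int(m.group(1)), True
    return (counts["good"], counts["bad"]) if seen else None


def check(text):
    """Count signatures ourselves, cross-check gpg's summary, describe each bad one."""
    sigs = parse_check_sigs(text)
    good = sum(s.status == "good" for s in sigs)
    bad = [s for s in sigs if s.status == "bad"]
    findings = []
    for b in bad:
        # A good signature by the same key, same date, over the same object means
        # the bad one is a duplicate that trust calculations do not use.
        twin = any(s.status == "good" and (s.keyid, s.date, s.key_fpr, s.on)
                   == (b.keyid, b.date, b.key_fpr, b.on) for s in sigs)
        findings.append({**asdict(b), "good_twin": twin})
    summary = gpg_summary(text)
    return {"good": good, "bad": len(bad),
            "summary_matches": summary is None or summary == (good, len(bad)),
            "findings": findings}


# Constructed sample, condensed from the --check-sigs output in this thread;
# the "L" (local) certifier is a placeholder key ID and name.
SAMPLE = """\
pub   rsa4096 2009-08-25 [SC] [expires: 2026-07-01]
      13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
uid           [  full  ] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3   P    55D3238EC050396E 2019-04-01  Gentoo Authority Key L2 for Services <openpgp-auth+l2-srv@gentoo.org>
sig!3        BB572E0E2D182910 2009-08-25  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig-3        BB572E0E2D182910 2009-08-25  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!  L      0123456789ABCDEF 2024-04-04  Local certifier <local@example.invalid>
sig!3        BB572E0E2D182910 2024-04-21  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sub   rsa2048 2019-02-23 [S] [expires: 2026-07-01]
sig!         BB572E0E2D182910 2024-04-21  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>

gpg: 5 good signatures
gpg: 1 bad signature
"""

if __name__ == "__main__":
    print(json.dumps(check(SAMPLE), indent=2))
```

Feed it real output with `gpg --check-sigs | python3 check_sigs.py`-style piping by replacing `SAMPLE` with `sys.stdin.read()`; a `summary_matches` of False means the parser missed a line shape, which is worth knowing before trusting its findings.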
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2024-05-18 16:48:18 UTC
Created attachment 893323
export-13EBBDBEDE7A12775DFDB1BABB572E0E2D182910-both-2009-08-25.asc

Attaching a capture of the signatures from 2009-08-25.
Notice there are two with the exact same timestamp, of which one is bad.

> sig-3        BB572E0E2D182910 2009-08-25 21:44:25  [self-signature]
> sig!3        BB572E0E2D182910 2009-08-25 21:44:25  [self-signature]
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2024-05-18 16:59:36 UTC
Reproduction is interesting, because neither SKS nor hockeypuck serve the bad signature.


$ ( d=/tmp/gpg-test2/ ; rm -rf $d ; install -m0700 -d $d ; GNUPGHOME=$d  gpg  --keyserver hkps://trogan.keys.gentoo.org --recv-keys 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910 ; GNUPGHOME=$d gpg --check-sig 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910 ) 
gpg: keybox '/tmp/gpg-test2/pubring.kbx' created
gpg: /tmp/gpg-test2/trustdb.gpg: trustdb created
gpg: key BB572E0E2D182910: public key "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
pub   rsa4096 2009-08-25 [SC] [expires: 2026-07-01]
      13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
uid           [ unknown] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sig!3        BB572E0E2D182910 2024-04-21  [self-signature]
sub   rsa2048 2019-02-23 [S] [expires: 2026-07-01]
sig!         BB572E0E2D182910 2024-04-21  [self-signature]

gpg: 2 good signatures
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2024-05-18 17:14:15 UTC
I've done a once-off hack for now so that bad signature shouldn't be exported from qa-reports. Specifically I iterated the keyring and deleted the bad signature in the key export environment.

There's no good way to prevent it from being imported again, or auto-deleted.
This might happen if there's another manual export, or something causes a future keyserver to export the bad signature again.

That said, the impact of the issue is tiny: that bad signature is not used for anything; only the good signatures are.