Bug 953102 - sec-keys/openpgp-keys-lassecollin-20240529: expired PGP key prevents installing security update app-arch/xz-utils-5.6.4-r1 with USE=verify-sig
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 953088
Reported: 2025-04-03 19:02 UTC by Johannes Niess
Modified: 2025-04-04 00:19 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Johannes Niess 2025-04-03 19:02:24 UTC
Thanks for updating sec-keys/openpgp-keys-lassecollin with the new key. The workaround USE=-verify-sig doesn't feel right for a security update. I increased severity for blocking the security update as per bug 953088 - app-arch/xz-utils-5.6.4-r1: security stabilisation 

Reproducible: Always

Steps to Reproduce:
Try to emerge app-arch/xz-utils-5.6.4-r1 with USE=verify-sig
Actual Results:  
* dependency graph for app-arch/xz-utils-5.6.4-r1
`--  app-arch/xz-utils-5.6.4-r1  amd64
`--  sec-keys/openpgp-keys-lassecollin-20240529  (>=sec-keys/openpgp-keys-lassecollin-20240529) amd64
`--  app-portage/elt-patches-20250306  (>=app-portage/elt-patches-20250306) amd64
`--  app-crypt/gnupg-2.4.7-r1  (app-crypt/gnupg) amd64
`--  app-portage/gemato-20.6  (>=app-portage/gemato-20) amd64
[ app-arch/xz-utils-5.6.4-r1 stats: packages (5), max depth (1) ]


>>> Jobs: 0 of 1 complete, 1 failed                                     Load avg: 1.33, 0.79, 0.94
* Package:    app-arch/xz-utils-5.6.4-r1:0
* Repository: gentoo
* Maintainer: base-system@gentoo.org
* USE:        abi_x86_64 amd64 elibc_glibc extra-filters kernel_linux nls pgo verify-sig
* FEATURES:   network-sandbox preserve-libs sandbox userpriv usersandbox
>>> Unpacking source...
* Verifying xz-5.6.4.tar.gz ...
[   INFO] File /var/tmp/portage/app-arch/xz-utils-5.6.4-r1/distdir/xz-5.6.4.tar.gz verified successfully against the signature in /var/tmp/portage/app-arch/xz-utils-5.6.4-r1/distdir/xz-5.6.4.tar.gz.sig:
[   INFO] - status: OpenPGPSignatureStatus.GOOD
[   INFO] - valid: True, trusted: True
[   INFO] - primary key: 3690C240CE51B4670D30AD1C38EE757D69184620
[   INFO] - subkey: 3690C240CE51B4670D30AD1C38EE757D69184620
[   INFO] - timestamp: 2025-01-23 17:54:34 UTC
[   INFO] - key expiration: 2025-02-07 14:42:17 UTC
* Verifying xz-cve-2025-31115.patch ...
[  ERROR] OpenPGP verification failed for <_io.BufferedReader name='/var/tmp/portage/app-arch/xz-utils-5.6.4-r1/distdir/xz-cve-2025-31115.patch'> (sig in /var/tmp/portage/app-arch/xz-utils-5.6.4-r1/distdir/xz-cve-2025-31115.patch.sig):
OpenPGP signature rejected because of expired key:
gpg: Signature made Thu Apr  3 11:43:30 2025 UTC
gpg:                using RSA key 3690C240CE51B4670D30AD1C38EE757D69184620
gpg: Good signature from "Lasse Collin <lasse.collin@tukaani.org>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 3690 C240 CE51 B467 0D30  AD1C 38EE 757D 6918 4620
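The log above shows the distinction that matters for this bug: the tarball signature, made on 2025-01-23 before the key expired on 2025-02-07, is reported GOOD, while the patch signature, made on 2025-04-03 after expiry, is rejected even though gpg still prints "Good signature" for it. The following Python is an added example, not code from this bug report, from gemato or from GnuPG: it reproduces that decision from GnuPG's machine-readable `--status-fd` lines (GOODSIG, EXPKEYSIG, VALIDSIG, KEYEXPIRED). The two status transcripts are constructed from the timestamps in the log and trimmed to the relevant tags; they are not captured gpg output, and the algorithm fields in the VALIDSIG lines are illustrative.

```python
"""Reproduce the verdicts in the bug's log from GnuPG --status-fd lines.

Added example, not gemato's or GnuPG's code. It follows the behaviour
visible in the report: only GOODSIG is acceptable for a verify-sig
check; EXPKEYSIG means the signature itself verified but the signing
key was already expired at signature-creation time, so it is rejected.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class SigVerdict:
    status: str                         # "GOOD", "EXPIRED_KEY", "BAD" or "NONE"
    fingerprint: Optional[str]          # signing (sub)key fingerprint from VALIDSIG
    sig_timestamp: Optional[datetime]   # signature creation time from VALIDSIG
    key_expiration: Optional[datetime]  # from KEYEXPIRED, when gpg emitted it

    @property
    def accepted(self) -> bool:
        """Only a GOOD signature with a known fingerprint passes."""
        return self.status == "GOOD" and self.fingerprint is not None

    @property
    def signed_before_expiry(self) -> Optional[bool]:
        """Why the two files in the log differ: creation time vs key expiry."""
        if self.sig_timestamp is None or self.key_expiration is None:
            return None
        return self.sig_timestamp < self.key_expiration


def _epoch(value: str) -> datetime:
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def classify(status_output: str) -> SigVerdict:
    """Parse the '[GNUPG:] ...' lines gpg writes to --status-fd."""
    status = "NONE"
    fingerprint = sig_timestamp = key_expiration = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                     # ordinary stderr chatter, ignore
        fields = line.split()
        if len(fields) < 2:
            continue
        tag = fields[1]
        if tag == "GOODSIG":
            status = "GOOD"
        elif tag == "EXPKEYSIG":         # signature fine, key expired at creation time
            status = "EXPIRED_KEY"
        elif tag in ("BADSIG", "ERRSIG"):
            status = "BAD"
        elif tag == "VALIDSIG":
            # VALIDSIG <fpr> <sig-date> <sig-epoch> <sig-expiry-epoch> ...
            fingerprint = fields[2]
            sig_timestamp = _epoch(fields[4])
        elif tag == "KEYEXPIRED":        # KEYEXPIRED <expiry-epoch>
            key_expiration = _epoch(fields[2])
    return SigVerdict(status, fingerprint, sig_timestamp, key_expiration)


# Constructed from the timestamps in the bug's log (not captured gpg output),
# trimmed to the status tags that matter here.
FPR = "3690C240CE51B4670D30AD1C38EE757D69184620"
KEY_EXPIRED = "[GNUPG:] KEYEXPIRED 1738939337"   # 2025-02-07 14:42:17 UTC

TARBALL_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 38EE757D69184620 Lasse Collin <lasse.collin@tukaani.org>
[GNUPG:] VALIDSIG {FPR} 2025-01-23 1737654874 0 4 0 1 10 00 {FPR}
{KEY_EXPIRED}
"""                                              # sig made 2025-01-23 17:54:34 UTC

PATCH_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 38EE757D69184620 Lasse Collin <lasse.collin@tukaani.org>
[GNUPG:] VALIDSIG {FPR} 2025-04-03 1743680610 0 4 0 1 10 00 {FPR}
{KEY_EXPIRED}
"""                                              # sig made 2025-04-03 11:43:30 UTC


if __name__ == "__main__":
    for name, output in (("xz-5.6.4.tar.gz", TARBALL_STATUS),
                         ("xz-cve-2025-31115.patch", PATCH_STATUS)):
        v = classify(output)
        print(f"{name}: {v.status}, accepted={v.accepted}, "
              f"signed_before_expiry={v.signed_before_expiry}")
```

An EXPIRED_KEY verdict says nothing about the signature's cryptographic validity, only that the signer's key was past its expiry when the signature was created, which is why refreshing the keyring (here sec-keys/openpgp-keys-lassecollin-20250313-r1) and making the ebuild depend on it is the right fix, and USE=-verify-sig is not. Note that the creation time in VALIDSIG is written by the signer, so this check relies on the signer's clock rather than an independent one.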
Comment 1 Sam James 2025-04-03 19:07:22 UTC
Ah, the issue is that I decided last-minute to use the downloaded patch for 5.6.x, and for 5.6.x, I hadn't updated the dep, while for 5.8.x and the live template, of course I had. Thanks.
Comment 2 Larry the Git Cow 2025-04-03 19:11:23 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bdd29e74a3459ea368880c73a17a76818d8ea7ae

commit bdd29e74a3459ea368880c73a17a76818d8ea7ae
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-04-03 19:09:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-04-03 19:09:07 +0000

    app-arch/xz-utils: update verify-sig dep for 5.6.x
    
    The issue is that I decided last-minute to use the downloaded patch for 5.6.x,
    and for 5.6.x, I hadn't updated the dep, while for 5.8.x and the live template,
    of course I had.
    
    Closes: https://bugs.gentoo.org/953102
    Bug: https://bugs.gentoo.org/953088
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/xz-utils/xz-utils-5.6.4-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c560a1fa8b0c07664809678374db07b4ee7a795e

commit c560a1fa8b0c07664809678374db07b4ee7a795e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-04-03 19:08:51 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-04-03 19:08:51 +0000

    sec-keys/openpgp-keys-lassecollin: stabilize 20250313-r1 for ALLARCHES
    
    Bug: https://bugs.gentoo.org/953088
    Bug: https://bugs.gentoo.org/953102
    Signed-off-by: Sam James <sam@gentoo.org>

 .../openpgp-keys-lassecollin-20250313-r1.ebuild                         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 Sam James 2025-04-03 19:11:45 UTC
Sorry for the bother and possible panic ;)
Comment 4 Johannes Niess 2025-04-03 20:44:32 UTC
Thanks for swiftly taking care of this. sec-keys/openpgp-keys-lassecollin-20250313-r1 already landed on my box and I have successfully emerged app-arch/xz-utils-5.6.4-r1 with USE=verify-sig