having trouble checking the signature of a downloaded file

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

having trouble checking the signature of a downloaded file

Henry
I downloaded a tarball ***6.4.tar.gz, it's signature file
***6.4.tar.gz.sig, and the author's public key ******.pgp from a
well-known site.

I imported the public key: `gpg --import ******.pgp`.
For some reason, two keys were "skipped":
   gpg: key 0C0B590E80CA15A7: 2 signatures not checked due to missing keys
   gpg: key 0C0B590E80CA15A7: "Author's Name <[hidden email]>
   gpg: Total number processed: 3
   gpg:     skipped PGP-2 keys: 2
   gpg:              unchanged: 1

I tried to verify the downloaded file, but the check failed:
`gpg --verify ***6.4.tar.gz.sig ***6.4.tar.gz`
   gpg: Signature made Tue May  4 23:03:11 2004 JST
   gpg:                using RSA key DC80F2A6D5327CB9
   gpg: Can't check signature: No public key

This is the first time for this to happen, so I have no idea what I
might be doing
wrong.  Any help or suggestions much appreciated.  TIA

Henry

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Reply | Threaded
Open this post in threaded view
|

Re: having trouble checking the signature of a downloaded file

Kristian Fiskerstrand-6
On 02/21/2018 10:37 AM, Henry wrote:

> I downloaded a tarball ***6.4.tar.gz, it's signature file
> ***6.4.tar.gz.sig, and the author's public key ******.pgp from a
> well-known site.
>
> I imported the public key: `gpg --import ******.pgp`.
> For some reason, two keys were "skipped":
>    gpg: key 0C0B590E80CA15A7: 2 signatures not checked due to missing keys
>    gpg: key 0C0B590E80CA15A7: "Author's Name <[hidden email]>
>    gpg: Total number processed: 3
>    gpg:     skipped PGP-2 keys: 2
              ^^^^^^^^^^^^^^^^^^^^^
              note this and see below

>    gpg:              unchanged: 1
>
> I tried to verify the downloaded file, but the check failed:
> `gpg --verify ***6.4.tar.gz.sig ***6.4.tar.gz`
>    gpg: Signature made Tue May  4 23:03:11 2004 JST
>    gpg:                using RSA key DC80F2A6D5327CB9
>    gpg: Can't check signature: No public key
>

The above RSA key is in v3 format which is not supported in GnuPG >=2.1
for security reasons, hence not imported, and hence the output you see.

> This is the first time for this to happen, so I have no idea what I
> might be doing
> wrong.  Any help or suggestions much appreciated.  TIA

The author should sign the package using a more modern and secure keyblock.

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Aut disce aut discede
Either learn or leave


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: having trouble checking the signature of a downloaded file

Peter Lebbing
On 21/02/18 10:48, Kristian Fiskerstrand wrote:
>>    gpg: Signature made Tue May  4 23:03:11 2004 JST
> [...]
>
> The author should sign the package using a more modern and secure keyblock.

Note that not the key, but the /signature/ is made 14 years ago. So
we're talking about verifying the integrity of a really old file. The
author might not be available anymore or willing to expend any effort.

GnuPG 1.4 is kept around to verify such old files. So perhaps the OP
could use GnuPG 1.4 to verify the file; without further information
about the system he is using it is hard to explain how exactly to do
this. However, I get the feeling his OS is NetBSD :-). So if somebody
knows how GnuPG is installed there... (I don't)

This all comes with a major caveat. The reason you can't do it with
modern GnuPG is that the security of PGP-2 keys and signatures is no
longer at a sufficient level. So while it gives some confidence when the
signature verifies positively, a well-equipped attacker might have faked
it anyway!

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: having trouble checking the signature of a downloaded file

Peter Lebbing
On 21/02/18 11:53, Peter Lebbing wrote:
> The
> author might not be available anymore or willing to expend any effort.

(Or the author might not have a more authentic copy of the file anymore
either. This is not the reason I'm self-replying though).

> This all comes with a major caveat.

Make that two. The OP writes:

On 21/02/18 10:37, Henry wrote:
> I downloaded a tarball ***6.4.tar.gz, it's signature file
> ***6.4.tar.gz.sig, and the author's public key ******.pgp from a
> well-known site.

This sounds like there is no more assurance that the downloaded key is
authentic than that the downloaded file is authentic. When to decide
that a key is authentic is one of the more difficult problems of
practical cryptography use. Some people take confidence from downloading
identical copies of the key from multiple HTTPS websites. There are
still ways for an attacker to serve you the wrong one each time, but
it's better than nothing... The best is direct personal contact with the
owner of the key, but it seems a long shot.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: having trouble checking the signature of a downloaded file

Kristian Fiskerstrand-6
In reply to this post by Peter Lebbing
On 02/21/2018 11:53 AM, Peter Lebbing wrote:
> On 21/02/18 10:48, Kristian Fiskerstrand wrote:
>>>    gpg: Signature made Tue May  4 23:03:11 2004 JST
>> [...]
>>
>> The author should sign the package using a more modern and secure keyblock.
> Note that not the key, but the /signature/ is made 14 years ago. So
> we're talking about verifying the integrity of a really old file. The
> author might not be available anymore or willing to expend any effort.

Touché :) Indeed, didn't notice it was an old file/signature , then
gnupg 1.4 is the recommended official suggestion presuming established
validity of key material etc etc.

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Dura necessitas
Necessity is harsh


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: having trouble checking the signature of a downloaded file

Henry
2018-02-21 20:56 GMT+09:00 Kristian Fiskerstrand
<[hidden email]>:
> On 02/21/2018 11:53 AM, Peter Lebbing wrote:
> Touché :) Indeed, didn't notice it was an old file/signature , then
> gnupg 1.4 is the recommended official suggestion presuming established
> validity of key material etc etc.

gpg (GnuPG) 1.4.22 does give more information, but no success; see
below.  May I assume that nothing
can be done other than to request the author to remedy the situation?
Thanks all.

Henry

result of using gnupg 1.4:
% gpg1 --import D5327CB9.key
gpg: key D5327CB9: "author <[hidden email]>" not changed
gpg: Note: signatures using the MD5 algorithm are rejected
gpg: key D5327CB9: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 2
gpg:           w/o user IDs: 1
gpg:              unchanged: 1

% gpg1 --verify ***6.4.tar.gz.sig ***6.4.tar.gz
gpg: Signature made Tue May  4 23:03:11 2004 JST using RSA key ID D5327CB9
gpg: Can't check signature: public key not found

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Reply | Threaded
Open this post in threaded view
|

Re: having trouble checking the signature of a downloaded file

Kristian Fiskerstrand-6
On 02/22/2018 11:03 PM, Henry wrote:

> 2018-02-21 20:56 GMT+09:00 Kristian Fiskerstrand
> <[hidden email]>:
>> On 02/21/2018 11:53 AM, Peter Lebbing wrote:
>> Touché :) Indeed, didn't notice it was an old file/signature , then
>> gnupg 1.4 is the recommended official suggestion presuming established
>> validity of key material etc etc.
>
> gpg (GnuPG) 1.4.22 does give more information, but no success; see
> below.  May I assume that nothing
> can be done other than to request the author to remedy the situation?
> Thanks all.
>
--allow-weak-digest-algos
Signatures made with known-weak digest algorithms are normally
allows the verification of signatures made with such weak algorithms.
MD5 is the only digest algorithm considered weak by default.

> Henry
>
> result of using gnupg 1.4:
> % gpg1 --import D5327CB9.key
> gpg: key D5327CB9: "author <[hidden email]>" not changed
> gpg: Note: signatures using the MD5 algorithm are rejected
> gpg: key D5327CB9: no valid user IDs
> gpg: this may be caused by a missing self-signature
> gpg: Total number processed: 2
> gpg:           w/o user IDs: 1
> gpg:              unchanged: 1
>
> % gpg1 --verify ***6.4.tar.gz.sig ***6.4.tar.gz
> gpg: Signature made Tue May  4 23:03:11 2004 JST using RSA key ID D5327CB9
> gpg: Can't check signature: public key not found
>

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"The laws of Australia prevail in Australia, I can assure you of that.
The laws of mathematics are very commendable, but the only laws that
applies in Australia is the law of Australia."
(Malcolm Turnbull, Prime Minister of Australia).


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: having trouble checking the signature of a downloaded file

Kristian Fiskerstrand-6
On 02/22/2018 11:13 PM, Kristian Fiskerstrand wrote:

> On 02/22/2018 11:03 PM, Henry wrote:
>> 2018-02-21 20:56 GMT+09:00 Kristian Fiskerstrand
>> <[hidden email]>:
>>> On 02/21/2018 11:53 AM, Peter Lebbing wrote:
>>> Touché :) Indeed, didn't notice it was an old file/signature , then
>>> gnupg 1.4 is the recommended official suggestion presuming established
>>> validity of key material etc etc.
>> gpg (GnuPG) 1.4.22 does give more information, but no success; see
>> below.  May I assume that nothing
>> can be done other than to request the author to remedy the situation?
>> Thanks all.
>>
> --allow-weak-digest-algos
> Signatures made with known-weak digest algorithms are normally
> allows the verification of signatures made with such weak algorithms.
> MD5 is the only digest algorithm considered weak by default.
>
That was truncated;

.B  --allow-weak-digest-algos
Signatures made with known-weak digest algorithms are normally
rejected with an ``invalid digest algorithm'' message.  This option
allows the verification of signatures made with such weak algorithms.
MD5 is the only digest algorithm considered weak by default.  See also
\fB--weak-digest\fR to reject other digest algorithms.


--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Varitatio delectat
Change pleases


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (499 bytes) Download Attachment