Bug 24685 - gpg verification not described with changed signature method
Summary: gpg verification not described with changed signature method
Status: RESOLVED FIXED
Alias: None
Product: Websites
Classification: Unclassified
Component: www.mageia.org
Version: trunk
Hardware: All Linux
Priority: High normal
Target Milestone: ---
Assignee: Atelier Team
QA Contact:
URL: https://www.mageia.org/en/downloads/g...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-17 21:27 CEST by diego w
Modified: 2019-07-09 23:21 CEST

See Also:
Source RPM:
CVE:
Status comment:


Attachments

Description diego w 2019-04-17 21:27:53 CEST
I just downloaded the latest beta ISO and thought I'd properly verify it. As you offer both SHA1 and md5, for me the choice was obvious, as md5 is obsolete.

I tried to adapt the commands as shown on the page for SHA1 and ran into the following problems:

1. the keyserver didn't find the key:

gpg --keyserver pgp.mit.edu --recv-keys EDCA7A90

gpg: Empfangen vom Schlüsselserver fehlgeschlagen: Keine Daten 

only trying other keyservers helped; keys.gnupg.net also failed, pgp.uni-mainz.de finally worked.

Maybe there should be given more than just one keyserver.

2. as most people won't enjoy comparing hashes manually, please include the following command for proper comparison:

sha512sum -c Mageia-7-beta3-Live-Plasma-x86_64.iso.sha512 

and mention that the iso should be in the same dir

3. the command 

gpg --verify Mageia-7-beta3-Live-Plasma-x86_64.iso.sha512.gpg 

fails with the following messages:

gpg: keine signierten Daten
gpg: can't hash datafile: Keine Daten

the solution was as follows:

gpg --verify Mageia-7-beta3-Live-Plasma-x86_64.iso.sha512.gpg Mageia-7-beta3-Live-Plasma-x86_64.iso.sha512

I first stumbled upon this on the German page, but verified it on the English version, they are identical.

I suppose the commands for md5 are also not working as intended, but didn't try.

would be nice to fix it before the actual release of Mageia 7
Comment 1 Thomas Backlund 2019-04-17 21:38:36 CEST
(In reply to diego w from comment #0)

> 
> I tried to adapt the commands as shown on the page for SHA1 and ran into the
> following problems:
> 
> 1. the keyserver didn't find the key:
> 
> gpg --keyserver pgp.mit.edu --recv-keys EDCA7A90
> 
> gpg: Empfangen vom Schlüsselserver fehlgeschlagen: Keine Daten 
> 
> only  trying other keyservers helped, keys.gnupg.net also failed,
> pgp.uni-mainz.de finally worked.
> 
> Maybe there should be given more than just one keyserver.

The keyservers are supposed to sync the keys between them... seems that does not work so good :/

I guess I'll push the key directly to more servers..


> 3. the command 
> 
> gpg --verify Mageia-7-beta3-Live-Plasma-x86_64.iso.sha512.gpg 
> 
> fails with the following messages:
> 
> gpg: keine signierten Daten
> gpg: can't hash datafile: Keine Daten
> 
> the solution was as follows:
> 
> gpg --verify Mageia-7-beta3-Live-Plasma-x86_64.iso.sha512.gpg
> Mageia-7-beta3-Live-Plasma-x86_64.iso.sha512
> 


Yeah, since I decided to also start to sign the isos and not only the checksum files, I switched to detached signatures to not duplicate the full iso data in the signed data. You now need to do the:

gpg --verify <signature_file> <signed_file>

as you found out

CC: (none) => tmb

Comment 2 diego w 2019-04-18 17:47:24 CEST
I recently read also that the keyservers are under constant attack, which seems to be quite easy taking into account how flawed the system seems to be (of course it's easy saying so from a 2019 perspective).

I thought so, seems like a good move and once the correct commands are on the download page also those who don't feel like using manpages can verify the image. On the other hand who really verifies ISOs when not bored or adventurous.
papoteur 2019-07-09 08:22:50 CEST

CC: (none) => yves.brungard_mageia
Priority: Normal => High

Comment 3 papoteur 2019-07-09 08:24:54 CEST
Hello,
This applies to all kinds of signatures: SHA1, SHA512, SHA3

Summary: gpg verification with SHA1 not described => gpg verification not described with changed signature method

Comment 4 Manuel Hiebel 2019-07-09 21:14:51 CEST
hi, sorry we missed this bug

Looks I could add again our key to pgp.mit.edu.

Can you check if you are happy with my WIP ?
https://mga.hiebel.eu/en/downloads/get/?q=Mageia-7-Live-GNOME-x86_64.iso&d=1

I moved the checksum file line at the top.

Maybe we should remove everything about MD5 ?
How do we check sha3 ? (we only have sha512, sha3, and md5 for Mageia 7 isos)
Comment 5 Filip Komar 2019-07-09 21:55:21 CEST
(In reply to Manuel Hiebel from comment #4)
> Can you check if you are happy with my WIP ?
> https://mga.hiebel.eu/en/downloads/get/?q=Mageia-7-Live-GNOME-x86_64.iso&d=1
> 
> I moved the checksum file line at the top.

It seems OK to me.

> Maybe we should remove everything about MD5 ?

For mga7 maybe a deprecation notice?


> How do we check sha3 ? (we only have sha512, sha3, and md5 for Mageia 7 isos)
This seems to work:
$ sha3-512sum -c Mageia-7-Live-GNOME-x86_64.iso.sha3
Mageia-7-Live-GNOME-x86_64.iso: OK

But note that sha3sum package needs to be installed. On LiveDVD it seems it's not :(.

CC: (none) => filip.komar
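
The checksum step discussed in this thread (`sha512sum -c` / `sha3-512sum -c`, with the ISO sitting in the same directory as the checksum file), as an added example that is not part of this bug report or of Mageia's tooling. It reimplements the `-c` check in Python with hashlib, so the SHA3 check also works on a system where the sha3sum package is not installed; the ISO name and file contents are constructed stand-ins, and the separate detached-signature step (`gpg --verify <sig> <file>`) is not covered here.

```python
import hashlib
import os
import tempfile

# Checksum-file suffix -> hashlib constructor, matching the files the download
# page offers for Mageia 7: .sha512 (sha512sum) and .sha3 (sha3-512sum).
HASHERS = {"sha512": hashlib.sha512, "sha3": hashlib.sha3_512}

def file_digest(path, hasher):
    h = hasher()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_sums(checksum_path):
    """Mimic `sha512sum -c FILE`: each line is '<hex>  <name>'; the name is
    resolved relative to the checksum file, so the ISO must sit beside it."""
    hasher = HASHERS[checksum_path.rsplit(".", 1)[-1]]
    base = os.path.dirname(checksum_path)
    results = {}
    with open(checksum_path, encoding="utf-8") as f:
        for line in f:
            if not line.strip():
                continue
            expected, name = line.rstrip("\n").split(maxsplit=1)
            name = name.lstrip("*")  # binary-mode marker some tools emit
            target = os.path.join(base, name)
            if not os.path.exists(target):
                results[name] = "FAILED open or read"  # ISO not in this dir
                continue
            actual = file_digest(target, hasher)
            results[name] = "OK" if actual == expected.lower() else "FAILED"
    return results

def demo():
    # Constructed sample: a stand-in "ISO" plus the two checksum files.
    d = tempfile.mkdtemp()
    iso = os.path.join(d, "Mageia-7-Live-GNOME-x86_64.iso")
    with open(iso, "wb") as f:
        f.write(b"not a real ISO, constructed for the example\n" * 1000)
    for kind, hasher in HASHERS.items():
        with open(f"{iso}.{kind}", "w", encoding="utf-8") as f:
            f.write(f"{file_digest(iso, hasher)}  {os.path.basename(iso)}\n")
    good = {kind: check_sums(f"{iso}.{kind}") for kind in HASHERS}
    # Flip one byte of the image: every check must now report FAILED.
    with open(iso, "r+b") as f:
        f.seek(10)
        f.write(b"X")
    bad = check_sums(f"{iso}.sha512")
    return good, bad
```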

Comment 6 Manuel Hiebel 2019-07-09 23:21:04 CEST
yes thomas told me about sha3, if not easy we don't need it.

So I removed md5 from mga7 iso, updated the gpg server to a https://www.sks-keyservers.net/overview-of-pools.php and updated the commands

Resolution: (none) => FIXED
Status: NEW => RESOLVED

