debsig: Failed verification for msft-git.deb. #706

Open
alexanderilyin opened this issue Nov 15, 2024 · 2 comments

Comments

alexanderilyin commented Nov 15, 2024

The snippet from the README doesn't work out of the box:

⬢ [Docker] ❯ lsb_release -d
No LSB modules are available.
Description:    Debian GNU/Linux 12 (bookworm)
⬢ [Docker] ❯ grep FROM .devcontainer/Dockerfile 
FROM mcr.microsoft.com/devcontainers/typescript-node:1-22-bookworm
⬢ [Docker] ❯ .devcontainer/git.sh
+ sudo apt-get install -y curl debsig-verify
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
curl is already the newest version (7.88.1-10+deb12u8).
Suggested packages:
  debian-keyring debsigs
The following NEW packages will be installed:
  debsig-verify
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 37.1 kB of archives.
After this operation, 102 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 debsig-verify amd64 0.28+b3 [37.1 kB]
Fetched 37.1 kB in 0s (197 kB/s)         
Selecting previously unselected package debsig-verify.
(Reading database ... 48238 files and directories currently installed.)
Preparing to unpack .../debsig-verify_0.28+b3_amd64.deb ...
Unpacking debsig-verify (0.28+b3) ...
Setting up debsig-verify (0.28+b3) ...
Processing triggers for man-db (2.11.2-2) ...
+ curl -s https://api.github.com/repos/microsoft/git/releases/latest
+ grep -E 'browser_download_url.*msft-git-public.asc'
+ cut -d : -f 2,3
+ tr -d '"'
+ xargs -I url curl -L -o msft-git-public.asc url
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  2468  100  2468    0     0   3592      0 --:--:-- --:--:-- --:--:--  6652
+ gpg --output msft-git-public.gpg --dearmor msft-git-public.asc
+ gpg --show-keys msft-git-public.asc
+ head -n 2
+ tail -n 1
+ tail -c 17
B8F12E25441124E1
+ sudo mkdir /usr/share/debsig/keyrings/B8F12E25441124E1
+ sudo mv msft-git-public.gpg /usr/share/debsig/keyrings/B8F12E25441124E1/
+ sudo mkdir /etc/debsig/policies/B8F12E25441124E1
+ cat
+ sudo mv generic.pol /etc/debsig/policies/B8F12E25441124E1/generic.pol
+ curl -s https://api.github.com/repos/microsoft/git/releases/latest
+ grep 'browser_download_url.*deb'
+ cut -d : -f 2,3
+ xargs -I url curl -L -o msft-git.deb url
+ tr -d '"'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:08 --:--:--     0
100 66.2M  100 66.2M    0     0  5700k      0  0:00:11  0:00:11 --:--:-- 25.0M
+ debsig-verify msft-git.deb
debsig: Failed verification for msft-git.deb.

I came from here:

salaman (Member) commented Nov 19, 2024

It looks like debsig-verify >=0.24 is rejecting SHA1 signatures.

debsig-verify (0.24) unstable; urgency=medium

  * Switch keyring parser from gpg --list-packets to --show-keys --with-colons.
  * Use fingerprint and fallback to use long keyIDs for database filenames.
  * Reject weak RIPEMD160 and SHA1 algorithms.

and the deb file is signed using a SHA1 digest:

chris ~/dev % debsig-verify -v -d msft-git.deb
[...]
gpg: Signature made Tue 22 Oct 2024 01:20:37 PM PDT
gpg:                using RSA key 02A148FB2E0D16E17F4B1E32B8F12E25441124E1
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: Can't check signature: Invalid digest algorithm
debsig: sigVerify: gpg exited abnormally or with non-zero exit status
chris ~/dev % gpg -vv --show-key _gpgorigin
# off=0 ctb=89 tag=2 hlen=3 plen=435
:signature packet: algo 1, keyid B8F12E25441124E1
        version 4, created 1729628437, md5len 0, sigclass 0x00
        digest algo 2, begin of digest bc e8

A workaround is to allow the weak algo in gnupg:

echo "allow-weak-digest-algos" >> /etc/gnupg/gpg.conf

but the build signing should be updated by the maintainers.
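
As an added illustration (not code from the microsoft/git project or from either commenter), the script below parses the OpenPGP signature packet that debsig-verify hands to gpg (the _gpgorigin member of the .deb archive) the way gpg -vv --show-key does, and reports the digest algorithm so you can confirm the SHA1 rejection on a package before deciding whether to relax gpg's policy. The packet it builds is constructed here to mirror the fields in the dump above (ctb 0x89, pubkey algo 1, keyid B8F12E25441124E1, digest algo 2, hash prefix bc e8, creation time 1729628437); its MPI and subpacket set are placeholders, and the function names parse_signature_packet, build_sample_signature and report are choices made for this example.

```python
import struct
import sys

# RFC 4880 section 9.4 hash algorithm IDs
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
              10: "SHA512", 11: "SHA224"}
WEAK_HASH_ALGOS = {1, 2, 3}  # MD5, SHA1, RIPEMD160: rejected by debsig-verify 0.24+
# RFC 4880 section 9.1 public-key algorithm IDs
PK_ALGOS = {1: "RSA", 3: "RSA (sign-only)", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}


def read_packet_header(data):
    """Return (tag, header_len, body_len) for the packet starting at data[0]."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported")
    # old-format header (RFC 4880 4.2.1): tag in bits 5-2, length type in bits 1-0
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate packet length not supported")


def iter_subpackets(blob):
    """Yield (type, payload) from a signature subpacket area (RFC 4880 5.2.3.1)."""
    pos = 0
    while pos < len(blob):
        first = blob[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + blob[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", blob[pos + 1:pos + 5])[0], pos + 5
        sub = blob[pos:pos + length]
        pos += length
        yield sub[0] & 0x7F, sub[1:]  # bit 7 of the type octet is the critical flag


def parse_signature_packet(data):
    """Parse a v4 signature packet into the fields gpg -vv prints."""
    tag, hlen, plen = read_packet_header(data)
    if tag != 2:
        raise ValueError("expected a signature packet (tag 2), got tag %d" % tag)
    body = data[hlen:hlen + plen]
    if len(body) != plen or body[0] != 4:
        raise ValueError("truncated packet or unsupported signature version")
    sigclass, pk_algo, hash_algo = body[1], body[2], body[3]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    pos += 2 + unhashed_len
    info = {"tag": tag, "hlen": hlen, "plen": plen, "version": 4, "sigclass": sigclass,
            "pk_algo": pk_algo, "pk_algo_name": PK_ALGOS.get(pk_algo, "unknown"),
            "hash_algo": hash_algo, "hash_algo_name": HASH_ALGOS.get(hash_algo, "unknown"),
            "hash_left": body[pos:pos + 2].hex(), "created": None, "keyid": None,
            "weak": hash_algo in WEAK_HASH_ALGOS}
    for sub_type, payload in list(iter_subpackets(hashed)) + list(iter_subpackets(unhashed)):
        if sub_type == 2:      # signature creation time
            info["created"] = struct.unpack(">I", payload[:4])[0]
        elif sub_type == 16:   # issuer key ID
            info["keyid"] = payload[:8].hex().upper()
    return info


def build_sample_signature(hash_algo=2):
    """Constructed v4 RSA signature shaped like the one in this issue; the MPI is a placeholder."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1729628437)          # creation-time subpacket
    unhashed = bytes([9, 16]) + bytes.fromhex("B8F12E25441124E1")  # issuer subpacket
    mpi = bytes([0x00, 0x10, 0xAB, 0xCD])                           # placeholder 16-bit MPI
    body = (bytes([4, 0x00, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + bytes.fromhex("bce8") + mpi)
    # old-format header: 0x80 | (tag 2 << 2) | length type 1 (two octets) == 0x89
    return bytes([0x89]) + struct.pack(">H", len(body)) + body


def report(data):
    """One-line verdict in the style of gpg's packet dump."""
    info = parse_signature_packet(data)
    line = "signature packet: algo %d (%s), keyid %s, digest algo %d (%s)" % (
        info["pk_algo"], info["pk_algo_name"], info["keyid"], info["hash_algo"], info["hash_algo_name"])
    if info["weak"]:
        line += " -- rejected by debsig-verify >= 0.24 unless allow-weak-digest-algos is set"
    return line


if __name__ == "__main__":
    packet = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_signature()
    print(report(packet))
```

Run it with no arguments to parse the constructed sample, or pass the path of the signature member after extracting it with ar x msft-git.deb _gpgorigin. Keep in mind that allow-weak-digest-algos in /etc/gnupg/gpg.conf applies to every gpg invocation on the host, not just debsig-verify, so the narrow fix remains the one named in the comment above: the package being re-signed with a non-weak digest.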

alexanderilyin (Author) commented Nov 19, 2024

This did it for me:

sudo mkdir -pv /etc/gnupg/
echo "allow-weak-digest-algos" | sudo tee /etc/gnupg/gpg.conf

but I'm still having trouble registering scalar: #709
