
error "This key is not certified with a trusted signature!" despite fully trusted key
Closed, InvalidPublic

Description

I took these steps as a Debian admin:

  1. apt-key adv --recv-key 0x5145B9CD752C0197
  2. gpg --keyring /etc/apt/trusted.gpg --edit-key 0x5145B9CD752C0197 trust
  3. Selected full trust ("4")

Then ran:

gpg --verify --keyring /etc/apt/trusted.gpg <(curl -s http://wertarbyte.de/apt/Release.gpg) <(curl -s http://wertarbyte.de/apt/Release)

which resulted in:

gpg: Signature made Wed 25 May 2011 11:15:52 PM CEST
gpg:                using DSA key 5145B9CD752C0197
gpg: Good signature from "Wertarbyte.de (Software Signing Key) <kontakt@wertarbyte.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CC49 F74C 816C 499C 899A  4288 5145 B9CD 752C 0197

The warning shouldn't be there when the key is fully trusted. This has an additional side effect of causing false errors in the aptitude package manager:

W: GPG error: tor+http://wertarbyte.de/apt ./ Release: The following signatures were invalid: CC49F74C816C499C899A42885145B9CD752C0197
E: The repository 'tor+http://wertarbyte.de/apt ./ Release' is not signed.
E: Failed to download some files

This ultimately blocks installation of the package, thus the bug is somewhat severe.

Details

Version
2.1.18

Event Timeline

[It seems you are using a Debian version. Thus please report bugs to Debian - they have lots of patches over standard gpg.]

Without looking closely at your report I see that you are using gpg instead of gpgv - which would be the right tool for verification against a known list of valid keys.

gniibe added a subscriber: gniibe.

It seems that you are confusing gpgv with gpg, and the use of "trust".

The verification done by apt-key is by gpgv, not gpg.
Steps 2 and 3, which set "trust", have no effect on the validity of the key.
Please invoke the --edit-key command again to see the validity. It must still be "unknown".

If you want the same effect as gpgv, please supply the --trust-model=direct option to your invocation of gpg.

OK, I managed to replicate the failure of apt. Please note that it's not a failure of gpg.
So, your bug report is marked "Invalid" as a bug of gpg. Please understand that.

For the experiment, I put two lines to my /etc/apt/apt.conf:

Debug::Acquire::gpgv "true";
Debug::Hashes "true";

I got the debug output:

Read: [GNUPG:] NEWSIG 
Read: [GNUPG:] KEY_CONSIDERED CC49F74C816C499C899A42885145B9CD752C0197 0
Read: [GNUPG:] SIG_ID lZCwr0GtoTrWjdZlHJNvcTfutgs 2011-05-25 1306358152
Read: [GNUPG:] KEY_CONSIDERED CC49F74C816C499C899A42885145B9CD752C0197 0
Read: [GNUPG:] GOODSIG 5145B9CD752C0197 Wertarbyte.de (Software Signing Key) <kontakt@wertarbyte.de>
Got GOODSIG 5145B9CD752C0197 !
Read: [GNUPG:] VALIDSIG CC49F74C816C499C899A42885145B9CD752C0197 2011-05-25 1306358152 0 3 0 17 2 00 CC49F74C816C499C899A42885145B9CD752C0197
Got untrusted VALIDSIG, key ID: CC49F74C816C499C899A42885145B9CD752C0197
gpgv exited with status 0
Summary:
  Good: 
  Bad: 
  Worthless: CC49F74C816C499C899A42885145B9CD752C0197, 
  SoonWorthless: 
  NoPubKey: 
  NODATA: no

Apparently, gpg worked fine; it returned "GOODSIG" for the verification.

It is apt which treated the signature as "Got untrusted VALIDSIG, key ID: CC49F74C816C499C899A42885145B9CD752C0197".
I confirmed in the source code of apt-1.4.8/methods/gpgv.cc that apt treats the SHA1 digest used in the signature as "Untrusted".

And I found this entry in NEWS:

apt (1.4~beta1) unstable; urgency=medium

  Support for GPG signatures using the SHA1 or RIPE-MD/160 hash
  algorithms has been disabled. Repositories using Release files
  signed in such a way will stop working. This change has been made
  due to security considerations, especially with regards to possible
  further breakthroughs in SHA1 breaking during the lifetime
  of this APT release series.

  It is possible (but STRONGLY ADVISED AGAINST) to revert to the previous
  behaviour by setting the options
    APT::Hashes::SHA1::Weak "yes";
    APT::Hashes::RIPE-MD/160::Weak "yes";
  Note that setting these options only affects the verification of the overall
  repository signature.

 -- Julian Andres Klode <jak@debian.org>  Fri, 25 Nov 2016 13:19:32 +0100

Hope this helps.
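The decisive detail in the debug log above is the hash-algorithm field of the VALIDSIG status line (the "2" after the pubkey algorithm "17", i.e. SHA1 under a DSA key), which apt inspects independently of gpgv's exit status. The following is an added example, not code from apt or GnuPG: a small Python re-implementation of that classification, reading the status-fd lines exactly as apt's Debug::Acquire::gpgv output prints them. The VALIDSIG field positions follow GnuPG's doc/DETAILS and the algorithm IDs follow RFC 4880; the "Weak" override models the APT::Hashes::<name>::Weak options quoted from NEWS. The SHA1 sample is the log quoted above; the SHA256 sample is constructed for contrast, and the handling of BADSIG/NO_PUBKEY/NODATA is a simplification of apt's full logic.

```python
"""Classify gpgv --status-fd output the way apt 1.4 does (added example,
not apt's or GnuPG's own code)."""
from dataclasses import dataclass, field

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPE-MD/160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# OpenPGP public-key algorithm IDs (RFC 4880, section 9.1), for reporting only.
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
# Digests apt 1.4 refuses for the Release signature unless marked Weak "yes".
UNTRUSTED_HASHES = frozenset({"MD5", "SHA1", "RIPE-MD/160"})

# Status lines quoted from the thread's apt debug output (SHA1 signature).
SAMPLE_SHA1_LOG = """\
Read: [GNUPG:] NEWSIG
Read: [GNUPG:] KEY_CONSIDERED CC49F74C816C499C899A42885145B9CD752C0197 0
Read: [GNUPG:] SIG_ID lZCwr0GtoTrWjdZlHJNvcTfutgs 2011-05-25 1306358152
Read: [GNUPG:] KEY_CONSIDERED CC49F74C816C499C899A42885145B9CD752C0197 0
Read: [GNUPG:] GOODSIG 5145B9CD752C0197 Wertarbyte.de (Software Signing Key) <kontakt@wertarbyte.de>
Read: [GNUPG:] VALIDSIG CC49F74C816C499C899A42885145B9CD752C0197 2011-05-25 1306358152 0 3 0 17 2 00 CC49F74C816C499C899A42885145B9CD752C0197
"""

# Constructed sample: same shape, but hash algorithm 8 (SHA256). Fingerprint is made up.
SAMPLE_SHA256_LOG = """\
Read: [GNUPG:] NEWSIG
Read: [GNUPG:] GOODSIG 0123456789ABCDEF Example Signing Key <example@example.invalid>
Read: [GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2024-01-01 1704067200 0 4 0 1 8 00 0000000000000000000000000123456789ABCDEF
"""


@dataclass
class Summary:
    """Mirrors the Summary block apt prints in its gpgv debug output."""
    good: list = field(default_factory=list)
    bad: list = field(default_factory=list)
    worthless: list = field(default_factory=list)
    nopubkey: list = field(default_factory=list)
    nodata: bool = False


def status_fields(raw_line):
    """Return the whitespace-split fields of a status line, or None for other lines."""
    line = raw_line.strip()
    if line.startswith("Read: "):          # apt's debug prefix
        line = line[len("Read: "):]
    if not line.startswith("[GNUPG:] "):
        return None
    return line.split()


def validsig_info(fields):
    """Decode the VALIDSIG fields that matter here (positions per doc/DETAILS)."""
    # fields: [GNUPG:] VALIDSIG fpr date ts expire sigver reserved pkalgo hashalgo class primary
    return {
        "fingerprint": fields[2],
        "pubkey_algo": PUBKEY_ALGOS.get(int(fields[8]), "unknown(%s)" % fields[8]),
        "hash_algo": HASH_ALGOS.get(int(fields[9]), "unknown(%s)" % fields[9]),
        "primary_fpr": fields[11],
    }


def signature_hash(status_lines):
    """Name of the hash algorithm used by the first VALIDSIG, or None."""
    for raw in status_lines:
        fields = status_fields(raw)
        if fields and fields[1] == "VALIDSIG":
            return validsig_info(fields)["hash_algo"]
    return None


def classify(status_lines, weak_allowed=frozenset()):
    """Sort signatures into Good/Bad/Worthless/NoPubKey as apt does.

    weak_allowed holds digest names whose APT::Hashes::<name>::Weak is "yes".
    A GOODSIG alone is not enough: the VALIDSIG digest must not be untrusted.
    """
    s = Summary()
    for raw in status_lines:
        fields = status_fields(raw)
        if not fields:
            continue
        keyword = fields[1]
        if keyword == "VALIDSIG":
            info = validsig_info(fields)
            if info["hash_algo"] in UNTRUSTED_HASHES and info["hash_algo"] not in weak_allowed:
                s.worthless.append(info["fingerprint"])   # "Got untrusted VALIDSIG"
            else:
                s.good.append(info["fingerprint"])
        elif keyword == "BADSIG":
            s.bad.append(fields[2])
        elif keyword == "NO_PUBKEY":
            s.nopubkey.append(fields[2])
        elif keyword == "NODATA":
            s.nodata = True
    return s


if __name__ == "__main__":
    for name, log in (("SHA1 (from thread)", SAMPLE_SHA1_LOG), ("SHA256 (constructed)", SAMPLE_SHA256_LOG)):
        print(name, signature_hash(log.splitlines()), classify(log.splitlines()))
    print("SHA1 with APT::Hashes::SHA1::Weak yes:",
          classify(SAMPLE_SHA1_LOG.splitlines(), weak_allowed=frozenset({"SHA1"})))
```

Running it shows the thread's signature landing in "worthless" despite GOODSIG, moving to "good" only when SHA1 is explicitly marked weak-but-allowed, while the SHA256-signed sample is good without any override. The fix on the repository side is to re-sign Release with a modern digest (for example by setting digest-algo SHA256 or SHA512 in the signing key's gpg.conf), not to lower apt's bar.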