
Invalid signature on nut-2.8.2 (nut issue, 20 comments, closed)

atsampson commented on May 24, 2024
Invalid signature on nut-2.8.2

from nut.

Comments (20)

arjendekorte commented on May 24, 2024

> @arjendekorte @atsampson : Can you please re-check if https://networkupstools.org/source/2.8/nut-2.8.2.tar.gz.sig now fits https://networkupstools.org/source/2.8/nut-2.8.2.tar.gz for you per https://networkupstools.org/docs/user-manual.chunked/NUT_Security.html#verifySourceSig instructions, so this issue can be closed?
>
> PS: Hope to learn more about this before future release cycles :)

The new signature validates fine, so the problem is resolved.

atsampson commented on May 24, 2024

Yep, that validates fine for me now with GPG 2.2.17 and 2.4.5. The new signature uses SHA256/ed25519 like the 2.8.0 and 2.8.1 signatures, rather than SHA512/rsa4096 like the broken one. Thanks!

jimklimov commented on May 24, 2024

Thanks for the heads-up, I'll recheck which key carrier got used this time.

jimklimov commented on May 24, 2024

It seems the key chains were updated on nut-source-archive but did not get published to "production" repo which GH renders websites from.

To confirm: did your gpg import only see two keys from Arnaud Quette?

(Note: now it should see 3 keys, adding mine)

jimklimov commented on May 24, 2024

Cross-checking vs. older releases:

$ gpg --verify nut-2.8.1.tar.gz.sig
gpg: assuming signed data in 'nut-2.8.1.tar.gz'
gpg: Signature made 2023-10-31 23:30:24 +0100 CET
gpg:                using EDDSA key BFA06D7C653B64C11DFDAF0442061031267D11B1
gpg: Good signature from "Jim Klimov (Doing FOSS since last millennium) <[email protected]>" [unknown]
gpg:                 aka "Jim Klimov (Jenkins CI plugin contributor and maintainer) <[email protected]>" [unknown]
gpg:                 aka "Jim Klimov (Network UPS Tools maintainer) <[email protected]>" [unknown]
gpg:                 aka "Jim Klimov (Illumos-based OS collaborator) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B834 59F7 76B9 0224 988F  36C0 DE01 84DA 7043 DCF7
     Subkey fingerprint: BFA0 6D7C 653B 64C1 1DFD  AF04 4206 1031 267D 11B1

and

gpg --verify nut-2.8.0.tar.gz.sig
gpg: assuming signed data in 'nut-2.8.0.tar.gz'
gpg: Signature made 2023-06-01 00:10:16 +0200 CEST
gpg:                using EDDSA key BFA06D7C653B64C11DFDAF0442061031267D11B1
gpg: Good signature from "Jim Klimov (Doing FOSS since last millennium) <[email protected]>" [unknown]
gpg:                 aka "Jim Klimov (Jenkins CI plugin contributor and maintainer) <[email protected]>" [unknown]
gpg:                 aka "Jim Klimov (Network UPS Tools maintainer) <[email protected]>" [unknown]
gpg:                 aka "Jim Klimov (Illumos-based OS collaborator) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B834 59F7 76B9 0224 988F  36C0 DE01 84DA 7043 DCF7
     Subkey fingerprint: BFA0 6D7C 653B 64C1 1DFD  AF04 4206 1031 267D 11B1

but indeed, still

$ gpg --verify nut-2.8.2.tar.gz.sig
gpg: assuming signed data in 'nut-2.8.2.tar.gz'
gpg: Signature made 2024-04-02 03:25:26 +0200 CEST
gpg:                using RSA key C8F2DB717B416C4DDAB2ED9BFFA7A68295C8BA96
gpg: BAD signature from "Jim Klimov (Doing FOSS since last millennium) <[email protected]>" [unknown]

so probably got the wrong machine signing it.

jimklimov commented on May 24, 2024

Oddly, it seems the key factually used is a sub-key listed in the published chain. Maybe that way of import falters somehow.

It also seems I can't pick a way to sign with the main key itself - as the previous releases seem to have been done, although the sub keys were made early on (before the other 2.8.x sigs) :\

Gotta scratch my head some more about this a bit later...

jimklimov commented on May 24, 2024

:; gpg --list-packets < nut-key.gpg

# off=0 ctb=99 tag=6 hlen=3 plen=418
:public key packet:
        version 4, algo 17, created 1026746276, expires 0
        pkey[0]: [1024 bits]
        pkey[1]: [160 bits]
        pkey[2]: [1022 bits]
        pkey[3]: [1024 bits]
        keyid: DB6414CA204DDF1B
# off=421 ctb=b4 tag=13 hlen=2 plen=37
:user ID packet: "Arnaud Quette <[email protected]>"
# off=460 ctb=88 tag=2 hlen=2 plen=94
:signature packet: algo 17, keyid DB6414CA204DDF1B
        version 4, created 1127129449, md5len 0, sigclass 0x13
        digest algo 2, begin of digest e0 2c
        hashed subpkt 2 len 4 (sig created 2005-09-19)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
        hashed subpkt 21 len 2 (pref-hash-algos: 2 3)
        hashed subpkt 22 len 2 (pref-zip-algos: 2 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID DB6414CA204DDF1B)
        data: [155 bits]
        data: [160 bits]
# off=556 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid 3A936196C095D941
        version 4, created 1260809411, md5len 0, sigclass 0x10
        digest algo 10, begin of digest 15 94
        hashed subpkt 2 len 4 (sig created 2009-12-14)
        subpkt 16 len 8 (issuer key ID 3A936196C095D941)
        data: [4096 bits]
# off=1099 ctb=b4 tag=13 hlen=2 plen=34
:user ID packet: "Arnaud Quette <[email protected]>"
# off=1135 ctb=88 tag=2 hlen=2 plen=97
:signature packet: algo 17, keyid DB6414CA204DDF1B
        version 4, created 1178388895, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 9f 5f
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
        hashed subpkt 21 len 2 (pref-hash-algos: 2 3)
        hashed subpkt 22 len 2 (pref-zip-algos: 2 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        hashed subpkt 2 len 4 (sig created 2007-05-05)
        hashed subpkt 25 len 1 (primary user ID)
        subpkt 16 len 8 (issuer key ID DB6414CA204DDF1B)
        data: [159 bits]
        data: [157 bits]
# off=1234 ctb=88 tag=2 hlen=2 plen=94
:signature packet: algo 17, keyid DB6414CA204DDF1B
        version 4, created 1065988349, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 69 d1
        hashed subpkt 2 len 4 (sig created 2003-10-12)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
        hashed subpkt 21 len 2 (pref-hash-algos: 2 3)
        hashed subpkt 22 len 2 (pref-zip-algos: 2 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID DB6414CA204DDF1B)
        data: [156 bits]
        data: [160 bits]
# off=1330 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid 3A936196C095D941
        version 4, created 1260809411, md5len 0, sigclass 0x10
        digest algo 10, begin of digest c9 05
        hashed subpkt 2 len 4 (sig created 2009-12-14)
        subpkt 16 len 8 (issuer key ID 3A936196C095D941)
        data: [4095 bits]
# off=1873 ctb=b4 tag=13 hlen=2 plen=40
:user ID packet: "Arnaud Quette <[email protected]>"
# off=1915 ctb=88 tag=2 hlen=2 plen=95
:signature packet: algo 17, keyid DB6414CA204DDF1B
        version 4, created 1026833967, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 5c 5f
        hashed subpkt 2 len 4 (sig created 2002-07-16)
        hashed subpkt 11 len 4 (pref-sym-algos: 7 10 3 4)
        hashed subpkt 21 len 2 (pref-hash-algos: 3 2)
        hashed subpkt 22 len 2 (pref-zip-algos: 2 1)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID DB6414CA204DDF1B)
        subpkt 101 len 6 (experimental / private subpacket)
        data: [157 bits]
        data: [155 bits]
# off=2012 ctb=88 tag=2 hlen=2 plen=70
:signature packet: algo 17, keyid C26C97906D4FC66F
        version 4, created 1027106470, md5len 0, sigclass 0x10
        digest algo 2, begin of digest 5b ba
        hashed subpkt 2 len 4 (sig created 2002-07-19)
        subpkt 16 len 8 (issuer key ID C26C97906D4FC66F)
        data: [160 bits]
        data: [160 bits]
# off=2084 ctb=b4 tag=13 hlen=2 plen=37
:user ID packet: "Arnaud Quette <[email protected]>"
# off=2123 ctb=88 tag=2 hlen=2 plen=95
:signature packet: algo 17, keyid DB6414CA204DDF1B
        version 4, created 1026746277, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 5c 1e
        hashed subpkt 2 len 4 (sig created 2002-07-15)
        hashed subpkt 11 len 4 (pref-sym-algos: 7 10 3 4)
        hashed subpkt 21 len 2 (pref-hash-algos: 3 2)
        hashed subpkt 22 len 2 (pref-zip-algos: 2 1)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID DB6414CA204DDF1B)
        subpkt 101 len 6 (experimental / private subpacket)
        data: [160 bits]
        data: [160 bits]
# off=2220 ctb=88 tag=2 hlen=2 plen=70
:signature packet: algo 17, keyid C26C97906D4FC66F
        version 4, created 1027106464, md5len 0, sigclass 0x10
        digest algo 2, begin of digest 28 03
        hashed subpkt 2 len 4 (sig created 2002-07-19)
        subpkt 16 len 8 (issuer key ID C26C97906D4FC66F)
        data: [159 bits]
        data: [158 bits]
# off=2292 ctb=88 tag=2 hlen=2 plen=70
:signature packet: algo 17, keyid 07DC563D1F41B907
        version 4, created 1027685272, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 48 f5
        hashed subpkt 2 len 4 (sig created 2002-07-26)
        subpkt 16 len 8 (issuer key ID 07DC563D1F41B907)
        data: [159 bits]
        data: [159 bits]
# off=2364 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid 3A936196C095D941
        version 4, created 1260809411, md5len 0, sigclass 0x10
        digest algo 10, begin of digest 1c ec
        hashed subpkt 2 len 4 (sig created 2009-12-14)
        subpkt 16 len 8 (issuer key ID 3A936196C095D941)
        data: [4095 bits]
# off=2907 ctb=b4 tag=13 hlen=2 plen=38
:user ID packet: "Arnaud Quette <[email protected]>"
# off=2947 ctb=88 tag=2 hlen=2 plen=96
:signature packet: algo 17, keyid DB6414CA204DDF1B
        version 4, created 1221725232, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 97 e4
        hashed subpkt 2 len 4 (sig created 2008-09-18)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
        hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID DB6414CA204DDF1B)
        data: [156 bits]
        data: [158 bits]
# off=3045 ctb=b9 tag=14 hlen=3 plen=269
:public sub key packet:
        version 4, algo 16, created 1026746306, expires 0
        pkey[0]: [1024 bits]
        pkey[1]: [3 bits]
        pkey[2]: [1022 bits]
        keyid: C3293473D8B1B6B4
# off=3317 ctb=88 tag=2 hlen=2 plen=78
:signature packet: algo 17, keyid DB6414CA204DDF1B
        version 4, created 1026746306, md5len 0, sigclass 0x18
        digest algo 2, begin of digest ba 35
        hashed subpkt 2 len 4 (sig created 2002-07-15)
        subpkt 16 len 8 (issuer key ID DB6414CA204DDF1B)
        subpkt 101 len 6 (experimental / private subpacket)
        data: [156 bits]
        data: [160 bits]
# off=3397 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
        version 4, algo 1, created 1398154322, expires 0
        pkey[0]: [4096 bits]
        pkey[1]: [17 bits]
        keyid: ACC0E41055CA5976
# off=3925 ctb=b4 tag=13 hlen=2 plen=37
:user ID packet: "Arnaud Quette <[email protected]>"
# off=3964 ctb=89 tag=2 hlen=3 plen=567
:signature packet: algo 1, keyid ACC0E41055CA5976
        version 4, created 1401815492, md5len 0, sigclass 0x13
        digest algo 8, begin of digest 5a 79
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
        hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
        hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        hashed subpkt 2 len 4 (sig created 2014-06-03)
        subpkt 16 len 8 (issuer key ID ACC0E41055CA5976)
        data: [4096 bits]
# off=4534 ctb=88 tag=2 hlen=2 plen=70
:signature packet: algo 17, keyid DB6414CA204DDF1B
        version 4, created 1400691037, md5len 0, sigclass 0x10
        digest algo 8, begin of digest 13 90
        hashed subpkt 2 len 4 (sig created 2014-05-21)
        subpkt 16 len 8 (issuer key ID DB6414CA204DDF1B)
        data: [160 bits]
        data: [159 bits]
# off=4606 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid 5C808C2B65558117
        version 4, created 1400589939, md5len 0, sigclass 0x10
        digest algo 8, begin of digest af 4f
        hashed subpkt 2 len 4 (sig created 2014-05-20)
        subpkt 16 len 8 (issuer key ID 5C808C2B65558117)
        data: [4094 bits]
# off=5149 ctb=88 tag=2 hlen=2 plen=70
:signature packet: algo 17, keyid 4F1E0907AEBCE71F
        version 4, created 1401138708, md5len 0, sigclass 0x10
        digest algo 8, begin of digest df e5
        hashed subpkt 2 len 4 (sig created 2014-05-26)
        subpkt 16 len 8 (issuer key ID 4F1E0907AEBCE71F)
        data: [159 bits]
        data: [157 bits]
# off=5221 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid 6B982DEBBFE91C29
        version 4, created 1401138747, md5len 0, sigclass 0x10
        digest algo 8, begin of digest ad bb
        hashed subpkt 2 len 4 (sig created 2014-05-26)
        subpkt 16 len 8 (issuer key ID 6B982DEBBFE91C29)
        data: [4096 bits]
# off=5764 ctb=b4 tag=13 hlen=2 plen=34
:user ID packet: "Arnaud Quette <[email protected]>"
# off=5800 ctb=89 tag=2 hlen=3 plen=570
:signature packet: algo 1, keyid ACC0E41055CA5976
        version 4, created 1401815498, md5len 0, sigclass 0x13
        digest algo 8, begin of digest ca 64
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
        hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
        hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        hashed subpkt 2 len 4 (sig created 2014-06-03)
        hashed subpkt 25 len 1 (primary user ID)
        subpkt 16 len 8 (issuer key ID ACC0E41055CA5976)
        data: [4095 bits]
# off=6373 ctb=88 tag=2 hlen=2 plen=70
:signature packet: algo 17, keyid DB6414CA204DDF1B
        version 4, created 1400691037, md5len 0, sigclass 0x10
        digest algo 8, begin of digest 55 80
        hashed subpkt 2 len 4 (sig created 2014-05-21)
        subpkt 16 len 8 (issuer key ID DB6414CA204DDF1B)
        data: [160 bits]
        data: [156 bits]
# off=6445 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid 5C808C2B65558117
        version 4, created 1400589939, md5len 0, sigclass 0x10
        digest algo 8, begin of digest 65 05
        hashed subpkt 2 len 4 (sig created 2014-05-20)
        subpkt 16 len 8 (issuer key ID 5C808C2B65558117)
        data: [4096 bits]
# off=6988 ctb=88 tag=2 hlen=2 plen=70
:signature packet: algo 17, keyid 4F1E0907AEBCE71F
        version 4, created 1401138708, md5len 0, sigclass 0x10
        digest algo 8, begin of digest 2a db
        hashed subpkt 2 len 4 (sig created 2014-05-26)
        subpkt 16 len 8 (issuer key ID 4F1E0907AEBCE71F)
        data: [160 bits]
        data: [159 bits]
# off=7060 ctb=89 tag=2 hlen=3 plen=540
:signature packet: algo 1, keyid 6B982DEBBFE91C29
        version 4, created 1401138747, md5len 0, sigclass 0x10
        digest algo 8, begin of digest 69 5b
        hashed subpkt 2 len 4 (sig created 2014-05-26)
        subpkt 16 len 8 (issuer key ID 6B982DEBBFE91C29)
        data: [4094 bits]
# off=7603 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
        version 4, algo 1, created 1398154322, expires 0
        pkey[0]: [4096 bits]
        pkey[1]: [17 bits]
        keyid: 4C4CCFA0F3AA7FEA
# off=8131 ctb=89 tag=2 hlen=3 plen=543
:signature packet: algo 1, keyid ACC0E41055CA5976
        version 4, created 1398154322, md5len 0, sigclass 0x18
        digest algo 8, begin of digest 54 49
        hashed subpkt 2 len 4 (sig created 2014-04-22)
        hashed subpkt 27 len 1 (key flags: 0C)
        subpkt 16 len 8 (issuer key ID ACC0E41055CA5976)
        data: [4093 bits]
# off=8677 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
        version 4, algo 1, created 1398155050, expires 0
        pkey[0]: [4096 bits]
        pkey[1]: [17 bits]
        keyid: C53E98620E515A22
# off=9205 ctb=89 tag=2 hlen=3 plen=543
:signature packet: algo 1, keyid ACC0E41055CA5976
        version 4, created 1398155050, md5len 0, sigclass 0x18
        digest algo 8, begin of digest 98 d4
        hashed subpkt 2 len 4 (sig created 2014-04-22)
        hashed subpkt 27 len 1 (key flags: 0C)
        subpkt 16 len 8 (issuer key ID ACC0E41055CA5976)
        data: [4095 bits]
# off=9751 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
        version 4, algo 1, created 1685533521, expires 0
        pkey[0]: [4096 bits]
        pkey[1]: [17 bits]
        keyid: DE0184DA7043DCF7
# off=10279 ctb=b4 tag=13 hlen=2 plen=67
:user ID packet: "Jim Klimov (Doing FOSS since last millennium) <[email protected]>"
# off=10348 ctb=89 tag=2 hlen=3 plen=593
:signature packet: algo 1, keyid DE0184DA7043DCF7
        version 4, created 1686783269, md5len 0, sigclass 0x13
        digest algo 10, begin of digest 19 57
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
        hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        hashed subpkt 33 len 21 (issuer fpr v4 B83459F776B90224988F36C0DE0184DA7043DCF7)
        hashed subpkt 2 len 4 (sig created 2023-06-14)
        hashed subpkt 25 len 1 (primary user ID)
        subpkt 16 len 8 (issuer key ID DE0184DA7043DCF7)
        data: [4093 bits]
# off=10944 ctb=89 tag=2 hlen=3 plen=590
:signature packet: algo 1, keyid DE0184DA7043DCF7
        version 4, created 1685533521, md5len 0, sigclass 0x13
        digest algo 10, begin of digest 28 6d
        hashed subpkt 33 len 21 (issuer fpr v4 B83459F776B90224988F36C0DE0184DA7043DCF7)
        hashed subpkt 2 len 4 (sig created 2023-05-31)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
        hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID DE0184DA7043DCF7)
        data: [4094 bits]
# off=11537 ctb=b4 tag=13 hlen=2 plen=89
:user ID packet: "Jim Klimov (Jenkins CI plugin contributor and maintainer) <[email protected]>"
# off=11628 ctb=89 tag=2 hlen=3 plen=590
:signature packet: algo 1, keyid DE0184DA7043DCF7
        version 4, created 1686782739, md5len 0, sigclass 0x13
        digest algo 10, begin of digest fc d4
        hashed subpkt 33 len 21 (issuer fpr v4 B83459F776B90224988F36C0DE0184DA7043DCF7)
        hashed subpkt 2 len 4 (sig created 2023-06-14)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
        hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID DE0184DA7043DCF7)
        data: [4094 bits]
# off=12221 ctb=b4 tag=13 hlen=2 plen=67
:user ID packet: "Jim Klimov (Network UPS Tools maintainer) <[email protected]>"
# off=12290 ctb=89 tag=2 hlen=3 plen=590
:signature packet: algo 1, keyid DE0184DA7043DCF7
        version 4, created 1685629657, md5len 0, sigclass 0x13
        digest algo 10, begin of digest d7 14
        hashed subpkt 33 len 21 (issuer fpr v4 B83459F776B90224988F36C0DE0184DA7043DCF7)
        hashed subpkt 2 len 4 (sig created 2023-06-01)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
        hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID DE0184DA7043DCF7)
        data: [4096 bits]
# off=12883 ctb=b4 tag=13 hlen=2 plen=72
:user ID packet: "Jim Klimov (Illumos-based OS collaborator) <[email protected]>"
# off=12957 ctb=89 tag=2 hlen=3 plen=590
:signature packet: algo 1, keyid DE0184DA7043DCF7
        version 4, created 1685629701, md5len 0, sigclass 0x13
        digest algo 10, begin of digest 37 d8
        hashed subpkt 33 len 21 (issuer fpr v4 B83459F776B90224988F36C0DE0184DA7043DCF7)
        hashed subpkt 2 len 4 (sig created 2023-06-01)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
        hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (keyserver preferences: 80)
        subpkt 16 len 8 (issuer key ID DE0184DA7043DCF7)
        data: [4095 bits]
# off=13550 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
        version 4, algo 1, created 1685533521, expires 0
        pkey[0]: [4096 bits]
        pkey[1]: [17 bits]
        keyid: B016F4F8B235270C
# off=14078 ctb=89 tag=2 hlen=3 plen=566
:signature packet: algo 1, keyid DE0184DA7043DCF7
        version 4, created 1685533521, md5len 0, sigclass 0x18
        digest algo 10, begin of digest 0a 38
        hashed subpkt 33 len 21 (issuer fpr v4 B83459F776B90224988F36C0DE0184DA7043DCF7)
        hashed subpkt 2 len 4 (sig created 2023-05-31)
        hashed subpkt 27 len 1 (key flags: 0C)
        subpkt 16 len 8 (issuer key ID DE0184DA7043DCF7)
        data: [4095 bits]
# off=14647 ctb=b8 tag=14 hlen=2 plen=51
:public sub key packet:
        version 4, algo 22, created 1685534539, expires 0
        pkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1)
        pkey[1]: [263 bits]
        keyid: 5484E1C503BCDC6E
# off=14700 ctb=89 tag=2 hlen=3 plen=685
:signature packet: algo 1, keyid DE0184DA7043DCF7
        version 4, created 1685534539, md5len 0, sigclass 0x18
        digest algo 10, begin of digest e4 e7
        hashed subpkt 33 len 21 (issuer fpr v4 B83459F776B90224988F36C0DE0184DA7043DCF7)
        hashed subpkt 2 len 4 (sig created 2023-05-31)
        hashed subpkt 27 len 1 (key flags: 02)
        subpkt 16 len 8 (issuer key ID DE0184DA7043DCF7)
        subpkt 32 len 117 (signature: v4, class 0x19, algo 22, digest algo 8)
        data: [4091 bits]
# off=15388 ctb=b8 tag=14 hlen=2 plen=51
:public sub key packet:
        version 4, algo 22, created 1685534626, expires 0
        pkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1)
        pkey[1]: [263 bits]
        keyid: 42061031267D11B1
# off=15441 ctb=89 tag=2 hlen=3 plen=685
:signature packet: algo 1, keyid DE0184DA7043DCF7
        version 4, created 1685534626, md5len 0, sigclass 0x18
        digest algo 10, begin of digest af 31
        hashed subpkt 33 len 21 (issuer fpr v4 B83459F776B90224988F36C0DE0184DA7043DCF7)
        hashed subpkt 2 len 4 (sig created 2023-05-31)
        hashed subpkt 27 len 1 (key flags: 02)
        subpkt 16 len 8 (issuer key ID DE0184DA7043DCF7)
        subpkt 32 len 117 (signature: v4, class 0x19, algo 22, digest algo 8)
        data: [4095 bits]
# off=16129 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
        version 4, algo 1, created 1685535949, expires 0
        pkey[0]: [4096 bits]
        pkey[1]: [17 bits]
        keyid: D91C7D29DFE743BD
# off=16657 ctb=89 tag=2 hlen=3 plen=1132
:signature packet: algo 1, keyid DE0184DA7043DCF7
        version 4, created 1685535949, md5len 0, sigclass 0x18
        digest algo 10, begin of digest 1d 75
        hashed subpkt 33 len 21 (issuer fpr v4 B83459F776B90224988F36C0DE0184DA7043DCF7)
        hashed subpkt 2 len 4 (sig created 2023-05-31)
        hashed subpkt 27 len 1 (key flags: 02)
        subpkt 16 len 8 (issuer key ID DE0184DA7043DCF7)
        subpkt 32 len 563 (signature: v4, class 0x19, algo 1, digest algo 10)
        data: [4094 bits]
# off=17792 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
        version 4, algo 1, created 1685536245, expires 0
        pkey[0]: [4096 bits]
        pkey[1]: [17 bits]
        keyid: FFA7A68295C8BA96
# off=18320 ctb=89 tag=2 hlen=3 plen=1132
:signature packet: algo 1, keyid DE0184DA7043DCF7
        version 4, created 1685536245, md5len 0, sigclass 0x18
        digest algo 10, begin of digest cc 99
        hashed subpkt 33 len 21 (issuer fpr v4 B83459F776B90224988F36C0DE0184DA7043DCF7)
        hashed subpkt 2 len 4 (sig created 2023-05-31)
        hashed subpkt 27 len 1 (key flags: 02)
        subpkt 16 len 8 (issuer key ID DE0184DA7043DCF7)
        subpkt 32 len 563 (signature: v4, class 0x19, algo 1, digest algo 10)
        data: [4093 bits]
# Trying to make it use main key - no banana :
:; gpg -s -u 0xDE0184DA7043DCF7 --default-key 0xDE0184DA7043DCF7 -bv nut-2.8.2.tar.gz

gpg: using subkey FFA7A68295C8BA96 instead of primary key DE0184DA7043DCF7
File 'nut-2.8.2.tar.gz.sig' exists. Overwrite? (y/N) y
gpg: writing to 'nut-2.8.2.tar.gz.sig'
gpg: RSA/SHA512 signature from: "FFA7A68295C8BA96 Jim Klimov (Doing FOSS since last millennium) <[email protected]>"
:; gpg --verify *sig
gpg: assuming signed data in 'nut-2.8.2.tar.gz'
gpg: Signature made Thu Apr  4 02:48:29 2024 CEST
gpg:                using RSA key C8F2DB717B416C4DDAB2ED9BFFA7A68295C8BA96
gpg: Good signature from "Jim Klimov (Doing FOSS since last millennium) <[email protected]>" [ultimate]
gpg:                 aka "Jim Klimov (Jenkins CI plugin contributor and maintainer) <[email protected]>" [ultimate]
gpg:                 aka "Jim Klimov (Network UPS Tools maintainer) <[email protected]>" [ultimate]
gpg:                 aka "Jim Klimov (Illumos-based OS collaborator) <[email protected]>" [ultimate]

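
Reading a dump like the one above by eye is error-prone, so here is an added example (my code, not NUT project code) that parses `gpg --list-packets` output into primary keys and their subkeys with key-usage flags, and resolves a signing fingerprint such as C8F2DB717B416C4DDAB2ED9BFFA7A68295C8BA96 to the primary key it hangs off. Its SAMPLE is abridged from the nut-key.gpg dump in this comment; the parser takes the key flags from the first self-signature or binding signature it sees for each key.

```python
"""Summarise a `gpg --list-packets` dump: which primary keys a keyring file holds,
which subkeys hang off each one, and what each key is allowed to do.
Added example, not part of the NUT project. SAMPLE is abridged from the
nut-key.gpg dump in this thread (offsets and most signature packets dropped).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALGO_NAMES = {1: "rsa", 16: "elgamal", 17: "dsa", 22: "eddsa"}
# RFC 4880 key-flags bits, as gpg prints them in "hashed subpkt 27 ... (key flags: XX)".
KEY_FLAG_BITS = [(0x01, "certify"), (0x02, "sign"), (0x04, "encrypt-comms"),
                 (0x08, "encrypt-storage"), (0x20, "auth")]

@dataclass
class Key:
    keyid: str = ""
    algo: int = 0
    flags: Optional[int] = None            # from the first self/binding signature seen
    subkeys: List["Key"] = field(default_factory=list)

def parse_list_packets(text: str) -> List[Key]:
    """Walk the dump line by line; packet header lines start with ':'."""
    primaries: List[Key] = []
    current: Optional[Key] = None   # key or subkey whose packets we are inside
    packet = None                   # "key", "subkey", "sig" or None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):    # "# off=..." lines carry no key data
            continue
        if line.startswith(":public key packet:"):
            current, packet = Key(), "key"
            primaries.append(current)
        elif line.startswith(":public sub key packet:"):
            current, packet = Key(), "subkey"
            primaries[-1].subkeys.append(current)
        elif line.startswith(":"):
            packet = "sig" if line.startswith(":signature packet:") else None
        elif packet in ("key", "subkey") and current is not None:
            m = re.match(r"version \d+, algo (\d+)", line)
            if m:
                current.algo = int(m.group(1))
            m = re.match(r"keyid: ([0-9A-F]{16})$", line)
            if m:
                current.keyid = m.group(1)
        elif packet == "sig" and current is not None and current.flags is None:
            m = re.match(r"hashed subpkt 27 len 1 \(key flags: ([0-9A-Fa-f]+)\)", line)
            if m:
                current.flags = int(m.group(1), 16)
    return primaries

def describe_flags(flags: Optional[int]) -> List[str]:
    return [name for bit, name in KEY_FLAG_BITS if flags is not None and flags & bit]

def owner_of(primaries: List[Key], keyid_or_fpr: str) -> Optional[Tuple[Key, Key]]:
    """Find a key by long key ID or full fingerprint (the long ID is the last
    16 hex digits of the fingerprint); returns (primary, matched key)."""
    wanted = keyid_or_fpr.replace(" ", "").upper()[-16:]
    for prim in primaries:
        for key in [prim] + prim.subkeys:
            if key.keyid == wanted:
                return prim, key
    return None

# Abridged from the nut-key.gpg dump in this thread: two primary keys, two subkeys.
SAMPLE = """\
:public key packet:
        version 4, algo 17, created 1026746276, expires 0
        keyid: DB6414CA204DDF1B
:user ID packet: "Arnaud Quette <[email protected]>"
:signature packet: algo 17, keyid DB6414CA204DDF1B
        version 4, created 1127129449, md5len 0, sigclass 0x13
        hashed subpkt 27 len 1 (key flags: 03)
:public key packet:
        version 4, algo 1, created 1685533521, expires 0
        keyid: DE0184DA7043DCF7
:user ID packet: "Jim Klimov (Network UPS Tools maintainer) <[email protected]>"
:signature packet: algo 1, keyid DE0184DA7043DCF7
        version 4, created 1685629657, md5len 0, sigclass 0x13
        hashed subpkt 27 len 1 (key flags: 03)
:public sub key packet:
        version 4, algo 22, created 1685534626, expires 0
        keyid: 42061031267D11B1
:signature packet: algo 1, keyid DE0184DA7043DCF7
        version 4, created 1685534626, md5len 0, sigclass 0x18
        hashed subpkt 27 len 1 (key flags: 02)
:public sub key packet:
        version 4, algo 1, created 1685536245, expires 0
        keyid: FFA7A68295C8BA96
:signature packet: algo 1, keyid DE0184DA7043DCF7
        version 4, created 1685536245, md5len 0, sigclass 0x18
        hashed subpkt 27 len 1 (key flags: 02)
"""

if __name__ == "__main__":
    ring = parse_list_packets(SAMPLE)
    found = owner_of(ring, "C8F2DB717B416C4DDAB2ED9BFFA7A68295C8BA96")
    print(found and (found[0].keyid, found[1].keyid, describe_flags(found[1].flags)))
```

Run on the full dump (`gpg --list-packets < nut-key.gpg | python3 -c '...'` or by reading the file), it answers both questions from this thread: how many primary keys the published keyring carries, and whether the RSA subkey that signed 2.8.2 is bound to the maintainer's primary key with the sign flag.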

jimklimov commented on May 24, 2024

Note the short keyids are tails of the long, so FFA7A68295C8BA96 is C8F2DB717B416C4DDAB2ED9BFFA7A68295C8BA96.

arjendekorte commented on May 24, 2024

Where can I find the new signature file?

jimklimov commented on May 24, 2024

Long time, no see, hi! It is in github release artifacts and on nut website download section.

arjendekorte commented on May 24, 2024

In that case, I'm probably looking in the wrong location. In https://github.com/networkupstools/nut/releases I still see the (wrong) signature from three days ago. Is it located elsewhere?

jimklimov commented on May 24, 2024

Ah, you mean the very new one, per "screenshots" above? It was not published yet, as it used the same subkey and so did not fix the apparent issue. Maybe I should focus on documenting some way to get subkeys trusted - they are mentioned in the (published) nut-key gpg chain anyhow, rather than finding a way to re-sign with master key.

On the road this week though, so it can take some time to materialize.

atsampson commented on May 24, 2024

Looking more carefully at the output above, I think I misdiagnosed the problem originally - sorry! Signing with the subkey should work - 2.8.0 and 2.8.1 used a subkey and those verify fine:

$ gpg -vv --always-trust --verify nut-2.8.1.tar.gz.sig 
# off=0 ctb=88 tag=2 hlen=2 plen=117
:signature packet: algo 22, keyid 42061031267D11B1
	version 4, created 1698791424, md5len 0, sigclass 0x00
	digest algo 8, begin of digest 46 d9
	hashed subpkt 33 len 21 (issuer fpr v4 BFA06D7C653B64C11DFDAF0442061031267D11B1)
	hashed subpkt 2 len 4 (sig created 2023-10-31)
	subpkt 16 len 8 (issuer key ID 42061031267D11B1)
	data: [254 bits]
	data: [255 bits]
gpg: assuming signed data in 'nut-2.8.1.tar.gz'
gpg: Signature made Tue 31 Oct 2023 22:30:24 GMT
gpg:                using EDDSA key BFA06D7C653B64C11DFDAF0442061031267D11B1
gpg: using subkey 42061031267D11B1 instead of primary key DE0184DA7043DCF7
gpg: using subkey 42061031267D11B1 instead of primary key DE0184DA7043DCF7
gpg: Good signature from "Jim Klimov (Doing FOSS since last millennium) <[email protected]>" [unknown]
gpg:                 aka "Jim Klimov (Jenkins CI plugin contributor and maintainer) <[email protected]>" [unknown]
gpg:                 aka "Jim Klimov (Network UPS Tools maintainer) <[email protected]>" [unknown]
gpg:                 aka "Jim Klimov (Illumos-based OS collaborator) <[email protected]>" [unknown]
gpg: using subkey 42061031267D11B1 instead of primary key DE0184DA7043DCF7
gpg: WARNING: Using untrusted key!
gpg: binary signature, digest algorithm SHA256, key algorithm ed25519

But there's something about the 2.8.2 signature that GPG doesn't like (I tried Debian's GPG 2.2.27 and GPG 2.4.5 built from source):

$ gpg -vv --always-trust --verify nut-2.8.2.tar.gz.sig 
# off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid FFA7A68295C8BA96
	version 4, created 1712021126, md5len 0, sigclass 0x00
	digest algo 10, begin of digest cd 97
	hashed subpkt 33 len 21 (issuer fpr v4 C8F2DB717B416C4DDAB2ED9BFFA7A68295C8BA96)
	hashed subpkt 2 len 4 (sig created 2024-04-02)
	subpkt 16 len 8 (issuer key ID FFA7A68295C8BA96)
	data: [4095 bits]
gpg: assuming signed data in 'nut-2.8.2.tar.gz'
gpg: Signature made Tue 02 Apr 2024 02:25:26 BST
gpg:                using RSA key C8F2DB717B416C4DDAB2ED9BFFA7A68295C8BA96
gpg: using subkey FFA7A68295C8BA96 instead of primary key DE0184DA7043DCF7
gpg: using subkey FFA7A68295C8BA96 instead of primary key DE0184DA7043DCF7
gpg: BAD signature from "Jim Klimov (Doing FOSS since last millennium) <[email protected]>" [unknown]
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096

Note the "BAD signature" there, which you also got when you tried to verify it. When you regenerated the sig file with the same subkey and algorithms, you got "Good signature" instead...

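
The outputs above mix three things a release-verification script must keep apart: whether the signature is cryptographically good, which (sub)key made it, and the web-of-trust state of that key (the "[unknown]" and "Using untrusted key" warnings). As an added example that is not NUT's documented procedure, the following Python applies a single policy: accept only a good signature whose VALIDSIG status line names the maintainer's pinned primary fingerprint, so both the ed25519 and the RSA subkeys in this thread qualify without any key certification. The status transcripts in the block are constructed from the fingerprints quoted in this thread, not captured gpg output, and `verify_file` assumes a `gpg` binary in PATH.

```python
"""Accept a detached OpenPGP signature only if it was made under a pinned
primary key, regardless of the local keyring's web-of-trust state.

Added example, not NUT project code. It reads the machine-readable lines that
`gpg --status-fd 1 --verify` prints (format per GnuPG's doc/DETAILS). The two
status transcripts below are constructed from the fingerprints and key IDs
quoted in this thread; they are not captured gpg output.
"""
import os
import subprocess
from dataclasses import dataclass
from typing import Optional

# "Primary key fingerprint" that gpg printed for the maintainer key in this thread.
NUT_PRIMARY_FPR = "B83459F776B90224988F36C0DE0184DA7043DCF7"
PK_ALGO = {1: "rsa", 17: "dsa", 22: "eddsa"}
HASH_ALGO = {2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512"}

@dataclass
class Verdict:
    ok: bool
    reason: str
    signing_fpr: str = ""   # key that actually signed (may be a subkey)
    primary_fpr: str = ""   # primary key that the signing key belongs to
    algo: str = ""          # e.g. "eddsa/sha256"

def evaluate_status(status_text: str, pinned_primary: str = NUT_PRIMARY_FPR) -> Verdict:
    """Policy: exactly one VALIDSIG, no failure lines, and the pinned primary key."""
    pinned = pinned_primary.replace(" ", "").upper()
    goodsig_keyid: Optional[str] = None
    validsig: Optional[list] = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        kind = fields[1]
        if kind in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return Verdict(False, f"{kind} for key {fields[2]}")
        if kind == "GOODSIG":
            goodsig_keyid = fields[2].upper()
        elif kind == "VALIDSIG":
            if validsig is not None:
                return Verdict(False, "more than one signature in file")
            validsig = fields[2:]
    if validsig is None or goodsig_keyid is None:
        return Verdict(False, "no valid signature found")
    # VALIDSIG: fpr date ts expire ver reserved pk-algo hash-algo class [primary-fpr]
    signing_fpr = validsig[0].upper()
    primary_fpr = validsig[9].upper() if len(validsig) > 9 else signing_fpr
    algo = f"{PK_ALGO.get(int(validsig[6]), validsig[6])}/{HASH_ALGO.get(int(validsig[7]), validsig[7])}"
    # A long key ID is the tail of the fingerprint, so GOODSIG and VALIDSIG must agree.
    if signing_fpr[-16:] != goodsig_keyid:
        return Verdict(False, "GOODSIG key ID does not match VALIDSIG fingerprint")
    if primary_fpr != pinned:
        return Verdict(False, f"signed under primary {primary_fpr}, not the pinned key",
                       signing_fpr, primary_fpr, algo)
    return Verdict(True, "signature by the pinned primary key or one of its subkeys",
                   signing_fpr, primary_fpr, algo)

def verify_file(sig_path: str, data_path: str, gnupghome: Optional[str] = None,
                pinned_primary: str = NUT_PRIMARY_FPR) -> Verdict:
    """Run gpg non-interactively and apply the policy to its status output."""
    env = dict(os.environ)
    if gnupghome:
        env["GNUPGHOME"] = gnupghome   # e.g. a throwaway keyring holding only nut-key.gpg
    cmd = ["gpg", "--batch", "--no-tty", "--status-fd", "1", "--verify", sig_path, data_path]
    proc = subprocess.run(cmd, capture_output=True, text=True, env=env)
    return evaluate_status(proc.stdout, pinned_primary)

# Constructed: what gpg reports for the 2.8.1 signature (ed25519 subkey, uncertified key).
STATUS_GOOD_SUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED B83459F776B90224988F36C0DE0184DA7043DCF7 0
[GNUPG:] GOODSIG 42061031267D11B1 Jim Klimov (Network UPS Tools maintainer) <[email protected]>
[GNUPG:] VALIDSIG BFA06D7C653B64C11DFDAF0442061031267D11B1 2023-10-31 1698791424 0 4 0 22 8 00 B83459F776B90224988F36C0DE0184DA7043DCF7
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Constructed: the originally published 2.8.2 signature (RSA subkey, BAD signature).
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED B83459F776B90224988F36C0DE0184DA7043DCF7 0
[GNUPG:] BADSIG FFA7A68295C8BA96 Jim Klimov (Doing FOSS since last millennium) <[email protected]>
"""

if __name__ == "__main__":
    for name, text in (("2.8.1", STATUS_GOOD_SUBKEY), ("2.8.2 (original)", STATUS_BAD)):
        v = evaluate_status(text)
        print(f"{name}: ok={v.ok} algo={v.algo or '-'} {v.reason}")
```

Because the decision rests on the primary fingerprint rather than on trust levels, the result is the same on a clean `--fetch-keys` keyring and on a workstation that already holds the keys, which is the difference the thread ran into.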

jimklimov commented on May 24, 2024

Ha, thanks for the re-check. My rough criterion was that the older signatures were 120 or so bytes long, and 2.8.2's keeps being 560 or so - thus the rough feeling was that it is still not what we wanted.

It may be that the bad/good detection differs on my computers/containers that only did the gpg --fetch-keys ... into a clean slate as per NUT docs, vs. those that actually have the keys locally and/or imported them back from the internet key shares I uploaded to a year ago or so.

jimklimov commented on May 24, 2024

Updated in nut-source-archive, rendered website, and github release artifacts.

jimklimov commented on May 24, 2024

On a clean system that had only the maintainer keyring imported (per docs), the newly posted signature file passes the checks:

~/tmp $ gpg --verify nut-2.8.2.tar.gz.sig
gpg: assuming signed data in 'nut-2.8.2.tar.gz'
gpg: Signature made 2024-04-01 22:20:21 +0200 CEST
gpg:                using EDDSA key BFA06D7C653B64C11DFDAF0442061031267D11B1
gpg: Good signature from "Jim Klimov (Doing FOSS since last millennium) <[email protected]>" [unknown]
gpg:                 aka "Jim Klimov (Jenkins CI plugin contributor and maintainer) <[email protected]>" [unknown]
gpg:                 aka "Jim Klimov (Network UPS Tools maintainer) <[email protected]>" [unknown]
gpg:                 aka "Jim Klimov (Illumos-based OS collaborator) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B834 59F7 76B9 0224 988F  36C0 DE01 84DA 7043 DCF7
     Subkey fingerprint: BFA0 6D7C 653B 64C1 1DFD  AF04 4206 1031 267D 11B1

(date fixed thanks to libfaketime)

from nut.

jimklimov avatar jimklimov commented on May 24, 2024

Not quite sure what differed on this workstation - it also has a subkey of its own and used it:

LD_PRELOAD=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1 FAKETIME="-5d" gpg -svb nut-2.8.2.tar.gz
gpg: using pgp trust model
gpg: using subkey 42061031267D11B1 instead of primary key DE0184DA7043DCF7
gpg: writing to 'nut-2.8.2.tar.gz.sig'
gpg: EDDSA/SHA256 signature from: "42061031267D11B1 Jim Klimov (Doing FOSS since last millennium) <[email protected]>"

The ring is generally similar to all other workstations:

gpg -K
/home/jim/.gnupg/pubring.kbx
----------------------------
sec#  rsa4096 2023-05-31 [SC]
      B83459F776B90224988F36C0DE0184DA7043DCF7
uid           [ unknown] Jim Klimov (Doing FOSS since last millennium) <[email protected]>
uid           [ unknown] Jim Klimov (Jenkins CI plugin contributor and maintainer) <[email protected]>
uid           [ unknown] Jim Klimov (Network UPS Tools maintainer) <[email protected]>
uid           [ unknown] Jim Klimov (Illumos-based OS collaborator) <[email protected]>
ssb#  rsa4096 2023-05-31 [S]
ssb#  rsa4096 2023-05-31 [S]
ssb#  rsa4096 2023-05-31 [E]
ssb#  ed25519 2023-05-31 [S]
ssb   ed25519 2023-05-31 [S]

But for whatever reason, the file generated here was 119 bytes like for earlier releases (perhaps reflecting the RSA vs. EDDSA key difference).

FWIW, gpg seems the same on both boxes:

:; gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4

MAYBE the issue is that the initially used system has more private keys and this one just its own (note the ssb vs ssb#), which happens to be liked? But otherwise, the set of known keys is the same and should have been conveyed by the keyring...

from nut.

jimklimov avatar jimklimov commented on May 24, 2024

@arjendekorte @atsampson : Can you please re-check if https://networkupstools.org/source/2.8/nut-2.8.2.tar.gz.sig now fits https://networkupstools.org/source/2.8/nut-2.8.2.tar.gz and https://networkupstools.org/source/nut-key.gpg for you, per https://networkupstools.org/docs/user-manual.chunked/NUT_Security.html#verifySourceSig instructions, so this issue can be closed?

PS: Hope to learn more about this before future release cycles :)

from nut.

jimklimov avatar jimklimov commented on May 24, 2024

@arjendekorte : while our paths have crossed, would you mind adding your older e-mail to github known aliases for your account, so that early NUT commits are properly attributed, please? :)

As a random example, see e.g. 390da12

And how come you don't have a nut repo fork? :)

from nut.

jimklimov avatar jimklimov commented on May 24, 2024

Huh, so one trick to force use of the desired key is to suffix it with !
And to look up the IDs (not shown by default in current versions), colons are the way: gpg --list-secret-keys --with-colons | grep ssb

  • How gpg ignores the requested ID:
:; gpg -sv -u '0x5484E1C503BCDC6E' -b nut-2.8.2.tar.gz
gpg: using subkey FFA7A68295C8BA96 instead of primary key DE0184DA7043DCF7
...
  • How it finally does what it's yelled to do:
:; gpg -sv -u '0x5484E1C503BCDC6E!' -b nut-2.8.2.tar.gz
gpg: using subkey 5484E1C503BCDC6E instead of primary key DE0184DA7043DCF7
...

from nut.
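Two things in this thread are worth automating on the verifying side: reading the colon-format listing to find which signing subkeys (and which stubs, the `ssb#` rows) a box actually has, and not stopping at gpg's "Good signature" line, since with an uncertified key gpg prints that for any key in the keyring and only the VALIDSIG status record carries the fingerprints. The helper below is an added example, not NUT project code or anything from the thread; it parses `gpg --list-secret-keys --with-colons` and `gpg --status-fd 1 --verify nut-2.8.2.tar.gz.sig nut-2.8.2.tar.gz` output and pins the primary key fingerprint quoted in the thread. The listing and status lines embedded here are constructed from the key IDs and timestamps shown above (the encryption subkey's ID is not on the page and is left out), and the field positions follow GnuPG's documented colon format; run it against real gpg output on your own machine to get live answers.

```python
"""Interpret GnuPG machine-readable output when verifying a NUT source tarball.

Added example (not part of the NUT project or this issue thread): parses the
colon-format secret key listing and the --status-fd output of a detached
signature check, and accepts a signature only if it chains to a pinned
primary key fingerprint.  Sample inputs below are constructed from the
identifiers quoted in the thread.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OpenPGP public-key algorithm IDs as gpg prints them in colon field 4.
ALGO_NAMES = {"1": "rsa", "17": "dsa", "18": "ecdh", "19": "ecdsa", "22": "eddsa"}

# Primary key fingerprint as printed by gpg in the thread (spaces are ignored).
NUT_PRIMARY_FPR = "B834 59F7 76B9 0224 988F  36C0 DE01 84DA 7043 DCF7"


@dataclass
class SubKey:
    keyid: str            # long key ID, e.g. 42061031267D11B1
    fingerprint: str      # from the "fpr" record that follows the "ssb" record
    algo: str             # rsa, eddsa, ...
    bits: str             # key length, field 3 (256 for ed25519)
    capabilities: str     # field 12, "s" for a signing subkey
    secret_present: bool  # False for "ssb#" stubs whose secret lives elsewhere


def parse_secret_subkeys(colon_output: str) -> List[SubKey]:
    """Parse `gpg --list-secret-keys --with-colons` and return its subkeys.

    Field 15 of an ssb record is '#' when only a stub of the secret key is
    present (what `gpg -K` renders as 'ssb#'); the fpr record right after an
    ssb record carries that subkey's fingerprint in field 10.
    """
    keys: List[SubKey] = []
    pending: Optional[SubKey] = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "ssb":
            is_stub = len(f) > 14 and f[14] == "#"
            pending = SubKey(keyid=f[4], fingerprint="", algo=ALGO_NAMES.get(f[3], f[3]),
                             bits=f[2], capabilities=f[11], secret_present=not is_stub)
            keys.append(pending)
        elif f[0] == "fpr" and pending is not None:
            pending.fingerprint = f[9]
            pending = None
        elif f[0] in ("sec", "pub"):
            pending = None
    return keys


def usable_signing_subkeys(keys: List[SubKey]) -> List[SubKey]:
    """Subkeys this machine can really sign with: 's' capability and secret present."""
    return [k for k in keys if "s" in k.capabilities and k.secret_present]


def check_detached_signature(status_output: str, pinned_primary_fpr: str) -> Tuple[bool, str]:
    """Decide from `gpg --status-fd 1 --verify sig file` output whether to trust the tarball.

    Only VALIDSIG carries fingerprints; its last field is the primary key the
    signing subkey belongs to, which is compared with the pinned value.
    """
    pinned = pinned_primary_fpr.replace(" ", "").upper()
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        kw = fields[1]
        if kw in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False, f"{kw} for key {fields[2] if len(fields) > 2 else '?'}"
        if kw == "VALIDSIG":
            sig_fpr, primary_fpr = fields[2], fields[-1]
            if primary_fpr.upper() != pinned:
                return False, f"subkey {sig_fpr[-16:]} belongs to unexpected primary key {primary_fpr}"
            return True, f"subkey {sig_fpr[-16:]} of pinned primary key {primary_fpr}"
    return False, "no VALIDSIG record in gpg status output"


# Constructed sample of `gpg --list-secret-keys --with-colons`, mirroring the
# `gpg -K` listing in the thread: RSA primary, two RSA signing stubs, one
# ed25519 signing subkey whose secret part is on this machine.
SAMPLE_COLON_LISTING = """\
sec:-:4096:1:DE0184DA7043DCF7:1685491200:::-:::scSC:::#:::23::0:
fpr:::::::::B83459F776B90224988F36C0DE0184DA7043DCF7:
uid:-::::1685491200::::Jim Klimov (Network UPS Tools maintainer) <[email protected]>::::::::::0:
ssb:-:4096:1:FFA7A68295C8BA96:1685491200:::-:::s:::#:::23:
fpr:::::::::C8F2DB717B416C4DDAB2ED9BFFA7A68295C8BA96:
ssb:-:4096:1:5484E1C503BCDC6E:1685491200:::-:::s:::#:::23:
ssb:-:256:22:42061031267D11B1:1685491200:::-:::s:::+::ed25519:
fpr:::::::::BFA06D7C653B64C11DFDAF0442061031267D11B1:
"""

# Constructed --status-fd output for the reposted (good) and the original (bad)
# nut-2.8.2.tar.gz.sig; timestamps match the dates gpg printed in the thread.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED B83459F776B90224988F36C0DE0184DA7043DCF7 0
[GNUPG:] GOODSIG 42061031267D11B1 Jim Klimov (Doing FOSS since last millennium) <[email protected]>
[GNUPG:] VALIDSIG BFA06D7C653B64C11DFDAF0442061031267D11B1 2024-04-01 1712002821 0 4 0 22 8 00 B83459F776B90224988F36C0DE0184DA7043DCF7
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED B83459F776B90224988F36C0DE0184DA7043DCF7 0
[GNUPG:] BADSIG FFA7A68295C8BA96 Jim Klimov (Doing FOSS since last millennium) <[email protected]>
"""

if __name__ == "__main__":
    for k in parse_secret_subkeys(SAMPLE_COLON_LISTING):
        print(k.keyid, k.algo, k.bits, k.capabilities, "stub" if not k.secret_present else "local")
    print("usable:", [k.keyid for k in usable_signing_subkeys(parse_secret_subkeys(SAMPLE_COLON_LISTING))])
    print(check_detached_signature(GOOD_STATUS, NUT_PRIMARY_FPR))
    print(check_detached_signature(BAD_STATUS, NUT_PRIMARY_FPR))
```

Feed it real output with `gpg --status-fd 1 --verify nut-2.8.2.tar.gz.sig nut-2.8.2.tar.gz` (status records go to stdout, human text to stderr); the point of comparing the VALIDSIG primary fingerprint with a value taken from the project's documentation is that it gives you the assurance gpg's "This key is not certified" warning says the web of trust is not giving you.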
