thr3ads.net - llvm dev - [llvm-dev] Unable to verify of llvm sources with the .sig files [Mar 2019]

If this information is useful, please help other people find it:
Share via:

Wink Saville via llvm-dev

2019-Mar-29 17:56 UTC

[llvm-dev] Unable to verify of llvm sources with the .sig files

I'm on an Arch Linux system:
$ uname -a
Linux wink-desktop 5.0.4-arch1-1-ARCH #1 SMP PREEMPT Sat Mar 23 21:00:33
UTC 2019 x86_64 GNU/Linux

My gpg version is:
$ gpg --version
gpg (GnuPG) 2.2.15
libgcrypt 1.8.4
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <
https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/wink/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


I went to http://releases.llvm.org/download.html and downloaded llvm-8.0.0:
http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz
http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz.sig
http://releases.llvm.org/8.0.0/hans-gpg-key.asc

I tried to import hans-gpg-key.asc but got an error:
$ gpg --import hans-gpg-key.asc
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: key 0x0FC3042E345AD05D: 2 bad signatures
gpg: key 0x0FC3042E345AD05D: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

Searched around and found there is ----allow-non-selfsigned-uid and
it appears to succeed:
$ gpg --import --allow-non-selfsigned-uid hans-gpg-key.asc
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: key 0x0FC3042E345AD05D: 2 bad signatures
gpg: key 0x0FC3042E345AD05D: accepted non self-signed user ID "Hans
Wennborg <hans at chromium.org>"
gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <hans at
chromium.org>"
imported
gpg: Total number processed: 1
gpg:               imported: 1

But when I verify I get an error "SHA1 algorithm rejected":
$ gpg --verify llvm-8.0.0.src.tar.xz.sig llvm-8.0.0.src.tar.xz
gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT
gpg:                using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: Can't check signature: Bad public key


Have I done something wrong?

Is there an md5sum or some other HASH available so I could check the source
manually?

-- Wink
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.llvm.org/pipermail/llvm-dev/attachments/20190329/2ae32556/attachment.html>

Hans Wennborg via llvm-dev

2019-Apr-04 08:57 UTC

head link

[llvm-dev] Unable to verify of llvm sources with the .sig files

Hi Wink,

Sorry for the late reply. I didn't see your email until now.

It's the "Note: signatures using the SHA1 algorithm are rejected"
error that's the problem.

It seems your gpg version doesn't like the message digest that was
used for the self-signature on my public key. I think the signatures
on the tarballs themselves should be okay, but that doesn't help if
you can't import my key of course.

I've tried to created a new self signature on my key. Can you try "gpg
--import" on the attached file and let me know if "gpg --verify"
works
afterwards?

Thanks,
Hans

On Fri, Mar 29, 2019 at 6:56 PM Wink Saville via llvm-dev
<llvm-dev at lists.llvm.org> wrote:>
> I'm on an Arch Linux system:
> $ uname -a
> Linux wink-desktop 5.0.4-arch1-1-ARCH #1 SMP PREEMPT Sat Mar 23 21:00:33
UTC 2019 x86_64 GNU/Linux
>
> My gpg version is:
> $ gpg --version
> gpg (GnuPG) 2.2.15
> libgcrypt 1.8.4
> Copyright (C) 2019 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
<https://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Home: /home/wink/.gnupg
> Supported algorithms:
> Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> Cipher: IDEA, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
>         CAMELLIA192, CAMELLIA256
> Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2
>
>
> I went to http://releases.llvm.org/download.html and downloaded llvm-8.0.0:
> http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz
> http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz.sig
> http://releases.llvm.org/8.0.0/hans-gpg-key.asc
>
> I tried to import hans-gpg-key.asc but got an error:
> $ gpg --import hans-gpg-key.asc
> gpg: Note: signatures using the SHA1 algorithm are rejected
> gpg: key 0x0FC3042E345AD05D: 2 bad signatures
> gpg: key 0x0FC3042E345AD05D: no valid user IDs
> gpg: this may be caused by a missing self-signature
> gpg: Total number processed: 1
> gpg:           w/o user IDs: 1
>
> Searched around and found there is ----allow-non-selfsigned-uid and
> it appears to succeed:
> $ gpg --import --allow-non-selfsigned-uid hans-gpg-key.asc
> gpg: Note: signatures using the SHA1 algorithm are rejected
> gpg: key 0x0FC3042E345AD05D: 2 bad signatures
> gpg: key 0x0FC3042E345AD05D: accepted non self-signed user ID "Hans
Wennborg <hans at chromium.org>"
> gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <hans at
chromium.org>" imported
> gpg: Total number processed: 1
> gpg:               imported: 1
>
> But when I verify I get an error "SHA1 algorithm rejected":
> $ gpg --verify llvm-8.0.0.src.tar.xz.sig llvm-8.0.0.src.tar.xz
> gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT
> gpg:                using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D
> gpg: Note: signatures using the SHA1 algorithm are rejected
> gpg: Can't check signature: Bad public key
>
>
> Have I done something wrong?
>
> Is there an md5sum or some other HASH available so I could check the source
manually?
>
> -- Wink
>
>
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev-------------- next part --------------
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFS+1SABEACnmkESkY7eZq0GhDjbkWpKmURGk9+ycsfAhA44NqUvf4tk1GPM
5SkJ/fYedYZJaDVhIp98fHgucD0O+vjOzghtgwtITusYjiPHPFBd/MN+MQqSEAP+
LUa/kjHLjgyXxKhFUIDGVaDWL5tKOA7/AQKl1TyJ8lz89NHQoUHFsF/hu10+qhJe
V65d32MXFehIUSvegh8DrPuExrliSiORO4HOhuc6151dWA4YBWVg4rX5kfKrGMMT
pTWnSSZtgoRhkKW2Ey8cmZUqPuUJIfWyeNVu1e4SFtAivLvu/Ymz2WBJcNA1ZlTr
RCOR5SIRgZ453pQnI/Bzna2nnJ/TV1gGJIGRahj/ini0cs2x1CILfS/YJQ3rWGGo
OxwG0BVmPk0cmLVtyTq8gUPwxcPUd6WcBKhot3TDMlrffZACnQwQjlVjk5S1dEEz
atUfpEuNitU9WOM4jr/gjv36ZNCOWm95YwLhsuci/NddBN8HXhyvs+zYTVZEXa2W
l/FqOdQsQqZBcJjjWckGKhESdd7934+cesGD3O8KaeSGxww7slJrS0+6QJ8oBoAB
P/WCn/y2AiY2syEKp3wYIGJyAbsm542zMZ4nc7pYfSu49mcyhQQICmqN5QvOyYUx
OSqwbAOUNtlOyeRLZNIKoXtTqWDEu5aEiDROTw6Rkq+dIcxPNgOLdeQ3HwARAQAB
tCFIYW5zIFdlbm5ib3JnIDxoYW5zQGNocm9taXVtLm9yZz6JAlQEEwEKAD4WIQS2
yPmCgrlE47DVwlMPwwQuNFrQXQUCXKW+LwIbAwUJDwUmjQULCQgHAgYVCgkICwIE
FgIDAQIeAQIXgAAKCRAPwwQuNFrQXXw+EACc4n7pYF89qmi6k4u1H5PLPcRVw4Ch
zY293N5JT8dM7c5Q0opPcgSS625SzAzEA8I3kRakFMsYZmJ7NFeFwIV7iJnaolft
iGCinbnB6bF8NnaEUOU0Pl4ByAuPiZqq8t5ORWUnZX/iRtOFEmCyRWHJPxCPFcJG
XCmQHTwnucePFdvNoIHN8vbkrHU32SUQ3iL4aEH92Y2s4D3WoNMW7g3b7srRynO1
pzrT+bhihrl1MAnR6FiS4lSjw7VaEon1PJyaxs6OYO2x/fEz+uUnNPYZGhHQDTQ8
DUyXNlXQ1mOOTMAwxg5JmqWfA2y1pmgJGpKe92t6vpVe9E90GBS9oCvSFXzItNg+
p+9ogNDxMWnT48fygCqDVpk/PLdlyuNAQfuvtcZb8h5y1bzcwwBGHWb9McG12Z/K
JpcWvSQe/eZ9uHcyj2+b7SQHIJL9eaBsyhgvv573PK62Rc8fze+HtwZMWMvw5Fsc
+q5pJ8JS8y3s/EZYJ8URQ00QWOL6DDN1ik0vjxZ6zf+dpK1/3jToSrTnsY5TxXAM
gxeoFVhAtccnoAYY2zp2Dp7JonGNqXrE8rjMe67QBWzVUADgWMlCvFZ4W7ZGcj9y
2XgA4DbOgJVsx3xAGA6FuEIV0UDwDo4WweWnD4Jo+KVC3nWGW8AjNQb9EAn33WlI
K/mivl/oxH2rx7kCDQRUvtUgARAA7EHGtB6wKGOsKoqNjk+dKxJil5vh+ui5ysLz
3wAXDYOA39nP5bvC1JNu3P8ZFwK6uPNm83ujasK42TSPT6zWyBlmbYF2V2VpsvL5
QX+RJbWtvmqF9dwYa5u7jw4x21J+iT2U5zRDUvgc2UYTiVQGRnOYjtiSp+X4HCub
2umLniDi5r08iKIcgCYyhkhxu04bUpoOvoKhdGT/eDZmIZTCGreMUauiIGwoRqnY
UnVuHk0mTYSDylXt8w4XuFRAoFms060g+7yEDlYSCS7dTdViNFIjdIOLpBecMv7E
fFqOJakq0XcmNmHzL8IJMPw/I/fhiN9m4WaR2yR7lx3HofRXZQKIfjnedyAVV1AN
eRjif7QxPOHLbG7QhVWcHFgNg2GL7cyNMcl30LjEyL237ki4S8MA+GB9mMOlBqQQ
/PqFWaCPSaUoiBGKUFEr3+Q7GTL260GkaTeMQkau7+Eo2WgU2ymhi1jrMBMCvwRw
6CgIVATSciS1yDfAX344ISdXbz9rtdnBRnsaX+p84e12vfvjCjyR3xHdXx3Yb2rn
DT+4JX001DR8ZZkM8Ohi3rCc8vqBm/+ckzyhlj67SsLbhbBJxkieJqvILgkcNqwC
GvZLYK2AK8GCyUrp/eAPXoofE9kwGlfvdPM5giEwQ/+9eBUltQPp1iG35T1zg6EQ
MmjCfR0AEQEAAYkCPAQYAQIAJgIbDBYhBLbI+YKCuUTjsNXCUw/DBC40WtBdBQJa
XfpLBQkPBSarAAoJEA/DBC40WtBdPX8P/1ilEM2BomXdhUO1Vmh5DCHsFDpQtlN5
cU+iBiQXaPdVaDyz1SYCziyD/hr70otJqe1eNf4kWxG/SVB7kav9WXxVDgsoRcF+
IaZKK+Mhnt6il13dg/bDoblPdIDh3YJB+yDiuck+dciPMo2JI6LfrzJue318vRja
vZqotOY/pjuKywNQ74nVNbVcebfj0k9HQeXhxO42dabgm5fabYIkRzlcGUMCFr2l
RWz4nkLYPRQUWTJ47N4k/DLrHkClYebzifwCOFBKm7WpErEpd3B6Lq2RBZYwe6L5
OBJj/MKSYP3+hjXkSLlq8nhaAhtMslShkyLvSuI+ZTxOGOnMDtL42TSDusw+r5eX
XCGMpT+7S52WysgmPOSHp+2opSYiRvFhOmOGcS6M2sSvmbZLpnrHfL0TlBqAExF3
FGF+T4dvIAJw/+n2tc7OXgzb3UOgp4AAfvQYeeIbHI2z2sCgyv+EPldb9avPd1wo
xzaznnkToxkgsTZmKiVxGf5tg4w9m1aVvH3y3y6ox/j2BjgUZAFkDA+CUyvHuaub
sdMiJdqFOFAY4mDqLMkMAPlHBIQaUBwvbxPwoC4zoIsuSGUF9DCIqxQE2eH2vzBX
eUH6lXQaEv7eLTvuBNh9kFHAvOMV2Gb3FQoRpnqs3UFf2XOLHh5I0rmeWfSNSrXr
sfYgf//ax/x3uQINBFylxXABEAC2Qt89UYDndAxNoCIJktuSBWh9BxC1JPPQtmLd
XTsG5vd2h63rBN64ZYTGuW2AQxGV24ngP8rv5F1QzSPY0UgOt25r7pS3+1MZbv+d
sZTtN4LWTXRdIVU+wcqKX1FZCGDSuGs5EpyElnKHxxGh7Wi0KFZMN64t83WPrbzq
aiKrpp9/QHMUtrNqPgUBNKvH8k5g/AGa21+fF1kRsUtmsZbre4IK9bakIjmAfNMA
ZA/YnJy0Ou06HcFWzkfTRLMrQHINUzOzNOhhXuYx3h4qSrvcJnqoGMJ9pZkOfrEJ
VPQexYq3hvL1jwMLdFKDozViUx520/7K8frusf+Df0RlucEVF4QjAV4RAuHBtrzP
LkH/0v6U3u1rX+5VMK8otud43cXcNet/cZ97jRm2rPzviRgYI9EljjD9vGPCIzmo
aJYs+eNJRIJGPqzVV+AELiH9Bc9jCad8XeECBsTCVNx+kEijKclQWr+3y610SXNY
JRKzlPBlMrqJ0U+/vNo59TUgZlwC8KdbiWtxEQ3JYFT7rHVH9cQeAlLXAE0yIfZK
+ss2HpIXgBvJ4nNyNBcFzoqF/iKBcH6yYRILNSGLEKOBnX3/XpAlvnOB1gcTSOQY
frNoXHpA7yzpGh1MeypdCeOqOicZZRF/xX1KR6YDC5YDOFM2paydDNS1ql0Wp0VW
WcIp1wARAQABiQI8BBgBCgAmFiEEtsj5goK5ROOw1cJTD8MELjRa0F0FAlylxXAC
GwwFCQlmAYAACgkQD8MELjRa0F3Quw/+MVB3lHyIORyth4q9KsTUUXBW11UtjKqq
SML0nMuNiqHefNd9P1+zVougyF002TfjkSnOpOoH2Uub3iCX0Cfyigo0rcjBXAvO
j9N9g8eL1xBenTdxYiiHvvIm0BadikfsdoqQebv3ONFda7eoQl689LqMKZ9ZEOxi
w7xQKcIPiNEt2WvBVv4mpEFx1pDbLZ/bUgbR3t7v/t6ijAVdIOjQvW/WPemyRTcB
7iJd68H6Uou/Ofy5EPUH4c/heyCw+eUUFnC9msDIvwtTbkz0Aaa7awbpoegFMz2L
LmSRMLybFn5lQTRR7TizzUvrprOx+UalbUASJS+TONZmVltz0eVVeJ3IHylUM/24
cBh2wXqR63osDCZZkXVxbN9AtyoezEVvg8+XhDLyXeh+o05A/lRjMA33BkwyoKzi
5nZb7iaVYWlKM8Zs6PrB8zq9ErDGcka7gikvUuJ2KLKjJqj19/6Z90oCtJQa9ifi
glN+ER3y4hLHFmKI6ns+GNf0FwpgwD7WD9XBQR9uxBPCrVjXXv4IT9rBidzXT8rK
iXYX9tHBHn2wAk28uJOtdDNcsOdOEqfdmIVfBXNv2df6r8ewEzpNd2MpEOZRW8mc
cn+5dkF+W2mGn8Vky04ewU2+Bo9rApv3zJ76s0Skt2c8axKKtLhHY/H5HPiLNC29
Qk8uiuyeUfE=H/uX
-----END PGP PUBLIC KEY BLOCK-----

Wink Saville via llvm-dev

2019-Apr-04 15:58 UTC

head link

[llvm-dev] Unable to verify of llvm sources with the .sig files

With the new signature file I was able to verify, but there was
still a bad signature: "gpg: key 0x0FC3042E345AD05D: 1 bad signature"
which I highlighted below. Didn't seem to be a problem, but thought
I'd point it out. I'd be glad to do additional tests if you'd like.

$ gpg --list-keys
/home/wink/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096/0x9F79B9CEB03232F9 2018-04-18 [C] [expires: 2019-04-18]
      Key fingerprint = 0B15 37E2 6423 4EF7 7934  7A79 9F79 B9CE B032 32F9
uid                   [ultimate] Winthrop Lyon Saville III <wink at
saville.com>sub   rsa4096/0xD232788D248BCF0E 2018-04-18 [S] [expires: 2019-04-18]
sub   rsa4096/0x9220D48FF6008D0D 2018-04-18 [E] [expires: 2019-04-18]
sub   rsa4096/0x92BB19D0D4F68457 2018-04-18 [A] [expires: 2019-04-18]

pub   rsa2048/0x7F2D434B9741E8AC 2011-04-10 [SC]
      Key fingerprint = 4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC
uid                   [ unknown] Pierre Schmitz <pierre at archlinux.de>
sub   rsa2048/0xE9B9D36A54211796 2011-04-10 [E]

wink at wink-desktop:~
$ gpg --import Documents/keys-crypto/hans-gpg-key.asc
gpg: Note: signatures using the SHA1 algorithm are rejected
*gpg: key 0x0FC3042E345AD05D: 1 bad signature*
gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <hans at
chromium.org>"
imported
gpg: Total number processed: 1
gpg:               imported: 1
wink at wink-desktop:~
$ echo $?
0
wink at wink-desktop:~
$ gpg --list-keys
/home/wink/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096/0x9F79B9CEB03232F9 2018-04-18 [C] [expires: 2019-04-18]
      Key fingerprint = 0B15 37E2 6423 4EF7 7934  7A79 9F79 B9CE B032 32F9
uid                   [ultimate] Winthrop Lyon Saville III <wink at
saville.com>sub   rsa4096/0xD232788D248BCF0E 2018-04-18 [S] [expires: 2019-04-18]
sub   rsa4096/0x9220D48FF6008D0D 2018-04-18 [E] [expires: 2019-04-18]
sub   rsa4096/0x92BB19D0D4F68457 2018-04-18 [A] [expires: 2019-04-18]

pub   rsa2048/0x7F2D434B9741E8AC 2011-04-10 [SC]
      Key fingerprint = 4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC
uid                   [ unknown] Pierre Schmitz <pierre at archlinux.de>
sub   rsa2048/0xE9B9D36A54211796 2011-04-10 [E]

pub   rsa4096/0x0FC3042E345AD05D 2015-01-20 [SC] [expires: 2023-01-15]
      Key fingerprint = B6C8 F982 82B9 44E3 B0D5  C253 0FC3 042E 345A D05D
uid                   [ unknown] Hans Wennborg <hans at chromium.org>
sub   rsa4096/0x3276ABBAE8E36D78 2019-04-04 [E] [expires: 2024-04-02]

wink at wink-desktop:~
$ gpg --verify ./Downloads/llvm-8.0.0.src.tar.xz.sig
./Downloads/llvm-8.0.0.src.tar.xz
gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT
gpg:                using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D
gpg: Good signature from "Hans Wennborg <hans at chromium.org>"
[unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner.
Primary key fingerprint: B6C8 F982 82B9 44E3 B0D5  C253 0FC3 042E 345A D05D
wink at wink-desktop:~
$ echo $?
0



On Thu, Apr 4, 2019 at 1:57 AM Hans Wennborg <hans at chromium.org> wrote:
> Hi Wink,
>
> Sorry for the late reply. I didn't see your email until now.
>
> It's the "Note: signatures using the SHA1 algorithm are
rejected"
> error that's the problem.
>
> It seems your gpg version doesn't like the message digest that was
> used for the self-signature on my public key. I think the signatures
> on the tarballs themselves should be okay, but that doesn't help if
> you can't import my key of course.
>
> I've tried to created a new self signature on my key. Can you try
"gpg
> --import" on the attached file and let me know if "gpg
--verify" works
> afterwards?
>
> Thanks,
> Hans
>
> On Fri, Mar 29, 2019 at 6:56 PM Wink Saville via llvm-dev
> <llvm-dev at lists.llvm.org> wrote:
> >
> > I'm on an Arch Linux system:
> > $ uname -a
> > Linux wink-desktop 5.0.4-arch1-1-ARCH #1 SMP PREEMPT Sat Mar 23
21:00:33
> UTC 2019 x86_64 GNU/Linux
> >
> > My gpg version is:
> > $ gpg --version
> > gpg (GnuPG) 2.2.15
> > libgcrypt 1.8.4
> > Copyright (C) 2019 Free Software Foundation, Inc.
> > License GPLv3+: GNU GPL version 3 or later <
> https://gnu.org/licenses/gpl.html>
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.
> >
> > Home: /home/wink/.gnupg
> > Supported algorithms:
> > Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> > Cipher: IDEA, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128,
> >         CAMELLIA192, CAMELLIA256
> > Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> > Compression: Uncompressed, ZIP, ZLIB, BZIP2
> >
> >
> > I went to http://releases.llvm.org/download.html and downloaded
> llvm-8.0.0:
> > http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz
> > http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz.sig
> > http://releases.llvm.org/8.0.0/hans-gpg-key.asc
> >
> > I tried to import hans-gpg-key.asc but got an error:
> > $ gpg --import hans-gpg-key.asc
> > gpg: Note: signatures using the SHA1 algorithm are rejected
> > gpg: key 0x0FC3042E345AD05D: 2 bad signatures
> > gpg: key 0x0FC3042E345AD05D: no valid user IDs
> > gpg: this may be caused by a missing self-signature
> > gpg: Total number processed: 1
> > gpg:           w/o user IDs: 1
> >
> > Searched around and found there is ----allow-non-selfsigned-uid and
> > it appears to succeed:
> > $ gpg --import --allow-non-selfsigned-uid hans-gpg-key.asc
> > gpg: Note: signatures using the SHA1 algorithm are rejected
> > gpg: key 0x0FC3042E345AD05D: 2 bad signatures
> > gpg: key 0x0FC3042E345AD05D: accepted non self-signed user ID
"Hans
> Wennborg <hans at chromium.org>"
> > gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <
> hans at chromium.org>" imported
> > gpg: Total number processed: 1
> > gpg:               imported: 1
> >
> > But when I verify I get an error "SHA1 algorithm rejected":
> > $ gpg --verify llvm-8.0.0.src.tar.xz.sig llvm-8.0.0.src.tar.xz
> > gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT
> > gpg:                using RSA key
> B6C8F98282B944E3B0D5C2530FC3042E345AD05D
> > gpg: Note: signatures using the SHA1 algorithm are rejected
> > gpg: Can't check signature: Bad public key
> >
> >
> > Have I done something wrong?
> >
> > Is there an md5sum or some other HASH available so I could check the
> source manually?
> >
> > -- Wink
> >
> >
> > _______________________________________________
> > LLVM Developers mailing list
> > llvm-dev at lists.llvm.org
> > https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
>-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.llvm.org/pipermail/llvm-dev/attachments/20190404/932b17e8/attachment.html>

Maybe Matching Threads

Search for more seemingly similar threads

llvm dev - Mar 2019 - Unable to verify of llvm sources with the .sig files

[llvm-dev] Unable to verify of llvm sources with the .sig files

[llvm-dev] Unable to verify of llvm sources with the .sig files

[llvm-dev] Unable to verify of llvm sources with the .sig files

Maybe Matching Threads