Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Repo: Weak digest & Invalid signatures #5055

Closed
tflidd opened this issue Jul 13, 2016 · 62 comments

Comments

@tflidd
Copy link

commented Jul 13, 2016

open-suse-repo on ubuntu 16.04 packet manager (apt-get) shows this error:

W: http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04/Release.gpg: Signature by key F9EA4996747310AE79474F44977C43A8BA684223 uses weak digest algorithm (SHA1)
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04  Release: The following signatures were invalid: KEYEXPIRED 1466936818

@guruz guruz added this to the 2.2.3 milestone Jul 13, 2016

@guruz guruz added the packaging label Jul 13, 2016

@jnweiger

This comment has been minimized.

Copy link
Contributor

commented Jul 13, 2016

We currently have 1024DSA which is weak. Ubuntu 16.04 wants to see at least 2048 RSA.

osc signkey --create isv:owncloud
can be used to create a new key. Default key with recent osc is RSA 2048.
This will be a new key, all users will need to accept the new key when we roll that out.

Expired key may be a different issue. Investigating.

@psyray

This comment has been minimized.

Copy link

commented Jul 14, 2016

Hi,
Same problem of key expired with linux mint 17.3 (ubuntu 14.04 based)
Error is (in french)

W: Une erreur s'est produite lors du contrôle de la signature. Le dépôt n'est pas mis à jour et les fichiers d'index précédents seront utilisés. Erreur de GPG : http://download.opensuse.org  Release : Les signatures suivantes ne sont pas valables : KEYEXPIRED 1466936818

W: Impossible de récupérer http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_14.04/Release

@guruz guruz modified the milestones: 2.3.0, 2.2.3 Aug 8, 2016

@tflidd

This comment has been minimized.

Copy link
Author

commented Aug 16, 2016

Expired key may be a different issue. Investigating.

@jnweiger : I found out how to fix the expired key. You can update the keys, first check the expired keys:

apt-key list | grep expired
pub   1024D/BA684223 2012-02-08 [expired: 2016-06-26]

Now update the key from a keyserver:
apt-key adv --recv-keys --keyserver keys.gnupg.net BA684223

Then it downloads new signatures and the expired-key warning disappears.

Two things to solve:

@crrodriguez

This comment has been minimized.

Copy link
Member

commented Aug 18, 2016

@tflidd osc signkeys --create isv:owncloud should do that.. it is up to the obs to create proper release keys..

@jnweiger

This comment has been minimized.

Copy link
Contributor

commented Aug 19, 2016

We can do that ourselves. question: will this result in key change warnings, vendor change errors or other nasty issues, when we do that?

@jnweiger

This comment has been minimized.

Copy link
Contributor

commented Aug 22, 2016

Regarding the expired aspect: The key was already extended in 2015.
wget -nv httpse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_14.04/Release.key -O - | gpg -vv |& grep -B5 expire

:signature packet: algo 17, keyid 977C43A8BA684223
    version 4, created 1423491668, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 29 39
    hashed subpkt 2 len 4 (sig created 2015-02-09)
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 9 len 4 (key expires after 5y72d4h15m)

2015-02-09 + 5y72d4h15m would be very far in the future. Compare apt-key:

apt-key list | grep BA684223

pub   1024D/BA684223 2012-02-08 [expires: 2017-04-19]

My understanding now is:

  • signature packets describe if and how a key is valid.
  • This key was created 2012, It has a signature packet that was created
    2015 and has duration of 5y.
    • apt-key uses key generation timestamp applies the duration of the signature packet to compute a a 2017 expire date.
    • (I would have naively applied the duration of the signature packet to the creation timestamp of the signature packet and get a 2020 expire date... probably wrong)
    • Extending a key in obs is one thing. Sending it to keys.gnupg.net should also be done, to update outdated copies.

Expiration seems to be a non-isuse here. Removing the misleading "(Key expired)" from the subject.

@jnweiger jnweiger changed the title Repo: Weak digest & Invalid signatures (Key expired) Repo: Weak digest & Invalid signatures Aug 22, 2016

@jnweiger

This comment has been minimized.

Copy link
Contributor

commented Aug 22, 2016

@crrodriguez Please evaluate downsides of changing the key and move forward here.
I suggest the following procedure:

  • announce scheduled key change via central.owncloud.org (and mailing lists??)
  • wait a day or two
  • create: osc signkey --create isv:ownCloud
  • test: osc signkey isv:ownCloud | apt-key add -; apt-key list | grep -B1 isv:ownCloud
  • publish: osc signkey isv:ownCloud | gpg --import; gpg --keyserver keys.gnupg.net --send-key NEW_KEY_ID
  • notify users via central.owncloud.org about the new key.
@jnweiger

This comment has been minimized.

Copy link
Contributor

commented Sep 6, 2016

@crrodriguez ping?

@crrodriguez

This comment has been minimized.

Copy link
Member

commented Sep 6, 2016

@jnweiger My take is.. we do not create new signing keys we just --extend them.. we need to do this only every few years or when something goes horrible wrong.
That said..I have no problem with your suggested course of action. however I think It might be better if we release a package equivalent to debian-archive-keyring.. (let's call it owncloud-archive-keyring) that includes all present or past public keys, we update it before publishing packages with new keys..then there will be no need of manual importing..

@ghost ghost referenced this issue Sep 7, 2016

Closed

OBS key expired 2016-08-26 #5156

@ghost

This comment has been minimized.

Copy link

commented Sep 7, 2016

@jnweiger @crrodriguez

however I think It might be better if we release a package equivalent to debian-archive-keyring.. (let's call it owncloud-archive-keyring) that includes all present or past public keys, we update it before publishing packages with new keys..then there will be no need of manual importing.

That might help to avoid recurring bugreports like #5156 where people missed that they need to renew keys manually.

@jnweiger

This comment has been minimized.

Copy link
Contributor

commented Sep 12, 2016

@crrodriguez we have two issues mixed up here. One is expiry, the other is weakness.
Extending a key can fix expiry, but afik it cannot make a weak key stronger. My knowledge about these keys is limited, thus I hesitate replacing the key in hope someone can point out how to make a key stronger, -- possibly via subkeys or similar magic.

What is the effort to create an owncloud-archive-keyring?

@ghost

This comment has been minimized.

Copy link

commented Sep 20, 2016

Hello all,
I am also seeing two issues in one here: one for the expired and one for the weak algorithm ... :( As I am getting the "weak algorithm" message for Debian Testing as well (and it does not matter, if I use the stable or testing repo for the desktop client), I would like to see this issue to be fixed in the near future to get rid of the message. The server issue with the weak algorithm was fixed months ago ... ;)
Sorry for the inconvenience
Thomas.

@ghost

This comment has been minimized.

Copy link

commented Sep 20, 2016

@thackert Expired keys can be easily solved if you re-import the already renewed keys from https://software.opensuse.org/download/package?project=isv:ownCloud:desktop&package=owncloud-client

This is something you need to actively do until something like suggested here is provided: #5055 (comment)

@ghost

This comment has been minimized.

Copy link

commented Sep 20, 2016

@RealRancor It seems you either got me wrong or I have expressed my concern not clear enough ... :( Either way: I am seeing this "weak key" message on my system since a longer time, and I want to get it fixed, if possible asap ... ;) But in this bug report there are two different bugs: one for the expired key, one for the weak one (this was also mentioned by @jnweiger on July 13th and 8 days ago). And if you want to start nitpicking, it is also about Ubuntu (as mentioned in @tflidd 's first report) and Linux Mint (reported from @psyray on July 14th) and Debian (reported by me). The question for me now is: is this bug about the expired key (where you can use tflidd's instruction from his comment on August 16th to get a new key. But this would not solve the problem with the weak key warning from apt-get ... ( ) or about the weak key to sign the Debian (based) packages with a 1024 bit key instead of a 2048 one? What would be the correct way to handle this? Leave this bug open, but open one for the weak algorithm for all Debian based systems and make it dependent on this bug? Waiting until apt will no longer install any owncloud-client packages because of this weak key (though Julian K. wrote in his blog, that this should not be happen (see https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/) but what would happen, if the Debian people to change this in a couple of months / years)? Do you understand my concerns now?
Sorry for the inconvenience
Thomas.

@ghost

This comment has been minimized.

Copy link

commented Sep 20, 2016

@thackert Yes, the issue here is about "weak key/weak signature". Everything else like the expired key is unrelated to this issue and shouldn't be discussed in here.

If you want to express that you're affected by the "weak key/weak signature" issue you can just use the emoticon icon at the first post and use the thumbs up button. This avoids that the issue gets flooded with comments as the issue is known and just needs to be fixed by some one who knows to fix it. :-)

@ghost

This comment has been minimized.

Copy link

commented Oct 4, 2016

And also:

You're missing the step to import the key. Your sudo -sh line won't do that automatically for you.

If people not following the steps explained at https://software.opensuse.org/download/package?project=isv:ownCloud:desktop&package=owncloud-client they shouldn't wonder why they are getting such results. :-)

@treuss

This comment has been minimized.

Copy link

commented Oct 4, 2016

Thanks @joaonl!
I tried your suggestion several times, but it seems that the Release.key is not bein accepted. Directly after adding it, I get a concise listing of the installed keys. There's nothing like isv:ownCloud or similar.

@ghost

This comment has been minimized.

Copy link

commented Oct 4, 2016

@treuss For setup help i suggest to jump over to https://central.owncloud.org/. It is not the goal to give setup specific support in an issue tracker.

@tflidd

This comment has been minimized.

Copy link
Author

commented Oct 4, 2016

If you know the missing key ID, you can also try to get it from a keyserver:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 4ABE1AC7557BEFF9

@ghost

This comment has been minimized.

Copy link

commented Oct 4, 2016

I think its time to lock this issue to collaborators. Its just one huge mess (43+ comments) with tons of various issues mixed in one.

@treuss

This comment has been minimized.

Copy link

commented Oct 4, 2016

@RealRancor thanks for your help.

@jnweiger

This comment has been minimized.

Copy link
Contributor

commented Oct 10, 2016

Bad reproducer Dockerfile:

FROM centos:centos7
RUN yum install -y wget
RUN rpm --import http://download.opensuse.org/repositories/isv:/ownCloud:/desktop//CentOS_7/repodata/repomd.xml.key
RUN wget -nv http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/CentOS_7/isv:ownCloud:desktop.repo -O /etc/yum.repos.d/isv:ownCloud:desktop.repo
RUN yum clean all && yum install -y owncloud-client

still fails. Error messages are:
warning: /var/cache/yum/x86_64/7/isv_ownCloud_desktop/packages/opt-libqt5keychain1-0.7.0-9.1.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID ba684223: NOKEY
Retrieving key from http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/CentOS_7//repodata/repomd.xml.key

The GPG keys listed for the "The ownCloud Desktop Client (CentOS_7)" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

@jnweiger

This comment has been minimized.

Copy link
Contributor

commented Oct 10, 2016

I've triggered a rebuild of opt-libqt5keychain1-0.7.0-9.1 and now the error message occurs with libowncloudsync0-2.2.4-1.1.x86_64.rpm -- I assume rebuilding all is to be done.

@michaelstingl

This comment has been minimized.

Copy link
Collaborator

commented Oct 10, 2016

now the error message occurs with libowncloudsync0-2.2.4-1.1.x86_64.rpm

sounds like a victory! 🎉

@crrodriguez

This comment has been minimized.

Copy link
Member

commented Oct 12, 2016

owncloud/enterprise#1617 should have fixed this problem

@jnweiger

This comment has been minimized.

Copy link
Contributor

commented Oct 13, 2016

Confirmed! The above CentOS7 reproducer is now silent.
Thank you!

@shpetros

This comment has been minimized.

Copy link

commented Oct 14, 2016

Hi, cant access owncloud/enterprise#1617 - Where is this fixed/what steps need to be taken?

@ghost

This comment has been minimized.

Copy link

commented Oct 14, 2016

@shpetros Just re-import the key as shown at the desktop client install page. If you need further help please see https://owncloud.org/support/ where to get such help.

@CodeShadower

This comment has been minimized.

Copy link

commented Oct 17, 2016

Yiipiieaaayeah!!! 😃

Maybe this helps the guys who followed exactly the ownCloud installation steps from Open Suse, but who had, like myself, still the "packages cannot be authenticated" error. ;)

I'm no certificate specialist, but after having read through the whole thread and tried over and over again the specified installation procedure, I began to delete the "right" key from my apt-key list, but instead of re-importing the right one right away, I checked the list again... and what did I see? Another "old" key appeared in the listing which wasn't there before!

So, this was the method to solve my issue:

1° Uninstall owncloud-client completely: sudo apt-get remove owncloud-client
2° Browse Key list: apt-key list
3° Delete owncloud key: sudo apt-key del 557BEFF9
4° Goto 2° and repeat steps until no ownCloud key is left over
5° Import official Release.key following SUSE instructions:
$ wget http://download.opensuse.org/repositories/isv:ownCloud:desktop/Ubuntu_16.04/Release.key (mind the Release.key outtput name here, because if you already have this file in your folder, it will generate a Release.key.2 and so on and so forth)
$ sudo apt-key add - < Release.key && sudo rm Release.key
6° Install ownCloud according SUSE instructions: sudo apt-get update && sudo apt-get install owncloud-client

Et voilà! 😃

@rloutrel: Thanks for pointing to the Key deletion!

Greetz

OS: Ubuntu 16.04 LTS 64 bits

@FlorianFranzen

This comment has been minimized.

Copy link

commented Oct 19, 2016

I did all of the recommended fixes and I am still getting the error on Ubuntu 16.04! The key is there and valid, but the packages till can not be authenticated.

Not to mention, that my keychain is still not detected, on a fresh install, which was the reason to migrate to the open suse repo in the first place. Classic owncloud!

@ghost

This comment has been minimized.

Copy link

commented Oct 20, 2016

@FlorianFranzen The keys are valid and known to work for a wide range of users. So either you're importing the wrong key, you're missing a step or something else is broken in you're environment.

Please note that this is a bugtracker and no support channel. Its the best to jump over to a forums dedicated to your Distro where they might be able to help you sorting this out.

@FlorianFranzen

This comment has been minimized.

Copy link

commented Oct 20, 2016

@RealRancor: Challenge accepted. Let's turn this into a real bug report.

This my apt key and source setup:

$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub   2048R/557BEFF9 2016-09-25 [expires: 2018-12-04]
uid                  isv:ownCloud OBS Project <isv:ownCloud@build.opensuse.org>
$ cat /etc/apt/sources.list.d/owncloud-client.list
deb http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04/ /

My apt cache is up to date:

$ sudo apt-get update
Ign:1 http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04  InRelease
Hit:2 http://security.ubuntu.com/ubuntu xenial-security InRelease                                                                                
Hit:3 http://de.archive.ubuntu.com/ubuntu xenial InRelease                                                                                       
Hit:4 http://ppa.launchpad.net/seafile/seafile-client/ubuntu xenial InRelease                                                                                               
Hit:7 http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04  Release                                    
Get:8 http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04  Release.gpg [481 B]  
Hit:9 http://de.archive.ubuntu.com/ubuntu xenial-updates InRelease                                                                         
Hit:11 http://de.archive.ubuntu.com/ubuntu xenial-backports InRelease                                    
Fetched 481 B in 4s (115 B/s) 
Reading package lists... Done

And this is what happens when I try to install the owncloud-client:

sudo apt-get install owncloud-client
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-4.4.0-38 linux-headers-4.4.0-38-generic linux-image-4.4.0-38-generic linux-image-extra-4.4.0-38-generic linux-signed-image-4.4.0-38-generic
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libowncloudsync0 libqt5keychain1 owncloud-client-l10n
The following NEW packages will be installed:
  libowncloudsync0 libqt5keychain1 owncloud-client owncloud-client-l10n
0 upgraded, 4 newly installed, 0 to remove and 6 not upgraded.
Need to get 325 kB/1.713 kB of archives.
After this operation, 6.627 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
WARNING: The following packages cannot be authenticated!
  libqt5keychain1 libowncloudsync0 owncloud-client-l10n owncloud-client
Install these packages without verification? [y/N] 
E: Some packages could not be authenticated

So it seems like no matter if I follow the official instructions or any of the instructions here, I run into a problem.

Weirdly the Release file is signed properly if I check it by hand:

$ gpg2 --keyserver keyserver.ubuntu.com --recv-keys 4ABE1AC7557BEFF9
...
$ gpg2 --verify Release.gpg Release
gpg: Signature made Mi 12 Okt 2016 04:59:40 CEST using RSA key ID 557BEFF9
gpg: Good signature from "isv:ownCloud OBS Project <isv:ownCloud@build.opensuse.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1B07 204C D71B 690D 409F  57D2 4ABE 1AC7 557B EFF9

Also, I did a quick check of some of the checksum (Package, Package.gz and the deb itself) and they all check out.

I guess there is an important step missing to get apt back on track once you run into this problem.

@ghost

This comment has been minimized.

Copy link

commented Oct 20, 2016

@FlorianFranzen As explained this is a bugtracker, no support channel. The initial issue here is closed/solved as the new keys with a proper signature were deployed.

@FlorianFranzen

This comment has been minimized.

Copy link

commented Oct 20, 2016

@RealRancor The issue described here is not fixed and can still linger if the incorrect Release file was downloaded before. I think this is highly relevant.

Back on topic: The problem is that the Release file does not look changed to apt and therefore is not updated locally. This is either a bug in apt or more likely a bug in the way openSUSE or one of their German mirrors set up their package server or HTML caching.

I was able to fix it by removing the package source, followed by running apt-get update. After adding the source again, everything installed fine. Weirdly just running apt-get clean instead, which I thought does the same, did not fix my issue.

@ghost

This comment has been minimized.

Copy link

commented Oct 20, 2016

The issue described here is not fixed

It really shouldn't be hard to understand that the issue originally reported here IS fixed. To sum-up that you can understand that:

  1. The bugreport original reported here was about a weak signature used in the keys
  2. The keys where replaced by new keys which are using now a stronger signing algorithm
  3. The original issue is closed.

Everything else doesn't belong in here. @jnweiger @crrodriguez Please lock here to avoid that this issue gets longer and longer where the initial issue is already solved. People are mixing too many issues in here.

@FlorianFranzen

This comment has been minimized.

Copy link

commented Oct 20, 2016

@RealRancor The title is "Weak digest & Invalid signatures". Enough said.

@ghost

This comment has been minimized.

Copy link

commented Oct 20, 2016

Yeah, and these are solved as already explained twice.

Weak digest: Key was updated with a new signature algorithm.
Invalid signature: Key was expired for the OP and was also updated (Which btw. even doesn't belong into this issue in the first place).

It might help to read (and understand) the actual report and not only the title.

If you think there are any additional issues which needs to be fixed create a new bugreport.

@varac

This comment has been minimized.

Copy link

commented Oct 30, 2016

@FlorianFranzen @RealRancor I created #5287 to track the WARNING: The following packages cannot be authenticated! issue.

@owncloud owncloud locked and limited conversation to collaborators Nov 10, 2016

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
You can’t perform that action at this time.