Repo: Weak digest & Invalid signatures #5055

Closed
tflidd opened this issue Jul 13, 2016 · 62 comments

@tflidd

tflidd commented Jul 13, 2016

The openSUSE repo on the Ubuntu 16.04 package manager (apt-get) shows this error:

W: http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04/Release.gpg: Signature by key F9EA4996747310AE79474F44977C43A8BA684223 uses weak digest algorithm (SHA1)
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04  Release: The following signatures were invalid: KEYEXPIRED 1466936818
@guruz guruz added this to the 2.2.3 milestone Jul 13, 2016
@jnweiger
Contributor

jnweiger commented Jul 13, 2016

We currently have 1024DSA which is weak. Ubuntu 16.04 wants to see at least 2048 RSA.

osc signkey --create isv:owncloud
can be used to create a new key. Default key with recent osc is RSA 2048.
This will be a new key, all users will need to accept the new key when we roll that out.

Expired key may be a different issue. Investigating.
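
An added check for the weak-key half of the problem (editor's example, not code from this thread or from ownCloud/OBS): it parses raw OpenPGP public-key packets and reports algorithm, creation date and key size the way apt-key list prints 1024D / 2048R, then flags sizes below a threshold. The sample packets, their times of day and the 2048-bit threshold are constructed here from the figures in the thread; the size policy is this example's, not apt's or gpg's own code.

```python
"""Flag weak OpenPGP public keys from the raw key packet.

Added example, not code from the thread or from ownCloud/OBS. It reads the
fixed fields of a v4 public-key packet (RFC 4880 5.5.2): creation time,
algorithm and the bit length of the first MPI (DSA p or RSA n), which is what
"1024D" and "2048R" in apt-key list refer to. The sample packets are
constructed with dummy MPI contents and assumed times of day; the size
policy is this example's, mirroring "Ubuntu 16.04 wants to see at least
2048 RSA", not apt's or gpg's code.
"""
from datetime import datetime, timezone

ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
MIN_BITS = {"RSA": 2048, "DSA": 2048}       # example policy: 1024-bit DSA is weak


def read_packet(data: bytes, offset: int = 0):
    """Return (tag, body, next_offset) for one old- or new-format packet header."""
    ptag = data[offset]
    if not ptag & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ptag & 0x40:                                    # new format (RFC 4880 4.2.2)
        tag, first = ptag & 0x3F, data[offset + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + data[offset + 2] + 192, 3
        elif first == 255:
            length, hdr = int.from_bytes(data[offset + 2:offset + 6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                              # old format (RFC 4880 4.2.1)
        tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hdr = 1 + (1 << ltype)
        length = int.from_bytes(data[offset + 1:offset + hdr], "big")
    start = offset + hdr
    return tag, data[start:start + length], start + length


def parse_public_key(body: bytes) -> dict:
    """Fixed fields of a v4 public-key packet plus the bit size of its first MPI."""
    if body[0] != 4:
        raise ValueError("only v4 keys handled")
    created = datetime.fromtimestamp(int.from_bytes(body[1:5], "big"), tz=timezone.utc)
    algo = ALGO_NAMES.get(body[5], f"algo{body[5]}")
    bits = int.from_bytes(body[6:8], "big")            # MPI bit count (RFC 4880 3.2)
    return {"created": created, "algo": algo, "bits": bits}


def assess(key: dict) -> str:
    """'weak' or 'ok' under MIN_BITS; algorithms without a policy are 'unknown'."""
    need = MIN_BITS.get(key["algo"])
    if need is None:
        return "unknown"
    return "weak" if key["bits"] < need else "ok"


def report(data: bytes) -> list:
    """Walk concatenated packets and describe each public key apt-key style."""
    out, off = [], 0
    while off < len(data):
        tag, body, off = read_packet(data, off)
        if tag == 6:                                   # public-key packet
            k = parse_public_key(body)
            out.append(f"{k['bits']}{k['algo'][0]} {k['created']:%Y-%m-%d} {assess(k)}")
    return out


def make_key_packet(created: datetime, algo: int, bits: int, old_format: bool) -> bytes:
    """Construct a v4 public-key packet with a dummy MPI of exactly `bits` bits."""
    mpi = bits.to_bytes(2, "big") + (1 << (bits - 1)).to_bytes((bits + 7) // 8, "big")
    body = b"\x04" + int(created.timestamp()).to_bytes(4, "big") + bytes([algo]) + mpi
    if old_format:             # tag 6 in bits 5..2, two-octet length (type 1)
        return bytes([0x80 | (6 << 2) | 1]) + len(body).to_bytes(2, "big") + body
    if len(body) < 192:
        return bytes([0xC6, len(body)]) + body
    n = len(body) - 192        # new-format two-octet length
    return bytes([0xC6, (n >> 8) + 192, n & 0xFF]) + body


# Constructed samples: the thread's 1024D key from 2012-02-08 and the 2048R
# replacement from 2016-09-25 (times of day assumed).
OLD_KEY = make_key_packet(datetime(2012, 2, 8, 12, tzinfo=timezone.utc), 17, 1024, True)
NEW_KEY = make_key_packet(datetime(2016, 9, 25, 12, tzinfo=timezone.utc), 1, 2048, False)

if __name__ == "__main__":
    for line in report(OLD_KEY + NEW_KEY):
        print(line)
```

Running it prints one line per key, "1024D 2012-02-08 weak" and "2048R 2016-09-25 ok"; to run it over a real keyring, export it with gpg --export and feed the bytes to report().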

@psyray

psyray commented Jul 14, 2016

Hi,
Same expired-key problem with Linux Mint 17.3 (Ubuntu 14.04 based)
The error (originally in French) is:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://download.opensuse.org  Release: The following signatures were invalid: KEYEXPIRED 1466936818

W: Failed to fetch http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_14.04/Release

@guruz guruz modified the milestones: 2.3.0, 2.2.3 Aug 8, 2016
@tflidd
Author

tflidd commented Aug 16, 2016

Expired key may be a different issue. Investigating.

@jnweiger: I found out how to fix the expired key. You can update the keys; first check the expired keys:

apt-key list | grep expired
pub   1024D/BA684223 2012-02-08 [expired: 2016-06-26]

Now update the key from a keyserver:
apt-key adv --recv-keys --keyserver keys.gnupg.net BA684223

Then it downloads new signatures and the expired-key warning disappears.

Two things to solve:

@crrodriguez

@tflidd osc signkeys --create isv:owncloud should do that. It is up to the OBS to create proper release keys.

@jnweiger
Contributor

We can do that ourselves. Question: will this result in key-change warnings, vendor-change errors or other nasty issues when we do that?

@jnweiger
Contributor

jnweiger commented Aug 22, 2016

Regarding the expired aspect: The key was already extended in 2015.
wget -nv http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_14.04/Release.key -O - | gpg -vv |& grep -B5 expire

:signature packet: algo 17, keyid 977C43A8BA684223
    version 4, created 1423491668, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 29 39
    hashed subpkt 2 len 4 (sig created 2015-02-09)
    hashed subpkt 27 len 1 (key flags: 03)
    hashed subpkt 9 len 4 (key expires after 5y72d4h15m)

2015-02-09 + 5y72d4h15m would be very far in the future. Compare apt-key:

apt-key list | grep BA684223

pub   1024D/BA684223 2012-02-08 [expires: 2017-04-19]

My understanding now is:

  • signature packets describe if and how a key is valid.
  • This key was created in 2012. It has a signature packet that was created
    in 2015 and has a duration of 5y.
    • apt-key takes the key generation timestamp and applies the duration of the signature packet to it, computing a 2017 expiry date.
    • (I would have naively applied the duration of the signature packet to the creation timestamp of the signature packet and got a 2020 expiry date... probably wrong)
    • Extending a key in OBS is one thing. Sending it to keys.gnupg.net should also be done, to update outdated copies.

Expiration seems to be a non-issue here. Removing the misleading "(Key expired)" from the subject.
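
An added example (editor's code, not from the thread or from ownCloud/OBS) that turns the two findings above into a checker: it parses a v4 signature packet as gpg -vv prints it, reports the digest algorithm behind apt's "uses weak digest algorithm (SHA1)" warning from the opening post, and computes the expiry both ways: key creation + subpacket 9 (what apt-key does, giving 2017-04-19) and signature creation + subpacket 9 (the naive reading, giving 2020-04-20). The packet bytes, the dummy MPIs, the key's time of day and the below-SHA-256 weakness threshold are this example's assumptions, built from the gpg -vv fields quoted above.

```python
"""Inspect an OpenPGP v4 signature packet the way gpg -vv and apt do.

Added example, not code from this thread or from ownCloud/OBS. It shows
(1) where apt's "uses weak digest algorithm (SHA1)" comes from: the hash
algorithm octet of the signature packet, and (2) why apt-key shows
2017-04-19 for a key created 2012-02-08 whose 2015 self-signature says
"key expires after 5y72d4h15m": subpacket 9 counts from the *key* creation
time (RFC 4880 5.2.3.6), not from the signature's own creation time.
Packet bytes are constructed from the gpg -vv fields quoted in the thread;
the MPIs are dummies and the key's time of day is assumed.
"""
import re
from datetime import datetime, timedelta, timezone

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {1, 2, 3}       # anything below SHA-256; apt 1.2+ warns on these
YEAR = 365 * 86400             # gpg's "y" in "5y72d4h15m" is a 365-day year


def subpacket(sub_type: int, body: bytes) -> bytes:
    """Encode one subpacket with a one-octet length (body shorter than 191)."""
    return bytes([len(body) + 1, sub_type]) + body


def parse_subpackets(area: bytes) -> dict:
    """Parse a signature subpacket area (RFC 4880 5.2.3.1) into {type: body}."""
    out, i = {}, 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket area")
        out[area[i] & 0x7F] = area[i + 1:i + length]   # bit 7 is the critical flag
        i += length
    return out


def parse_v4_signature(pkt: bytes) -> dict:
    """Parse the fixed fields of a new-format, one-octet-length v4 signature packet."""
    if pkt[0] & 0xC0 != 0xC0 or pkt[0] & 0x3F != 2:
        raise ValueError("not a new-format signature packet")
    body = pkt[2:2 + pkt[1]]
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hashed_len = int.from_bytes(body[4:6], "big")
    hashed = parse_subpackets(body[6:6 + hashed_len])
    p = 6 + hashed_len
    unhashed_len = int.from_bytes(body[p:p + 2], "big")
    unhashed = parse_subpackets(body[p + 2:p + 2 + unhashed_len])
    p += 2 + unhashed_len
    return {"sig_class": body[1], "pubkey_algo": body[2], "hash_algo": body[3],
            "hashed": hashed, "unhashed": unhashed, "hash_left": body[p:p + 2]}


def gpg_duration_to_seconds(text: str) -> int:
    """Turn gpg's '5y72d4h15m' display back into seconds."""
    units = {"y": YEAR, "d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([ydhms])", text))


def key_expiry(key_created: datetime, sig: dict):
    """Correct reading: key creation time + subpacket 9 (None if no expiry)."""
    if 9 not in sig["hashed"]:
        return None
    return key_created + timedelta(seconds=int.from_bytes(sig["hashed"][9], "big"))


def naive_expiry(sig: dict) -> datetime:
    """Tempting but wrong reading: signature creation time + subpacket 9."""
    created = datetime.fromtimestamp(int.from_bytes(sig["hashed"][2], "big"), tz=timezone.utc)
    return created + timedelta(seconds=int.from_bytes(sig["hashed"][9], "big"))


def digest_warnings(sig: dict, keyid: str) -> list:
    """The check behind the first warning quoted in the opening post."""
    algo = sig["hash_algo"]
    if algo in WEAK_DIGESTS:
        return [f"Signature by key {keyid} uses weak digest algorithm ({HASH_ALGOS[algo]})"]
    return []


# Constructed sample mirroring the gpg -vv output in the thread (not real bytes).
SIG_CREATED = 1423491668                                   # 2015-02-09 14:21:08 UTC
EXPIRE_AFTER = gpg_duration_to_seconds("5y72d4h15m")       # 163916100 seconds
KEY_CREATED = datetime(2012, 2, 8, 12, 0, tzinfo=timezone.utc)   # time of day assumed
hashed_area = (subpacket(2, SIG_CREATED.to_bytes(4, "big"))
               + subpacket(27, b"\x03")
               + subpacket(9, EXPIRE_AFTER.to_bytes(4, "big")))
unhashed_area = subpacket(16, bytes.fromhex("977C43A8BA684223"))   # issuer key ID
body = (b"\x04\x13" + bytes([17, 2])                       # v4, class 0x13, DSA, SHA1
        + len(hashed_area).to_bytes(2, "big") + hashed_area
        + len(unhashed_area).to_bytes(2, "big") + unhashed_area
        + b"\x29\x39"                                      # "begin of digest 29 39"
        + b"\x00\x08\xab" + b"\x00\x08\xcd")               # dummy DSA r and s MPIs
SAMPLE_PACKET = bytes([0xC2, len(body)]) + body

if __name__ == "__main__":
    sig = parse_v4_signature(SAMPLE_PACKET)
    print("digest:", HASH_ALGOS[sig["hash_algo"]], digest_warnings(sig, "BA684223"))
    print("expires (key creation + subpkt 9):", key_expiry(KEY_CREATED, sig).date())
    print("naive   (sig creation + subpkt 9):", naive_expiry(sig).date())
```

The same parser works on a real Release.gpg after de-armoring (gpg --dearmor), which is the quickest way to confirm which digest a repository signature actually uses before blaming the key itself; key size lives in the key packet, not in the signature, so it is not reported here.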

@jnweiger jnweiger changed the title Repo: Weak digest & Invalid signatures (Key expired) Repo: Weak digest & Invalid signatures Aug 22, 2016
@jnweiger
Contributor

@crrodriguez Please evaluate downsides of changing the key and move forward here.
I suggest the following procedure:

  • announce scheduled key change via central.owncloud.org (and mailing lists??)
  • wait a day or two
  • create: osc signkey --create isv:ownCloud
  • test: osc signkey isv:ownCloud | apt-key add -; apt-key list | grep -B1 isv:ownCloud
  • publish: osc signkey isv:ownCloud | gpg --import; gpg --keyserver keys.gnupg.net --send-key NEW_KEY_ID
  • notify users via central.owncloud.org about the new key.

@jnweiger
Contributor

jnweiger commented Sep 6, 2016

@crrodriguez ping?

@crrodriguez

@jnweiger My take is: we do not create new signing keys, we just --extend them. We need to do this only every few years or when something goes horribly wrong.
That said, I have no problem with your suggested course of action. However, I think it might be better if we release a package equivalent to debian-archive-keyring (let's call it owncloud-archive-keyring) that includes all present or past public keys; we update it before publishing packages with new keys, then there will be no need for manual importing.

@ghost ghost mentioned this issue Sep 7, 2016
@ghost

ghost commented Sep 7, 2016

@jnweiger @crrodriguez

however I think it might be better if we release a package equivalent to debian-archive-keyring (let's call it owncloud-archive-keyring) that includes all present or past public keys; we update it before publishing packages with new keys, then there will be no need for manual importing.

That might help to avoid recurring bugreports like #5156 where people missed that they need to renew keys manually.

@jnweiger
Contributor

@crrodriguez we have two issues mixed up here. One is expiry, the other is weakness.
Extending a key can fix expiry, but AFAIK it cannot make a weak key stronger. My knowledge about these keys is limited, thus I hesitate to replace the key in the hope that someone can point out how to make a key stronger -- possibly via subkeys or similar magic.

What is the effort to create an owncloud-archive-keyring?

@ghost

ghost commented Sep 20, 2016

Hello all,
I am also seeing two issues in one here: one for the expired key and one for the weak algorithm ... :( As I am getting the "weak algorithm" message for Debian Testing as well (and it does not matter if I use the stable or testing repo for the desktop client), I would like to see this issue fixed in the near future to get rid of the message. The server issue with the weak algorithm was fixed months ago ... ;)
Sorry for the inconvenience
Thomas.

@ghost

ghost commented Sep 20, 2016

@thackert Expired keys can be easily solved if you re-import the already renewed keys from https://software.opensuse.org/download/package?project=isv:ownCloud:desktop&package=owncloud-client

This is something you need to actively do until something like suggested here is provided: #5055 (comment)

@ghost

ghost commented Sep 20, 2016

@RealRancor It seems you either got me wrong or I have not expressed my concern clearly enough ... :( Either way: I have been seeing this "weak key" message on my system for a long time, and I want to get it fixed, if possible asap ... ;) But in this bug report there are two different bugs: one for the expired key, one for the weak one (this was also mentioned by @jnweiger on July 13th and 8 days ago). And if you want to start nitpicking, it is also about Ubuntu (as mentioned in @tflidd's first report), Linux Mint (reported by @psyray on July 14th) and Debian (reported by me). The question for me now is: is this bug about the expired key (where you can use tflidd's instructions from his comment on August 16th to get a new key, but this would not solve the problem with the weak key warning from apt-get ...) or about the weak key used to sign the Debian (based) packages with a 1024 bit key instead of a 2048 one? What would be the correct way to handle this? Leave this bug open, but open one for the weak algorithm for all Debian based systems and make it dependent on this bug? Wait until apt will no longer install any owncloud-client packages because of this weak key (though Julian K. wrote in his blog that this should not happen (see https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/), but what would happen if the Debian people change this in a couple of months / years)? Do you understand my concerns now?
Sorry for the inconvenience
Thomas.

@ghost

ghost commented Sep 20, 2016

@thackert Yes, the issue here is about "weak key/weak signature". Everything else like the expired key is unrelated to this issue and shouldn't be discussed in here.

If you want to express that you're affected by the "weak key/weak signature" issue you can just use the emoticon icon at the first post and use the thumbs-up button. This avoids the issue getting flooded with comments, as the issue is known and just needs to be fixed by someone who knows how to fix it. :-)

@ghost

ghost commented Oct 4, 2016

And also:

You're missing the step to import the key. Your sudo -sh line won't do that automatically for you.

If people don't follow the steps explained at https://software.opensuse.org/download/package?project=isv:ownCloud:desktop&package=owncloud-client they shouldn't wonder why they are getting such results. :-)

@treuss

treuss commented Oct 4, 2016

Thanks @joaonl!
I tried your suggestion several times, but it seems that the Release.key is not being accepted. Directly after adding it, I get a concise listing of the installed keys. There's nothing like isv:ownCloud or similar.

@ghost

ghost commented Oct 4, 2016

@treuss For setup help I suggest jumping over to https://central.owncloud.org/. It is not the goal to give setup-specific support in an issue tracker.

@tflidd
Author

tflidd commented Oct 4, 2016

If you know the missing key ID, you can also try to get it from a keyserver:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 4ABE1AC7557BEFF9

@ghost

ghost commented Oct 4, 2016

I think it's time to lock this issue to collaborators. It's just one huge mess (43+ comments) with tons of various issues mixed into one.

@treuss

treuss commented Oct 4, 2016

@RealRancor thanks for your help.

@jnweiger
Contributor

jnweiger commented Oct 10, 2016

Bad reproducer Dockerfile:

FROM centos:centos7
RUN yum install -y wget
RUN rpm --import http://download.opensuse.org/repositories/isv:/ownCloud:/desktop//CentOS_7/repodata/repomd.xml.key
RUN wget -nv http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/CentOS_7/isv:ownCloud:desktop.repo -O /etc/yum.repos.d/isv:ownCloud:desktop.repo
RUN yum clean all && yum install -y owncloud-client

still fails. Error messages are:
warning: /var/cache/yum/x86_64/7/isv_ownCloud_desktop/packages/opt-libqt5keychain1-0.7.0-9.1.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID ba684223: NOKEY
Retrieving key from http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/CentOS_7//repodata/repomd.xml.key

The GPG keys listed for the "The ownCloud Desktop Client (CentOS_7)" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

@jnweiger
Contributor

I've triggered a rebuild of opt-libqt5keychain1-0.7.0-9.1 and now the error message occurs with libowncloudsync0-2.2.4-1.1.x86_64.rpm -- I assume rebuilding all is to be done.

@michaelstingl
Contributor

now the error message occurs with libowncloudsync0-2.2.4-1.1.x86_64.rpm

sounds like a victory! 🎉

@crrodriguez

https://github.com/owncloud/enterprise/issues/1617 should have fixed this problem

@jnweiger
Contributor

Confirmed! The above CentOS7 reproducer is now silent.
Thank you!

@shpetros

Hi, can't access owncloud/enterprise#1617 - where is this fixed / what steps need to be taken?

@ghost

ghost commented Oct 14, 2016

@shpetros Just re-import the key as shown at the desktop client install page. If you need further help please see https://owncloud.org/support/ where to get such help.

@CodeShadower

CodeShadower commented Oct 17, 2016

Yiipiieaaayeah!!! 😃

Maybe this helps the guys who followed the ownCloud installation steps from openSUSE exactly, but who, like myself, still had the "packages cannot be authenticated" error. ;)

I'm no certificate specialist, but after having read through the whole thread and tried the specified installation procedure over and over again, I began to delete the "right" key from my apt-key list, but instead of re-importing the right one right away, I checked the list again... and what did I see? Another "old" key appeared in the listing which wasn't there before!

So, this was the method to solve my issue:

1° Uninstall owncloud-client completely: sudo apt-get remove owncloud-client
2° Browse Key list: apt-key list
3° Delete owncloud key: sudo apt-key del 557BEFF9
4° Goto 2° and repeat steps until no ownCloud key is left over
5° Import official Release.key following SUSE instructions:
$ wget http://download.opensuse.org/repositories/isv:ownCloud:desktop/Ubuntu_16.04/Release.key (mind the Release.key output name here, because if you already have this file in your folder, it will generate a Release.key.2 and so on and so forth)
$ sudo apt-key add - < Release.key && sudo rm Release.key
6° Install ownCloud according to the SUSE instructions: sudo apt-get update && sudo apt-get install owncloud-client

Et voilà! 😃

@rloutrel: Thanks for pointing to the Key deletion!

Greetz

OS: Ubuntu 16.04 LTS 64 bits

@FlorianFranzen

I did all of the recommended fixes and I am still getting the error on Ubuntu 16.04! The key is there and valid, but the packages still cannot be authenticated.

Not to mention, that my keychain is still not detected, on a fresh install, which was the reason to migrate to the open suse repo in the first place. Classic owncloud!

@ghost

ghost commented Oct 20, 2016

@FlorianFranzen The keys are valid and known to work for a wide range of users. So either you're importing the wrong key, you're missing a step or something else is broken in your environment.

Please note that this is a bug tracker and not a support channel. It's best to jump over to a forum dedicated to your distro where they might be able to help you sort this out.

@FlorianFranzen

FlorianFranzen commented Oct 20, 2016

@RealRancor: Challenge accepted. Let's turn this into a real bug report.

This my apt key and source setup:

$ apt-key list
/etc/apt/trusted.gpg
--------------------
pub   2048R/557BEFF9 2016-09-25 [expires: 2018-12-04]
uid                  isv:ownCloud OBS Project <isv:ownCloud@build.opensuse.org>
$ cat /etc/apt/sources.list.d/owncloud-client.list
deb http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04/ /

My apt cache is up to date:

$ sudo apt-get update
Ign:1 http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04  InRelease
Hit:2 http://security.ubuntu.com/ubuntu xenial-security InRelease                                                                                
Hit:3 http://de.archive.ubuntu.com/ubuntu xenial InRelease                                                                                       
Hit:4 http://ppa.launchpad.net/seafile/seafile-client/ubuntu xenial InRelease                                                                                               
Hit:7 http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04  Release                                    
Get:8 http://download.opensuse.org/repositories/isv:/ownCloud:/desktop/Ubuntu_16.04  Release.gpg [481 B]  
Hit:9 http://de.archive.ubuntu.com/ubuntu xenial-updates InRelease                                                                         
Hit:11 http://de.archive.ubuntu.com/ubuntu xenial-backports InRelease                                    
Fetched 481 B in 4s (115 B/s) 
Reading package lists... Done

And this is what happens when I try to install the owncloud-client:

sudo apt-get install owncloud-client
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-4.4.0-38 linux-headers-4.4.0-38-generic linux-image-4.4.0-38-generic linux-image-extra-4.4.0-38-generic linux-signed-image-4.4.0-38-generic
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libowncloudsync0 libqt5keychain1 owncloud-client-l10n
The following NEW packages will be installed:
  libowncloudsync0 libqt5keychain1 owncloud-client owncloud-client-l10n
0 upgraded, 4 newly installed, 0 to remove and 6 not upgraded.
Need to get 325 kB/1.713 kB of archives.
After this operation, 6.627 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
WARNING: The following packages cannot be authenticated!
  libqt5keychain1 libowncloudsync0 owncloud-client-l10n owncloud-client
Install these packages without verification? [y/N] 
E: Some packages could not be authenticated

So it seems like no matter if I follow the official instructions or any of the instructions here, I run into a problem.

Weirdly the Release file is signed properly if I check it by hand:

$ gpg2 --keyserver keyserver.ubuntu.com --recv-keys 4ABE1AC7557BEFF9
...
$ gpg2 --verify Release.gpg Release
gpg: Signature made Mi 12 Okt 2016 04:59:40 CEST using RSA key ID 557BEFF9
gpg: Good signature from "isv:ownCloud OBS Project <isv:ownCloud@build.opensuse.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1B07 204C D71B 690D 409F  57D2 4ABE 1AC7 557B EFF9

Also, I did a quick check of some of the checksums (Package, Package.gz and the deb itself) and they all check out.

I guess there is an important step missing to get apt back on track once you run into this problem.

@ghost

ghost commented Oct 20, 2016

@FlorianFranzen As explained this is a bugtracker, no support channel. The initial issue here is closed/solved as the new keys with a proper signature were deployed.

@FlorianFranzen

FlorianFranzen commented Oct 20, 2016

@RealRancor The issue described here is not fixed and can still linger if the incorrect Release file was downloaded before. I think this is highly relevant.

Back on topic: The problem is that the Release file does not look changed to apt and therefore is not updated locally. This is either a bug in apt or more likely a bug in the way openSUSE or one of their German mirrors set up their package server or HTML caching.

I was able to fix it by removing the package source, followed by running apt-get update. After adding the source again, everything installed fine. Weirdly just running apt-get clean instead, which I thought does the same, did not fix my issue.

@ghost

ghost commented Oct 20, 2016

The issue described here is not fixed

It really shouldn't be hard to understand that the issue originally reported here IS fixed. To sum up, so that you can understand:

  1. The bug report originally filed here was about a weak signature used in the keys
  2. The keys were replaced by new keys which now use a stronger signing algorithm
  3. The original issue is closed.

Everything else doesn't belong in here. @jnweiger @crrodriguez Please lock here to avoid that this issue gets longer and longer where the initial issue is already solved. People are mixing too many issues in here.

@FlorianFranzen

@RealRancor The title is "Weak digest & Invalid signatures". Enough said.

@ghost

ghost commented Oct 20, 2016

Yeah, and these are solved as already explained twice.

Weak digest: Key was updated with a new signature algorithm.
Invalid signature: Key was expired for the OP and was also updated (which, btw, doesn't even belong in this issue in the first place).

It might help to read (and understand) the actual report and not only the title.

If you think there are any additional issues which needs to be fixed create a new bugreport.

@varac

varac commented Oct 30, 2016

@FlorianFranzen @RealRancor I created #5287 to track the WARNING: The following packages cannot be authenticated! issue.

@owncloud owncloud locked and limited conversation to collaborators Nov 10, 2016