current gpg sigs of the releases uses MD5 #9976

Closed
ghost opened this issue Jul 1, 2016 · 2 comments

@ghost ghost commented Jul 1, 2016

  • [x] I've verified and I assure that I'm running youtube-dl 2016.07.01
  • [x] Searched the bugtracker for similar issues including closed ones

What is the purpose of your issue?

  • Bug report (encountered problems with youtube-dl)
  • Site support request (request for adding support for a new site)
  • Feature request (request for a new functionality)
  • Question
  • [x] Other

Description of your issue, suggested solution and other information

If trying to verify the signature from the key 18A9236D for the release as present on http://rg3.github.io/youtube-dl/download.html there are problems.

gpg --verify youtube-dl.sig youtube.dl produces:

gpg: WARNING: digest algorithm MD5 is deprecated

According to https://www.gnupg.org/faq/weak-digest-algos.html this is because a weak signature is used.

There should not be a big problem in 2016 to produce secure signatures that don't use MD5.
Also, newer versions of gpg disable MD5 completely.


@dstftw dstftw commented Jul 1, 2016

SHA256 is used for signing:

[dst@serpent tmp]$ pgpdump youtube-dl.sig
Old: Signature Packet(tag 2)(540 bytes)
    Ver 4 - new
    Sig type - Signature of a binary document(0x00).
    Pub alg - RSA Encrypt or Sign(pub 1)
    Hash alg - SHA256(hash 8)
    Hashed Sub: signature creation time(sub 2)(4 bytes)
        Time - Fri Jul  1 04:01:15 KRAT 2016
    Sub: issuer key ID(sub 16)(8 bytes)
        Key ID - 0x2C393E0F18A9236D
    Hash left 2 bytes - 4d c3
    RSA m^d mod n(4094 bits) - ...
        -> PKCS-1

Hash alg - SHA256(hash 8)

and not even any mention of MD5.

gpg --verify also works without any issue:

[dst@serpent tmp]$ gpg --verify youtube-dl.sig youtube-dl
gpg: Signature made Fri 01 Jul 2016 04:01:15 AM KRAT using RSA key ID 18A9236D
gpg: Good signature from "Sergey M. <dstftw@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: ED7F 5BF4 6B3B BED8 1C87  368E 2C39 3E0F 18A9 236D
[dst@serpent tmp]$ gpg --version
gpg (GnuPG) 2.1.12
libgcrypt 1.7.0
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
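
The "Hash alg" field that pgpdump prints above can also be read directly from the signature file. The following is an added example, not part of this thread or of youtube-dl: it parses only the first packet header as laid out in RFC 4880 and does not verify the signature. The sample bytes are constructed and truncated (placeholder timestamp, no RSA value), reusing only the key ID and "hash left 2 bytes" shown above.

```python
# Hash algorithm IDs from RFC 4880, section 9.4
HASH_ALGS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
             9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5"}  # the digest the gpg warning quoted in this thread is about

def packet_body(data):
    """Return (tag, body) of the first packet in binary OpenPGP data."""
    if not data or not data[0] & 0x80:
        raise ValueError("not a binary OpenPGP packet (ASCII-armored?)")
    first = data[0]
    if first & 0x40:                        # new-format header
        tag, o1 = first & 0x3F, data[1]
        if o1 < 192:
            length, off = o1, 2
        elif o1 < 224:
            length, off = ((o1 - 192) << 8) + data[2] + 192, 3
        elif o1 == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                   # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = 1 << ltype                      # 1, 2 or 4 length octets
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    return tag, data[off:off + length]

def signature_hash_alg(data):
    """Name of the digest algorithm declared in a detached signature."""
    tag, body = packet_body(data)
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    # v4 body: version, sig type, pub alg, hash alg, ...
    # v3 body: version, 5, sig type, time(4), key id(8), pub alg, hash alg
    index = {4: 3, 3: 16}.get(body[0] if body else None)
    if index is None or len(body) <= index:
        raise ValueError("unsupported or truncated signature packet")
    return HASH_ALGS.get(body[index], f"unknown({body[index]})")

# Constructed, truncated v4 signature header (old-format tag 2, length 540).
SAMPLE_SHA256 = bytes.fromhex("89021c" "04000108" "0006" "050200000000"
                              "000a" "09102c393e0f18a9236d" "4dc3")
SAMPLE_MD5 = SAMPLE_SHA256[:6] + b"\x01" + SAMPLE_SHA256[7:]  # hash alg 1

if __name__ == "__main__":
    for name, sig in (("sha256", SAMPLE_SHA256), ("md5", SAMPLE_MD5)):
        alg = signature_hash_alg(sig)
        print(name, alg, "WEAK" if alg in WEAK else "ok")
```

To check a downloaded file, pass its raw bytes, for example the contents of youtube-dl.sig opened in binary mode, to signature_hash_alg().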

@ghost ghost commented Jul 1, 2016

True. The issue was with my keyring configuration. NO issue with the signatures of the releases. GnuPG can be very unclear in its messages.

@ghost ghost closed this Jul 1, 2016
@dstftw dstftw added invalid and removed cant-reproduce labels Jul 1, 2016