summary refs log tree commit diff stats
path: root/gitlab/issues/target_missing/host_missing/accel_missing/2811.toml
diff options
context:
space:
mode:
Diffstat (limited to 'gitlab/issues/target_missing/host_missing/accel_missing/2811.toml')
-rw-r--r--gitlab/issues/target_missing/host_missing/accel_missing/2811.toml102
1 files changed, 0 insertions, 102 deletions
diff --git a/gitlab/issues/target_missing/host_missing/accel_missing/2811.toml b/gitlab/issues/target_missing/host_missing/accel_missing/2811.toml
deleted file mode 100644
index 809b0a49..00000000
--- a/gitlab/issues/target_missing/host_missing/accel_missing/2811.toml
+++ /dev/null
@@ -1,102 +0,0 @@
-id = 2811
-title = "The release artifact for 9.2.1 can not be authenticated with the accompanying OpenPGP signature"
-state = "opened"
-created_at = "2025-02-13T23:03:30.409Z"
-closed_at = "n/a"
-labels = ["sysadmin"]
-url = "https://gitlab.com/qemu-project/qemu/-/issues/2811"
-host-os = "n/a"
-host-arch = "n/a"
-qemu-version = "n/a"
-guest-os = "n/a"
-guest-arch = "n/a"
-description = """Hi! :wave: 
-
-I package this project for Arch Linux.
-This ticket is to inform you that the release artifact for 9.2.1 can not be validated using the accompanying OpenPGP signature.
-The signature has been created by the OpenPGP key with the fingerprint `CEACC9E15534EBABB82D3FA03353C9CEF108B584` (held by @mdroth).
-However, I am not able to validate the downloaded archive with the provided signature.
-
-Please make sure that the archive has not been tampered with and ideally do a full re-release and re-sign cycle."""
-reproduce = """Download sources and create checksum:
-
-```bash
-curl -O https://download.qemu.org/qemu-9.2.1.tar.xz 
-curl -O https://download.qemu.org/qemu-9.2.1.tar.xz.sig
-b2sum qemu-9.2.1.tar.xz
-062b2ef336dbc488bfd9e6c6a21cd95464ab76a98ce8f66bb314101d25a5dc72815ae4eb28028507c85ddade8a28e00cf8897302645ad6ddd2c093bde1cfba9a  qemu-9.2.1.tar.xz
-```
-
-Get latest version of certificate that can be used to verify the signature:
-
-```bash
-gpg --recv-keys CEACC9E15534EBABB82D3FA03353C9CEF108B584
-gpg: key 3353C9CEF108B584: "Michael Roth <michael.roth@amd.com>" not changed
-gpg: Total number processed: 1
-gpg:              unchanged: 1
-```
-
-Export certificate to file:
-
-```bash
-gpg --export CEACC9E15534EBABB82D3FA03353C9CEF108B584 > mdroth.pgp
-```
-
-Show info about the certificate:
-
-```
-gpg --list-sigs CEACC9E15534EBABB82D3FA03353C9CEF108B584
-pub   rsa2048 2013-10-18 [SC] [expires: 2026-05-11]
-      CEACC9E15534EBABB82D3FA03353C9CEF108B584
-      Keygrip = D85EA26924D8B15B55C659659E2864C375F1547D
-uid           [ unknown] Michael Roth <michael.roth@amd.com>
-sig 3        3353C9CEF108B584 2020-10-27  [self-signature]
-sig 3        3353C9CEF108B584 2024-05-11  [self-signature]
-uid           [ unknown] Michael Roth <flukshun@gmail.com>
-sig 3        3353C9CEF108B584 2013-10-18  [self-signature]
-uid           [ unknown] Michael Roth <mdroth@utexas.edu>
-sig 3        3353C9CEF108B584 2013-10-18  [self-signature]
-sub   rsa2048 2013-10-18 [E]
-      Keygrip = 9561B09210E2442DEE64237DBA17A9E9D7A58B04
-sig          3353C9CEF108B584 2013-10-18  [self-signature]
-```
-
-Try verifying the tarball using gpg:
-
-```bash
-gpg --verify qemu-9.2.1.tar.xz.sig
-gpg: assuming signed data in 'qemu-9.2.1.tar.xz'
-gpg: Signature made 2025-02-12T03:22:55 CET
-gpg:                using RSA key CEACC9E15534EBABB82D3FA03353C9CEF108B584
-gpg: BAD signature from "Michael Roth <michael.roth@amd.com>" [unknown]
-```
-
-Try verifying the tarball using the SOP implementation rsop:
-
-```bash
-rsop verify qemu-9.2.1.tar.xz.sig mdroth.pgp < qemu-9.2.1.tar.xz
-           No acceptable signatures found
-```
-
-Try verifying the tarball using sq:
-
-```bash
-sq cert import mdroth.pgp
- - ┌ CEACC9E15534EBABB82D3FA03353C9CEF108B584
-   └ Michael Roth <michael.roth@amd.com> (UNAUTHENTICATED)
-   - imported
-
-
-Imported 0 new certificates, updated 0 certificates, 1 certificate unchanged, 0 errors.
-
-sq verify --signature-file qemu-9.2.1.tar.xz.sig qemu-9.2.1.tar.xz
-Error verifying signature made by CEACC9E15534EBABB82D3FA03353C9CEF108B584:
-
-  Error: Message has been manipulated
-0 authenticated signatures, 1 bad signature.
-
-  Error: Verification failed: could not authenticate any signatures
-```"""
-additional = """On Arch Linux we use the provided release tarball and verify it using the detached signature.
-For validation we rely on the OpenPGP certificate with the fingerprint `CEACC9E15534EBABB82D3FA03353C9CEF108B584`.
-The fingerprint is locked in our [build script](https://gitlab.archlinux.org/archlinux/packaging/packages/qemu/-/blob/7cddf5aa82542d6ba511a22aeaa8eca6d6e7d949/PKGBUILD#L158)."""