summary refs log tree commit diff stats
path: root/results/classifier/118/none/2811
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/118/none/2811')
-rw-r--r--results/classifier/118/none/2811124
1 files changed, 124 insertions, 0 deletions
diff --git a/results/classifier/118/none/2811 b/results/classifier/118/none/2811
new file mode 100644
index 000000000..df7972b22
--- /dev/null
+++ b/results/classifier/118/none/2811
@@ -0,0 +1,124 @@
+user-level: 0.750
+ppc: 0.749
+permissions: 0.748
+mistranslation: 0.745
+hypervisor: 0.742
+risc-v: 0.735
+peripherals: 0.733
+KVM: 0.730
+graphic: 0.724
+TCG: 0.724
+assembly: 0.675
+register: 0.672
+VMM: 0.668
+PID: 0.659
+vnc: 0.658
+arm: 0.655
+device: 0.652
+socket: 0.642
+virtual: 0.639
+x86: 0.630
+performance: 0.624
+semantic: 0.616
+boot: 0.609
+architecture: 0.587
+files: 0.563
+debug: 0.557
+i386: 0.553
+kernel: 0.552
+network: 0.539
+
+The release artifact for 9.2.1 can not be authenticated with the accompanying OpenPGP signature
+Description of problem:
+Hi! :wave: 
+
+I package this project for Arch Linux.
+This ticket is to inform you that the release artifact for 9.2.1 can not be validated using the accompanying OpenPGP signature.
+The signature has been created by the OpenPGP key with the fingerprint `CEACC9E15534EBABB82D3FA03353C9CEF108B584` (held by @mdroth).
+However, I am not able to validate the downloaded archive with the provided signature.
+
+Please make sure that the archive has not been tampered with and ideally do a full re-release and re-sign cycle.
+Steps to reproduce:
+Download sources and create checksum:
+
+```bash
+curl -O https://download.qemu.org/qemu-9.2.1.tar.xz 
+curl -O https://download.qemu.org/qemu-9.2.1.tar.xz.sig
+b2sum qemu-9.2.1.tar.xz
+062b2ef336dbc488bfd9e6c6a21cd95464ab76a98ce8f66bb314101d25a5dc72815ae4eb28028507c85ddade8a28e00cf8897302645ad6ddd2c093bde1cfba9a  qemu-9.2.1.tar.xz
+```
+
+Get latest version of certificate that can be used to verify the signature:
+
+```bash
+gpg --recv-keys CEACC9E15534EBABB82D3FA03353C9CEF108B584
+gpg: key 3353C9CEF108B584: "Michael Roth <michael.roth@amd.com>" not changed
+gpg: Total number processed: 1
+gpg:              unchanged: 1
+```
+
+Export certificate to file:
+
+```bash
+gpg --export CEACC9E15534EBABB82D3FA03353C9CEF108B584 > mdroth.pgp
+```
+
+Show info about the certificate:
+
+```
+gpg --list-sigs CEACC9E15534EBABB82D3FA03353C9CEF108B584
+pub   rsa2048 2013-10-18 [SC] [expires: 2026-05-11]
+      CEACC9E15534EBABB82D3FA03353C9CEF108B584
+      Keygrip = D85EA26924D8B15B55C659659E2864C375F1547D
+uid           [ unknown] Michael Roth <michael.roth@amd.com>
+sig 3        3353C9CEF108B584 2020-10-27  [self-signature]
+sig 3        3353C9CEF108B584 2024-05-11  [self-signature]
+uid           [ unknown] Michael Roth <flukshun@gmail.com>
+sig 3        3353C9CEF108B584 2013-10-18  [self-signature]
+uid           [ unknown] Michael Roth <mdroth@utexas.edu>
+sig 3        3353C9CEF108B584 2013-10-18  [self-signature]
+sub   rsa2048 2013-10-18 [E]
+      Keygrip = 9561B09210E2442DEE64237DBA17A9E9D7A58B04
+sig          3353C9CEF108B584 2013-10-18  [self-signature]
+```
+
+Try verifying the tarball using gpg:
+
+```bash
+gpg --verify qemu-9.2.1.tar.xz.sig
+gpg: assuming signed data in 'qemu-9.2.1.tar.xz'
+gpg: Signature made 2025-02-12T03:22:55 CET
+gpg:                using RSA key CEACC9E15534EBABB82D3FA03353C9CEF108B584
+gpg: BAD signature from "Michael Roth <michael.roth@amd.com>" [unknown]
+```
+
+Try verifying the tarball using the SOP implementation rsop:
+
+```bash
+rsop verify qemu-9.2.1.tar.xz.sig mdroth.pgp < qemu-9.2.1.tar.xz
+           No acceptable signatures found
+```
+
+Try verifying the tarball using sq:
+
+```bash
+sq cert import mdroth.pgp
+ - ┌ CEACC9E15534EBABB82D3FA03353C9CEF108B584
+   └ Michael Roth <michael.roth@amd.com> (UNAUTHENTICATED)
+   - imported
+
+
+Imported 0 new certificates, updated 0 certificates, 1 certificate unchanged, 0 errors.
+
+sq verify --signature-file qemu-9.2.1.tar.xz.sig qemu-9.2.1.tar.xz
+Error verifying signature made by CEACC9E15534EBABB82D3FA03353C9CEF108B584:
+
+  Error: Message has been manipulated
+0 authenticated signatures, 1 bad signature.
+
+  Error: Verification failed: could not authenticate any signatures
+```
+Additional information:
+On Arch Linux we use the provided release tarball and verify it using the detached signature.
+For validation we rely on the OpenPGP certificate with the fingerprint `CEACC9E15534EBABB82D3FA03353C9CEF108B584`.
+The fingerprint is locked in our [build script](https://gitlab.archlinux.org/archlinux/packaging/packages/qemu/-/blob/7cddf5aa82542d6ba511a22aeaa8eca6d6e7d949/PKGBUILD#L158).