The release artifact for 9.2.1 can not be authenticated with the accompanying OpenPGP signature Description of problem: Hi! :wave: I package this project for Arch Linux. This ticket is to inform you that the release artifact for 9.2.1 can not be validated using the accompanying OpenPGP signature. The signature has been created by the OpenPGP key with the fingerprint `CEACC9E15534EBABB82D3FA03353C9CEF108B584` (held by @mdroth). However, I am not able to validate the downloaded archive with the provided signature. Please make sure that the archive has not been tampered with and ideally do a full re-release and re-sign cycle. Steps to reproduce: Download sources and create checksum: ```bash curl -O https://download.qemu.org/qemu-9.2.1.tar.xz curl -O https://download.qemu.org/qemu-9.2.1.tar.xz.sig b2sum qemu-9.2.1.tar.xz 062b2ef336dbc488bfd9e6c6a21cd95464ab76a98ce8f66bb314101d25a5dc72815ae4eb28028507c85ddade8a28e00cf8897302645ad6ddd2c093bde1cfba9a qemu-9.2.1.tar.xz ``` Get latest version of certificate that can be used to verify the signature: ```bash gpg --recv-keys CEACC9E15534EBABB82D3FA03353C9CEF108B584 gpg: key 3353C9CEF108B584: "Michael Roth " not changed gpg: Total number processed: 1 gpg: unchanged: 1 ``` Export certificate to file: ```bash gpg --export CEACC9E15534EBABB82D3FA03353C9CEF108B584 > mdroth.pgp ``` Show info about the certificate: ``` gpg --list-sigs CEACC9E15534EBABB82D3FA03353C9CEF108B584 pub rsa2048 2013-10-18 [SC] [expires: 2026-05-11] CEACC9E15534EBABB82D3FA03353C9CEF108B584 Keygrip = D85EA26924D8B15B55C659659E2864C375F1547D uid [ unknown] Michael Roth sig 3 3353C9CEF108B584 2020-10-27 [self-signature] sig 3 3353C9CEF108B584 2024-05-11 [self-signature] uid [ unknown] Michael Roth sig 3 3353C9CEF108B584 2013-10-18 [self-signature] uid [ unknown] Michael Roth sig 3 3353C9CEF108B584 2013-10-18 [self-signature] sub rsa2048 2013-10-18 [E] Keygrip = 9561B09210E2442DEE64237DBA17A9E9D7A58B04 sig 3353C9CEF108B584 2013-10-18 [self-signature] ``` Try verifying the tarball using gpg: ```bash gpg --verify qemu-9.2.1.tar.xz.sig gpg: assuming signed data in 'qemu-9.2.1.tar.xz' gpg: Signature made 2025-02-12T03:22:55 CET gpg: using RSA key CEACC9E15534EBABB82D3FA03353C9CEF108B584 gpg: BAD signature from "Michael Roth " [unknown] ``` Try verifying the tarball using the SOP implementation rsop: ```bash rsop verify qemu-9.2.1.tar.xz.sig mdroth.pgp < qemu-9.2.1.tar.xz No acceptable signatures found ``` Try verifying the tarball using sq: ```bash sq cert import mdroth.pgp - ┌ CEACC9E15534EBABB82D3FA03353C9CEF108B584 └ Michael Roth (UNAUTHENTICATED) - imported Imported 0 new certificates, updated 0 certificates, 1 certificate unchanged, 0 errors. sq verify --signature-file qemu-9.2.1.tar.xz.sig qemu-9.2.1.tar.xz Error verifying signature made by CEACC9E15534EBABB82D3FA03353C9CEF108B584: Error: Message has been manipulated 0 authenticated signatures, 1 bad signature. Error: Verification failed: could not authenticate any signatures ``` Additional information: On Arch Linux we use the provided release tarball and verify it using the detached signature. For validation we rely on the OpenPGP certificate with the fingerprint `CEACC9E15534EBABB82D3FA03353C9CEF108B584`. The fingerprint is locked in our [build script](https://gitlab.archlinux.org/archlinux/packaging/packages/qemu/-/blob/7cddf5aa82542d6ba511a22aeaa8eca6d6e7d949/PKGBUILD#L158).