blob: 55bd6a60765453311caed429c6f182eeb25eda3d (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
The release artifact for 9.2.1 can not be authenticated with the accompanying OpenPGP signature
Description of problem:
Hi! :wave:
I package this project for Arch Linux.
This ticket is to inform you that the release artifact for 9.2.1 can not be validated using the accompanying OpenPGP signature.
The signature has been created by the OpenPGP key with the fingerprint `CEACC9E15534EBABB82D3FA03353C9CEF108B584` (held by @mdroth).
However, I am not able to validate the downloaded archive with the provided signature.
Please make sure that the archive has not been tampered with and ideally do a full re-release and re-sign cycle.
Steps to reproduce:
Download sources and create checksum:
```bash
curl -O https://download.qemu.org/qemu-9.2.1.tar.xz
curl -O https://download.qemu.org/qemu-9.2.1.tar.xz.sig
b2sum qemu-9.2.1.tar.xz
062b2ef336dbc488bfd9e6c6a21cd95464ab76a98ce8f66bb314101d25a5dc72815ae4eb28028507c85ddade8a28e00cf8897302645ad6ddd2c093bde1cfba9a qemu-9.2.1.tar.xz
```
Get latest version of certificate that can be used to verify the signature:
```bash
gpg --recv-keys CEACC9E15534EBABB82D3FA03353C9CEF108B584
gpg: key 3353C9CEF108B584: "Michael Roth <michael.roth@amd.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
```
Export certificate to file:
```bash
gpg --export CEACC9E15534EBABB82D3FA03353C9CEF108B584 > mdroth.pgp
```
Show info about the certificate:
```
gpg --list-sigs CEACC9E15534EBABB82D3FA03353C9CEF108B584
pub rsa2048 2013-10-18 [SC] [expires: 2026-05-11]
CEACC9E15534EBABB82D3FA03353C9CEF108B584
Keygrip = D85EA26924D8B15B55C659659E2864C375F1547D
uid [ unknown] Michael Roth <michael.roth@amd.com>
sig 3 3353C9CEF108B584 2020-10-27 [self-signature]
sig 3 3353C9CEF108B584 2024-05-11 [self-signature]
uid [ unknown] Michael Roth <flukshun@gmail.com>
sig 3 3353C9CEF108B584 2013-10-18 [self-signature]
uid [ unknown] Michael Roth <mdroth@utexas.edu>
sig 3 3353C9CEF108B584 2013-10-18 [self-signature]
sub rsa2048 2013-10-18 [E]
Keygrip = 9561B09210E2442DEE64237DBA17A9E9D7A58B04
sig 3353C9CEF108B584 2013-10-18 [self-signature]
```
Try verifying the tarball using gpg:
```bash
gpg --verify qemu-9.2.1.tar.xz.sig
gpg: assuming signed data in 'qemu-9.2.1.tar.xz'
gpg: Signature made 2025-02-12T03:22:55 CET
gpg: using RSA key CEACC9E15534EBABB82D3FA03353C9CEF108B584
gpg: BAD signature from "Michael Roth <michael.roth@amd.com>" [unknown]
```
Try verifying the tarball using the SOP implementation rsop:
```bash
rsop verify qemu-9.2.1.tar.xz.sig mdroth.pgp < qemu-9.2.1.tar.xz
No acceptable signatures found
```
Try verifying the tarball using sq:
```bash
sq cert import mdroth.pgp
- ┌ CEACC9E15534EBABB82D3FA03353C9CEF108B584
└ Michael Roth <michael.roth@amd.com> (UNAUTHENTICATED)
- imported
Imported 0 new certificates, updated 0 certificates, 1 certificate unchanged, 0 errors.
sq verify --signature-file qemu-9.2.1.tar.xz.sig qemu-9.2.1.tar.xz
Error verifying signature made by CEACC9E15534EBABB82D3FA03353C9CEF108B584:
Error: Message has been manipulated
0 authenticated signatures, 1 bad signature.
Error: Verification failed: could not authenticate any signatures
```
Additional information:
On Arch Linux we use the provided release tarball and verify it using the detached signature.
For validation we rely on the OpenPGP certificate with the fingerprint `CEACC9E15534EBABB82D3FA03353C9CEF108B584`.
The fingerprint is locked in our [build script](https://gitlab.archlinux.org/archlinux/packaging/packages/qemu/-/blob/7cddf5aa82542d6ba511a22aeaa8eca6d6e7d949/PKGBUILD#L158).
|