Hi all,
I am sorry for reviving this old thread, but unfortunately this is still a thing.
The science gpg key is still using dsa1024, which is considered too weak, especially by Ubuntu systems.
As the key will expire soon (2021-11-11), is there any chance to upgrade to another signature algorithm?
pub dsa1024 2008-01-22 [SC] [expires: 2021-11-11]
D1DD7ACD6D68A0B43081B15801DB7302943D8BB8
uid science OBS Project
On 8. May 2018, at 19:14, Felder, Christian wrote:
On 2. May 2018, at 19:11, Adrian Schröter <adrian@suse.de> wrote:
On Wednesday, 2 May 2018, 18:06:08 CEST, Stanislav Brabec wrote:
Yes, there is a DSA1024 key used in science: osc signkey science | gpg returns
pub dsa1024 2008-01-22 [SC] [expires: 2019-09-17]
D1DD7ACD6D68A0B43081B15801DB7302943D8BB8
uid science OBS Project <science@build.opensuse.org>
science:gr-framework inherits it from science.
The key is still valid, but DSA1024 seems to be considered as weak, so we probably have to create a new one.
Henne, could you confirm that? Should I use: osc signkey --create science
It will trigger a rebuild of all packages in all science sub-projects.
And you should tell the users, since it will be a new key. So to someone it will look like a breach ...
(zypp is not supporting a key upgrade; it will just tell that it is different and ask to accept or refuse)
The key has to be upgraded anyway at some point. As SHA1 encryption has been declared completely insecure, I would prefer to generate a new key asap (and revoke the previous key, but this is probably not possible).
Felder, Christian wrote:
Hi,
I am writing this mail to you guys because you are listed as maintainers of the science namespace at the openSUSE Build Service (build.opensuse.org) and I could not reach you guys either on IRC or via bug reporting, which seems to be just on GitHub nowadays (previously there was some bug tracker based on redmine). My issue on GitHub just got closed with the information that I should contact you guys directly… (https://github.com/openSUSE/open-build-service/issues/4937)
Hi, we get errors on gpg signature checks using the science: repositories (e.g. on Ubuntu 17.04, Ubuntu 18.04). Some time ago we also got errors that the key uses weak encryption (SHA1)
W: GPG error: http://download.opensuse.org/repositories/science:/gr-framework/xUbuntu_18.0... Release: The following signatures were invalid: D1DD7ACD6D68A0B43081B15801DB7302943D8BB8
E: The repository 'http://download.opensuse.org/repositories/science:/gr-framework/xUbuntu_18.0... Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
Is there anything we can do from our side or do you have to replace the science: signing key?
Probably it is sufficient to renew the gpg key for science: which cannot be done by myself. Any help would be appreciated. Thanks in advance. Christian
Christian Felder M. Sc.
Jülich Centre for Neutron Science JCNS at Heinz Maier-Leibnitz Zentrum MLZ Forschungszentrum Jülich GmbH Lichtenbergstraße 1 85747 Garching GERMANY
Telefon: +49 - 89 289 10 773 Telefax: +49 - 89 289 10 799
--
Adrian Schroeter email: adrian@suse.de
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5 90409 Nürnberg Germany
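An added check for the situation discussed in this thread (example code, not from the thread or from OBS): it parses a `gpg --with-colons` key listing and flags keys that are DSA or RSA below 2048 bits, or that expire soon. The sample listing is constructed from the fingerprint and dates quoted above; the RSA4096 entry is a hypothetical replacement key with a placeholder key id.

```python
"""Flag weak or soon-expiring OpenPGP signing keys from `gpg --with-colons` output.

Feed it the output of `gpg --list-keys --with-colons` (or
`osc signkey science | gpg --with-colons --import-options show-only --import`).
"""
from datetime import date, datetime, timezone

# Public-key algorithm ids (RFC 4880), as reported in field 4 of a 'pub' record.
ALGO_NAMES = {1: "rsa", 17: "dsa", 18: "ecdh", 19: "ecdsa", 22: "eddsa"}
WARN_DAYS = 90          # warn when expiry is this close (assumed policy)

def _to_date(field):
    """Fields 6/7 are seconds since the epoch, or empty for 'never expires'."""
    return datetime.fromtimestamp(int(field), tz=timezone.utc).date() if field else None

def audit_keys(colons_text, today):
    """Return one dict per 'pub' record with its fingerprint and a list of problems."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    findings, last_pub = [], None
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] == "fpr" and last_pub is not None:
            last_pub["fpr"] = f[9]      # the fpr record directly follows its pub record
            last_pub = None
            continue
        if f[0] != "pub":               # uid/sub/fpr-of-subkey records are ignored
            continue
        bits, algo = int(f[2]), int(f[3])
        name = ALGO_NAMES.get(algo, "algo%d" % algo)
        expires, problems = _to_date(f[6]), []
        if name in ("dsa", "rsa") and bits < 2048:
            problems.append("%s%d is too weak" % (name, bits))
        if expires is not None and expires < today:
            problems.append("expired on %s" % expires)
        elif expires is not None and (expires - today).days <= WARN_DAYS:
            problems.append("expires on %s" % expires)
        last_pub = {"keyid": f[4], "algo": "%s%d" % (name, bits),
                    "expires": expires, "problems": problems}
        findings.append(last_pub)
    return findings

# Constructed sample: the science key quoted in the thread (dsa1024, expires 2021-11-11)
# plus a hypothetical rsa4096 replacement (placeholder key id, no expiry).
SAMPLE = """\
pub:u:1024:17:01DB7302943D8BB8:1200960000:1636588800::u:::scESC::::::23::0:
fpr:::::::::D1DD7ACD6D68A0B43081B15801DB7302943D8BB8:
uid:u::::1200960000::0000000000000000000000000000000000000000::science OBS Project <science@build.opensuse.org>::::::::::0:
pub:u:4096:1:0000000000000000:1620000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
"""

if __name__ == "__main__":
    for k in audit_keys(SAMPLE, "2021-10-01"):
        print(k["fpr"], k["algo"], "; ".join(k["problems"]) or "ok")
```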