Hi all,

I am sorry for reviving this old thread, but unfortunately this is still a thing.

The science GPG key is still using dsa1024, which is considered too weak, especially by Ubuntu systems.

As the key will expire soon (2021-11-11), is there any chance to upgrade to another signature algorithm?


pub   dsa1024 2008-01-22 [SC] [expires: 2021-11-11]
      D1DD7ACD6D68A0B43081B15801DB7302943D8BB8
uid           science OBS Project <science@build.opensuse.org>


Best
Christian

On 8. May 2018, at 19:14, Felder, Christian <c.felder@fz-juelich.de> wrote:

On 2. May 2018, at 19:11, Adrian Schröter <adrian@suse.de> wrote:

On Wednesday, 2 May 2018, 18:06:08 CEST, Stanislav Brabec wrote:
Yes, there is DSA1024 key used in science:
osc signkey science | gpg
returns
pub   dsa1024 2008-01-22 [SC] [expires: 2019-09-17]
     D1DD7ACD6D68A0B43081B15801DB7302943D8BB8
uid           science OBS Project <science@build.opensuse.org>

science:gr-framework inherits it from science.

The key is still valid, but DSA1024 seems to be considered as weak, so
we probably have to create a new one.

Henne, could you confirm that? Should I use:
osc signkey --create science

It will trigger rebuild of all packages in all science sub-projects.

and you should tell the users, since it will be a new key. To some it will
look like a breach ...

(zypp does not support a key upgrade; it will just tell you it is different and ask you
to accept or refuse)

The key has to be upgraded anyway at some point. As SHA1 encryption has been
declared completely insecure, I would prefer to generate a new key asap (and revoke the
previous key, but this is probably not possible).


Felder, Christian wrote:
Hi,

I am writing this mail to you guys because you are listed as maintainers
of the science namespace at the openSUSE Build Service (build.opensuse.org)
and I could not reach you guys either on IRC or via bug reporting, which
seems to be just on GitHub nowadays (previously there was a bug
tracker based on Redmine).
My issue on GitHub just got closed with the information that I should contact
you guys directly…
(https://github.com/openSUSE/open-build-service/issues/4937)

Hi, we get errors on GPG signature checks using the science:
repositories (e.g. on Ubuntu 17.04, Ubuntu 18.04). Some time ago we also
got errors that the key uses weak encryption (SHA1):

    W: GPG error: http://download.opensuse.org/repositories/science:/gr-framework/xUbuntu_18.04 Release:
       The following signatures were invalid: D1DD7ACD6D68A0B43081B15801DB7302943D8BB8
    E: The repository 'http://download.opensuse.org/repositories/science:/gr-framework/xUbuntu_18.04 Release' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.

Is there anything we can do from our side or do you have to replace the
science: signing key?

Probably it is sufficient to renew the gpg key for science: which cannot
be done by myself.
Any help would be appreciated. Thanks in advance.
Christian

Christian Felder M. Sc.

Jülich Centre for Neutron Science JCNS
at Heinz Maier-Leibnitz Zentrum MLZ
Forschungszentrum Jülich GmbH
Lichtenbergstraße 1
85747 Garching
GERMANY

Telefon: +49 - 89 289  10 773
Telefax: +49 - 89 289 10 799





-- 

Adrian Schroeter
email: adrian@suse.de

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) 

Maxfeldstraße 5                         
90409 Nürnberg 
Germany
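The check Stanislav ran by hand above (`osc signkey science | gpg`, then eyeballing the algorithm, bit length and expiry) is easy to automate so that a weak or soon-expiring repository signing key is caught before apt starts refusing the repository. The script below is an added example and is not code from the thread, from OBS or from osc: it parses GnuPG's machine-readable `--with-colons` output and flags DSA/RSA keys below 2048 bits and keys that expire within a configurable window. The `SAMPLE` record is constructed to mirror the science key quoted in the thread (fingerprint taken from the mail; the creation and expiry timestamps are assumed to be 00:00 UTC on 2008-01-22 and 2021-11-11, and the uid hash is a placeholder). With a real key you would pipe `osc signkey science | gpg --with-colons --import-options show-only --import` into it.

```python
"""Audit an OBS repository signing key for weak algorithms and upcoming expiry.

Added example (not part of the thread).  Usage with a real key:
    osc signkey science | gpg --with-colons --import-options show-only --import | python3 audit_key.py -
Without arguments it audits the constructed SAMPLE below.
"""
import sys
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# OpenPGP public-key algorithm IDs (RFC 4880 section 9.1, RFC 6637, EdDSA)
ALGO_NAMES = {1: "rsa", 17: "dsa", 18: "ecdh", 19: "ecdsa", 22: "eddsa"}

# Minimum acceptable size for finite-field algorithms; anything below is flagged
MIN_BITS = {"rsa": 2048, "dsa": 2048}

# Constructed colon-format record mirroring the science key from the thread.
# Timestamps assumed: 1200960000 = 2008-01-22 00:00 UTC, 1636588800 = 2021-11-11 00:00 UTC.
SAMPLE = """\
pub:-:1024:17:01DB7302943D8BB8:1200960000:1636588800::-:::scSC::::::23::0:
fpr:::::::::D1DD7ACD6D68A0B43081B15801DB7302943D8BB8:
uid:-::::1200960000::0123456789ABCDEF0123456789ABCDEF01234567::science OBS Project <science@build.opensuse.org>::::::::::0:
"""


@dataclass
class KeyInfo:
    algo: str
    bits: int
    created: Optional[datetime]
    expires: Optional[datetime]
    fingerprint: str = ""
    uids: List[str] = field(default_factory=list)


def _ts(value: str) -> Optional[datetime]:
    """Colon-format fields 6/7 are seconds since the epoch; empty means 'none'."""
    return datetime.fromtimestamp(int(value), timezone.utc) if value else None


def parse_colon_output(text: str) -> List[KeyInfo]:
    """Parse `gpg --with-colons` records; only primary keys are returned."""
    keys: List[KeyInfo] = []
    cur: Optional[KeyInfo] = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # field 3 = key length, 4 = algorithm id, 6 = created, 7 = expires
            cur = KeyInfo(algo=ALGO_NAMES.get(int(f[3]), "algo" + f[3]),
                          bits=int(f[2]), created=_ts(f[5]), expires=_ts(f[6]))
            keys.append(cur)
        elif f[0] == "sub":
            cur = None  # subkeys and their fpr/uid lines are not audited here
        elif f[0] == "fpr" and cur is not None and not cur.fingerprint:
            cur.fingerprint = f[9]  # field 10 = fingerprint
        elif f[0] == "uid" and cur is not None:
            cur.uids.append(f[9])  # field 10 = user id
    return keys


def audit(key: KeyInfo, now: datetime, warn_days: int = 90) -> List[str]:
    """Return findings for one key; an empty list means nothing to complain about."""
    findings: List[str] = []
    need = MIN_BITS.get(key.algo)
    if need is not None and key.bits < need:
        findings.append(f"{key.algo}{key.bits} is below {need} bits; current apt "
                        f"(Ubuntu/Debian) rejects signatures from such keys")
    if key.expires is None:
        findings.append("key never expires; consider setting an expiry date")
    else:
        days_left = (key.expires - now).days
        if days_left < 0:
            findings.append(f"key expired on {key.expires:%Y-%m-%d}")
        elif days_left <= warn_days:
            findings.append(f"key expires on {key.expires:%Y-%m-%d} ({days_left} days left)")
    return findings


def run_sample(today: str, warn_days: int = 90) -> List[str]:
    """Audit SAMPLE as of an ISO date (YYYY-MM-DD); handy for tests and demos."""
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return audit(parse_colon_output(SAMPLE)[0], now, warn_days)


def main(argv: List[str]) -> int:
    text = sys.stdin.read() if argv[1:] == ["-"] else SAMPLE
    now = datetime.now(timezone.utc)
    status = 0
    for key in parse_colon_output(text):
        uid = key.uids[0] if key.uids else ""
        print(f"{key.fingerprint} {key.algo}{key.bits} {uid}")
        for finding in audit(key, now):
            print("  !", finding)
            status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run in a cron job against each repository key you mirror, a non-zero exit status gives the 90-day warning that this thread shows was missing: the 2019 expiry passed, the key was extended rather than replaced, and the dsa1024 problem resurfaced in 2021.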