public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Signature found, but from unknown key (see push-cert)
From: grozin @ 2017-01-01 11:12 UTC
  To: gentoo-dev

Happy new year to *,

Yesterday I changed the expiration dates of my gpg key and its subkeys. And
today I cannot push to the Gentoo repo:

remote: Signature found, but from unknown key (see push-cert)
remote: Your push was not signed with a known key.
remote: You MUST use git push --signed with a known key.
remote: If you just updated your key, please wait 15 minutes for sync.
remote: git-receive-pack variables:
remote: GIT_PUSH_CERT='ef16430106a13fa3758d2211100be5b9f2bd88d8'
remote: GIT_PUSH_CERT_KEY=''
remote: GIT_PUSH_CERT_NONCE='1483268914-e0cd9c07e06304c00a64'
remote: GIT_PUSH_CERT_NONCE_SLOP=''
remote: GIT_PUSH_CERT_NONCE_STATUS='OK'
remote: GIT_PUSH_CERT_SIGNER=''
remote: GIT_PUSH_CERT_STATUS='N'
remote: A push-cert was found, and follows:
remote: =====
remote: certificate version 0.1
remote: pusher 0x3AFFCE974D34BD8C 1483268914 +0700
remote: pushee git+ssh://git.gentoo.org/repo/gentoo.git
remote: nonce 1483268914-e0cd9c07e06304c00a64
remote:
remote: 49db3be908c03b9b9346490c9a6ba639a910e32d f6339d7e027335688c7f5906ff63c563ceca9c58 refs/heads/master
remote: -----BEGIN PGP SIGNATURE-----
remote: -----END PGP SIGNATURE-----
remote: =====
To git+ssh://git.gentoo.org/repo/gentoo.git
  ! [remote rejected]       master -> master (pre-receive hook declined)
error: failed to push some refs to 'git+ssh://git@git.gentoo.org/repo/gentoo.git'

What should I do to be able to push to Gentoo?

Andrey



* Re: [gentoo-dev] Signature found, but from unknown key (see push-cert)
From: Andrew Savchenko @ 2017-01-01 13:31 UTC
  To: gentoo-dev


Hi,

On Sun, 1 Jan 2017 18:12:23 +0700 (+07) grozin@gentoo.org wrote:
> Happy new year to *,
> 
> Yesterday I changed the expiration dates of my gpg key and its subkeys. And
> today I cannot push to the Gentoo repo:
> 
> remote: Signature found, but from unknown key (see push-cert)
> remote: Your push was not signed with a known key.
> remote: You MUST use git push --signed with a known key.
> remote: If you just updated your key, please wait 15 minutes for sync.
> remote: git-receive-pack variables:
> remote: GIT_PUSH_CERT='ef16430106a13fa3758d2211100be5b9f2bd88d8'
> remote: GIT_PUSH_CERT_KEY=''
> remote: GIT_PUSH_CERT_NONCE='1483268914-e0cd9c07e06304c00a64'
> remote: GIT_PUSH_CERT_NONCE_SLOP=''
> remote: GIT_PUSH_CERT_NONCE_STATUS='OK'
> remote: GIT_PUSH_CERT_SIGNER=''
> remote: GIT_PUSH_CERT_STATUS='N'
> remote: A push-cert was found, and follows:
> remote: =====
> remote: certificate version 0.1
> remote: pusher 0x3AFFCE974D34BD8C 1483268914 +0700

Looks like the git hook is still using your old key. You should wait
for a day or so in order for your change to propagate through
servers. If this doesn't help, you should probably contact infra to
update your key.

Best regards,
Andrew Savchenko


* Re: [gentoo-dev] Signature found, but from unknown key (see push-cert)
From: Brian Dolbec @ 2017-01-01 17:51 UTC
  To: gentoo-dev


On Sun, 1 Jan 2017 16:31:27 +0300
Andrew Savchenko <bircoph@gentoo.org> wrote:

> Hi,
> 
> On Sun, 1 Jan 2017 18:12:23 +0700 (+07) grozin@gentoo.org wrote:
> > Happy new year to *,
> > 
> > Yesterday I changed the expiration dates of my gpg key and its
> > subkeys. And today I cannot push to the Gentoo repo:
> > 
> > remote: Signature found, but from unknown key (see push-cert)
> > remote: Your push was not signed with a known key.
> > remote: You MUST use git push --signed with a known key.
> > remote: If you just updated your key, please wait 15 minutes for sync.
> > remote: git-receive-pack variables:
> > remote: GIT_PUSH_CERT='ef16430106a13fa3758d2211100be5b9f2bd88d8'
> > remote: GIT_PUSH_CERT_KEY=''
> > remote: GIT_PUSH_CERT_NONCE='1483268914-e0cd9c07e06304c00a64'
> > remote: GIT_PUSH_CERT_NONCE_SLOP=''
> > remote: GIT_PUSH_CERT_NONCE_STATUS='OK'
> > remote: GIT_PUSH_CERT_SIGNER=''
> > remote: GIT_PUSH_CERT_STATUS='N'
> > remote: A push-cert was found, and follows:
> > remote: =====
> > remote: certificate version 0.1
> > remote: pusher 0x3AFFCE974D34BD8C 1483268914 +0700  
> 
> Looks like the git hook is still using your old key. You should wait
> for a day or so in order for your change to propagate through
> servers. If this doesn't help, you should probably contact infra to
> update your key.
> 
> Best regards,
> Andrew Savchenko

No, infra has it refreshing keys several times an hour.

I just did another gkeys run and refreshed the keys from the servers.

You did not reset the expiry on your signing subkey.  See the following
reports which show the details.  After you reset it and gpg --send-key
it to the keyservers again, it can take a few hours for it to
propagate and to be able to push to the gentoo repo again.

===================================================

dolsen@vulture /var/lib/gkeys $ python3.4 /var/lib/gkeys/gentoo-keys/gkeys/bin/gkeys -c /var/lib/gkeys/gkeys.conf list-key -C gentoo-devs -n grozin

Nick.....: grozin
Name.....: Andrey Grozin
Keydir...: grozin
Gpg info.: /var/lib/gkeys/keyrings/gentoo-devs/grozin/pubring.gpg
           ------------------------------------------------------
           pub   rsa4096/53D4ABFA88DD61C4 2013-02-26 [SC] [expires: 2017-12-24]
                 Key fingerprint = 6FCC 83E2 6D94 FB05 4B76  1016 53D4 ABFA 88DD 61C4
           uid                 [ unknown] Andrey Grozin (science) <grozin@gentoo.org>
           sub   rsa4096/34966948B00C83E6 2013-02-26 [E] [expires: 2017-12-24]
           

 Gkey task results:
    Done.

dolsen@vulture /var/lib/gkeys $ python3.4 /var/lib/gkeys/gentoo-keys/gkeys/bin/gkeys -c /var/lib/gkeys/gkeys.conf spec-check -C gentoo-devs -n grozin

 Checking keys...


  grozin, Andrey Grozin: 0x53D4ABFA88DD61C4
  ==============================================

    ----------
    Fingerprint......: 6FCC83E26D94FB054B76101653D4ABFA88DD61C4
    Key type ........: PUB    Capabilities.: scESC  
    Algorithm........: Pass   Bit Length...: Pass
    Create Date......: Pass   Expire Date..: Pass
    Key Version......: Pass   Validity.....: -, Unknown
    Days till expiry.: 356        
    Capability.......: Pass       
    Qualified ID.....: Pass       
    This primary key.: Pass

    ----------
    Fingerprint......: 902F154026C4AD5055486D0234966948B00C83E6
    Key type ........: SUB    Capabilities.: e  encrypt
    Algorithm........: ----   Bit Length...: ----
    Create Date......: Pass   Expire Date..: Pass
    Key Version......: Pass   Validity.....: -, Unknown
    Days till expiry.: 356        
    Capability.......: Pass       
    Qualified ID.....: Pass       
    This subkey......: Pass

    ----------
    Fingerprint......: 08C4EDF669C5A630FE7DEB943AFFCE974D34BD8C
    Key type ........: SUB    Capabilities.: s  
    Algorithm........: Pass   Bit Length...: Pass
    Create Date......: Pass   Expire Date..: Pass
    Key Version......: Pass   Validity.....: e, Expired
    Days till expiry.: 0          
    Capability.......: Pass       
    Qualified ID.....: Pass       
    This subkey......: Fail

    Key summary
    primary..........: Pass         signing subkey: Fail
    encryption subkey: Yes   authentication subkey: No  
    SPEC requirements: Fail



 No signing capable subkey:
     Andrey Grozin <grozin>: 6FCC83E26D94FB054B76101653D4ABFA88DD61C4


 Failed to pass SPEC requirements:
     Andrey Grozin <grozin>: 6FCC83E26D94FB054B76101653D4ABFA88DD61C4


 Gkey task results:
    
Found Failures:
-------
    Revoked................: 0
    Invalid................: 0
    No Signing subkey......: 1
    No Encryption subkey...: 0
    Algorithm..............: 0
    Bit length.............: 0
    Qualified IDs..........: 0
    Expiry.................: 0
    Expiry Warnings........: 0
    SPEC requirements......: 1
    =============================
    SPEC Approved..........: 0

dolsen@vulture /var/lib/gkeys $ 

-- 
Brian Dolbec <dolsen>
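
The check discussed in this thread, as an added example that is not from any participant and is not the code of gkeys or of the Gentoo pre-receive hook: it looks up the key named on the push-cert's `pusher` line in `gpg --with-colons` output and reports why a signed push from it would be treated as coming from an unusable key. It assumes epoch-second dates in the colon records and a `pusher` header that carries a key ID as in this push-cert; the key IDs and the push time are taken from the thread, and all other timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed `gpg --with-colons --list-keys` records. Key IDs are the ones
# quoted in the thread; every timestamp except the push time is constructed.
SAMPLE_KEYRING = """\
pub:-:4096:1:53D4ABFA88DD61C4:1361836800:1514073600::-:::scESC:
sub:-:4096:1:34966948B00C83E6:1361836800:1514073600:::::e:
sub:e:4096:1:3AFFCE974D34BD8C:1361836800:1483142400:::::s:
"""
PUSHER_LINE = "pusher 0x3AFFCE974D34BD8C 1483268914 +0700"  # from the push-cert

@dataclass
class Key:
    kind: str               # "pub" or "sub"
    validity: str           # field 2: "e" expired, "r" revoked, "-" unknown
    keyid: str              # field 5: 64-bit key ID
    expires: Optional[int]  # field 7: epoch seconds, None when no expiry is set
    caps: str               # field 12: lowercase letters are this key's own usage

def parse_keyring(text):
    """Collect the pub/sub records from colon-delimited gpg output."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) >= 12:
            keys.append(Key(f[0], f[1], f[4], int(f[6]) if f[6] else None, f[11]))
    return keys

def parse_pusher(line):
    """Return (key ID, push time) from a push-cert 'pusher' header."""
    _, ident, stamp, _tz = line.split()
    keyid = ident[2:] if ident.lower().startswith("0x") else ident
    return keyid.upper(), int(stamp)

def diagnose(keys, pusher_line):
    """Explain whether the pusher's key was usable at the time of the push."""
    keyid, pushed_at = parse_pusher(pusher_line)
    key = next((k for k in keys if k.keyid == keyid), None)
    if key is None:
        return "unknown key"
    if key.validity == "r":
        return "revoked"
    if key.validity == "e" or (key.expires is not None and key.expires <= pushed_at):
        return "expired %s key" % key.kind
    if "s" not in key.caps:
        return "not signing-capable"
    return "ok"
```

On the sample records the primary key and the encryption subkey are valid, yet the push is still diagnosed as signed by an expired subkey, which matches the spec-check report above.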

