public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-user] Untrusted PGP signing key
@ 2020-05-24 17:15 Consus
  2020-05-24 17:36 ` [gentoo-user] " Nikos Chantziaras
  0 siblings, 1 reply; 4+ messages in thread
From: Consus @ 2020-05-24 17:15 UTC (permalink / raw
  To: gentoo-user

Hi guys,

I've got this today:

	$ sudo emerge --sync
	>>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
	 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
	 * Refreshing keys via WKD ... [ ok ]
	Fetching most recent snapshot ...
	Trying to retrieve 20200523 snapshot from https://mirror.yandex.ru/gentoo-distfiles ...
	Fetching file gentoo-20200523.tar.xz.md5sum ...
	Fetching file gentoo-20200523.tar.xz.gpgsig ...
	Fetching file gentoo-20200523.tar.xz ...
	Checking digest ...
	Checking signature ...
	gpg: Signature made Sun 24 May 2020 03:56:07 MSK
	gpg:                using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
	gpg: Good signature from "Gentoo ebuild repository signing key (Automated Signing Key) <infrastructure@gentoo.org>" [unknown]
	gpg:                 aka "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
	gpg: WARNING: Using untrusted key!
	...

Is this warning expected?


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [gentoo-user] Re: Untrusted PGP signing key
  2020-05-24 17:15 [gentoo-user] Untrusted PGP signing key Consus
@ 2020-05-24 17:36 ` Nikos Chantziaras
  2020-05-24 18:08   ` Michael
  0 siblings, 1 reply; 4+ messages in thread
From: Nikos Chantziaras @ 2020-05-24 17:36 UTC (permalink / raw
  To: gentoo-user

On 24/05/2020 20:15, Consus wrote:
> I've got this today:
> 
> 	$ sudo emerge --sync
> 	Checking signature ...
> 	gpg: Signature made Sun 24 May 2020 03:56:07 MSK
> 	gpg:                using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
> 	gpg: Good signature from "Gentoo ebuild repository signing key (Automated Signing Key) <infrastructure@gentoo.org>" [unknown]
> 	gpg:                 aka "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
> 	gpg: WARNING: Using untrusted key!
> 	...
> 
> Is this warning expected?

Certainly not.



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [gentoo-user] Re: Untrusted PGP signing key
  2020-05-24 17:36 ` [gentoo-user] " Nikos Chantziaras
@ 2020-05-24 18:08   ` Michael
  2020-05-24 18:13     ` Consus
  0 siblings, 1 reply; 4+ messages in thread
From: Michael @ 2020-05-24 18:08 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 4579 bytes --]

On Sunday, 24 May 2020 18:36:28 BST Nikos Chantziaras wrote:
> On 24/05/2020 20:15, Consus wrote:
> > I've got this today:
> > 	$ sudo emerge --sync
> > 	Checking signature ...
> > 	gpg: Signature made Sun 24 May 2020 03:56:07 MSK
> > 	gpg:                using RSA key
> > 	E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
> > 	gpg: Good signature from "Gentoo ebuild repository signing key 
(Automated
> > 	Signing Key) <infrastructure@gentoo.org>" [unknown] gpg:                
> > 	aka "Gentoo Portage Snapshot Signing Key (Automated Signing Key)"
> > 	[unknown] gpg: WARNING: Using untrusted key!
> > 	...
> > 
> > Is this warning expected?
> 
> Certainly not.

Check your /usr/share/openpgp-keys/gentoo-release.asc file.  This is the hash 
I get here:

$ sha512sum gentoo-release.asc
3b168b7e43ad2cf4f042be585abc761c5786f55c94592dc916d13a1ef5557f047e614a7d70827471ace113f16eceb4e455228c4a5f7b9293f6a185a8e5183781  
gentoo-release.asc

and these are the keys it contains:

$ gpg gentoo-release.asc 
gpg: enabled debug flags: memstat
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=37 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks
pub   rsa4096 2011-11-25 [C] [expires: 2021-01-01]
      DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
uid           Gentoo Portage Snapshot Signing Key (Automated Signing Key)
sig        DB6B8C1F96D8BF6D 2019-10-30   [selfsig]
sig        DB6B8C1F96D8BF6D 2011-11-25   [selfsig]
sig        DB6B8C1F96D8BF6D 2015-11-23   [selfsig]
sig        DB6B8C1F96D8BF6D 2016-07-01   [selfsig]
sig        DB6B8C1F96D8BF6D 2018-01-27   [selfsig]
sig        DB6B8C1F96D8BF6D 2019-04-27   [selfsig]
uid           Gentoo ebuild repository signing key (Automated Signing Key) 
<infrastructure@gentoo.org>
sig        DB6B8C1F96D8BF6D 2019-10-30   [selfsig]
sig        DB6B8C1F96D8BF6D 2019-01-01   [selfsig]
sig        DB6B8C1F96D8BF6D 2019-04-27   [selfsig]
sig        DB6B8C1F96D8BF6D 2018-07-04   [selfsig]
sub   rsa4096 2011-11-25 [S] [expires: 2021-01-01]
sig        DB6B8C1F96D8BF6D 2019-04-27   [keybind]
sig        DB6B8C1F96D8BF6D 2019-10-30   [keybind]
pub   dsa1024 2004-07-20 [SC] [expires: 2020-07-01]
      D99EAC7379A850BCE47DA5F29E6438C817072058
uid           Gentoo Linux Release Engineering (Gentoo Linux Release Signing 
Key) <releng@gentoo.org>
sig        9E6438C817072058 2018-06-28   [selfsig]
sig        9E6438C817072058 2006-08-16   [selfsig]
sig        9E6438C817072058 2016-07-01   [selfsig]
sig        9E6438C817072058 2004-07-20   [selfsig]
sig        9E6438C817072058 2004-07-20   [selfsig]
sub   elg2048 2004-07-20 [E] [expires: 2020-07-01]
sig        9E6438C817072058 2018-06-28   [keybind]
pub   rsa4096 2009-08-25 [SC] [expires: 2021-01-01]
      13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
uid           Gentoo Linux Release Engineering (Automated Weekly Release Key) 
<releng@gentoo.org>
sig        BB572E0E2D182910 2019-10-30   [selfsig]
sig        BB572E0E2D182910 2013-08-24   [selfsig]
sig        BB572E0E2D182910 2015-08-26   [selfsig]
sig        BB572E0E2D182910 2009-08-25   [selfsig]
sig        BB572E0E2D182910 2009-08-25   [selfsig]
sig        BB572E0E2D182910 2017-08-22   [selfsig]
sig        BB572E0E2D182910 2019-02-23   [selfsig]
sig        BB572E0E2D182910 2019-04-27   [selfsig]
sig        BB572E0E2D182910 2019-02-24   [selfsig]
sub   rsa2048 2019-02-23 [S] [expires: 2021-01-01]
sig        BB572E0E2D182910 2019-04-27   [keybind]
sig        BB572E0E2D182910 2019-10-30   [keybind]
pub   rsa4096 2018-05-28 [C] [expires: 2021-01-01]
      EF9538C9E8E64311A52CDEDFA13D0EF1914E7A72
uid           Gentoo repository mirrors (automated git signing key) 
<repomirrorci@gentoo.org>
sig        A13D0EF1914E7A72 2019-10-30   [selfsig]
sig        A13D0EF1914E7A72 2018-05-28   [selfsig]
sig        A13D0EF1914E7A72 2018-05-29   [selfsig]
sig        A13D0EF1914E7A72 2018-11-25   [selfsig]
sig        A13D0EF1914E7A72 2019-02-23   [selfsig]
sig        A13D0EF1914E7A72 2019-04-27   [selfsig]
sub   rsa2048 2018-05-28 [S] [expires: 2021-01-01]
sig        A13D0EF1914E7A72 2019-04-27   [keybind]
sig        A13D0EF1914E7A72 2019-10-30   [keybind]


More information:  https://www.gentoo.org/downloads/signatures/

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [gentoo-user] Re: Untrusted PGP signing key
  2020-05-24 18:08   ` Michael
@ 2020-05-24 18:13     ` Consus
  0 siblings, 0 replies; 4+ messages in thread
From: Consus @ 2020-05-24 18:13 UTC (permalink / raw
  To: gentoo-user

On Sun, May 24, 2020 at 07:08:41PM +0100, Michael wrote:
> Check your /usr/share/openpgp-keys/gentoo-release.asc file.  This is the hash 
> I get here:
> 
> $ sha512sum gentoo-release.asc
> 3b168b7e43ad2cf4f042be585abc761c5786f55c94592dc916d13a1ef5557f047e614a7d70827471ace113f16eceb4e455228c4a5f7b9293f6a185a8e5183781  
> gentoo-release.asc

Same hash. Weird.


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2020-05-24 18:13 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-05-24 17:15 [gentoo-user] Untrusted PGP signing key Consus
2020-05-24 17:36 ` [gentoo-user] " Nikos Chantziaras
2020-05-24 18:08   ` Michael
2020-05-24 18:13     ` Consus

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox