Thank you @GSF1200S! Absolutely, I'll verify the RPMs again.
The problem is that the RPMs were signed with my old GPG key (47f14912bcf6be9c), which is the one I had been using until approximately that release. I've re-signed the RPM packages and updated the checksums. The key ID is that of a subkey:
https://keyserver.ubuntu.com/pks/lookup?search=6cd595fefd12dae2&fingerprint=on&op=index
Describe the bug
The OpenSnitch daemon cannot be installed (unless you ignore the GPG check) because its signature cannot be verified by rpm.
Include the following information:
rpm -qpi opensnitch-1.6.2-1.x86_64.rpm shows "Key ID 47f14912bcf6be9c" on its signature line. The command's output opens with:
warning: opensnitch-1.6.2-1.x86_64.rpm: Header V4 DSA/SHA512 Signature, key ID bcf6be9c: NOKEY
Incidentally, I have an old copy of the 'gustavo-iniguez-goia.asc' file in which this key is listed (and it can therefore be imported into rpm for verification, allowing the package to install). The .asc files accompanying the releases now do not contain this key when inspected. For example, consider:
[gsf1200s@geekdom ~]$ gpg --keyid-format long --list-options show-keyring gustavo_iniguez_goia.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub ed25519/141D0D4E9FF44A67 2023-01-21 [SC]
F34016AC014BAAF8C90AC730141D0D4E9FF44A67
uid Gustavo Iñiguez Goya (gus) gooffy1@gmail.com
uid Gustavo Iñiguez Goya gustavo.iniguez.goya@gmail.com
sub cv25519/845F20F2496A4E2F 2023-01-21 [E]
sub ed25519/29D49F23A937434D 2023-01-22 [A]
sub ed25519/6CD595FEFD12DAE2 2023-01-22 [S]
However, the latest UI package 'opensnitch-ui-1.6.4-1.noarch.rpm' lists 'Key ID 6cd595fefd12dae2' on its signature line, and thus importing the above 'gustavo-iniguez-goia.asc' file (released with the latest OpenSnitch) into rpm allows this package to install without any issue.
Perhaps I am doing something wrong here? I have not really had issues with manual verification of signed packages in the past, but if I am doing this wrong it would be wise to have a very clear step-by-step section on the wiki for package verification. This is security-oriented software, so I feel this is fairly important :)
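The check the bug report performs by hand, comparing the key ID rpm prints on a package's signature line with the keys listed in the project's .asc file, as an added example that is not part of this discussion or of the OpenSnitch project. It works purely on text so that it runs without rpm or gpg installed; on a real system the two inputs come from `rpm -Kv <package>.rpm` and `gpg --show-keys --with-subkey-fingerprints --keyid-format long <keyfile>.asc`, and a missing key is fixed with `rpm --import <keyfile>.asc`. The signature lines and the keyring listing below are constructed to mirror what the report quotes (the old DSA key 47f14912bcf6be9c and the subkey 6CD595FEFD12DAE2); only the key IDs and fingerprint are taken from the page.

```shell
#!/bin/sh
# Added example, not code from the discussion or from OpenSnitch.
# Decides whether the key that signed an RPM is present in a gpg keyring
# listing. rpm reports the short (8 hex digit) or long (16 hex digit) key ID;
# gpg lists long IDs as "algo/KEYID" and fingerprints as bare 40-digit lines.
# A key ID is the suffix of its fingerprint, so the comparison is by suffix.

# Lower-cased key ID from an rpm line such as
# "... Signature, key ID bcf6be9c: NOKEY" or "... Key ID 47f14912bcf6be9c".
rpm_key_id() {
    printf '%s\n' "$1" \
      | sed -n 's/.*[Kk]ey ID \([0-9A-Fa-f]\{8,16\}\).*/\1/p' \
      | tr 'A-F' 'a-f' | head -n 1
}

# Long IDs of every primary key and subkey in a gpg listing, one per line:
# taken from "pub algo/KEYID" and "sub algo/KEYID" lines and from the last
# 16 digits of bare fingerprint lines (--with-subkey-fingerprints adds them for subkeys).
keyring_long_ids() {
    printf '%s\n' "$1" | awk '
        $1 == "pub" || $1 == "sub" { n = split($2, a, "/"); if (n == 2) print tolower(a[2]) }
        NF == 1 && length($1) == 40 && $1 ~ /^[0-9A-Fa-f]+$/ { print tolower(substr($1, 25, 16)) }
    ' | sort -u
}

# Prints the matching long ID and returns 0 if the signing key is in the
# listing; returns 1 if it is absent; returns 2 if no key ID was found.
signing_key_present() {
    sig_id=$(rpm_key_id "$1")
    [ -n "$sig_id" ] || { echo "no key ID found in signature line" >&2; return 2; }
    for id in $(keyring_long_ids "$2"); do
        case "$id" in
            *"$sig_id") echo "$id"; return 0 ;;
        esac
    done
    return 1
}

# Constructed sample input (mirrors the report; not real rpm/gpg output).
OLD_SIG='warning: opensnitch-1.6.2-1.x86_64.rpm: Header V4 DSA/SHA512 Signature, key ID bcf6be9c: NOKEY'
NEW_SIG='Signature   : DSA/SHA512, Key ID 6cd595fefd12dae2'
KEYRING='pub   ed25519/141D0D4E9FF44A67 2023-01-21 [SC]
      F34016AC014BAAF8C90AC730141D0D4E9FF44A67
uid           Gustavo Iniguez Goya (gus)
sub   cv25519/845F20F2496A4E2F 2023-01-21 [E]
sub   ed25519/29D49F23A937434D 2023-01-22 [A]
sub   ed25519/6CD595FEFD12DAE2 2023-01-22 [S]'

for sig in "$OLD_SIG" "$NEW_SIG"; do
    if match=$(signing_key_present "$sig" "$KEYRING"); then
        echo "OK: key $(rpm_key_id "$sig") is in the keyring as $match"
    else
        echo "MISSING: key $(rpm_key_id "$sig") is not in the keyring; import the .asc that carries it before installing"
    fi
done
```

Run against real output, the 1.6.2 daemon package reports MISSING for bcf6be9c against the current .asc while the 1.6.4 UI package reports OK via the 6cd595fefd12dae2 signing subkey, which is the mismatch the report describes. Note that rpm only prints the short ID on the NOKEY warning, so when two keys share a short ID the suffix match is ambiguous; `rpm -qpi` gives the long ID and is the safer source.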