On Tue, Jan 16, 2024 at 11:02:28AM +0100, Julian Andres Klode wrote:
> Control: severity -1 important
> 
> On Thu, Jul 27, 2023 at 12:16:54PM +0200, Julian Andres Klode wrote:
> > Package: gpgv
> > Version: 2.2.40-1.1ubuntu1
> > Severity: normal
> > X-Debbugs-Cc: [email protected]
> > 
> > I believe this allows APT to request a safe minimum RSA length from gpgv for
> > verification purposes, and then we could even run gpgv a 2nd time
> > without the flag and print a diagnostic for an orderly transition to
> > at least 2048R.
> 
> Bumping this. 1024R keys are becoming increasingly unsafe, and this
> will eventually become release critical for trixie because we shouldn't
> ship it with trust for those keys.
> 
> And APT is not capable of checking the key size itself because gpg
> status fd doesn't expose it - that'd be an alternative solution.
OK, the option does not do what it said back then. Logs are below; tl;dr is:

1. Without de-vs compliance setting, it is ignored silently
2. With de-vs compliance setting it is still a good signature
3. Only way to notice it is to also set --require-compliance

For APT we want to just ban sub-2048R keys, possibly sub-3072R keys
(apparently 2048R is no longer considered safe enough for some draft
standards).

-- logs:

root@n:~# gpg --compliance de-vs --require-compliance --min-rsa-length 4096 --status-fd 2 --no-options --homedir /tmp/x --keyring /root/vlc.gpg --verify /var/lib/apt/lists/ppa.launchpadcontent.net_videolan_master-daily_ubuntu_dists_noble_InRelease ; echo $?
gpg: WARNING: unsafe permissions on homedir '/tmp/x'
[GNUPG:] NEWSIG
gpg: Signature made Tue Jan 16 10:30:22 2024 UTC
gpg: using RSA key 3361E59FF5029E6B90A9A80D09589874801DF724
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] SIG_ID sSNe0v8YekIqvdODJR2bHE3DiZY 2024-01-16 1705401022
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] GOODSIG 09589874801DF724 Launchpad Daily Build of master branch
gpg: Good signature from "Launchpad Daily Build of master branch" [unknown]
[GNUPG:] VALIDSIG 3361E59FF5029E6B90A9A80D09589874801DF724 2024-01-16 1705401022 0 4 0 1 10 01 3361E59FF5029E6B90A9A80D09589874801DF724
gpg: WARNING: This key is not suitable for signing in --compliance=de-vs mode
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] TRUST_UNDEFINED 0 pgp
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3361 E59F F502 9E6B 90A9 A80D 0958 9874 801D F724
[GNUPG:] FAILURE compliance-check 33554683
gpg: operation forced to fail due to unfulfilled compliance rules
2

root@n:~# gpg --compliance de-vs --min-rsa-length 4096 --status-fd 2 --no-options --homedir /tmp/x --keyring /root/vlc.gpg --verify /var/lib/apt/lists/ppa.launchpadcontent.net_videolan_master-daily_ubuntu_dists_noble_InRelease ; echo $?
gpg: WARNING: unsafe permissions on homedir '/tmp/x'
[GNUPG:] NEWSIG
gpg: Signature made Tue Jan 16 10:30:22 2024 UTC
gpg: using RSA key 3361E59FF5029E6B90A9A80D09589874801DF724
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] SIG_ID sSNe0v8YekIqvdODJR2bHE3DiZY 2024-01-16 1705401022
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] GOODSIG 09589874801DF724 Launchpad Daily Build of master branch
gpg: Good signature from "Launchpad Daily Build of master branch" [unknown]
[GNUPG:] VALIDSIG 3361E59FF5029E6B90A9A80D09589874801DF724 2024-01-16 1705401022 0 4 0 1 10 01 3361E59FF5029E6B90A9A80D09589874801DF724
gpg: WARNING: This key is not suitable for signing in --compliance=de-vs mode
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] TRUST_UNDEFINED 0 pgp
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3361 E59F F502 9E6B 90A9 A80D 0958 9874 801D F724
0

root@n:~# gpg --require-compliance --min-rsa-length 4096 --status-fd 2 --no-options --homedir /tmp/x --keyring /root/vlc.gpg --verify /var/lib/apt/lists/ppa.launchpadcontent.net_videolan_master-daily_ubuntu_dists_noble_InRelease ; echo $?
gpg: WARNING: unsafe permissions on homedir '/tmp/x'
[GNUPG:] NEWSIG
gpg: Signature made Tue Jan 16 10:30:22 2024 UTC
gpg: using RSA key 3361E59FF5029E6B90A9A80D09589874801DF724
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] SIG_ID sSNe0v8YekIqvdODJR2bHE3DiZY 2024-01-16 1705401022
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] GOODSIG 09589874801DF724 Launchpad Daily Build of master branch
gpg: Good signature from "Launchpad Daily Build of master branch" [unknown]
[GNUPG:] VALIDSIG 3361E59FF5029E6B90A9A80D09589874801DF724 2024-01-16 1705401022 0 4 0 1 10 01 3361E59FF5029E6B90A9A80D09589874801DF724
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] TRUST_UNDEFINED 0 pgp
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3361 E59F F502 9E6B 90A9 A80D 0958 9874 801D F724
0

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
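The logs above show the trap for anything that consumes gpg's status fd: with `--compliance de-vs --require-compliance`, gpg still prints GOODSIG and VALIDSIG for the key, and only afterwards appends `[GNUPG:] FAILURE compliance-check 33554683` and exits 2. A consumer that stops reading at GOODSIG accepts a signature gpg itself refused. The following is an added example written for this page (not code from the bug report, from APT or from gpgv) that parses the machine-readable `[GNUPG:]` lines and applies the rule the logs call for: accept only when VALIDSIG is present, no FAILURE or hard-error status line was seen, and the exit status is 0. The sample status text is constructed from the first log above; the field layout of VALIDSIG follows GnuPG's doc/DETAILS, and, as the report says, the key length is not among those fields, so this parser cannot enforce a minimum RSA size either:

```python
"""Decide whether a gpg --status-fd run should count as a verified signature.

Added example for this page; not code from the bug report, APT or gpgv.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PREFIX = "[GNUPG:] "

# Constructed sample: the status and diagnostic lines of the first log above
# (--compliance de-vs --require-compliance), which ended with exit status 2.
STATUS_WITH_FAILURE = """\
gpg: WARNING: unsafe permissions on homedir '/tmp/x'
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] SIG_ID sSNe0v8YekIqvdODJR2bHE3DiZY 2024-01-16 1705401022
[GNUPG:] GOODSIG 09589874801DF724 Launchpad Daily Build of master branch
gpg: Good signature from "Launchpad Daily Build of master branch" [unknown]
[GNUPG:] VALIDSIG 3361E59FF5029E6B90A9A80D09589874801DF724 2024-01-16 1705401022 0 4 0 1 10 01 3361E59FF5029E6B90A9A80D09589874801DF724
gpg: WARNING: This key is not suitable for signing in --compliance=de-vs mode
[GNUPG:] TRUST_UNDEFINED 0 pgp
[GNUPG:] FAILURE compliance-check 33554683
"""

# Constructed sample: the third log above (no --compliance), exit status 0,
# i.e. the same lines without the trailing FAILURE.
STATUS_WITHOUT_FAILURE = "\n".join(
    line for line in STATUS_WITH_FAILURE.splitlines()
    if not line.startswith(PREFIX + "FAILURE")
) + "\n"

# Status keywords that veto acceptance even when a VALIDSIG was also seen.
HARD_ERRORS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


@dataclass
class StatusReport:
    good_sigs: List[str] = field(default_factory=list)             # long key ids from GOODSIG
    valid_sig: Optional[dict] = None                                # parsed VALIDSIG fields
    failures: List[Tuple[str, int]] = field(default_factory=list)  # FAILURE <location> <code>
    errors: List[str] = field(default_factory=list)                 # HARD_ERRORS keywords seen


def parse_status(text: str) -> StatusReport:
    """Parse the machine-readable [GNUPG:] lines; human-readable gpg: lines are skipped."""
    rep = StatusReport()
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue
        parts = line[len(PREFIX):].split()
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "GOODSIG" and args:
            rep.good_sigs.append(args[0])
        elif kw == "VALIDSIG" and len(args) >= 9:
            # Fields per GnuPG doc/DETAILS: fpr, date, timestamp, expiry, sig version,
            # reserved, pubkey algo, hash algo, sig class, [primary fpr].
            # The key length is not exposed here, which is the gap the report describes.
            rep.valid_sig = {
                "fingerprint": args[0],
                "timestamp": int(args[2]),
                "expires": int(args[3]),
                "sig_version": int(args[4]),
                "pubkey_algo": int(args[6]),
                "hash_algo": int(args[7]),
                "sig_class": args[8],
                "primary_fingerprint": args[9] if len(args) > 9 else args[0],
            }
        elif kw == "FAILURE" and len(args) >= 2:
            rep.failures.append((args[0], int(args[1])))
        elif kw in HARD_ERRORS:
            rep.errors.append(kw)
    return rep


def split_gpg_error(code: int) -> Tuple[int, int]:
    """Split a gpg_error_t value: bits 24-30 hold the error source, the low 16 bits the code."""
    return (code >> 24) & 0x7F, code & 0xFFFF


def accept(text: str, exit_status: int) -> bool:
    """Strict rule: VALIDSIG seen, nothing vetoed it, and gpg exited 0."""
    rep = parse_status(text)
    return (
        exit_status == 0
        and rep.valid_sig is not None
        and bool(rep.good_sigs)
        and not rep.failures
        and not rep.errors
    )


def naive_accept(text: str) -> bool:
    """What a consumer that stops at GOODSIG does: it accepts the run gpg failed."""
    return bool(parse_status(text).good_sigs)


if __name__ == "__main__":
    print("strict, with FAILURE:   ", accept(STATUS_WITH_FAILURE, 2))     # False
    print("naive, with FAILURE:    ", naive_accept(STATUS_WITH_FAILURE))  # True
    print("strict, without FAILURE:", accept(STATUS_WITHOUT_FAILURE, 0))  # True
    print("FAILURE code split:     ", split_gpg_error(33554683))          # (2, 251)
```

The exit status is part of the decision on purpose: the FAILURE line and the non-zero exit are the only two signals in the first log that distinguish it from the third, and checking both covers a status stream that was cut short before the FAILURE line was written.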