Package gnupg-2.4.3-2 breaks pacman


Postby ragrew » Mon Dec 18, 2023 3:45 pm

Hey, folks! :-)

Since the latest upgrade of package gnupg I can't upgrade/install any packages anymore.
It seems that one of the three master signing keys was created with SHA-1, which is not supported by gnupg anymore.
This only occurs if the pacman gnupg keyring was recreated or a new system was installed with the new gnupg.

Maybe some of you could also have a look at this.

Many thanks!
ragrew

[code]
# docker run --rm -ti agners/archlinuxarm

# pacman -Syu

# rm -r /etc/pacman.d/gnupg/

# pacman-key --init
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/etc/pacman.d/gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
==> Generating pacman master key. This may take some time.
gpg: Generating pacman keyring master key...
gpg: directory '/etc/pacman.d/gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/etc/pacman.d/gnupg/openpgp-revocs.d/17CA8C2A3EE9F2805AC03E5D80444110B29BDB6B.rev'
gpg: Done
==> Updating trust database...
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

# pacman-key --populate
==> Appending keys from archlinuxarm.gpg...
==> Locally signing trusted keys in keyring...
-> Locally signed 3 keys.
==> Importing owner trust values...
gpg: setting ownertrust to 4
gpg: inserting ownertrust of 4
gpg: setting ownertrust to 4
==> Updating trust database...
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: (use option "--allow-weak-key-signatures" to override)
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 3 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 3 signed: 1 trust: 0-, 0q, 0n, 3m, 0f, 0u

# pacman -S vim
resolving dependencies...
looking for conflicting packages...

Packages (4) gpm-1.20.7.r38.ge82d1a6-5 procps-ng-4.0.4-2 vim-runtime-9.0.2167-1 vim-9.0.2167-1

Total Download Size: 9.17 MiB
Total Installed Size: 43.19 MiB

:: Proceed with installation? [Y/n]
warning: no /var/cache/pacman/pkg/ cache exists, creating...
:: Retrieving packages...
vim-runtime-9.0.2167-1-aarch64 6.4 MiB 5.04 MiB/s 00:01 [########################################################################################] 100%
vim-9.0.2167-1-aarch64 1799.1 KiB 7.57 MiB/s 00:00 [########################################################################################] 100%
procps-ng-4.0.4-2-aarch64 876.7 KiB 1024 KiB/s 00:01 [########################################################################################] 100%
gpm-1.20.7.r38.ge82d1a6-5-aarch64 131.2 KiB 631 KiB/s 00:00 [########################################################################################] 100%
Total (4/4) 9.2 MiB 3.11 MiB/s 00:03 [########################################################################################] 100%
(4/4) checking keys in keyring [########################################################################################] 100%
(4/4) checking package integrity [########################################################################################] 100%
error: vim-runtime: signature from "Arch Linux ARM Build System <builder@archlinuxarm.org>" is marginal trust
:: File /var/cache/pacman/pkg/vim-runtime-9.0.2167-1-aarch64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).

# pacman-key --list-keys 69DD6C8FD314223E14362848BF7EEF7A9C6B5765
pub rsa4096 2014-01-18 [SC]
69DD6C8FD314223E14362848BF7EEF7A9C6B5765
uid [ full ] Michael Brown (ArchLinux ARM Master Key) <mbrown@master-key.archlinuxarm.org>
sub rsa4096 2014-01-18 [E]

# pacman-key -e 69DD6C8FD314223E14362848BF7EEF7A9C6B5765 | gpg --list-packets
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
version 4, algo 1, created 1390087373, expires 0
pkey[0]: [4096 bits]
pkey[1]: [17 bits]
keyid: BF7EEF7A9C6B5765
# off=528 ctb=b4 tag=13 hlen=2 plen=77
:user ID packet: "Michael Brown (ArchLinux ARM Master Key) <mbrown@master-key.archlinuxarm.org>"
# off=607 ctb=89 tag=2 hlen=3 plen=568
:signature packet: algo 1, keyid BF7EEF7A9C6B5765
version 4, created 1390087373, md5len 0, sigclass 0x13
digest algo 2, begin of digest 05 8d
hashed subpkt 2 len 4 (sig created 2014-01-18)
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (keyserver preferences: 80)
subpkt 16 len 8 (issuer key ID BF7EEF7A9C6B5765)
data: [4095 bits]
# off=1178 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
version 4, algo 1, created 1390087373, expires 0
pkey[0]: [4096 bits]
pkey[1]: [17 bits]
keyid: BBA6D0BB6FFCD98C
# off=1706 ctb=89 tag=2 hlen=3 plen=543
:signature packet: algo 1, keyid BF7EEF7A9C6B5765
version 4, created 1390087373, md5len 0, sigclass 0x18
digest algo 2, begin of digest c8 ed
hashed subpkt 2 len 4 (sig created 2014-01-18)
hashed subpkt 27 len 1 (key flags: 0C)
subpkt 16 len 8 (issuer key ID BF7EEF7A9C6B5765)
data: [4096 bits]
[/code]


digest algo 2 should be SHA-1, according to the following link: https://datatracker.ietf.org/doc/html/rfc4880#section-9.4
ragrew
 
Posts: 2
Joined: Mon Dec 18, 2023 3:03 pm
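The post above pins the breakage to the "digest algo 2" line of the `gpg --list-packets` dump. As an added example (not part of this thread), the script below parses such a dump and lists the certification and subkey-binding signatures whose digest algorithm is MD5 (1) or SHA1 (2) per RFC 4880 section 9.4, so a keyring can be audited before a GnuPG upgrade; function and constant names are my own, and the sample dump is constructed from the one in the post, with the subkey binding changed to SHA256 to show a passing case.

```python
import re
from typing import Dict, List, Optional

# Hash algorithm IDs from RFC 4880 section 9.4. GnuPG 2.4 rejects third-party
# key signatures made with SHA1 (the warning in the post above); MD5 is weaker still.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASH_IDS = {1, 2}
# Signature classes that feed the trust database: user-ID certifications
# (0x10-0x13) and subkey bindings (0x18).
TRUST_SIGCLASSES = {0x10, 0x11, 0x12, 0x13, 0x18}

SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-F]+)")
SIGCLASS_RE = re.compile(r"sigclass 0x([0-9a-fA-F]+)")
DIGEST_RE = re.compile(r"digest algo (\d+)")

# Constructed sample modelled on the --list-packets output in the post above
# (subkey binding altered to digest algo 8 = SHA256 so one signature passes).
SAMPLE_DUMP = """\
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
version 4, algo 1, created 1390087373, expires 0
keyid: BF7EEF7A9C6B5765
# off=607 ctb=89 tag=2 hlen=3 plen=568
:signature packet: algo 1, keyid BF7EEF7A9C6B5765
version 4, created 1390087373, md5len 0, sigclass 0x13
digest algo 2, begin of digest 05 8d
# off=1706 ctb=89 tag=2 hlen=3 plen=543
:signature packet: algo 1, keyid BF7EEF7A9C6B5765
version 4, created 1390087373, md5len 0, sigclass 0x18
digest algo 8, begin of digest c8 ed
"""


def parse_signatures(dump: str) -> List[Dict]:
    """Return one dict (issuer, sigclass, digest) per signature packet in the dump."""
    sigs: List[Dict] = []
    current: Optional[Dict] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("#") or line.startswith(":"):
            # A "# off=" comment or a ":name packet:" header starts a new packet;
            # only signature packets are tracked, everything else resets the state.
            m = SIG_RE.match(line)
            current = {"issuer": m.group(1), "sigclass": None, "digest": None} if m else None
            if current is not None:
                sigs.append(current)
            continue
        if current is None:
            continue
        if (m := SIGCLASS_RE.search(line)):
            current["sigclass"] = int(m.group(1), 16)
        if (m := DIGEST_RE.search(line)):
            current["digest"] = int(m.group(1))
    return sigs


def weak_signatures(dump: str) -> List[str]:
    """Describe the trust-relevant signatures that use a weak digest algorithm."""
    return [
        f"issuer {s['issuer']} sigclass 0x{s['sigclass']:02x} uses {HASH_ALGOS[s['digest']]}"
        for s in parse_signatures(dump)
        if s["digest"] in WEAK_HASH_IDS and s["sigclass"] in TRUST_SIGCLASSES
    ]
```

Feed it the output of `pacman-key -e <KEYID> | gpg --list-packets` for each key in the keyring; any line it prints is a signature GnuPG 2.4 will refuse unless `allow-weak-key-signatures` is set.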

Re: Package gnupg-2.4.3-2 breaks pacman

Postby baslking » Sat Dec 30, 2023 3:41 pm

I have the same issue. I downgraded gnupg to gnupg-2.2.41-2, reinitialized gnupg with pacman-key and I can now do installs. That's not a fix but a workaround.
baslking
 
Posts: 7
Joined: Thu Feb 18, 2021 10:53 pm

Re: Package gnupg-2.4.3-2 breaks pacman

Postby hnhman » Sat Dec 30, 2023 10:08 pm

Hi, could someone maybe please please post the 2.2.41-2 pkg version for those of us who didn't cache? AFAIK we don't have a package archive and I've tried building 2.2.41-2 from the archlinux repo and it doesn't work.

EDIT: Also note this is likely the cause behind my issues => https://archlinuxarm.org/forum/viewtopic.php?f=15&t=16701
hnhman
 
Posts: 3
Joined: Thu Dec 28, 2023 9:10 pm

Re: Package gnupg-2.4.3-2 breaks pacman

Postby baslking » Sun Dec 31, 2023 8:06 am

This isn't a very elegant way to share this, but here's a link to a copy of gnupg-2.2.41-2-aarch64: [url]https://1drv.ms/u/s!Av0aTWNfupTkirgOML8NWztqEq87Sw?e=1tXyw7[/url]
baslking
 
Posts: 7
Joined: Thu Feb 18, 2021 10:53 pm

Re: Package gnupg-2.4.3-2 breaks pacman

Postby hnhman » Sun Dec 31, 2023 3:01 pm

Thank you very much, after installing the older gnupg package and doing:

[code]
rm -rf /etc/pacman.d/gnupg
pacman-key --init
pacman-key --populate
[/code]

Package installation works again!
hnhman
 
Posts: 3
Joined: Thu Dec 28, 2023 9:10 pm

Re: Package gnupg-2.4.3-2 breaks pacman

Postby ragrew » Mon Jan 08, 2024 2:22 pm

Does someone have the power to update the master key at archlinuxarm-keyring to prevent workarounds with pacman-key?
ragrew
 
Posts: 2
Joined: Mon Dec 18, 2023 3:03 pm

Re: Package gnupg-2.4.3-2 breaks pacman

Postby vindicator » Sat Jan 13, 2024 9:08 pm

For those who rolled back, does --finger 68B3537F39A313B3E574D06777193F152BDBE6A6 show as "marginal" or "full"?
Without rolling back, I used --lsign-key (going by https://wiki.archlinux.org/title/Pacman/Package_signing#Adding_unofficial_keys) and it's showing "full" for me, whereas it was "marginal" before.
vindicator
 
Posts: 14
Joined: Sat Jan 21, 2017 5:31 am

Re: Package gnupg-2.4.3-2 breaks pacman

Postby mocknen » Thu Feb 01, 2024 8:58 am

As the warning message indicates, one can prevent signatures that use SHA1 from being rejected by adding the option as follows.

[code]
sudo rm -v /etc/pacman.d/gnupg/*.gpg
sudo sed -i '1iallow-weak-key-signatures' /etc/pacman.d/gnupg/gpg.conf
sudo pacman-key --init
sudo pacman-key --populate
[/code]
mocknen
 
Posts: 1
Joined: Tue Jan 30, 2024 4:09 pm

