Re: [gentoo-user] Re: Untrusted PGP signing key - gentoo-user

From:	Michael <confabulate@××××××××.com>
To:	gentoo-user@l.g.o
Subject:	Re: [gentoo-user] Re: Untrusted PGP signing key
Date:	Sun, 24 May 2020 18:09:22
Message-Id:	`1726088.atdPhlSkOF@lenovo.localdomain`
In Reply to:	[gentoo-user] Re: Untrusted PGP signing key by Nikos Chantziaras

1

On Sunday, 24 May 2020 18:36:28 BST Nikos Chantziaras wrote:

2

> On 24/05/2020 20:15, Consus wrote:

3

> > I've got this today:

4

> > 	$ sudo emerge --sync

5

> > 	Checking signature ...

6

> > 	gpg: Signature made Sun 24 May 2020 03:56:07 MSK

7

> > 	gpg:                using RSA key

8

> > 	E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250

9

> > 	gpg: Good signature from "Gentoo ebuild repository signing key

10

(Automated

11

> > 	Signing Key) <infrastructure@g.o>" [unknown] gpg:

12

> > 	aka "Gentoo Portage Snapshot Signing Key (Automated Signing Key)"

13

> > 	[unknown] gpg: WARNING: Using untrusted key!

14

> > 	...

15

> >

16

> > Is this warning expected?

17

>

18

> Certainly not.

19

20

Check your /usr/share/openpgp-keys/gentoo-release.asc file.  This is the hash 

21

I get here:

22

23

$ sha512sum gentoo-release.asc

24

3b168b7e43ad2cf4f042be585abc761c5786f55c94592dc916d13a1ef5557f047e614a7d70827471ace113f16eceb4e455228c4a5f7b9293f6a185a8e5183781  

25

gentoo-release.asc

26

27

and these are the keys it contains:

28

29

$ gpg gentoo-release.asc 

30

gpg: enabled debug flags: memstat

31

gpg: WARNING: no command supplied.  Trying to guess what you mean ...

32

gpg: keydb: handles=0 locks=0 parse=0 get=0

33

gpg:        build=0 update=0 insert=0 delete=0

34

gpg:        reset=0 found=0 not=0 cache=0 not=0

35

gpg: kid_not_found_cache: count=0 peak=0 flushes=0

36

gpg: sig_cache: total=37 cached=0 good=0 bad=0

37

gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0

38

              outmix=0 getlvl1=0/0 getlvl2=0/0

39

gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0

40

gpg: secmem usage: 0/65536 bytes in 0 blocks

41

pub   rsa4096 2011-11-25 [C] [expires: 2021-01-01]

42

      DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D

43

uid           Gentoo Portage Snapshot Signing Key (Automated Signing Key)

44

sig        DB6B8C1F96D8BF6D 2019-10-30   [selfsig]

45

sig        DB6B8C1F96D8BF6D 2011-11-25   [selfsig]

46

sig        DB6B8C1F96D8BF6D 2015-11-23   [selfsig]

47

sig        DB6B8C1F96D8BF6D 2016-07-01   [selfsig]

48

sig        DB6B8C1F96D8BF6D 2018-01-27   [selfsig]

49

sig        DB6B8C1F96D8BF6D 2019-04-27   [selfsig]

50

uid           Gentoo ebuild repository signing key (Automated Signing Key) 

51

<infrastructure@g.o>

52

sig        DB6B8C1F96D8BF6D 2019-10-30   [selfsig]

53

sig        DB6B8C1F96D8BF6D 2019-01-01   [selfsig]

54

sig        DB6B8C1F96D8BF6D 2019-04-27   [selfsig]

55

sig        DB6B8C1F96D8BF6D 2018-07-04   [selfsig]

56

sub   rsa4096 2011-11-25 [S] [expires: 2021-01-01]

57

sig        DB6B8C1F96D8BF6D 2019-04-27   [keybind]

58

sig        DB6B8C1F96D8BF6D 2019-10-30   [keybind]

59

pub   dsa1024 2004-07-20 [SC] [expires: 2020-07-01]

60

      D99EAC7379A850BCE47DA5F29E6438C817072058

61

uid           Gentoo Linux Release Engineering (Gentoo Linux Release Signing 

62

Key) <releng@g.o>

63

sig        9E6438C817072058 2018-06-28   [selfsig]

64

sig        9E6438C817072058 2006-08-16   [selfsig]

65

sig        9E6438C817072058 2016-07-01   [selfsig]

66

sig        9E6438C817072058 2004-07-20   [selfsig]

67

sig        9E6438C817072058 2004-07-20   [selfsig]

68

sub   elg2048 2004-07-20 [E] [expires: 2020-07-01]

69

sig        9E6438C817072058 2018-06-28   [keybind]

70

pub   rsa4096 2009-08-25 [SC] [expires: 2021-01-01]

71

      13EBBDBEDE7A12775DFDB1BABB572E0E2D182910

72

uid           Gentoo Linux Release Engineering (Automated Weekly Release Key) 

73

<releng@g.o>

74

sig        BB572E0E2D182910 2019-10-30   [selfsig]

75

sig        BB572E0E2D182910 2013-08-24   [selfsig]

76

sig        BB572E0E2D182910 2015-08-26   [selfsig]

77

sig        BB572E0E2D182910 2009-08-25   [selfsig]

78

sig        BB572E0E2D182910 2009-08-25   [selfsig]

79

sig        BB572E0E2D182910 2017-08-22   [selfsig]

80

sig        BB572E0E2D182910 2019-02-23   [selfsig]

81

sig        BB572E0E2D182910 2019-04-27   [selfsig]

82

sig        BB572E0E2D182910 2019-02-24   [selfsig]

83

sub   rsa2048 2019-02-23 [S] [expires: 2021-01-01]

84

sig        BB572E0E2D182910 2019-04-27   [keybind]

85

sig        BB572E0E2D182910 2019-10-30   [keybind]

86

pub   rsa4096 2018-05-28 [C] [expires: 2021-01-01]

87

      EF9538C9E8E64311A52CDEDFA13D0EF1914E7A72

88

uid           Gentoo repository mirrors (automated git signing key) 

89

<repomirrorci@g.o>

90

sig        A13D0EF1914E7A72 2019-10-30   [selfsig]

91

sig        A13D0EF1914E7A72 2018-05-28   [selfsig]

92

sig        A13D0EF1914E7A72 2018-05-29   [selfsig]

93

sig        A13D0EF1914E7A72 2018-11-25   [selfsig]

94

sig        A13D0EF1914E7A72 2019-02-23   [selfsig]

95

sig        A13D0EF1914E7A72 2019-04-27   [selfsig]

96

sub   rsa2048 2018-05-28 [S] [expires: 2021-01-01]

97

sig        A13D0EF1914E7A72 2019-04-27   [keybind]

98

sig        A13D0EF1914E7A72 2019-10-30   [keybind]

99

100

101

More information:  https://www.gentoo.org/downloads/signatures/

Gentoo Archives: gentoo-user

Attachments

Replies

1	On Sunday, 24 May 2020 18:36:28 BST Nikos Chantziaras wrote:
2	> On 24/05/2020 20:15, Consus wrote:
3	> > I've got this today:
4	> > $ sudo emerge --sync
5	> > Checking signature ...
6	> > gpg: Signature made Sun 24 May 2020 03:56:07 MSK
7	> > gpg: using RSA key
8	> > E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
9	> > gpg: Good signature from "Gentoo ebuild repository signing key
10	(Automated
11	> > Signing Key) <infrastructure@g.o>" [unknown] gpg:
12	> > aka "Gentoo Portage Snapshot Signing Key (Automated Signing Key)"
13	> > [unknown] gpg: WARNING: Using untrusted key!
14	> > ...
15	> >
16	> > Is this warning expected?
17	>
18	> Certainly not.
19
20	Check your /usr/share/openpgp-keys/gentoo-release.asc file. This is the hash
21	I get here:
22
23	$ sha512sum gentoo-release.asc
24	3b168b7e43ad2cf4f042be585abc761c5786f55c94592dc916d13a1ef5557f047e614a7d70827471ace113f16eceb4e455228c4a5f7b9293f6a185a8e5183781
25	gentoo-release.asc
26
27	and these are the keys it contains:
28
29	$ gpg gentoo-release.asc
30	gpg: enabled debug flags: memstat
31	gpg: WARNING: no command supplied. Trying to guess what you mean ...
32	gpg: keydb: handles=0 locks=0 parse=0 get=0
33	gpg: build=0 update=0 insert=0 delete=0
34	gpg: reset=0 found=0 not=0 cache=0 not=0
35	gpg: kid_not_found_cache: count=0 peak=0 flushes=0
36	gpg: sig_cache: total=37 cached=0 good=0 bad=0
37	gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
38	outmix=0 getlvl1=0/0 getlvl2=0/0
39	gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
40	gpg: secmem usage: 0/65536 bytes in 0 blocks
41	pub rsa4096 2011-11-25 [C] [expires: 2021-01-01]
42	DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
43	uid Gentoo Portage Snapshot Signing Key (Automated Signing Key)
44	sig DB6B8C1F96D8BF6D 2019-10-30 [selfsig]
45	sig DB6B8C1F96D8BF6D 2011-11-25 [selfsig]
46	sig DB6B8C1F96D8BF6D 2015-11-23 [selfsig]
47	sig DB6B8C1F96D8BF6D 2016-07-01 [selfsig]
48	sig DB6B8C1F96D8BF6D 2018-01-27 [selfsig]
49	sig DB6B8C1F96D8BF6D 2019-04-27 [selfsig]
50	uid Gentoo ebuild repository signing key (Automated Signing Key)
51	<infrastructure@g.o>
52	sig DB6B8C1F96D8BF6D 2019-10-30 [selfsig]
53	sig DB6B8C1F96D8BF6D 2019-01-01 [selfsig]
54	sig DB6B8C1F96D8BF6D 2019-04-27 [selfsig]
55	sig DB6B8C1F96D8BF6D 2018-07-04 [selfsig]
56	sub rsa4096 2011-11-25 [S] [expires: 2021-01-01]
57	sig DB6B8C1F96D8BF6D 2019-04-27 [keybind]
58	sig DB6B8C1F96D8BF6D 2019-10-30 [keybind]
59	pub dsa1024 2004-07-20 [SC] [expires: 2020-07-01]
60	D99EAC7379A850BCE47DA5F29E6438C817072058
61	uid Gentoo Linux Release Engineering (Gentoo Linux Release Signing
62	Key) <releng@g.o>
63	sig 9E6438C817072058 2018-06-28 [selfsig]
64	sig 9E6438C817072058 2006-08-16 [selfsig]
65	sig 9E6438C817072058 2016-07-01 [selfsig]
66	sig 9E6438C817072058 2004-07-20 [selfsig]
67	sig 9E6438C817072058 2004-07-20 [selfsig]
68	sub elg2048 2004-07-20 [E] [expires: 2020-07-01]
69	sig 9E6438C817072058 2018-06-28 [keybind]
70	pub rsa4096 2009-08-25 [SC] [expires: 2021-01-01]
71	13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
72	uid Gentoo Linux Release Engineering (Automated Weekly Release Key)
73	<releng@g.o>
74	sig BB572E0E2D182910 2019-10-30 [selfsig]
75	sig BB572E0E2D182910 2013-08-24 [selfsig]
76	sig BB572E0E2D182910 2015-08-26 [selfsig]
77	sig BB572E0E2D182910 2009-08-25 [selfsig]
78	sig BB572E0E2D182910 2009-08-25 [selfsig]
79	sig BB572E0E2D182910 2017-08-22 [selfsig]
80	sig BB572E0E2D182910 2019-02-23 [selfsig]
81	sig BB572E0E2D182910 2019-04-27 [selfsig]
82	sig BB572E0E2D182910 2019-02-24 [selfsig]
83	sub rsa2048 2019-02-23 [S] [expires: 2021-01-01]
84	sig BB572E0E2D182910 2019-04-27 [keybind]
85	sig BB572E0E2D182910 2019-10-30 [keybind]
86	pub rsa4096 2018-05-28 [C] [expires: 2021-01-01]
87	EF9538C9E8E64311A52CDEDFA13D0EF1914E7A72
88	uid Gentoo repository mirrors (automated git signing key)
89	<repomirrorci@g.o>
90	sig A13D0EF1914E7A72 2019-10-30 [selfsig]
91	sig A13D0EF1914E7A72 2018-05-28 [selfsig]
92	sig A13D0EF1914E7A72 2018-05-29 [selfsig]
93	sig A13D0EF1914E7A72 2018-11-25 [selfsig]
94	sig A13D0EF1914E7A72 2019-02-23 [selfsig]
95	sig A13D0EF1914E7A72 2019-04-27 [selfsig]
96	sub rsa2048 2018-05-28 [S] [expires: 2021-01-01]
97	sig A13D0EF1914E7A72 2019-04-27 [keybind]
98	sig A13D0EF1914E7A72 2019-10-30 [keybind]
99
100
101	More information: https://www.gentoo.org/downloads/signatures/