Tell from PGP signature which algorithms served in its creation











up vote
0
down vote

favorite












I am dealing with a Debian repository that apparently contains an InRelease file that may have been signed in a way that is no longer appropriate. The symptom is that clients receive the warning The repository '... InRelease is not signed when they run apt-get update.



InRelease contains sections starting with -----BEGIN PGP SIGNED MESSAGE----- and -----BEGIN PGP SIGNATURE-----, so it is signed, and I've already adjusted my PGP personal-digest-preferences and personal-cipher-preferences settings to exclude SHA-1 from use. But something is still lacking.



My question is this: When I inspect the actual signature (the ASCII armor between ----BEGIN PGP SIGNATURE----- and -----END PGP SIGNATURE-----) is there a way to tell which algorithms served in its creation, and specifically whether SHA-1 served in its creation? I guess the answer is no, but I'd like to hear an expert's opinion.



UPDATE The first line after -----BEGIN PGP SIGNATURE----- reads Hash: SHA256 so that looks good (since I've chosen SHA256 first in the preferences settings), but the problem still persists.



UPDATE I've now excluded SHA-1 also from indices by calling apt-ftparchive packages and apt-ftparchive release (for creating files Packages and Releases respectively) with additional parameters --no-sha1, but the problem still persists.










share|improve this question




























    up vote
    0
    down vote

    favorite












    I am dealing with a Debian repository that apparently contains an InRelease file that may have been signed in a way that is no longer appropriate. The symptom is that clients receive the warning The repository '... InRelease is not signed when they run apt-get update.



    InRelease contains sections starting with -----BEGIN PGP SIGNED MESSAGE----- and -----BEGIN PGP SIGNATURE-----, so it is signed, and I've already adjusted my PGP personal-digest-preferences and personal-cipher-preferences settings to exclude SHA-1 from use. But something is still lacking.



    My question is this: When I inspect the actual signature (the ASCII armor between ----BEGIN PGP SIGNATURE----- and -----END PGP SIGNATURE-----) is there a way to tell which algorithms served in its creation, and specifically whether SHA-1 served in its creation? I guess the answer is no, but I'd like to hear an expert's opinion.



    UPDATE The first line after -----BEGIN PGP SIGNATURE----- reads Hash: SHA256 so that looks good (since I've chosen SHA256 first in the preferences settings), but the problem still persists.



    UPDATE I've now excluded SHA-1 also from indices by calling apt-ftparchive packages and apt-ftparchive release (for creating files Packages and Releases respectively) with additional parameters --no-sha1, but the problem still persists.










    share|improve this question


























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I am dealing with a Debian repository that apparently contains an InRelease file that may have been signed in a way that is no longer appropriate. The symptom is that clients receive the warning The repository '... InRelease is not signed when they run apt-get update.



      InRelease contains sections starting with -----BEGIN PGP SIGNED MESSAGE----- and -----BEGIN PGP SIGNATURE-----, so it is signed, and I've already adjusted my PGP personal-digest-preferences and personal-cipher-preferences settings to exclude SHA-1 from use. But something is still lacking.



      My question is this: When I inspect the actual signature (the ASCII armor between ----BEGIN PGP SIGNATURE----- and -----END PGP SIGNATURE-----) is there a way to tell which algorithms served in its creation, and specifically whether SHA-1 served in its creation? I guess the answer is no, but I'd like to hear an expert's opinion.



      UPDATE The first line after -----BEGIN PGP SIGNATURE----- reads Hash: SHA256 so that looks good (since I've chosen SHA256 first in the preferences settings), but the problem still persists.



      UPDATE I've now excluded SHA-1 also from indices by calling apt-ftparchive packages and apt-ftparchive release (for creating files Packages and Releases respectively) with additional parameters --no-sha1, but the problem still persists.










      share|improve this question















      I am dealing with a Debian repository that apparently contains an InRelease file that may have been signed in a way that is no longer appropriate. The symptom is that clients receive the warning The repository '... InRelease is not signed when they run apt-get update.



      InRelease contains sections starting with -----BEGIN PGP SIGNED MESSAGE----- and -----BEGIN PGP SIGNATURE-----, so it is signed, and I've already adjusted my PGP personal-digest-preferences and personal-cipher-preferences settings to exclude SHA-1 from use. But something is still lacking.



      My question is this: When I inspect the actual signature (the ASCII armor between ----BEGIN PGP SIGNATURE----- and -----END PGP SIGNATURE-----) is there a way to tell which algorithms served in its creation, and specifically whether SHA-1 served in its creation? I guess the answer is no, but I'd like to hear an expert's opinion.



      UPDATE The first line after -----BEGIN PGP SIGNATURE----- reads Hash: SHA256 so that looks good (since I've chosen SHA256 first in the preferences settings), but the problem still persists.



      UPDATE I've now excluded SHA-1 also from indices by calling apt-ftparchive packages and apt-ftparchive release (for creating files Packages and Releases respectively) with additional parameters --no-sha1, but the problem still persists.







      security sha apt pgp






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 19 at 13:36

























      asked Nov 19 at 12:54









      rookie099

      34710




      34710
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote



          accepted










          So now it looks as if the signature was already valid (after removing SHA-1 digests as described), but the signing key was not yet known.



          So adding the signing key to clients with add-key add key.pub made the problem disappear.






          share|improve this answer





















            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














             

            draft saved


            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53375105%2ftell-from-pgp-signature-which-algorithms-served-in-its-creation%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote



            accepted










            So now it looks as if the signature was already valid (after removing SHA-1 digests as described), but the signing key was not yet known.



            So adding the signing key to clients with add-key add key.pub made the problem disappear.






            share|improve this answer

























              up vote
              0
              down vote



              accepted










              So now it looks as if the signature was already valid (after removing SHA-1 digests as described), but the signing key was not yet known.



              So adding the signing key to clients with add-key add key.pub made the problem disappear.






              share|improve this answer























                up vote
                0
                down vote



                accepted







                up vote
                0
                down vote



                accepted






                So now it looks as if the signature was already valid (after removing SHA-1 digests as described), but the signing key was not yet known.



                So adding the signing key to clients with add-key add key.pub made the problem disappear.






                share|improve this answer












                So now it looks as if the signature was already valid (after removing SHA-1 digests as described), but the signing key was not yet known.



                So adding the signing key to clients with add-key add key.pub made the problem disappear.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 19 at 14:44









                rookie099

                34710




                34710






























                     

                    draft saved


                    draft discarded



















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53375105%2ftell-from-pgp-signature-which-algorithms-served-in-its-creation%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    404 Error Contact Form 7 ajax form submitting

                    How to know if a Active Directory user can login interactively

                    Refactoring coordinates for Minecraft Pi buildings written in Python