Tell from PGP signature which algorithms served in its creation
up vote
0
down vote
favorite
I am dealing with a Debian repository that apparently contains an InRelease file that may have been signed in a way that is no longer appropriate. The symptom is that clients receive the warning The repository '... InRelease is not signed when they run apt-get update.
InRelease contains sections starting with -----BEGIN PGP SIGNED MESSAGE----- and -----BEGIN PGP SIGNATURE-----, so it is signed, and I've already adjusted my PGP personal-digest-preferences and personal-cipher-preferences settings to exclude SHA-1 from use. But something is still lacking.
My question is this: When I inspect the actual signature (the ASCII armor between ----BEGIN PGP SIGNATURE----- and -----END PGP SIGNATURE-----) is there a way to tell which algorithms served in its creation, and specifically whether SHA-1 served in its creation? I guess the answer is no, but I'd like to hear an expert's opinion.
UPDATE The first line after -----BEGIN PGP SIGNATURE----- reads Hash: SHA256 so that looks good (since I've chosen SHA256 first in the preferences settings), but the problem still persists.
UPDATE I've now excluded SHA-1 also from indices by calling apt-ftparchive packages and apt-ftparchive release (for creating files Packages and Releases respectively) with additional parameters --no-sha1, but the problem still persists.
security sha apt pgp
asked Nov 19 at 12:54
rookie099
34710
add a comment |
up vote
0
down vote
favorite
I am dealing with a Debian repository that apparently contains an InRelease file that may have been signed in a way that is no longer appropriate. The symptom is that clients receive the warning The repository '... InRelease is not signed when they run apt-get update.
InRelease contains sections starting with -----BEGIN PGP SIGNED MESSAGE----- and -----BEGIN PGP SIGNATURE-----, so it is signed, and I've already adjusted my PGP personal-digest-preferences and personal-cipher-preferences settings to exclude SHA-1 from use. But something is still lacking.
My question is this: When I inspect the actual signature (the ASCII armor between ----BEGIN PGP SIGNATURE----- and -----END PGP SIGNATURE-----) is there a way to tell which algorithms served in its creation, and specifically whether SHA-1 served in its creation? I guess the answer is no, but I'd like to hear an expert's opinion.
UPDATE The first line after -----BEGIN PGP SIGNATURE----- reads Hash: SHA256 so that looks good (since I've chosen SHA256 first in the preferences settings), but the problem still persists.
UPDATE I've now excluded SHA-1 also from indices by calling apt-ftparchive packages and apt-ftparchive release (for creating files Packages and Releases respectively) with additional parameters --no-sha1, but the problem still persists.
security sha apt pgp
asked Nov 19 at 12:54
rookie099
34710
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I am dealing with a Debian repository that apparently contains an InRelease file that may have been signed in a way that is no longer appropriate. The symptom is that clients receive the warning The repository '... InRelease is not signed when they run apt-get update.
InRelease contains sections starting with -----BEGIN PGP SIGNED MESSAGE----- and -----BEGIN PGP SIGNATURE-----, so it is signed, and I've already adjusted my PGP personal-digest-preferences and personal-cipher-preferences settings to exclude SHA-1 from use. But something is still lacking.
My question is this: When I inspect the actual signature (the ASCII armor between ----BEGIN PGP SIGNATURE----- and -----END PGP SIGNATURE-----) is there a way to tell which algorithms served in its creation, and specifically whether SHA-1 served in its creation? I guess the answer is no, but I'd like to hear an expert's opinion.
UPDATE The first line after -----BEGIN PGP SIGNATURE----- reads Hash: SHA256 so that looks good (since I've chosen SHA256 first in the preferences settings), but the problem still persists.
UPDATE I've now excluded SHA-1 also from indices by calling apt-ftparchive packages and apt-ftparchive release (for creating files Packages and Releases respectively) with additional parameters --no-sha1, but the problem still persists.
security sha apt pgp
asked Nov 19 at 12:54
rookie099
34710
I am dealing with a Debian repository that apparently contains an InRelease file that may have been signed in a way that is no longer appropriate. The symptom is that clients receive the warning The repository '... InRelease is not signed when they run apt-get update.
InRelease contains sections starting with -----BEGIN PGP SIGNED MESSAGE----- and -----BEGIN PGP SIGNATURE-----, so it is signed, and I've already adjusted my PGP personal-digest-preferences and personal-cipher-preferences settings to exclude SHA-1 from use. But something is still lacking.
My question is this: When I inspect the actual signature (the ASCII armor between ----BEGIN PGP SIGNATURE----- and -----END PGP SIGNATURE-----) is there a way to tell which algorithms served in its creation, and specifically whether SHA-1 served in its creation? I guess the answer is no, but I'd like to hear an expert's opinion.
UPDATE The first line after -----BEGIN PGP SIGNATURE----- reads Hash: SHA256 so that looks good (since I've chosen SHA256 first in the preferences settings), but the problem still persists.
UPDATE I've now excluded SHA-1 also from indices by calling apt-ftparchive packages and apt-ftparchive release (for creating files Packages and Releases respectively) with additional parameters --no-sha1, but the problem still persists.
security sha apt pgp
security sha apt pgp
asked Nov 19 at 12:54
rookie099
34710
asked Nov 19 at 12:54
rookie099
34710
edited Nov 19 at 13:36
asked Nov 19 at 12:54
rookie099
34710
asked Nov 19 at 12:54
rookie099
34710
asked Nov 19 at 12:54
rookie099
34710
34710
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
0
down vote
accepted
So now it looks as if the signature was already valid (after removing SHA-1 digests as described), but the signing key was not yet known.
So adding the signing key to clients with add-key add key.pub made the problem disappear.
answered Nov 19 at 14:44
rookie099
34710
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
accepted
So now it looks as if the signature was already valid (after removing SHA-1 digests as described), but the signing key was not yet known.
So adding the signing key to clients with add-key add key.pub made the problem disappear.
answered Nov 19 at 14:44
rookie099
34710
add a comment |
up vote
0
down vote
accepted
So now it looks as if the signature was already valid (after removing SHA-1 digests as described), but the signing key was not yet known.
So adding the signing key to clients with add-key add key.pub made the problem disappear.
answered Nov 19 at 14:44
rookie099
34710
add a comment |
up vote
0
down vote
accepted
up vote
0
down vote
accepted
So now it looks as if the signature was already valid (after removing SHA-1 digests as described), but the signing key was not yet known.
So adding the signing key to clients with add-key add key.pub made the problem disappear.
answered Nov 19 at 14:44
rookie099
34710
So now it looks as if the signature was already valid (after removing SHA-1 digests as described), but the signing key was not yet known.
So adding the signing key to clients with add-key add key.pub made the problem disappear.
answered Nov 19 at 14:44
rookie099
34710
answered Nov 19 at 14:44
rookie099
34710
answered Nov 19 at 14:44
rookie099
34710
answered Nov 19 at 14:44
rookie099
34710
34710
add a comment |
add a comment |
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53375105%2ftell-from-pgp-signature-which-algorithms-served-in-its-creation%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
