• Bug#1100958: sopv-gpgv: Does not consider RIPEMD160 and SHA-1 as weak digests

    From Guillem Jover@21:1/5 to All on Fri Mar 21 01:40:01 2025
    Package: sopv-gpgv
    Version: 0.1.2-1
    Severity: serious

    Hi!

    On a minimal chroot, after installing gpgv, sopv-gpgv and
    debian-keyring, when downloading a source package currently affected
    by the SHA-1 keys in the Debian keyring, sopv-gpgv does not fail to
    verify the signatures as would be expected (made this severity
    serious due to this, but if you disagree, feel free to downgrade!).

    So, then doing something like:

    ,---
    $ sudo apt install debian-keyring gpgv sopv-gpgv
    $ apt source --download-only file
    $ k=/usr/share/keyrings/debian-keyring.gpg
    $ sopv inline-verify $k <file_*.dsc >/dev/null
    $ echo $?
    0
    $ gpgv --keyring $k --weak-digest SHA1 file_*.dsc
    gpgv: Signature made Thu Mar 13 20:46:00 2025 CET
    gpgv: using RSA key 597308FBBDBA035D8C7C95DDC42C58EB591492FD
    gpgv: Note: signatures using the SHA1 algorithm are rejected
    gpgv: Can't check signature: No public key
    $ echo $?
    2
    `---

    I guess sopv-gpgv is missing passing
    «--weak-digest SHA1 --weak-digest RIPEMD160» to gpgv. This works fine
    when using gpgv-sq, because of its own defaults. :)

    Thanks,
    Guillem

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
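The report above boils down to one missing hardening step: gpgv only rejects SHA1 and RIPEMD160 signatures when told to, so a wrapper that calls it without `--weak-digest` accepts them. The script below is an added example written for this thread, not code from sopv-gpgv, gpgv or the reporter; it shows a fail-closed wrapper that always passes the two `--weak-digest` options and treats every non-zero gpgv exit status as a failed verification. It assumes a POSIX sh, that gpgv is on PATH when `verify_dsc` is actually run, and that the caller supplies the keyring and the `.dsc` path; the function names `weak_digest_flags`, `gpgv_verdict` and `verify_dsc` are this example's own.

```shell
#!/bin/sh
# Added example (not part of the bug report or of sopv-gpgv/gpgv): a
# fail-closed gpgv wrapper that rejects SHA1 and RIPEMD160 signatures,
# which is the behaviour the report says sopv-gpgv is missing.

# Digests to treat as weak. These are the two named in the report; gpgv
# accepts further algorithm names here if a site policy needs them.
WEAK_DIGESTS="SHA1 RIPEMD160"

# Print the --weak-digest options as a single space-separated string so the
# caller can word-split it into gpgv's argument list.
weak_digest_flags() {
    flags=""
    for d in $WEAK_DIGESTS; do
        flags="$flags --weak-digest $d"
    done
    # drop the leading space added by the first iteration
    printf '%s' "${flags# }"
}

# Map a gpgv exit status to a verdict. Only 0 means the signature verified;
# 1 is a bad signature; anything else (the 2 seen in the report, where the
# weak-digest rejection surfaces as "No public key") is an error. Every
# non-zero status fails closed.
gpgv_verdict() {
    case "$1" in
        0) echo verified ;;
        1) echo bad-signature ;;
        *) echo error ;;
    esac
}

# Verify a clearsigned file (for example a .dsc) against a keyring while
# rejecting weak digests. Usage: verify_dsc KEYRING FILE
# Returns 0 only when gpgv reports a good signature with an acceptable digest.
verify_dsc() {
    keyring="$1"
    file="$2"
    # word-splitting of the flags string is intended here
    gpgv --keyring "$keyring" $(weak_digest_flags) "$file"
    rc=$?
    verdict=$(gpgv_verdict "$rc")
    printf 'gpgv exit %s: %s\n' "$rc" "$verdict" >&2
    [ "$verdict" = verified ]
}

# Stand-alone use, mirroring the report's session:
#   ./verify.sh /usr/share/keyrings/debian-keyring.gpg file_*.dsc
if [ $# -eq 2 ]; then
    verify_dsc "$1" "$2"
fi
```

Run against the keyring and `.dsc` from the report, the wrapper exits non-zero exactly where the reporter's manual `gpgv --weak-digest SHA1` invocation returned 2, instead of the 0 that `sopv inline-verify` produced. Keeping the verdict in a separate function makes the exit-status policy easy to audit: there is no code path in which a status other than 0 is accepted.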
  • From Debian Bug Tracking System@21:1/5 to All on Mon Apr 21 20:40:01 2025
    Processing control commands:

    reassign 1100958 gpgv
    Bug #1100958 [sopv-gpgv] sopv-gpgv: Does not consider RIPEMD160 and SHA-1 as weak digests
    Bug reassigned from package 'sopv-gpgv' to 'gpgv'.
    No longer marked as found in versions sopv-gpgv/0.1.2-1.
    Ignoring request to alter fixed versions of bug #1100958 to the same values previously set
    retitle 1100958 gpgv does not consider RIPEMD160 and SHA-1 as weak digests
    Bug #1100958 [gpgv] sopv-gpgv: Does not consider RIPEMD160 and SHA-1 as weak digests
    Changed Bug title to 'gpgv does not consider RIPEMD160 and SHA-1 as weak digests' from 'sopv-gpgv: Does not consider RIPEMD160 and SHA-1 as weak digests'.
    found 1100958 2.4.7-15
    Bug #1100958 [gpgv] gpgv does not consider RIPEMD160 and SHA-1 as weak digests
    Marked as found in versions gnupg2/2.4.7-15.
    found 1100958 2.2.46-6
    Bug #1100958 [gpgv] gpgv does not consider RIPEMD160 and SHA-1 as weak digests
    Marked as found in versions gnupg2/2.2.46-6.
    found 1100958 2.2.40-1.1
    Bug #1100958 [gpgv] gpgv does not consider RIPEMD160 and SHA-1 as weak digests
    Marked as found in versions gnupg2/2.2.40-1.1.

    --
    1100958: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100958
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Holger Levsen@21:1/5 to All on Tue Apr 22 15:20:02 2025
    control: severity -1 important
    # that's bad but doesn't really justify autoremoval
    thanks


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    "It was not Hitler, Göring, Goebbels and Himmler who deported and beat me.
    No! It was the cobbler, the neighbour, the grocer, the milkman, the postman,
    who was given a uniform, an armband (..), and then they were the
    'master race'." Karl Stojka (1931 - 2003)

  • From Debian Bug Tracking System@21:1/5 to All on Tue Apr 22 15:20:02 2025
    Processing control commands:

    severity -1 important
    Bug #1100958 [gpgv] gpgv does not consider RIPEMD160 and SHA-1 as weak digests
    Severity set to 'important' from 'serious'

    --
    1100958: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100958
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
