Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: packagecloud.io repo key uses SHA1 hash, which is rejected by unstable apt #7582

Open
lnicola opened this issue Jan 9, 2025 · 1 comment

Comments

@lnicola
Copy link

lnicola commented Jan 9, 2025

What type of bug is this?

Other

What subsystems and features are affected?

Build system

What happened?

This is not yet a big problem, but apt 2.9.19 in Debian 13 (testing) switched to Sequoia-PGP, and it rejects the packagecloud.io repository:

Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on 1005FB68604CE9B8F6879CF759F18EDF47F24417 is not bound:            primary key   because: No binding signature at time 2024-11-15T12:16:19Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring collision resistance   because: SHA1 is not considered secure since 2013-02-01T00:00:00Z

I don't know much about PGP/GPG, but:

$ curl -s https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x1005fb68604ce9b8f6879cf759f18edf47f24417 | pgpdump
New: Public Key Packet(tag 6)(525 bytes)
	Ver 4 - new
	Public key creation time - Fri Oct 19 04:01:41 EEST 2018
	Pub alg - RSA Encrypt or Sign(pub 1)
	RSA n(4096 bits) - ...
	RSA e(17 bits) - ...
New: User ID Packet(tag 13)(114 bytes)
	User ID - https://packagecloud.io/timescale/timescaledb (https://packagecloud.io/docs#gpg_signing) <[email protected]>
New: Signature Packet(tag 2)(568 bytes)
	Ver 4 - new
	Sig type - Positive certification of a User ID and Public Key packet(0x13).
	Pub alg - RSA Encrypt or Sign(pub 1)
	Hash alg - SHA1(hash 2)
	Hashed Sub: signature creation time(sub 2)(4 bytes)
		Time - Fri Oct 19 04:01:41 EEST 2018
	Hashed Sub: key flags(sub 27)(1 bytes)
		Flag - This key may be used to certify other keys
		Flag - This key may be used to sign data
		Flag - This key may be used to encrypt communications
		Flag - This key may be used to encrypt storage
		Flag - This key may be used for authentication
	Hashed Sub: preferred symmetric algorithms(sub 11)(5 bytes)
		Sym alg - AES with 256-bit key(sym 9)
		Sym alg - AES with 192-bit key(sym 8)
		Sym alg - AES with 128-bit key(sym 7)
		Sym alg - CAST5(sym 3)
		Sym alg - Triple-DES(sym 2)
	Hashed Sub: preferred hash algorithms(sub 21)(5 bytes)
		Hash alg - SHA256(hash 8)
		Hash alg - SHA1(hash 2)
		Hash alg - SHA384(hash 9)
		Hash alg - SHA512(hash 10)
		Hash alg - SHA224(hash 11)
	Hashed Sub: preferred compression algorithms(sub 22)(3 bytes)
		Comp alg - ZLIB <RFC1950>(comp 2)
		Comp alg - BZip2(comp 3)
		Comp alg - ZIP <RFC1951>(comp 1)
	Hashed Sub: features(sub 30)(1 bytes)
		Flag - Modification detection (packets 18 and 19)
	Hashed Sub: key server preferences(sub 23)(1 bytes)
		Flag - No-modify
	Sub: issuer key ID(sub 16)(8 bytes)
		Key ID - 0x59F18EDF47F24417
	Hash left 2 bytes - 2a 04 
	RSA m^d mod n(4095 bits) - ...
		-> PKCS-1
New: Public Subkey Packet(tag 14)(525 bytes)
	Ver 4 - new
	Public key creation time - Fri Oct 19 04:01:41 EEST 2018
	Pub alg - RSA Encrypt or Sign(pub 1)
	RSA n(4096 bits) - ...
	RSA e(17 bits) - ...
New: Signature Packet(tag 2)(1086 bytes)
	Ver 4 - new
	Sig type - Subkey Binding Signature(0x18).
	Pub alg - RSA Encrypt or Sign(pub 1)
	Hash alg - SHA1(hash 2)
	Hashed Sub: signature creation time(sub 2)(4 bytes)
		Time - Fri Oct 19 04:01:41 EEST 2018
	Hashed Sub: key flags(sub 27)(1 bytes)
		Flag - This key may be used to sign data
		Flag - This key may be used to encrypt communications
		Flag - This key may be used to encrypt storage
		Flag - This key may be used for authentication
	Sub: issuer key ID(sub 16)(8 bytes)
		Key ID - 0x59F18EDF47F24417
	Sub: embedded signature(sub 32)(540 bytes)
	Ver 4 - new
	Sig type - Primary Key Binding Signature(0x19).
	Pub alg - RSA Encrypt or Sign(pub 1)
	Hash alg - SHA1(hash 2)
	Hashed Sub: signature creation time(sub 2)(4 bytes)
		Time - Fri Oct 19 04:01:41 EEST 2018
	Sub: issuer key ID(sub 16)(8 bytes)
		Key ID - 0xE7391C94080429FF
	Hash left 2 bytes - dc 3d 
	RSA m^d mod n(4096 bits) - ...
		-> PKCS-1
	Hash left 2 bytes - 41 1a 
	RSA m^d mod n(4096 bits) - ...
		-> PKCS-1

TimescaleDB version affected

All

PostgreSQL version used

N/A

What operating system did you use?

Debian 13

What installation method did you use?

Deb/Apt

What platform did you run on?

On prem/Self-hosted

Relevant log output and stack trace

No response

How can we reproduce the bug?

$ podman run --rm -it debian:unstable
# apt update && apt dist-upgrade -y && apt install -y curl
# curl -s https://packagecloud.io/install/repositories/timescale/timescaledb/script.deb.sh | bash
# sed -i 's/trixie/bookworm/' /etc/apt/sources.list.d/timescale_timescaledb.list
# apt update
@lnicola lnicola added the bug label Jan 9, 2025
@mkindahl
Copy link
Contributor

@lnicola Thank you for the bug report and the reproduction case. It is trivial to reproduce using docker:

$ docker run --rm -ti debian:unstable
# apt update && apt dist-upgrade -y && apt install -y curl
# curl -s https://packagecloud.io/install/repositories/timescale/timescaledb/script.deb.sh | bash
# sed -i 's/trixie/bookworm/' /etc/apt/sources.list.d/timescale_timescaledb.list
# apt update

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants