.deb package signed with a deprecated SHA1 algorithm
When following the guide to verify the signature for the .deb package, I got the following error:
$ debsig-verify --debug gcm.deb
debsig: Starting verification for: gcm.deb
debsig: getSigKeyID: got 189ABF20BC4D22098078A6403C853823978B07FA for origin key
debsig: getDbPathname: using /etc/debsig/policies/3C853823978B07FA keyring
debsig: Using policy directory: /etc/debsig/policies/3C853823978B07FA
debsig: Parsing policy file: /etc/debsig/policies/3C853823978B07FA/generic.pol
debsig: parsePolicyFile: parsing '/etc/debsig/policies/3C853823978B07FA/generic.pol'
debsig: parsePolicyFile: completed
debsig: Checking Selection group(s).
debsig: Processing 'origin' key...
debsig: getDbPathname: using /usr/share/debsig/keyrings/3C853823978B07FA/gcm-public.gpg keyring
debsig: getKeyID: mapped 3C853823978B07FA -> 189ABF20BC4D22098078A6403C853823978B07FA
debsig: getSigKeyID: got 189ABF20BC4D22098078A6403C853823978B07FA for origin key
debsig: Selection group(s) passed, policy is usable.
debsig: Using policy file: /etc/debsig/policies/3C853823978B07FA/generic.pol
debsig: Checking Verification group(s).
debsig: Processing 'origin' key...
debsig: getDbPathname: using /usr/share/debsig/keyrings/3C853823978B07FA/gcm-public.gpg keyring
debsig: getKeyID: mapped 3C853823978B07FA -> 189ABF20BC4D22098078A6403C853823978B07FA
debsig: getSigKeyID: got 189ABF20BC4D22098078A6403C853823978B07FA for origin key
gpg: Signature made Wed 30 Oct 2024 11:59:51 CET
gpg: using RSA key 189ABF20BC4D22098078A6403C853823978B07FA
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: Can't check signature: Invalid digest algorithm
debsig: sigVerify: gpg exited abnormally or with non-zero exit status
debsig: verifyGroupRules: failed for origin
debsig: Verification group failed checks.
debsig: Failed verification for gcm.deb.
I believe that the failure is due to "signatures using the SHA1 algorithm are rejected". Would it be possible to sign the package using a modern algorithm instead?
When I try this, I get:
$ debsig-verify gcm.deb
debsig: Verified package from 'Git Credential Manager public key' (Git Credential Manager)
I.e. I cannot reproduce.
Maybe it depends on the distro you're on? Here's where I'm at:
$ lsb_release -d
Description: Ubuntu 22.04.5 LTS
You are correct; more specifically, it depends on the version of debsig-verify.
I assume you are still on version 0.23, which is published in Jammy, whereas this change came in v0.24. Quoting from their changelog:
Reject weak RIPEMD160 and SHA1 algorithms.
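As an added example (not code from this thread, from Git Credential Manager, or from debsig-verify), the script below pulls the signature member out of a .deb and decodes the OpenPGP signature packet header to report which digest algorithm was used, so a SHA1-signed package can be told apart from a SHA256-signed one before debsig-verify 0.24 or later refuses it with "Invalid digest algorithm". It assumes the debsig convention that the detached signature lives in an `ar` member named `_gpg<type>`, which for the 'origin' policy type in the log above is `_gpgorigin`. The sample package it builds is constructed inline with a dummy signature MPI (gpg could not verify it; it only gives the parser realistic bytes to walk).

```python
"""Report the digest algorithm of a .deb's debsig signature (constructed example,
not project code). A .deb is a classic `ar` archive; debsig-verify reads the
detached OpenPGP signature from the member `_gpg<type>` ('_gpgorigin' here)."""
import sys

# RFC 4880 section 9.4 hash IDs and section 9.1 public-key IDs (subsets).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
# SHA1 and RIPEMD160 are rejected by debsig-verify >= 0.24 (its changelog); MD5 is older still.
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}
AR_MAGIC = b"!<arch>\n"


def ar_members(blob):
    """Yield (name, data) for every member of an `ar` archive such as a .deb."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off = len(AR_MAGIC)
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar header at offset %d" % off)
        name = hdr[0:16].decode("ascii").rstrip(" /")  # dpkg pads with spaces, GNU ar adds '/'
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, blob[off + 60:off + 60 + size]
        off += 60 + size + (size & 1)  # member data is padded to an even length


def openpgp_packets(data):
    """Yield (tag, body) for each OpenPGP packet, old- or new-format header."""
    off = 0
    while off < len(data):
        ctb = data[off]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet at offset %d" % off)
        off += 1
        if ctb & 0x40:  # new-format header, RFC 4880 4.2.2
            tag, first = ctb & 0x3F, data[off]
            if first < 192:
                length, off = first, off + 1
            elif first < 224:
                length, off = ((first - 192) << 8) + data[off + 1] + 192, off + 2
            elif first == 255:
                length, off = int.from_bytes(data[off + 1:off + 5], "big"), off + 5
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header, RFC 4880 4.2.1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length, off = int.from_bytes(data[off:off + (1 << ltype)], "big"), off + (1 << ltype)
        yield tag, data[off:off + length]
        off += length


def signature_info(body):
    """Return (version, pubkey algo, digest) from a signature packet body."""
    version = body[0]
    if version == 4:    # v4: version, sig type, pk algo, hash algo, ...
        pk, h = body[2], body[3]
    elif version == 3:  # v3: version, 5, sig type, time[4], key id[8], pk algo, hash algo
        pk, h = body[15], body[16]
    else:
        raise ValueError("unsupported signature version %d" % version)
    return version, PUBKEY_ALGOS.get(pk, "pk-%d" % pk), HASH_ALGOS.get(h, "hash-%d" % h)


def deb_signature_digest(deb, member="_gpgorigin"):
    """Return (version, pubkey algo, digest) of the debsig member, or None if unsigned."""
    for name, data in ar_members(deb):
        if name == member:
            for tag, body in openpgp_packets(data):
                if tag == 2:  # tag 2 is a signature packet
                    return signature_info(body)
            raise ValueError("%s holds no signature packet" % member)
    return None


def _ar_member(name, data):
    hdr = b"%-16s%-12s%-6s%-6s%-8s%-10s`\n" % (name, b"0", b"0", b"0", b"100644", str(len(data)).encode())
    return hdr + data + (b"\n" if len(data) & 1 else b"")


def build_sample_deb(hash_id=2, signed=True):
    """Constructed minimal .deb whose _gpgorigin is a v4 RSA signature header with
    the given digest ID and a dummy MPI (not verifiable, only parseable)."""
    body = (bytes([4, 0x00, 1, hash_id]) + b"\x00\x00\x00\x00"  # no subpackets
            + b"\xab\xcd" + b"\x00\x08\xff")  # left 16 hash bits, dummy 8-bit MPI
    packet = bytes([0x88, len(body)]) + body  # old-format header, tag 2, 1-byte length
    deb = (AR_MAGIC + _ar_member(b"debian-binary", b"2.0\n")
           + _ar_member(b"control.tar.gz", b"control") + _ar_member(b"data.tar.gz", b"data"))
    return deb + _ar_member(b"_gpgorigin", packet) if signed else deb


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_deb()
    info = deb_signature_digest(blob)
    if info is None:
        print("no _gpgorigin signature member")
    else:
        ver, pk, digest = info
        verdict = "WEAK, rejected by debsig-verify >= 0.24" if digest in WEAK_DIGESTS else "ok"
        print("v%d %s signature, digest %s: %s" % (ver, pk, digest, verdict))
```

Run it as `python3 debsig_digest.py gcm.deb`; a `SHA1` result is exactly the condition behind the "Invalid digest algorithm" line in the log above, and only re-signing the package with a modern digest (or staying on a debsig-verify older than 0.24, which merely hides the problem) makes verification pass.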