Opened 3 years ago

Closed 2 years ago

#21694 closed defect (fixed)

Tor source tarball signed with sha1

Reported by: cypherpunks Owned by:
Priority: Medium Milestone: Tor: 0.3.1.x-final
Component: - Select a component Version: Tor: 0.3.1.7
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

$ gpg --verify -v tor-0.2.9.10.tar.gz.asc
gpg: assuming signed data in 'tor-0.2.9.10.tar.gz'
gpg: Signature made Wed 01 Mar 2017 13:09:27 GMT
gpg: using RSA key 6AFEE6D49E92B601
gpg: using subkey 6AFEE6D49E92B601 instead of primary key FE43009C4607B1FB
gpg: using pgp trust model
gpg: Good signature from "Nick Mathewson <nickm@…>" [unknown]
gpg: aka "Nick Mathewson <nickm@…>" [unknown]
gpg: aka "Nick Mathewson <nickm@…>" [unknown]
gpg: aka "Nick Mathewson <nickm@…>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB

Subkey fingerprint: 7A02 B352 1DC7 5C54 2BA0 1545 6AFE E6D4 9E92 B601

gpg: binary signature, digest algorithm SHA1, key algorithm rsa4096

Change History (10)

comment:1 Changed 3 years ago by nickm

What's the gpg.conf option to sign with something better?

comment:2 Changed 3 years ago by tyseom

Usually it just uses the strongest in your preferences.

gpg --edit-key yourkey
showpref

If the digest line shows SHA1 only, you might add some SHA512, SHA384, ..
(setpref)

comment:3 Changed 3 years ago by nickm

Nope. I see:

     Cipher: AES256, AES192, AES, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: BZIP2, ZLIB, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify

comment:4 Changed 3 years ago by cypherpunks

What does
gpg --version
say?

comment:5 Changed 3 years ago by dgoulet

In your .gnupg/gpg.conf add this (put whatever alg you want):

cert-digest-algo SHA256
digest-algo SHA256

comment:6 Changed 3 years ago by nickm

Okay, I'll try that.

comment:7 Changed 3 years ago by dgoulet

Resolution: fixed
Status: new → closed

comment:8 Changed 2 years ago by cypherpunks

Milestone: Tor: 0.2.9.x-final → Tor: 0.3.1.x-final
Resolution: fixed
Status: closed → reopened
Version: Tor: 0.3.1.7

Nothing fixed, tor-0.3.1.7.tar.gz signed with SHA1

comment:9 Changed 2 years ago by isis

Maybe try also setting (in ~/.gnupg/gpg.conf):

personal-digest-preferences SHA512 SHA384 SHA256

The preferences which you had set when you created the key are burned into the key, but gpg2 --export-options 'export-minimal' --export FE43009C4607B1FB | pgpdump | grep 'Hash alg' says that it's SHA256, so I honestly don't know what is getting it to use SHA1.

comment:10 Changed 2 years ago by nickm

Resolution: fixed
Status: reopened → closed

I think I got it right this time.

[1134]$ gpg -v tor-0.3.1.8.tar.gz.asc  
gpg: assuming signed data in `tor-0.3.1.8.tar.gz'
gpg: Signature made Wed 25 Oct 2017 08:24:11 AM EDT
gpg:                using RSA key 6AFEE6D49E92B601
gpg: using subkey 6AFEE6D49E92B601 instead of primary key FE43009C4607B1FB
gpg: using classic trust model
gpg: Good signature from "Nick Mathewson <nickm@alum.mit.edu>"
gpg:                 aka "Nick Mathewson <nickm@wangafu.net>"
gpg:                 aka "Nick Mathewson <nickm@torproject.org>"
gpg:                 aka "Nick Mathewson <nickm@freehaven.net>"
gpg: binary signature, digest algorithm SHA512
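
A release check for the problem tracked in this ticket can read the digest algorithm directly from the detached signature, without the signer's key in the keyring. This is an added example, not part of the ticket or of Tor's release tooling; the function names are hypothetical and the sample packets are constructed and truncated to their header fields.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}

def dearmor(text):
    """Return the binary packet data from an ASCII-armored block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    data = []
    for ln in lines[lines.index("") + 1:]:    # armor headers end at the blank line
        if ln.startswith(("=", "-----END")):  # CRC24 line or end marker
            break
        data.append(ln)
    return base64.b64decode("".join(data))

def signature_digest(armored):
    """Name of the hash algorithm declared in the first signature packet."""
    pkt = dearmor(armored)
    first = pkt[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                          # new-format packet header
        tag, l0 = first & 0x3F, pkt[1]
        if 224 <= l0 < 255:
            raise ValueError("partial body length in a signature packet")
        hdr = 2 if l0 < 192 else 3 if l0 < 224 else 6
    else:                                     # old-format packet header
        tag = (first >> 2) & 0x0F
        hdr = 1 + (1, 2, 4, 0)[first & 3]
    if tag != 2:
        raise ValueError("first packet is not a signature")
    body = pkt[hdr:]
    offset = {4: 3, 3: 16}.get(body[0])       # hash-algo octet in v4 / v3 layouts
    if offset is None:
        raise ValueError("unsupported signature version")
    return HASH_ALGOS.get(body[offset], "unknown(%d)" % body[offset])

def uses_weak_digest(armored):
    return signature_digest(armored) in WEAK

def constructed_sample(hash_id):
    """Constructed v4 header only (binary sig, RSA); no real signature data."""
    body = bytes([4, 0x00, 1, hash_id, 0, 0, 0, 0])
    pkt = bytes([0x88, len(body)]) + body     # old format, tag 2, 1-byte length
    return ("-----BEGIN PGP SIGNATURE-----\n\n%s\n-----END PGP SIGNATURE-----\n"
            % base64.b64encode(pkt).decode())
```

This reads only the algorithm the signature declares; it does not verify the signature, so `gpg --verify` is still required.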