Bug 2184994 - virt-builder fails to validate SHA1 GPG key (gpg: Note: signatures using the SHA1 algorithm are rejected)
Summary: virt-builder fails to validate SHA1 GPG key (gpg: Note: signatures using the ...
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: guestfs-tools
Version: 9.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Richard W.M. Jones
QA Contact: YongkuiGuo
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-04-06 12:23 UTC by YongkuiGuo
Modified: 2023-09-22 13:30 UTC (History)
CC: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-09-22 13:30:37 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker   RHEL-7118 0 None Migrated None 2023-09-22 13:30:32 UTC
Red Hat Issue Tracker RHELPLAN-154176 0 None None None 2023-04-06 12:27:09 UTC

Description YongkuiGuo 2023-04-06 12:23:24 UTC
Description of problem:
On the RHEL-9.3.0-20230405.0 compose, the 'virt-builder --list -v -x' command fails with the following error:

command line: virt-builder --list -v -x
/usr/bin/gpg2 --help >/dev/null 2>&1
curl --help >/dev/null 2>&1
virt-resize --help >/dev/null 2>&1
trying to read /etc/virt-builder/repos.d/libguestfs.conf
read 2 sources
trying to read /etc/virt-builder/repos.d/opensuse.conf
read 0 sources
/usr/bin/gpg2 --homedir /tmp/virt-builder.KPm6PU/vb.gpghome.qtIhGF --list-keys
gpg: keybox '/tmp/virt-builder.KPm6PU/vb.gpghome.qtIhGF/pubring.kbx' created
gpg: /tmp/virt-builder.KPm6PU/vb.gpghome.qtIhGF/trustdb.gpg: trustdb created
/usr/bin/gpg2 --homedir /tmp/virt-builder.KPm6PU/vb.gpghome.qtIhGF --status-file '/tmp/virt-builder.KPm6PU/vbstatf93317.txt' --import '/etc/virt-builder/repos.d/libguestfs.gpg'
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: key 91738F73E1B768A0: 3 bad signatures
gpg: key 91738F73E1B768A0: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
/usr/bin/gpg2 --homedir /tmp/virt-builder.KPm6PU/vb.gpghome.qtIhGF --trusted-key '' --list-keys
gpg: '' is not a valid long keyID
virt-builder: error: GPG failure: could not trust the imported key
Use the ‘-v’ option and look for earlier error messages.
rm -rf -- '/tmp/virt-builder.KPm6PU'


Version-Release number of selected component (if applicable):
guestfs-tools-1.48.2-8.el9.x86_64
kernel-5.14.0-295.el9.x86_64
gnupg2-2.3.3-3.el9.x86_64


How reproducible:
100% (baremetal or VM in beaker)


Steps:

1.
2.
3.

Actual results:
As above

Expected results:
virt-builder works fine as usual.

Additional info:
1. Our automation hit this issue on the RHEL-9.3.0-20230403.57, RHEL-9.3.0-20230404.31, and RHEL-9.3.0-20230405.0 composes with beaker baremetal.
2. Cannot reproduce this issue on the PSI OpenStack env.
3. No such issue on RHEL 8.9.

Comment 1 Richard W.M. Jones 2023-04-06 13:12:58 UTC
Since I just a few minutes ago added guestfs-tools 1.50.1, could you try that version?
See bug 2168626

Comment 2 YongkuiGuo 2023-04-06 13:25:21 UTC
(In reply to Richard W.M. Jones from comment #1)
> Since I just a few minutes ago added guestfs-tools 1.50.1, could you try
> that version?
> See bug 2168626
I just tried; guestfs-tools-1.50.1 cannot fix this issue.

Comment 3 Richard W.M. Jones 2023-04-06 14:09:59 UTC
This seems like it could be something to do with SHA1.  However I'm not sure
how to show the full information of a GPG key.  eg: This only gives
superficial info:

$ gpg --show-keys /etc/virt-builder/repos.d/libguestfs.gpg
pub   rsa4096 2011-10-11 [SC]
      F7774FB1AD074A7E8C8767EA91738F73E1B768A0
uid                      Richard W.M. Jones <rjones>
uid                      Richard W.M. Jones <rich>
sub   rsa4096 2011-10-11 [E]

Comment 4 Laszlo Ersek 2023-04-06 14:10:34 UTC
From "builder/sigchecker.ml" @ b68a846e2f40: the "--trusted-key" gpg option gets the '' (empty string) operand because the previous import fails. gpg never prints "IMPORTED", so we never set "key_id" to the imported key, key_id remains the empty string.

I figure we need to update "/etc/virt-builder/repos.d/libguestfs.gpg" so that it provides keys with SHA256 signatures.
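
The failure mode described in this comment, an empty key ID reaching "--trusted-key", can be closed off at the point where the import status is read. The following is an added example in Python, not code from virt-builder (whose sigchecker.ml is OCaml) or from this bug: it parses the status lines GnuPG writes to --status-file / --status-fd (format from GnuPG's doc/DETAILS, where "IMPORTED <long key ID> <user ID>" is emitted per imported key and "IMPORT_RES" summarises the run, its second number counting keys dropped for having no user ID) and refuses to produce a --trusted-key argument unless exactly one key was imported. Both status transcripts, the user-ID placeholder and the helper names are constructed for the example.

```python
"""Fail closed when a gpg --import yields no usable key (added example).

Constructed illustration, not virt-builder code: returns the long key ID of
the single imported key, or raises with a reason, so that an empty string can
never be passed to ``gpg --trusted-key``.
"""
from __future__ import annotations


class KeyImportError(RuntimeError):
    """Raised when the status output shows that no (or more than one) key was imported."""


def parse_status(status_text: str) -> list[tuple[str, list[str]]]:
    """Return (keyword, args) for every "[GNUPG:] ..." line; other lines are ignored."""
    records: list[tuple[str, list[str]]] = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        records.append((fields[1], fields[2:]))
    return records


def imported_key_id(status_text: str) -> str:
    """Long key ID of the one key gpg reported as IMPORTED, or KeyImportError."""
    imported: list[str] = []
    no_user_id = 0
    for keyword, args in parse_status(status_text):
        if keyword == "IMPORTED" and args:
            imported.append(args[0])
        elif keyword == "IMPORT_RES" and len(args) >= 2:
            # IMPORT_RES <count> <no_user_id> <imported> ... (doc/DETAILS)
            no_user_id = int(args[1])
    if len(imported) == 1:
        return imported[0]
    if not imported:
        if no_user_id:
            hint = (f"{no_user_id} key(s) skipped for having no valid user ID "
                    "(e.g. every self-signature rejected)")
        else:
            hint = "no IMPORTED status line"
        raise KeyImportError(f"gpg imported no key: {hint}")
    raise KeyImportError(f"expected one key, gpg imported {len(imported)}: {imported}")


def trusted_key_args(status_text: str) -> list[str]:
    """Arguments to append to the follow-up gpg invocation; never an empty key ID."""
    return ["--trusted-key", imported_key_id(status_text)]


def explain_failure(status_text: str) -> str:
    """Error message the import would raise, or '' when the import is usable."""
    try:
        trusted_key_args(status_text)
        return ""
    except KeyImportError as exc:
        return str(exc)


# Constructed transcript of a successful import (user ID is a placeholder).
GOOD_STATUS = """\
[GNUPG:] IMPORTED 91738F73E1B768A0 Richard W.M. Jones <uid-placeholder>
[GNUPG:] IMPORT_OK 1 F7774FB1AD074A7E8C8767EA91738F73E1B768A0
[GNUPG:] IMPORT_RES 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0
"""

# Constructed transcript mirroring this bug: one key processed, none imported,
# one dropped "w/o user IDs", so no IMPORTED line is ever written.
SKIPPED_STATUS = """\
[GNUPG:] IMPORT_RES 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0
"""

if __name__ == "__main__":
    print(trusted_key_args(GOOD_STATUS))
    print(explain_failure(SKIPPED_STATUS))
```

With the skipped transcript the helper reports the "no valid user ID" condition directly, which is the message a user would have wanted instead of "'' is not a valid long keyID".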

Comment 5 Richard W.M. Jones 2023-04-06 14:12:45 UTC
3rd time lucky ...

Comment 6 Richard W.M. Jones 2023-04-06 14:15:11 UTC
Apparently using -vv shows more detail:

$ gpg -vv --show-keys /etc/virt-builder/repos.d/libguestfs.gpg
gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
gpg: armor header: Version: GnuPG v1.4.14 (GNU/Linux)
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
	version 4, algo 1, created 1318334657, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: 91738F73E1B768A0
# off=528 ctb=b4 tag=13 hlen=2 plen=37
:user ID packet: "Richard W.M. Jones <rich>"
# off=567 ctb=89 tag=2 hlen=3 plen=568
:signature packet: algo 1, keyid 91738F73E1B768A0
	version 4, created 1318334657, md5len 0, sigclass 0x13
	digest algo 2, begin of digest 74 18
	hashed subpkt 2 len 4 (sig created 2011-10-11)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	subpkt 16 len 8 (issuer key ID 91738F73E1B768A0)
	data: [4092 bits]
# off=1138 ctb=b4 tag=13 hlen=2 plen=38
:user ID packet: "Richard W.M. Jones <rjones>"
# off=1178 ctb=89 tag=2 hlen=3 plen=568
:signature packet: algo 1, keyid 91738F73E1B768A0
	version 4, created 1318336779, md5len 0, sigclass 0x13
	digest algo 2, begin of digest 21 46
	hashed subpkt 2 len 4 (sig created 2011-10-11)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	subpkt 16 len 8 (issuer key ID 91738F73E1B768A0)
	data: [4096 bits]
# off=1749 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
	version 4, algo 1, created 1318334657, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: 9658E5232D07308A
# off=2277 ctb=89 tag=2 hlen=3 plen=543
:signature packet: algo 1, keyid 91738F73E1B768A0
	version 4, created 1318334657, md5len 0, sigclass 0x18
	digest algo 2, begin of digest 48 b4
	hashed subpkt 2 len 4 (sig created 2011-10-11)
	hashed subpkt 27 len 1 (key flags: 0C)
	subpkt 16 len 8 (issuer key ID 91738F73E1B768A0)
	data: [4095 bits]
pub   rsa4096 2011-10-11 [SC]
      F7774FB1AD074A7E8C8767EA91738F73E1B768A0
uid                      Richard W.M. Jones <rjones>
uid                      Richard W.M. Jones <rich>
sub   rsa4096 2011-10-11 [E]

Comment 8 YongkuiGuo 2023-04-06 14:25:37 UTC
In my env:

$ gpg -vv --show-keys /etc/virt-builder/repos.d/libguestfs.gpg
gpg: Note: RFC4880bis features are enabled.
gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
gpg: armor header: Version: GnuPG v1.4.14 (GNU/Linux)
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
	version 4, algo 1, created 1318334657, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: 91738F73E1B768A0
# off=528 ctb=b4 tag=13 hlen=2 plen=37
:user ID packet: "Richard W.M. Jones <rich>"
# off=567 ctb=89 tag=2 hlen=3 plen=568
:signature packet: algo 1, keyid 91738F73E1B768A0
	version 4, created 1318334657, md5len 0, sigclass 0x13
	digest algo 2, begin of digest 74 18
	hashed subpkt 2 len 4 (sig created 2011-10-11)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	subpkt 16 len 8 (issuer key ID 91738F73E1B768A0)
	data: [4092 bits]
# off=1138 ctb=b4 tag=13 hlen=2 plen=38
:user ID packet: "Richard W.M. Jones <rjones>"
# off=1178 ctb=89 tag=2 hlen=3 plen=568
:signature packet: algo 1, keyid 91738F73E1B768A0
	version 4, created 1318336779, md5len 0, sigclass 0x13
	digest algo 2, begin of digest 21 46
	hashed subpkt 2 len 4 (sig created 2011-10-11)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
	hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
	hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	subpkt 16 len 8 (issuer key ID 91738F73E1B768A0)
	data: [4096 bits]
# off=1749 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
	version 4, algo 1, created 1318334657, expires 0
	pkey[0]: [4096 bits]
	pkey[1]: [17 bits]
	keyid: 9658E5232D07308A
# off=2277 ctb=89 tag=2 hlen=3 plen=543
:signature packet: algo 1, keyid 91738F73E1B768A0
	version 4, created 1318334657, md5len 0, sigclass 0x18
	digest algo 2, begin of digest 48 b4
	hashed subpkt 2 len 4 (sig created 2011-10-11)
	hashed subpkt 27 len 1 (key flags: 0C)
	subpkt 16 len 8 (issuer key ID 91738F73E1B768A0)
	data: [4095 bits]
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: key 91738F73E1B768A0: invalid self-signature on user ID "Richard W.M. Jones <rich>"
gpg: key 91738F73E1B768A0: invalid self-signature on user ID "Richard W.M. Jones <rjones>"
gpg: key 91738F73E1B768A0/9658E5232D07308A: invalid subkey binding
gpg: key 91738F73E1B768A0: skipped user ID "Richard W.M. Jones <rich>"
gpg: key 91738F73E1B768A0: skipped user ID "Richard W.M. Jones <rjones>"
gpg: key 91738F73E1B768A0/9658E5232D07308A: skipped subkey
pub   rsa4096 2011-10-11 [SCEA]
      F7774FB1AD074A7E8C8767EA91738F73E1B768A0

Comment 9 Laszlo Ersek 2023-04-06 14:34:10 UTC
(In reply to Richard W.M. Jones from comment #3)
> This seems like it could be something to do with SHA1.

Right; from comment #0: "gpg: Note: signatures using the SHA1 algorithm are rejected".

> However I'm not sure
> how to show the full information of a GPG key.  eg: This only gives
> superficial info:
> 
> $ gpg --show-keys /etc/virt-builder/repos.d/libguestfs.gpg

I didn't expect it to be this complicated, but it is... <https://stackoverflow.com/questions/22136029/how-to-display-gpg-key-details-without-importing-it> leads me to pgpdump (available in Fedora and EPEL), and then:

pgpdump /etc/virt-builder/repos.d/libguestfs.gpg

will print a bunch of "Hash alg - SHA1(hash 2)" entries under "Signature Packet"s.

Comment 10 Laszlo Ersek 2023-04-06 14:38:19 UTC
Basically pgpdump is a wrapper around "gpg --list-packets", and it translates the algorithm references in the "--list-packets" output to names, from RFC 4880.

SHA-1 is "hash algorithm 2", so wherever you see "digest algo 2" in the untranslated output above, that's where pgpdump will print "Hash alg - SHA1(hash 2)".
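
The translation described in comments 9 and 10 can be automated so a key file can be audited for weak signature digests before a hardened gnupg2 refuses it. The block below is an added example in Python, not part of this bug, of virt-builder or of pgpdump: it parses the packet dump printed by "gpg --list-packets" (the same format as the "gpg -vv --show-keys" output above), maps each signature packet's "digest algo N" through the RFC 4880 hash-algorithm table as pgpdump does, and flags the signatures whose digest is MD5 or SHA1. SAMPLE_DUMP is constructed from the packet dump quoted in this bug, trimmed to the lines the parser uses; the function and constant names are the example's own.

```python
"""Audit the hash algorithms behind an OpenPGP key's signatures (added example).

Constructed illustration, not pgpdump or virt-builder code: walks a
``gpg --list-packets`` dump, records every signature packet and reports the
ones whose digest GnuPG now treats as weak.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# RFC 4880 section 9.4 hash algorithm IDs; "digest algo 2" is SHA-1.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# MD5 is weak by default in GnuPG; SHA1 is the digest the downstream change in this bug marks weak.
WEAK_HASHES = {"MD5", "SHA1"}
# RFC 4880 section 5.2.1 signature types relevant to a public key import.
SIGCLASSES = {0x10: "generic certification", 0x13: "positive certification (user ID self-sig)",
              0x18: "subkey binding", 0x1F: "direct key", 0x20: "key revocation"}


@dataclass
class Signature:
    offset: int | None   # byte offset of the packet in the file, from the "# off=" line
    issuer: str          # long key ID from the "keyid" field
    sigclass: int        # signature type, e.g. 0x13 or 0x18
    hash_algo: int       # RFC 4880 hash algorithm ID

    @property
    def hash_name(self) -> str:
        return HASH_ALGOS.get(self.hash_algo, f"hash {self.hash_algo}")

    @property
    def weak(self) -> bool:
        return self.hash_name in WEAK_HASHES

    def describe(self) -> str:
        kind = SIGCLASSES.get(self.sigclass, f"sigclass 0x{self.sigclass:02x}")
        return f"off={self.offset} {kind} by {self.issuer}: {self.hash_name} [{'WEAK' if self.weak else 'ok'}]"


def parse_signatures(dump: str) -> list[Signature]:
    """Extract every signature packet from a --list-packets dump."""
    sigs: list[Signature] = []
    offset = None
    pending = None  # fields of the signature packet whose body we are reading
    for line in dump.splitlines():
        m = re.match(r"# off=(\d+)", line)
        if m:
            offset = int(m.group(1))
            continue
        m = re.match(r":signature packet: algo \d+, keyid ([0-9A-Fa-f]+)", line)
        if m:
            pending = {"offset": offset, "issuer": m.group(1).upper(), "sigclass": 0}
            continue
        if pending is None:
            continue
        m = re.search(r"sigclass 0x([0-9A-Fa-f]+)", line)
        if m:
            pending["sigclass"] = int(m.group(1), 16)
        m = re.search(r"digest algo (\d+)", line)
        if m:  # the digest line closes the part of the packet we care about
            sigs.append(Signature(hash_algo=int(m.group(1)), **pending))
            pending = None
    return sigs


def weak_signatures(dump: str) -> list[Signature]:
    return [s for s in parse_signatures(dump) if s.weak]


def audit_key_file(path: str) -> list[Signature]:
    """Inspect a key file without importing it and return its weak signatures."""
    proc = subprocess.run(["gpg", "--list-packets", path],
                          capture_output=True, text=True, check=True)
    return weak_signatures(proc.stdout)


# Constructed from the dump quoted in this bug, trimmed to the lines used here.
SAMPLE_DUMP = """\
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
\tversion 4, algo 1, created 1318334657, expires 0
\tkeyid: 91738F73E1B768A0
# off=528 ctb=b4 tag=13 hlen=2 plen=37
:user ID packet: "Richard W.M. Jones <rich>"
# off=567 ctb=89 tag=2 hlen=3 plen=568
:signature packet: algo 1, keyid 91738F73E1B768A0
\tversion 4, created 1318334657, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 74 18
# off=1178 ctb=89 tag=2 hlen=3 plen=568
:signature packet: algo 1, keyid 91738F73E1B768A0
\tversion 4, created 1318336779, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 21 46
# off=2277 ctb=89 tag=2 hlen=3 plen=543
:signature packet: algo 1, keyid 91738F73E1B768A0
\tversion 4, created 1318334657, md5len 0, sigclass 0x18
\tdigest algo 2, begin of digest 48 b4
"""

if __name__ == "__main__":
    for sig in parse_signatures(SAMPLE_DUMP):
        print(sig.describe())
```

Run against the sample, all three signatures (two user-ID self-signatures and the subkey binding) come back as SHA1 and WEAK, which is exactly the set gpg reported as "3 bad signatures" in the description; a key whose self-signatures were re-issued with SHA256 would return an empty list from weak_signatures.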

Comment 11 Laszlo Ersek 2023-04-06 14:42:29 UTC
Dist-git change: 464efce3c538 ("Mark SHA1 as a weak digest", 2023-03-30).

For bug 2070722.

Comment 12 Laszlo Ersek 2023-04-06 14:45:47 UTC
From reading the downstream gnupg2 source code: please try with the "--allow-weak-digest-algos" command line option.

Comment 13 Laszlo Ersek 2023-04-06 14:50:54 UTC
... in the prepped source of gnupg2 from dist-git @ 82c38c29114f ("gnupg-2.3.3-3", 2023-03-30), I find in "$HOME/rpmbuild/BUILD/gnupg-2.3.3/g10/gpg.c":

  /* Options to override new security defaults.  */
  ARGPARSE_s_n (oAllowWeakKeySignatures, "allow-weak-key-signatures", "@"),
  ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"),
  ARGPARSE_s_n (oAllowOldCipherAlgos, "allow-old-cipher-algos", "@"),
  ARGPARSE_s_s (oWeakDigest, "weak-digest","@"),
  ARGPARSE_s_s (oVerifyOptions, "verify-options", "@"),
  ARGPARSE_s_n (oEnableSpecialFilenames, "enable-special-filenames", "@"),
  ARGPARSE_s_n (oNoRandomSeedFile,  "no-random-seed-file", "@"),
  ARGPARSE_s_n (oNoSigCache,         "no-sig-cache", "@"),
  ARGPARSE_s_n (oIgnoreTimeConflict, "ignore-time-conflict", "@"),
  ARGPARSE_s_n (oIgnoreValidFrom,    "ignore-valid-from", "@"),
  ARGPARSE_s_n (oIgnoreCrcError, "ignore-crc-error", "@"),
  ARGPARSE_s_n (oIgnoreMDCError, "ignore-mdc-error", "@"),
  ARGPARSE_s_s (oDisableCipherAlgo,  "disable-cipher-algo", "@"),
  ARGPARSE_s_s (oDisablePubkeyAlgo,  "disable-pubkey-algo", "@"),
  ARGPARSE_s_s (oCipherAlgo, "cipher-algo", "@"),
  ARGPARSE_s_s (oAEADAlgo,   "aead-algo", "@"),
  ARGPARSE_s_s (oDigestAlgo, "digest-algo", "@"),
  ARGPARSE_s_s (oCertDigestAlgo, "cert-digest-algo", "@"),

... for future reference, if we need to relax more checks...

Comment 14 YongkuiGuo 2023-04-07 06:47:47 UTC
Thanks for your investigation.

The version of gnupg2 has been downgraded from 2.3.3-3 to 2.3.3-2 in the latest RHEL9.3 nightly compose. And virt-builder works well as usual.

Comment 15 Richard W.M. Jones 2023-04-11 10:32:00 UTC
There was some internal discussion and it seems as if this change will be
reverted in gnupg2.

We will still need to fix the libguestfs key, so let's keep this bug open.

Comment 16 RHEL Program Management 2023-09-22 13:30:11 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 17 RHEL Program Management 2023-09-22 13:30:37 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

