On 01/12/2023 01:20, Dimitri John Ledkov wrote:
Hi,

Currently dak requires signatures on .changes & .dsc uploads. .changes with signatures are publicly announced and then .dsc are published in the archive with signatures. .changes references .dsc.

All .dsc have Checksums-Sha256 for the files they reference, .dsc itself can be verified through strong checksum in Sources metadata, chained via InRelease to the strong debian archive key signature.

The same is not true for the signatures on the .dsc themselves. The majority of .dsc files use at least SHA256 and can be successfully verified.

But some use weak hash:
5 dsc signed using Hash: RIPEMD160
152 dsc signed using Hash: SHA1

And many of them cannot be verified using debian-keyring:
2,455 no public key

Hi, on the "no public key" list there are my uploads. I'm a Debian Maintainer (https://nm.debian.org/person/fantu/); I signed with my key and I have DM upload rights for them (https://qa.debian.org/developer.php?login=fantonifabio%40tiscali.it).

Did I do something wrong that I don't know about?

3 wrong key usage

Lists of affected .dsc are published at https://people.canonical.com/~xnox/dsc-analysis/ due to size.

This makes me wonder if signatures on uploaded or published .dsc have any value at all. Ultimately one should use apt secure to retrieve both .deb and .dsc; and verify .changes signature if one wants to figure out authorship.

Should we upload sourceful NMU to eliminate SHA1, RIPEMD160, wrong-key-usage signatures in .dsc?

Should we stop requiring signed .dsc on uploads?

--
Regards,

Dimitri.


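The classification in the quoted analysis (weak digest, no public key, verifiable) can be reproduced locally. The following is an added example, not a script from the thread or from dak; it reads the digest name from the clearsign armor header of a .dsc, delegates the actual verification to the gpg binary with the debian-keyring keyrings, and maps the gpg status lines to the thread's categories. The keyring paths, the sample .dsc text and the sample gpg status output are constructed assumptions, and the "wrong key usage" category is not mapped because gpg reports it outside the status tokens handled here.

```python
"""Audit the OpenPGP signature on Debian .dsc files (added example).

A .dsc is a clearsigned OpenPGP message. The digest used for the signature
is announced in the armor "Hash:" header; a missing header means MD5
(RFC 4880 section 7). Verification is delegated to gpg, with the keyrings
shipped by the debian-keyring package (paths below are assumptions).
"""
import hashlib
import re
import shutil
import subprocess
from pathlib import Path

# Digests the thread counts as weak for .dsc signatures (MD5 added for the no-header case).
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}

# Assumed locations of the debian-keyring keyrings; adjust for your system.
DEBIAN_KEYRINGS = (
    "/usr/share/keyrings/debian-keyring.gpg",
    "/usr/share/keyrings/debian-maintainers.gpg",
    "/usr/share/keyrings/debian-nonupload.gpg",
)

_HASH_HEADER = re.compile(r"^Hash:\s*(.+?)\s*$", re.MULTILINE)


def armor_hash_algorithms(dsc_text: str) -> set[str]:
    """Digest names announced in the clearsign armor header.

    Only the header block between the BEGIN line and the first blank line is
    consulted, so a "Hash:" field inside the signed body cannot spoof it.
    The header may list several candidates; the digest actually used is the
    hash-algo field of gpg's VALIDSIG status line.
    """
    begin = dsc_text.find("-----BEGIN PGP SIGNED MESSAGE-----")
    if begin < 0:
        return set()  # not clearsigned at all
    header_end = dsc_text.find("\n\n", begin)
    header = dsc_text[begin:header_end if header_end >= 0 else len(dsc_text)]
    match = _HASH_HEADER.search(header)
    if not match:
        return {"MD5"}  # RFC 4880: absent Hash header means MD5
    return {h.strip().upper() for h in match.group(1).split(",") if h.strip()}


def classify_hash(algorithms: set[str]) -> str:
    """Thread category for the announced digest(s)."""
    if not algorithms:
        return "unsigned"
    weak = algorithms & WEAK_HASHES
    if weak:
        return "weak hash: " + ",".join(sorted(weak))
    return "ok"


def classify_status(status_output: str) -> str:
    """Map gpg --status-fd lines ("[GNUPG:] TOKEN ...") to a result category."""
    tokens = {line.split()[1] for line in status_output.splitlines()
              if line.startswith("[GNUPG:] ") and len(line.split()) > 1}
    if "GOODSIG" in tokens:
        return "verified"
    if "NO_PUBKEY" in tokens:
        return "no public key"
    if "BADSIG" in tokens:
        return "bad signature"
    if "EXPKEYSIG" in tokens or "REVKEYSIG" in tokens:
        return "expired or revoked key"
    if "ERRSIG" in tokens:
        return "verification error"
    return "unknown"


def verify_with_gpg(dsc_path: Path, keyrings=DEBIAN_KEYRINGS) -> str:
    """Verify the .dsc against the given keyrings only (needs gpg installed)."""
    if shutil.which("gpg") is None:
        return "gpg not installed"
    cmd = ["gpg", "--batch", "--no-default-keyring", "--status-fd", "1"]
    for keyring in keyrings:
        if Path(keyring).exists():
            cmd += ["--keyring", keyring]
    cmd += ["--verify", str(dsc_path)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify_status(proc.stdout)


def matches_sources_checksum(dsc_path: Path, expected_sha256: str) -> bool:
    """The trust path the thread recommends: compare the .dsc against the
    SHA256 listed for it in a Sources index covered by a signed InRelease."""
    return hashlib.sha256(dsc_path.read_bytes()).hexdigest() == expected_sha256.lower()


# Constructed sample: a .dsc header announcing a SHA-1 digest. The signature
# block is a placeholder and will not verify; it only exercises the parser.
SAMPLE_SHA1_DSC = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 3.0 (quilt)
Source: example
Checksums-Sha256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 example_1.0.orig.tar.gz
-----BEGIN PGP SIGNATURE-----

placeholder
-----END PGP SIGNATURE-----
"""

# Constructed sample of gpg status output for a signature from an unknown key.
SAMPLE_STATUS_NO_PUBKEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1700000000 9 -\n"
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"
)

if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        path = Path(arg)
        digest = classify_hash(armor_hash_algorithms(path.read_text(errors="replace")))
        print(f"{path.name}: digest={digest} signature={verify_with_gpg(path)}")
```

Run it as `python3 dsc_audit.py *.dsc` in a directory of source packages. Recent GnuPG releases may refuse SHA-1 signatures outright, in which case a SHA-1-signed .dsc from a known key shows up as a verification error rather than as a verified signature with a weak digest.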