Rene Engelhard <[email protected]> writes: > signing.cxx:1259:Assertion > Test name: testODFGoodGPG::TestBody > equality assertion failed > - Expected: 1 > - Actual : 2 > - 2 > > signing.cxx:1374:Assertion > Test name: testPreserveMacroTemplateSignature12_ODF::TestBody > equality assertion failed > - Expected: 1 > - Actual : 2 > - ./xmlsecurity/qa/unit/signing/signing.cxx:1401 > > Failures !!! > Run: 43 Failure total: 2 Failures: 2 Errors: 0
[..] > key material is > https://cgit.freedesktop.org/libreoffice/core/tree/test/signing-keys?h=libreoffice-25-2-3 Looking purely at the key material I see: teythoon@europ /tmp/core/test/signing-keys (git)-[libreoffice-25-2-3] % /bin/gpg --export | sq cert lint gpg: WARNING: unsafe permissions on homedir '/tmp/core/test/signing-keys' Certificate C468A04FCA526A9F is not valid under the standard policy: No binding signature at time 2025-04-14T07:40:22Z Certificate C468A04FCA526A9F contains a User ID (test key - only signing <[email protected]>) protected by SHA-1 Certificate 96BDBA932A7D4D05 is not valid under the standard policy: No binding signature at time 2025-04-14T07:40:22Z Certificate 96BDBA932A7D4D05 contains a User ID (test key - only for encryption <[email protected]>) protected by SHA-1 Certificate 96BDBA932A7D4D05, key C914B3CC9B60A3FB uses a SHA-1-protected binding signature. Examined 3 certificates. 0 certificates are invalid and were not linted. (GOOD) 3 certificates were linted. 2 of the 3 certificates (66%) have at least one issue. (BAD) 0 of the linted certificates were revoked. 0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD) 0 of the linted certificates were expired. 3 of the non-revoked linted certificates have at least one non-revoked User ID: 2 have at least one User ID protected by SHA-1. (BAD) 2 have all User IDs protected by SHA-1. (BAD) 2 of the non-revoked linted certificates have at least one non-revoked, live subkey: 1 has at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD) 0 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey: 0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD) Error: 2 certificates have at least one issue > Is that the explanation or is there some other incompatibility here? It is not incompatible, just that gpg-from-sq rejects weak hash algorithms. Note that the signature extracted from xmlsecurity/qa/unit/signing/data/goodGPG.odt is fine: % sq packet dump sig Signature Packet, old CTB, 380 bytes Version: 4 Type: Binary Pk algo: RSA Hash algo: SHA512 Hashed area: Signature creation time: 2017-12-06 12:04:15 UTC Notation: [email protected]: 93F7584031D9B74A57BB89DFC468A04FCA526A9F Unhashed area: Issuer: C468A04FCA526A9F Digest prefix: EFB3 Level: 0 (signature over data) Therefore, an easy way to recover is to fix the certificates: teythoon@europ /tmp/core/test/signing-keys (git)-[libreoffice-25-2-3] % /bin/gpg --export-secret-keys | sq cert lint --fix | /bin/gpg --import gpg: WARNING: unsafe permissions on homedir '/tmp/core/test/signing-keys' gpg: WARNING: unsafe permissions on homedir '/tmp/core/test/signing-keys' Certificate C468A04FCA526A9F is not valid under the standard policy: No binding signature at time 2025-04-14T07:57:29Z Certificate C468A04FCA526A9F contains a User ID (test key - only signing <[email protected]>) protected by SHA-1 Certificate 96BDBA932A7D4D05 is not valid under the standard policy: No binding signature at time 2025-04-14T07:57:29Z Certificate 96BDBA932A7D4D05 contains a User ID (test key - only for encryption <[email protected]>) protected by SHA-1 Certificate 96BDBA932A7D4D05, key C914B3CC9B60A3FB uses a SHA-1-protected binding signature. Examined 2 certificates. 0 certificates are invalid and were not linted. (GOOD) 2 certificates were linted. 2 of the 2 certificates (100%) have at least one issue. (BAD) 0 of the linted certificates were revoked. 0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD) 0 of the linted certificates were expired. 2 of the non-revoked linted certificates have at least one non-revoked User ID: 2 have at least one User ID protected by SHA-1. (BAD) 2 have all User IDs protected by SHA-1. (BAD) 1 of the non-revoked linted certificates has at least one non-revoked, live subkey: 1 has at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD) 0 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey: 0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD) gpg: key C468A04FCA526A9F: "test key - only signing <[email protected]>" 1 new signature gpg: key C468A04FCA526A9F: secret key imported gpg: key 96BDBA932A7D4D05: "test key - only for encryption <[email protected]>" 2 new signatures gpg: key 96BDBA932A7D4D05: secret key imported gpg: Total number processed: 2 gpg: new signatures: 3 gpg: secret keys read: 2 gpg: secret keys unchanged: 2 gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u teythoon@europ /tmp/core/test/signing-keys (git)-[libreoffice-25-2-3] % gpg-sq -k gpg: WARNING: unsafe permissions on homedir '/tmp/core/test/signing-keys' /tmp/core/test/signing-keys/pubring.cert.d ------------------------------------------ pub rsa2048 2017-05-30 [SC] 237167E1A762AE7096F1F72EAE8850B494DC4F32 uid [ unknown] <[email protected]> sub rsa2048 2017-05-30 [E] pub rsa2048 2017-12-06 [SC] 93F7584031D9B74A57BB89DFC468A04FCA526A9F uid [ultimate] test key - only signing <[email protected]> pub rsa2048 2018-01-11 [SC] BB87453F47FEBF396099210496BDBA932A7D4D05 uid [ultimate] test key - only for encryption <[email protected]> sub rsa2048 2018-01-11 [E] Please let me know if you have more questions, or what I can do to help! Best, Justus
signature.asc
Description: PGP signature
