Unable to verify llvm sources with the .sig files

I’m on an Arch Linux system:

$ uname -a
Linux wink-desktop 5.0.4-arch1-1-ARCH #1 SMP PREEMPT Sat Mar 23 21:00:33 UTC 2019 x86_64 GNU/Linux

My gpg version is:
$ gpg --version
gpg (GnuPG) 2.2.15
libgcrypt 1.8.4
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/wink/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

I went to http://releases.llvm.org/download.html and downloaded llvm-8.0.0:
http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz
http://releases.llvm.org/8.0.0/llvm-8.0.0.src.tar.xz.sig
http://releases.llvm.org/8.0.0/hans-gpg-key.asc

I tried to import hans-gpg-key.asc but got an error:

$ gpg --import hans-gpg-key.asc
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: key 0x0FC3042E345AD05D: 2 bad signatures
gpg: key 0x0FC3042E345AD05D: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg: w/o user IDs: 1

Searched around and found there is --allow-non-selfsigned-uid and
it appears to succeed:

$ gpg --import --allow-non-selfsigned-uid hans-gpg-key.asc
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: key 0x0FC3042E345AD05D: 2 bad signatures
gpg: key 0x0FC3042E345AD05D: accepted non self-signed user ID "Hans Wennborg <hans@chromium.org>"
gpg: key 0x0FC3042E345AD05D: public key "Hans Wennborg <hans@chromium.org>" imported
gpg: Total number processed: 1
gpg: imported: 1

But when I verify I get an error “SHA1 algorithm rejected”:

$ gpg --verify llvm-8.0.0.src.tar.xz.sig llvm-8.0.0.src.tar.xz
gpg: Signature made Mon 18 Mar 2019 06:32:17 AM PDT
gpg: using RSA key B6C8F98282B944E3B0D5C2530FC3042E345AD05D
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: Can't check signature: Bad public key

Have I done something wrong?

Is there an md5sum or some other HASH available so I could check the source manually?

– Wink

Hi Wink,

Sorry for the late reply. I didn't see your email until now.

It's the "Note: signatures using the SHA1 algorithm are rejected"
error that's the problem.

It seems your gpg version doesn't like the message digest that was
used for the self-signature on my public key. I think the signatures
on the tarballs themselves should be okay, but that doesn't help if
you can't import my key of course.

I've tried to create a new self-signature on my key. Can you try "gpg
--import" on the attached file and let me know if "gpg --verify" works
afterwards?

Thanks,
Hans

hans-gpg-key.asc (4.53 KB)
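A defensive way to run the check Hans describes, added here as an example and not part of the thread or of the LLVM release tooling: import the signer's key into a throwaway keyring, refuse to fall back to --allow-non-selfsigned-uid, and accept the tarball only when gpg's machine-readable status output names the expected signer fingerprint (the one gpg printed above). File names and paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies a release tarball against its detached
# .sig in a throwaway keyring and binds success to the expected signer fingerprint
# (the one gpg printed above), using gpg's machine-readable --status-fd lines instead
# of grepping human-readable output. File names/paths are assumptions.
EXPECTED_FPR="B6C8F98282B944E3B0D5C2530FC3042E345AD05D"

# Read "[GNUPG:] ..." status lines on stdin.
# Returns 0 only if a VALIDSIG names $1 as the (primary) signing key,
# 2 if gpg could not check the signature at all (the "Bad public key" case),
# 1 for a BADSIG or a signature by some other key.
check_status() {
  expected="$1"; status=1
  while read -r tag keyword rest; do
    [ "$tag" = "[GNUPG:]" ] || continue
    case "$keyword" in
      VALIDSIG)
        # <sig-fpr> <date> <ts> <exp-ts> <ver> <reserved> <pk-algo> <hash-algo> <class> <primary-fpr>
        set -- $rest
        primary="${10:-$1}"
        if [ "$primary" = "$expected" ]; then status=0
        else echo "signed by unexpected key $primary" >&2; status=1; fi ;;
      BADSIG) echo "BAD signature: $rest" >&2; return 1 ;;
      ERRSIG|NO_PUBKEY) echo "cannot check signature: $keyword $rest" >&2; return 2 ;;
    esac
  done
  return $status
}

# verify_release <tarball> <detached.sig> <signer-key.asc>
# Deliberately does not pass --allow-non-selfsigned-uid: as the thread shows, that
# only gets the key into the keyring while --verify still fails with "Bad public key".
verify_release() {
  GNUPGHOME=$(mktemp -d) || return 1
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --import "$3" 2>/dev/null || true
  if ! gpg --batch --with-colons --list-keys "$EXPECTED_FPR" >/dev/null 2>&1; then
    echo "key not usable by this gpg (rejected self-signature?); fetch a re-signed key" >&2
    rm -rf "$GNUPGHOME"; unset GNUPGHOME; return 2
  fi
  gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$EXPECTED_FPR"
  rc=$?
  rm -rf "$GNUPGHOME"; unset GNUPGHOME
  return $rc
}

if [ "$#" -eq 3 ]; then verify_release "$@"; fi
```

Run as `sh verify.sh llvm-8.0.0.src.tar.xz llvm-8.0.0.src.tar.xz.sig hans-gpg-key.asc`; exit status 2 distinguishes "this gpg cannot use the key" from a genuinely bad signature (1).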

With the new signature file I was able to verify, but there was
still a bad signature: “gpg: key 0x0FC3042E345AD05D: 1 bad signature”
which I highlighted below. Didn’t seem to be a problem, but thought
I’d point it out. I’d be glad to do additional tests if you’d like.

$ gpg --list-keys
/home/wink/.gnupg/pubring.kbx

Hi Wink,

The one bad signature warning you got is for my old sub-key used for
encryption. It doesn't matter that it's not imported since it's not
used anymore, and was never used to sign llvm releases.

I've updated my key on the key server and on the release page.

Thanks for checking!

- Hans

SG, in transit now, will try to validate later today or tomorrow.

Note: IIRC, tstellar-gpg-key.asc for 7.0.1 had similar problems. Maybe you could inform all master key holders to check/update their keys too.

I was able to import both yours (hans-gpg-key.asc) and Tom’s (tstellar-gpg-key.asc) signatures from the Download page and was able to use gpg --verify on llvm-8.0.0 and llvm-7.0.1.