Acknowledgement sent to Guillem Jover <[email protected]>:
New Bug report received and forwarded. Copy sent to Debian FTP Master <[email protected]>. (Thu, 20 Mar 2025 08:39:02 GMT)
Subject: ftp.debian.org: Accepts signatures from weak OpenPGP certificates
Date: Thu, 20 Mar 2025 09:35:19 +0100
Package: ftp.debian.org
Severity: serious
Hi!
While going over the SHA-1 issues in the keyrings [K], I then realized
that, for some of those cases which will not validate signatures with
dupload, dpkg-source or dscverify, for example (and after checking some
specific cases from keyring.debian.org, in case there was a newer fixed
certificate in there), dak does not seem to be rejecting signatures
from those certificates, even though SHA-1 was intended to be disallowed
for uploads, as announced some time ago [A].
[K] https://lists.debian.org/debian-devel/2025/03/msg00477.html
[A] https://lists.debian.org/debian-devel-announce/2017/02/msg00007.html
I think the main reason is that the gpg verification invocations are not
done with something like «--weak-digest SHA1 --weak-digest RIPEMD160».
I have set the severity to serious as this seems like a security issue,
but of course feel free to lower it if you disagree.
Thanks,
Guillem
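The following script is an added example, not code from the bug report, dak or dpkg. It reproduces the gap the report describes with a throw-away key: a small file is detached-signed with SHA-1 as the signature digest, then verified twice, once with a bare `gpg --verify` and once with the `--weak-digest SHA1 --weak-digest RIPEMD160` flags the report suggests. It assumes GnuPG 2.1 or newer on PATH; the key, user ID, file contents and the `demo.dsc` name are constructed for the demonstration and everything lives in a temporary GNUPGHOME that is removed afterwards.

```shell
#!/bin/sh
# Added example (not from the bug report, dak or dpkg): show that gpg accepts
# a SHA-1 data signature unless the verifier passes --weak-digest SHA1.
# Assumes GnuPG >= 2.1 on PATH; key, user ID and payload are constructed.
set -eu

# Create an ephemeral, passphrase-less, signing-only RSA key in $GNUPGHOME.
make_demo_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'weak-digest demo <demo@example.invalid>' \
      rsa2048 sign never
}

# Write a small constructed payload and detach-sign it, forcing SHA-1 as the
# signature digest (what an old certificate/preference set would produce).
make_sha1_signature() {
  dir=$1
  printf 'Format: 3.0 (quilt)\nSource: demo\n' > "$dir/demo.dsc"
  gpg --batch --quiet --digest-algo SHA1 --detach-sign \
      --output "$dir/demo.dsc.sig" "$dir/demo.dsc"
}

# Verify the detached signature. $1 is "lenient" (plain --verify) or "strict"
# (with the --weak-digest flags). Prints ACCEPT or REJECT from gpg's exit
# status: 0 for a good signature, non-zero when the digest is refused.
verify_sig() {
  mode=$1
  dir=$2
  set -- --batch --quiet
  if [ "$mode" = strict ]; then
    set -- "$@" --weak-digest SHA1 --weak-digest RIPEMD160
  fi
  if gpg "$@" --verify "$dir/demo.dsc.sig" "$dir/demo.dsc" >/dev/null 2>&1; then
    echo ACCEPT
  else
    echo REJECT
  fi
}

# Run the whole demonstration inside a private GNUPGHOME. Returns 0 when the
# lenient invocation accepts the SHA-1 signature and the strict one rejects
# it, 77 when gpg is not installed (skip), 1 otherwise.
run_demo() {
  command -v gpg >/dev/null 2>&1 || { echo 'gpg not found, skipping' >&2; return 77; }
  GNUPGHOME=$(mktemp -d)
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  make_demo_key
  make_sha1_signature "$GNUPGHOME"
  lenient=$(verify_sig lenient "$GNUPGHOME")
  strict=$(verify_sig strict "$GNUPGHOME")
  echo "plain --verify:                   $lenient"
  echo "--weak-digest SHA1/RIPEMD160:     $strict"
  # Drop the throw-away agent and keyring so nothing leaks into the user's setup.
  gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$GNUPGHOME"
  unset GNUPGHOME
  [ "$lenient" = ACCEPT ] && [ "$strict" = REJECT ]
}
```

Source the file and call `run_demo` (for example `. ./weak-digest-demo.sh && run_demo`, where the file name is just a suggestion). The point the output makes is the one in the report: by default gpg only treats MD5 as a weak digest for signature verification, so a SHA-1 signature verifies cleanly unless the verifying invocation (or the verifier's gpg.conf) explicitly adds SHA1, and RIPEMD160, to the weak-digest list. The flag changes nothing about the signature itself; it only changes which digests this verifier refuses, so it has to be present on every gpg call that acts as an acceptance check.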