SHA1 Key signature warnings in Debian build for releases 3.x #979
Comments
I'll look into this.
Eric F Crist
From: Lance Lin ***@***.***>
Sent: Wednesday, July 12, 2023 11:53:03 AM
To: OpenVPN/easy-rsa ***@***.***>
Cc: Subscribed ***@***.***>
Subject: [OpenVPN/easy-rsa] Key signature warnings in Debian build for release 3.1.5 (Issue #979)
I am the Debian maintainer for easy-rsa. While building the latest release, I received the following output:
dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: verifying ./easy-rsa_3.1.5.orig.tar.gz.asc
gpgv: Signature made Sat 10 Jun 2023 08:58:15 PM +07
gpgv: using RSA key C8FCA3E7F787072CDEB91D2F72964219390D0D0E
gpgv: Note: signatures using the SHA1 algorithm are rejected
gpgv: WARNING: signing subkey 72964219390D0D0E has an invalid cross-certification
gpgv: Can't check signature: General error
dpkg-source: warning: cannot verify upstream tarball signature for ./easy-rsa_3.1.5.orig.tar.gz: no acceptable signature found
I took the latest public key from here<https://github.com/OpenVPN/easy-rsa/tree/master/release-keys> and the .tgz and .tgz.sig from here<https://github.com/OpenVPN/easy-rsa/releases/tag/v3.1.5>.
Could you look into the issues with cross-certification and SHA1?
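As an added illustration of what gpgv is checking in the log above (this is example code, not part of easy-rsa or GnuPG), the Python script below parses an OpenPGP v4 signature packet, binary `.sig` or ASCII-armored `.asc`, and reports the digest algorithm, the issuer key ID and the creation time, flagging MD5 and SHA1 the way current gpgv refuses them. The sample signatures it builds are constructed test data: the key ID is made up and the RSA MPI is dummy bytes; only the timestamp is set to the signing time shown in the gpgv output. The cross-certification warning is a separate property of the key itself (the subkey binding signature must carry a back-signature made by the subkey), which this script does not check.

```python
"""Parse an OpenPGP v4 signature packet and flag weak digests (added example)."""
from __future__ import annotations
import base64
import struct
from dataclasses import dataclass

# Algorithm ids from RFC 4880, section 9.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 3: "RSA (sign-only)", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
WEAK_HASH_IDS = {1, 2}  # MD5 and SHA1: current gpgv refuses signatures made with these

@dataclass
class SigInfo:
    sig_type: int
    pubkey_algo: str
    hash_algo_id: int
    hash_algo: str
    issuer_key_id: str | None  # hex, from an Issuer (type 16) subpacket
    created: int | None        # epoch seconds, from a Signature Creation Time (type 2) subpacket

    def weak_digest(self) -> bool:
        return self.hash_algo_id in WEAK_HASH_IDS

def dearmor(text: str) -> bytes:
    """Decode a radix-64 armored block; armor headers and the CRC24 line are skipped."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an armored OpenPGP block")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END"):
            break
        if not in_body:
            in_body = line.strip() == ""  # armor headers end at the first blank line
            continue
        if not line.startswith("="):      # "=XXXX" is the CRC24 trailer
            body.append(line.strip())
    return base64.b64decode("".join(body))

def read_packet(data: bytes) -> tuple[int, bytes]:
    """Parse the first packet header (old or new format) and return (tag, body)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:  # new-format header
        tag, ln = first & 0x3F, data[1]
        if ln < 192:
            length, hdr = ln, 2
        elif ln < 224:
            length, hdr = ((ln - 192) << 8) + data[2] + 192, 3
        elif ln == 255:
            length, hdr = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not handled")
    else:             # old-format header: tag in bits 2-5, length type in bits 0-1
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length is not handled")
        hdr = (2, 3, 5)[ltype]                       # 1-, 2- or 4-byte length field
        length = int.from_bytes(data[1:hdr], "big")
    return tag, data[hdr:hdr + length]

def subpackets(area: bytes):
    """Yield (type, payload) for each subpacket in a hashed or unhashed area."""
    i = 0
    while i < len(area):
        ln = area[i]
        if ln < 192:
            length, n = ln, 1
        elif ln < 255:
            length, n = ((ln - 192) << 8) + area[i + 1] + 192, 2
        else:
            length, n = struct.unpack(">I", area[i + 1:i + 5])[0], 5
        i += n
        yield area[i] & 0x7F, area[i + 1:i + length]  # bit 7 of the type is the "critical" flag
        i += length

def parse_signature(raw: bytes | str) -> SigInfo:
    """Parse a v4 signature packet from binary (.sig) or armored (.asc) input."""
    data = dearmor(raw) if isinstance(raw, str) else raw
    tag, body = read_packet(data)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    if body[0] != 4:
        raise ValueError(f"only v4 signatures are handled, got v{body[0]}")
    sig_type, pk_id, hash_id = body[1], body[2], body[3]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    issuer = created = None
    for sp_type, payload in list(subpackets(hashed)) + list(subpackets(unhashed)):
        if sp_type == 16 and issuer is None:
            issuer = payload.hex().upper()
        elif sp_type == 2 and created is None:
            created = struct.unpack(">I", payload)[0]
    return SigInfo(sig_type, PUBKEY_ALGOS.get(pk_id, f"algo {pk_id}"),
                   hash_id, HASH_ALGOS.get(hash_id, f"algo {hash_id}"), issuer, created)

def build_sample_signature(hash_id: int, issuer: bytes, created: int) -> bytes:
    """Constructed test data: a well-formed v4 RSA signature packet whose MPI is dummy bytes."""
    hashed = bytes([5, 2]) + struct.pack(">I", created)   # length 5, type 2: creation time
    unhashed = bytes([9, 16]) + issuer                     # length 9, type 16: issuer key ID
    body = (bytes([4, 0x00, 1, hash_id])                   # v4, binary-document sig, RSA, digest id
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x12\x34"                                  # left 16 bits of the digest (dummy)
            + struct.pack(">H", 16) + b"\xab\xcd")         # one 16-bit MPI (dummy)
    return bytes([0x88, len(body)]) + body                 # old-format header: tag 2, 1-byte length

# Constructed samples: the key ID is made up; the timestamp equals the signing time in the gpgv log above.
SAMPLE_ISSUER = bytes.fromhex("0123456789ABCDEF")
SAMPLE_SHA1_SIG = build_sample_signature(2, SAMPLE_ISSUER, 1686405495)
SAMPLE_SHA512_SIG = build_sample_signature(10, SAMPLE_ISSUER, 1686405495)
SAMPLE_ARMORED = ("-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(SAMPLE_SHA1_SIG).decode()
                  + "\n=AAAA\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for sample in (SAMPLE_SHA1_SIG, SAMPLE_SHA512_SIG, SAMPLE_ARMORED):
        info = parse_signature(sample)
        verdict = "rejected: weak digest" if info.weak_digest() else "digest acceptable"
        print(f"{info.pubkey_algo} key {info.issuer_key_id} at {info.created} using {info.hash_algo}: {verdict}")
```

To inspect a real detached signature, pass `open("file.asc").read()` for armored input or `open("file.sig", "rb").read()` for binary. A SHA1 verdict is a signer-side problem: the release has to be re-signed with a SHA-2 digest (GnuPG's `--digest-algo` or `personal-digest-preferences` settings); downstream cannot repair it. The cross-certification warning is likewise fixed by the key owner, with `gpg --edit-key <KEYID> cross-certify` followed by republishing the key, where `<KEYID>` is the signing key.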
Release 3.1.5, replaced by 3.1.6 and 3.1.7, without complaint.
Please reopen, since this is still an issue:
@ecrist are you willing to upgrade your key yet?
FTR: While there was some reconfiguration under the hood, the main difference between Easy-RSA Easy-RSA Easy-RSA Easy-RSA
Could we maybe get a new version in the Debian repos?

$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ apt-cache showpkg easy-rsa
Package: easy-rsa
Versions:
3.1.0-1 (/var/lib/apt/lists/deb.debian.org_debian_dists_bookworm_main_binary-amd64_Packages) (/var/lib/dpkg/status)
Description Language:
File: /var/lib/apt/lists/deb.debian.org_debian_dists_bookworm_main_binary-amd64_Packages
MD5: 30ef8db774064b75fc32b3b7baedeb03
Description Language: en
File: /var/lib/apt/lists/deb.debian.org_debian_dists_bookworm_main_i18n_Translation-en
MD5: 30ef8db774064b75fc32b3b7baedeb03
Reverse Depends:
fbx-all,easy-rsa
openvpn,easy-rsa
Dependencies:
3.1.0-1 - openssl (0 (null)) opensc (0 (null))
Provides:
3.1.0-1 -
Reverse Provides:
$ /usr/share/easy-rsa/easyrsa --version
EasyRSA Version Information
Version: 3.1.0
Generated: Wed May 18 20:53:50 CDT 2022
SSL Lib: OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
Git Commit: 1600b3fe9bd71e229b8648cd24206c55917b2f9b
Source Repo: https://github.com/OpenVPN/easy-rsa

easy-rsa 3.2.0-1 is available in Debian's unstable and testing distributions. Here is documentation on choosing a Debian distribution to have packages from.

Can I use Sid packages on "stable"? I should have phrased my comment differently 😉 Is it possible to promote a version greater than 3.1.0 from unstable to stable?

It is possible to backport new features to stable, but I want to avoid doing that since openssl is a dependency of easy-rsa. Backporting easy-rsa without a backported openssl would most likely lead to instabilities.

EasyRSA is tested against

I would rather volunteer my time doing other things than backporting in Debian, but any Debian Developer should be able to backport in my place. While it is not recommended in Debian to install packages from testing or unstable, it is an option for users.
https://wiki.debian.org/DebianReleases/PointReleases
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Currently, the easy-rsa project does not closely adhere to Semantic versioning: patch releases add/change/remove functionality, for example:

As it is now, the easy-rsa version is frozen in stable: every two years we get a new version via a Debian release, and the version in a specific release is frozen for its 3 (5 LTS) year lifecycle.
https://github.com/OpenVPN/easy-rsa/releases/tag/v3.2.0
https://tracker.debian.org/pkg/easy-rsa/news/?page=1

Is it correct that 3.2.0 is already in Debian? If Debian were to cut its trixie release today, it would bake in this version for the upcoming 3-5 years.

I strongly advise that Debian does not pick up EasyRSA v3.2.0. It would be much better long-term to pick v3.2.1, upon its release - September 2024. If that is not possible then Debian should use EasyRSA v3.1.7.

It usually takes 2-5 days for packages to migrate from unstable to testing. Debian's tracker pages for packages help to see the status of a package in Debian. No bugs have been reported so far for easy-rsa 3.2.0-1 in Debian testing or unstable, so there should be no issue having this version. With a planned release for September 2024, I can easily package easy-rsa 3.2.1-1 before the next stable Debian release. Importing upstream versions earlier to unstable and testing helps test for longer so that bugs can be resolved as they appear. If a bug is serious enough to downstream to Debian, I would be happy to apply a patch before the next upstream release.

That is excellent news. EasyRSA v3.2.1 is intended to be a long term stable release.