On Tue, 2020-12-29 at 13:15 +0100, Ansgar wrote:
> gpg --check-sigs seems to trust digest algs depending on what digest
> algs were trusted when the key was imported:
>
> I have `weak-digest SHA1` and `weak-digest RIPEMD160` in my gpg.conf
> and observed this behavior:

As a further observation, this doesn't happen when the key was
retrieved by `--recv-keys`:

+---
| $ gpg --keyserver-options no-self-sigs-only --keyserver keyserver.ubuntu.com --recv-keys
| B1AEA6F29103A00A4D5212A15B3C275D60BF72BE
| gpg: Note: signatures using the SHA1 algorithm are rejected
| gpg: key 0x5B3C275D60BF72BE: 2 signatures not checked due to missing keys
| gpg: key 0x5B3C275D60BF72BE: 4 bad signatures
| gpg: key 0x5B3C275D60BF72BE: public key "[...]" imported
| gpg: marginals needed: 3  completes needed: 1  trust model: pgp
| gpg: depth: 0  valid:   1  signed:   5  trust: 0-, 0q, 0n, 0m, 0f, 1u
| gpg: depth: 1  valid:   5  signed:   7  trust: 0-, 1q, 2n, 0m, 2f, 0u
| gpg: depth: 2  valid:   7  signed:   2  trust: 0-, 0q, 4n, 2m, 1f, 0u
| gpg: depth: 3  valid:   1  signed:   2  trust: 0-, 0q, 0n, 1m, 0f, 0u
| gpg: next trustdb check due at 2021-03-20
| gpg: Total number processed: 1
| gpg:               imported: 1
| $ gpg --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 0x5B3C275D60BF72BE
| gpg: Note: signatures using the SHA1 algorithm are rejected
| pub   rsa4096/0x5B3C275D60BF72BE 2013-02-24 [SC] [expires: 2025-02-23]
|       B1AEA6F29103A00A4D5212A15B3C275D60BF72BE
| uid                   [ unknown] [...]
| sig!3        0x5B3C275D60BF72BE 2020-07-16  [...]
| sig!2        0x69F2FC516EA71993 2020-08-05  [...]
| uid                   [ unknown] [...]
| sig!3        0x5B3C275D60BF72BE 2020-02-21  [...]
| sig%3        0x5B3C275D60BF72BE 2018-02-23  [Invalid digest algorithm]
| sig%3        0x5B3C275D60BF72BE 2013-02-24  [Invalid digest algorithm]
| sig!2        0x69F2FC516EA71993 2020-08-05  [...]
| sub   rsa4096/0xD1660B54B5E3F109 2013-02-24 [E] [expires: 2025-02-23]
| sig!         0x5B3C275D60BF72BE 2020-02-21  [...]
|
| gpg: 5 good signatures
| gpg: 2 signatures not checked due to errors
+---

Signature rejected as expected.

+---
| $ gpg --allow-weak-digest-algos --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs 0x5B3C275D60BF72BE
| pub   rsa4096/0x5B3C275D60BF72BE 2013-02-24 [SC] [expires: 2025-02-23]
|       B1AEA6F29103A00A4D5212A15B3C275D60BF72BE
| uid                   [ unknown] [...]
| sig!3        0x5B3C275D60BF72BE 2020-07-16  [...]
| sig!2        0x69F2FC516EA71993 2020-08-05  [...]
| uid                   [ unknown] [...]
| sig!3        0x5B3C275D60BF72BE 2020-02-21  [...]
| sig!3        0x5B3C275D60BF72BE 2018-02-23  [...]
| sig!3        0x5B3C275D60BF72BE 2013-02-24  [...]
| sig!2        0x69F2FC516EA71993 2020-08-05  [...]
| sub   rsa4096/0xD1660B54B5E3F109 2013-02-24 [E] [expires: 2025-02-23]
| sig!         0x5B3C275D60BF72BE 2020-02-21  [...]
|
| gpg: 7 good signatures
+---

And `--allow-weak-digest-algos` passed to the `--check-sigs` call shows
the signatures as valid, as I would expect, which didn't happen when
the key was imported using `--import`.

Ansgar
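An added example, not part of Ansgar's message or of GnuPG: a small Python script that parses the human-readable `--check-sigs` output shown above and reports which certifications are rejected under a strict `weak-digest` policy but accepted once `--allow-weak-digest-algos` is passed. The two embedded outputs are constructed excerpts modelled on the thread (key IDs and dates as quoted, uids elided as in the mail); the `digest_dependent` helper and the `Sig` record are this example's own names. Parsing the human-readable listing is convenient for a quick audit but brittle; for anything scripted, gpg's `--with-colons` output is the stable, machine-readable interface.

```python
"""Parse human-readable `gpg --check-sigs` output and spot signatures whose
validity depends on the weak-digest policy (added example, not from the thread)."""
import re
from dataclasses import dataclass

# One signature line: "sig" + status (! good, - bad, % error, ? unchecked)
# + optional certification class digit, then key ID, date and the rest of the line.
SIG_RE = re.compile(
    r"^sig(?P<status>[!\-%?])(?P<cls>[0-3]?)\s+"
    r"(?P<keyid>(?:0x)?[0-9A-Fa-f]{8,16})\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s*(?P<rest>.*)$"
)
STATUS = {"!": "good", "-": "bad", "%": "error", "?": "unchecked"}


@dataclass(frozen=True)
class Sig:
    status: str   # good / bad / error / unchecked
    cls: str      # certification class ("" for subkey binding signatures)
    keyid: str
    date: str
    rest: str     # uid or error annotation, e.g. "[Invalid digest algorithm]"


def parse_check_sigs(text):
    """Return the Sig records found in --check-sigs output.
    A leading '|' quote marker, as used when output is pasted into mail, is tolerated."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("|"):
            line = line[1:].strip()
        m = SIG_RE.match(line)
        if m:
            sigs.append(Sig(STATUS[m["status"]], m["cls"], m["keyid"],
                            m["date"], m["rest"].strip()))
    return sigs


def summarize(sigs):
    """Count signatures per status; should agree with gpg's own 'N good signatures' line."""
    counts = {}
    for s in sigs:
        counts[s.status] = counts.get(s.status, 0) + 1
    return counts


def weak_digest_rejections(sigs):
    """Signatures gpg refused to check because their digest algorithm is disallowed."""
    return [s for s in sigs
            if s.status == "error" and "invalid digest algorithm" in s.rest.lower()]


def digest_dependent(strict_sigs, permissive_sigs):
    """(keyid, date) pairs rejected for a weak digest in the strict run but good in
    the permissive run: certifications whose validity rests only on a weak digest."""
    good_permissive = {(s.keyid, s.date) for s in permissive_sigs if s.status == "good"}
    rejected = {(s.keyid, s.date) for s in weak_digest_rejections(strict_sigs)}
    return sorted(rejected & good_permissive)


# Constructed excerpts modelled on the output quoted in the thread (uids elided as in the mail).
STRICT_OUTPUT = """\
gpg: Note: signatures using the SHA1 algorithm are rejected
pub   rsa4096/0x5B3C275D60BF72BE 2013-02-24 [SC] [expires: 2025-02-23]
      B1AEA6F29103A00A4D5212A15B3C275D60BF72BE
uid                   [ unknown] [...]
sig!3        0x5B3C275D60BF72BE 2020-07-16  [...]
sig!2        0x69F2FC516EA71993 2020-08-05  [...]
uid                   [ unknown] [...]
sig!3        0x5B3C275D60BF72BE 2020-02-21  [...]
sig%3        0x5B3C275D60BF72BE 2018-02-23  [Invalid digest algorithm]
sig%3        0x5B3C275D60BF72BE 2013-02-24  [Invalid digest algorithm]
sig!2        0x69F2FC516EA71993 2020-08-05  [...]
sub   rsa4096/0xD1660B54B5E3F109 2013-02-24 [E] [expires: 2025-02-23]
sig!         0x5B3C275D60BF72BE 2020-02-21  [...]
"""
# Same listing as gpg prints it with --allow-weak-digest-algos: the two rejected
# self-signatures become good.
PERMISSIVE_OUTPUT = (STRICT_OUTPUT.replace("sig%3", "sig!3")
                     .replace("[Invalid digest algorithm]", "[...]"))

if __name__ == "__main__":
    strict = parse_check_sigs(STRICT_OUTPUT)
    permissive = parse_check_sigs(PERMISSIVE_OUTPUT)
    print("strict policy:", summarize(strict))
    print("with --allow-weak-digest-algos:", summarize(permissive))
    for keyid, date in digest_dependent(strict, permissive):
        print(f"signature by {keyid} dated {date} is only valid via a weak digest")
```

Run against real output, feed the two listings from `gpg --check-sigs` with and without `--allow-weak-digest-algos` into `parse_check_sigs`; the pairs returned by `digest_dependent` are the certifications (here the two older SHA1 self-signatures) that a trust decision should not rely on.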