`gpg: bad data signature` when verifying SHASUMS256.txt for v10.13.0

[fagerbua]

• v10.3.0:
• Darwin Kernel Version 17.7.0: Thu Jun 21 22:53:14 PDT 2018; root:xnu-4570.71.2~1/RELEASE_X86_64 x86_64:

Having imported the keys as described at https://github.com/nodejs/node#release-keys, I get the following not-completely-reassuring output when verifying SHASUMS256.txt:

$> grep node-v10.13.0-linux.x64.tar.xz SHASUMS256.txt | gsha256sum -c -
node-v10.13.0-linux-x64.tar.xz: OK
$> gpg --verify SHASUMS256.txt.sig SHASUMS256.txt
gpg: Signature made Tue Oct 30 09:45:52 2018 CET
gpg:                using RSA key 0EFFE1BCEFD9C84E3D098152933B01F40B5CA946
gpg: bad data signature from key DEA16371974031A5: Wrong key usage (0x19, 0x2)
gpg: bad data signature from key DEA16371974031A5: Wrong key usage (0x19, 0x2)
gpg: Good signature from "Myles Borins <myles.borins@gmail.com>" [unknown]
gpg:                 aka "Myles Borins <mborins@google.com>" [unknown]
gpg:                 aka "Myles Borins <mylesborins@google.com>" [unknown]
gpg:                 aka "Myles Borins (Not used after January 2017) <mborins@us.ibm.com>" [unknown]
gpg: bad data signature from key DEA16371974031A5: Wrong key usage (0x19, 0x2)
gpg: bad data signature from key DEA16371974031A5: Wrong key usage (0x19, 0x2)
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4F0 DFFF 4E8C 1A82 3640  9D08 E73B C641 CC11 F4C8
     Subkey fingerprint: 0EFF E1BC EFD9 C84E 3D09  8152 933B 01F4 0B5C A946

This seems to be the same problem as reported in this question on the Unix StackExchange.

I'm not sure what to make of this. If this is expected, I think it ought to be mentioned in the README file.

[addaleax]

/cc @nodejs/release @MylesBorins

[MylesBorins]

This is not expected. I can verify that I did indeed sign that file. Will dig in right now to find out what went wrong with the signature itself

[MylesBorins]

I've revoked an old subkey that was used for encryption that appears to have be improperly signed. That fixes that error bad data signature from key DEA16371974031A5: Wrong key usage (0x19, 0x2)... you should be able to refresh my public key and get that fixed. Digging into the not certified bit

[MylesBorins]

I've now updated the trust to my subkeys as absolute and ensured that everything is cross-certified. You will no longer see the bad signature error (that was an artifact unrelated to the signature), but you will continue to see the trust warning unless you trust someone within my network of trust.

[fagerbua]

Thanks for looking into this and confirming that the signature is valid!

For what it's worth, I still get the 'bad data signature' error (exactly the same as in my original report) after running gpg --keyserver pool.sks-keyservers.net --refresh-keys. Is there anything else I need to do?

[MylesBorins]

perhaps try deleting my key from your keychain and reimporting?

[fagerbua]

Thanks for the suggestion, but it doesn't help in my case:

$> gpg --delete-keys CC11F4C8
gpg (GnuPG/MacGPG2) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: bad data signature from key DEA16371974031A5: Wrong key usage (0x19, 0x2)
pub  rsa4096/E73BC641CC11F4C8 2016-01-12 Myles Borins <myles.borins@gmail.com>

Delete this key from the keyring? (y/N) y
$>  gpg --keyserver pool.sks-keyservers.net --recv-keys C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8
gpg: key E73BC641CC11F4C8: 12 signatures not checked due to missing keys
gpg: bad data signature from key DEA16371974031A5: Wrong key usage (0x19, 0x2)
gpg: key E73BC641CC11F4C8: public key "Myles Borins <myles.borins@gmail.com>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: bad data signature from key 8975BA8B6100C6B1: Wrong key usage (0x19, 0x2)
gpg: bad data signature from key DEA16371974031A5: Wrong key usage (0x19, 0x2)
gpg: depth: 0  valid:  25  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 25u
gpg: next trustdb check due at 2018-11-23
gpg: Total number processed: 1
gpg:               imported: 1

Also tried

$> gpg --delete-keys DEA16371974031A5
gpg (GnuPG/MacGPG2) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: bad data signature from key DEA16371974031A5: Wrong key usage (0x19, 0x2)
pub  rsa4096/E73BC641CC11F4C8 2016-01-12 Myles Borins <myles.borins@gmail.com>

Delete this key from the keyring? (y/N) y

$> gpg --keyserver pool.sks-keyservers.net --recv-keys C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8
gpg: key E73BC641CC11F4C8: 12 signatures not checked due to missing keys
gpg: bad data signature from key DEA16371974031A5: Wrong key usage (0x19, 0x2)
gpg: key E73BC641CC11F4C8: public key "Myles Borins <myles.borins@gmail.com>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: bad data signature from key DEA16371974031A5: Wrong key usage (0x19, 0x2)
gpg: depth: 0  valid:  25  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 25u
gpg: next trustdb check due at 2018-11-23
gpg: Total number processed: 1
gpg:               imported: 1

[Trott]

@MylesBorins @fagerbua Any new information on this? Still an issue and unresolved? Or...

[fagerbua]

@Trott I'm getting the same error as reported in my last post.

[MattRiches]

Also getting this

[Trott]

@nodejs/releasers @MylesBorins Any ideas for next steps?

[MylesBorins]

@Trott the issue is that my encryption key which has been pushed up to the key server was incorrectly signed when it was created. I am having a lot of trouble figuring out how to fix this, and it seems like the solution may actually be replacing my key altogether, which I haven't had time to do yet, we should keep this open for now

[MylesBorins]

Took another stab at it. Ended up changing the authority of my subkey to allow for signing... since it is now revoked / expired there is nothing out there that should be singed by it that would be an issue.

Can you try pulling my subkey from the public key registry again

[fagerbua]

This looks better now.

$> gpg --delete-keys CC11F4C8
gpg (GnuPG/MacGPG2) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: bad data signature from key DEA16371974031A5: Wrong key usage (0x19, 0x2)
pub  rsa4096/E73BC641CC11F4C8 2016-01-12 Myles Borins <myles.borins@gmail.com>

Delete this key from the keyring? (y/N) y
$> gpg --keyserver pool.sks-keyservers.net --recv-keys C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8
gpg: key E73BC641CC11F4C8: 12 signatures not checked due to missing keys
gpg: key E73BC641CC11F4C8: public key "Myles Borins <myles.borins@gmail.com>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:  25  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 25u
gpg: next trustdb check due at 2018-11-23
gpg: Total number processed: 1
gpg:               imported: 1
$> gpg --verify SHASUMS256.txt.sig SHASUMS256.txt
gpg: Signature made Tue Oct 30 09:45:52 2018 CET
gpg:                using RSA key 0EFFE1BCEFD9C84E3D098152933B01F40B5CA946
gpg: Good signature from "Myles Borins <myles.borins@gmail.com>" [unknown]
gpg:                 aka "Myles Borins <mborins@google.com>" [unknown]
gpg:                 aka "Myles Borins <mylesborins@google.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4F0 DFFF 4E8C 1A82 3640  9D08 E73B C641 CC11 F4C8
     Subkey fingerprint: 0EFF E1BC EFD9 C84E 3D09  8152 933B 01F4 0B5C A946

I presume the trust warnings are because I'm not within Myles' network of trust. Feel free to close the issue as far as I'm concerned.