May 30, 2023
sq inspect can be used to identify problems with certificates:
$ gpg --export 0x7C34B4E14CE4F655 | sq inspect
-: OpenPGP Certificate.
Fingerprint: 1745 1D0F BB5E 88F4 0AC0 08F6 7C34 B4E1 4CE4 F655
Invalid: No binding signature at time 2020-11-18T22:41:24Z
Public-key algo: DSA (Digital Signature Algorithm)
Public-key size: 1024 bits
Creation time: 2001-08-03 17:34:53 UTC
UserID: Phil Pennock [censored email address in this list post]
Invalid: Policy rejected non-revocation signature (PositiveCertification)
because: SHA1 is not considered secure since 2013-01-01T00:00:00Z
Bad Signature: [ snip long error which doesn't matter here ]
To associate a User ID or a subkey with a certificate, the certificate's primary key signs it. This signature is called a binding signature, because it binds the User ID or subkey to the certificate. It prevents an attacker from adding their own User ID or subkey to your certificate. Before Sequoia uses a User ID or subkey, it checks that there is a valid binding signature. Besides being forged, a binding signature may also be invalid because it has expired or because it was made with weak cryptography (for example, a SHA-1 hash, as in the output above).
Possible reasons why the binding signature verification check fails:
- The signature expired. Retrieving the certificate again may update it with more recent binding signatures that are still fresh.
- The signature algorithm is weak (e.g. SHA-1). The signer needs to re-create the signature using a stronger algorithm.
Possible solutions:
- Use sq-keyring-linter to check and fix the certificate.
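The two rejection reasons listed above can be reproduced with a small parser for the relevant part of the OpenPGP packet format. The following Python is an added example, not Sequoia's code and not sq-keyring-linter: it builds a constructed packet stream (a User ID packet plus three v4 signature packets with dummy MPIs, so no real signature is verified), reads the hash algorithm and the creation/expiration subpackets of each signature, and applies a policy modelled on the inspect output above (SHA-1 rejected from 2013-01-01, assumed cut-off) at the reference time 2020-11-18T22:41:24Z from that output. Only new-format packets with one-octet lengths are handled; everything else Sequoia checks (the signature itself, revocations, key flags) is out of scope.

```python
import struct
from datetime import datetime, timedelta, timezone

# Minimal RFC 4880 v4 signature-packet handling (added example, not Sequoia's code).
SIG_TAG, USERID_TAG = 2, 13
HASH_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
SIG_TYPE_NAMES = {0x10: "GenericCertification", 0x13: "PositiveCertification",
                  0x18: "SubkeyBinding"}
SUBPKT_CREATION, SUBPKT_EXPIRATION = 2, 3   # signature creation / expiration time

# Policy mirrored from the sq inspect message above (assumed cut-off date).
SHA1_CUTOFF = datetime(2013, 1, 1, tzinfo=timezone.utc)
# Reference time taken from the inspect output above.
REFERENCE_TIME = datetime(2020, 11, 18, 22, 41, 24, tzinfo=timezone.utc)


def ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sig_packet(sig_type, hash_algo, created, expires_in=None):
    """Build a v4 signature packet with a new-format header and a dummy MPI."""
    subs = bytes([5, SUBPKT_CREATION]) + struct.pack(">I", int(created.timestamp()))
    if expires_in is not None:           # expiration is seconds after creation
        subs += bytes([5, SUBPKT_EXPIRATION]) + struct.pack(">I", expires_in)
    body = bytes([4, sig_type, 17, hash_algo])   # version 4, type, DSA, hash algo
    body += struct.pack(">H", len(subs)) + subs  # hashed subpacket area
    body += struct.pack(">H", 0)                 # no unhashed subpackets
    body += b"\x00\x00"                          # left 16 bits of the hash
    body += b"\x00\x01\x01"                      # dummy 1-bit MPI (not a real signature)
    return bytes([0xC0 | SIG_TAG, len(body)]) + body


def parse_packets(data):
    """Yield (tag, body) for new-format packets with one-octet body lengths."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if hdr & 0xC0 != 0xC0:
            raise ValueError("only new-format packet headers are handled here")
        length = data[pos + 1]
        if length >= 192:
            raise ValueError("multi-octet packet lengths are not handled here")
        yield hdr & 0x3F, data[pos + 2: pos + 2 + length]
        pos += 2 + length


def parse_subpackets(blob):
    """Return {type: data} for a subpacket area (one-octet lengths, critical bit masked)."""
    out, pos = {}, 0
    while pos < len(blob):
        length = blob[pos]
        if length >= 192:
            raise ValueError("multi-octet subpacket lengths are not handled here")
        out[blob[pos + 1] & 0x7F] = blob[pos + 2: pos + 1 + length]
        pos += 1 + length
    return out


def parse_signature(body):
    """Extract type, hash algorithm and creation/expiration times from a v4 signature."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled here")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    subs = parse_subpackets(body[6:6 + hashed_len])
    created = datetime.fromtimestamp(struct.unpack(">I", subs[SUBPKT_CREATION])[0], timezone.utc)
    expires = None
    if SUBPKT_EXPIRATION in subs:
        expires = created + timedelta(seconds=struct.unpack(">I", subs[SUBPKT_EXPIRATION])[0])
    return {"type": SIG_TYPE_NAMES.get(body[1], hex(body[1])),
            "hash": HASH_NAMES.get(body[3], str(body[3])),
            "created": created, "expires": expires}


def check_binding_signature(sig, reference_time):
    """Return the reasons the signature is rejected at reference_time ([] = accepted)."""
    problems = []
    if sig["hash"] in ("MD5", "SHA1") and reference_time >= SHA1_CUTOFF:
        problems.append(f"{sig['hash']} is not considered secure since {ts(SHA1_CUTOFF)}")
    if sig["expires"] is not None and reference_time >= sig["expires"]:
        problems.append(f"signature expired at {ts(sig['expires'])}")
    return problems


def lint(data, reference_time):
    """Apply the checks to every signature packet; returns [(signature type, problems)]."""
    return [(s["type"], check_binding_signature(s, reference_time))
            for tag, body in parse_packets(data) if tag == SIG_TAG
            for s in [parse_signature(body)]]


# Constructed sample: a User ID followed by three binding signatures.
USERID = b"Alice <alice@example.org>"
SAMPLE = (
    bytes([0xC0 | USERID_TAG, len(USERID)]) + USERID
    + build_sig_packet(0x13, 2, datetime(2001, 8, 3, 17, 34, 53, tzinfo=timezone.utc))  # SHA-1, like the page
    + build_sig_packet(0x13, 8, datetime(2018, 1, 1, tzinfo=timezone.utc), 365 * 24 * 3600)  # expired 2019-01-01
    + build_sig_packet(0x18, 8, datetime(2022, 1, 1, tzinfo=timezone.utc))  # SHA-256 subkey binding, fine
)


def lint_sample():
    return lint(SAMPLE, REFERENCE_TIME)


if __name__ == "__main__":
    for sig_type, problems in lint_sample():
        print(sig_type, "OK" if not problems else "; ".join(problems))
```

Run as a script it prints one line per signature: the 2001 SHA-1 certification is rejected by the hash policy, the 2018 certification is rejected because it expired before the reference time, and the 2022 subkey binding passes both checks. A real linter would, as sq does, also verify each signature cryptographically against the primary key and honour revocations; the point here is only that "invalid" covers policy and expiry, not just forgery.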
