Sublime Forum

Error verifying Linux download

#1

Hi,

When checking the current 4152 download, I get a "gpg: FALSCHE Signatur von "Sublime HQ Pty Ltd <support@sublimetext.com>"":

$ gpg --keyring ./pubring.kbx --homedir ./ --verify sublime_text_build_4152_x64.tar.xz.asc sublime_text_build_4152_x64.tar.xz
gpg: Signatur vom Mi 02 Aug 2023 12:01:01 CEST
gpg:                mittels RSA-Schlüssel F57D4F59BD3DF454
gpg: FALSCHE Signatur von "Sublime HQ Pty Ltd <support@sublimetext.com>" [unbekannt]

When doing the same with 4143, everything works as expected:

$ gpg --keyring ./pubring.kbx --homedir ./ --verify sublime_text_build_4143_x64.tar.xz.asc sublime_text_build_4143_x64.tar.xz
gpg: Signatur vom Fr 11 Nov 2022 07:42:47 CET
gpg:                mittels RSA-Schlüssel F57D4F59BD3DF454
gpg: Korrekte Signatur von "Sublime HQ Pty Ltd <support@sublimetext.com>" [unbekannt]
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = 1EDD E2CD FC02 5D17 F6DA  9EC0 ADAE 6AD2 8A8F 901A
Unter-Fingerabdruck  = E359 79B8 96E9 9725 6457  C632 F57D 4F59 BD3D F454

#2

You’re likely experiencing this issue: https://github.com/sublimehq/sublime_text/issues/5787


#3

Hi,

Thanks for pointing me to the GitHub section.

When checking the link, I followed it to the issue commented on for Sublime Merge, which mentions that the “sublimehq-rpm-pub.gpg” key is still SHA1, which could be the real issue:

says

To clarify, the actual issue here is the key, not the signature in the rpm package. The binding signature of the key is SHA1 based, which is just insecure in this time and age

The linked report in the Redhat bugzilla also points to this direction

https://bugzilla.redhat.com/show_bug.cgi?id=2149762#c5

Doh, of course, this is the actual reason for the failed signature check in the non-chrome case:

Signature Packet, old CTB, 564 bytes
Version: 4
Type: PositiveCertification
Pk algo: RSA
Hash algo: SHA1
^^^^

While the signature made by this key uses SHA256 (ie “Header V4 RSA/SHA256 Signature, key ID 222d23d0”), the binding signature of the key uses the weak SHA1 hash.

These SHA1 usages should be reported to the vendors in question

So it seems the real cause for the verification error might be the “sublimehq-rpm-pub.gpg” key still using SHA1.

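The SHA1 finding quoted above can be checked on any exported key without a dedicated packet dumper. The following Python script is an added example, not code from Sublime HQ or from this thread: it walks the OpenPGP packets of a key file (binary or ASCII-armored), reads the version, signature type, public-key algorithm and hash algorithm of each v4 signature packet, and flags self-signatures made with MD5, SHA1 or RIPEMD160. The embedded SAMPLE_KEY is constructed for the demo (its key material is all zeros) and is not the Sublime key; to inspect a real key, pass its path as the first argument.

```python
"""Flag OpenPGP self-signatures that use a weak hash (for example SHA1).

Added example, not code or key material from Sublime HQ or from this thread.
It reads packet headers and the first four bytes of each signature packet
(RFC 4880 sections 4.2 and 5.2.3); it does not verify any signature.
"""
import base64
import sys

SIG_TYPES = {0x10: "GenericCertification", 0x11: "PersonaCertification",
             0x12: "CasualCertification", 0x13: "PositiveCertification",
             0x18: "SubkeyBinding", 0x19: "PrimaryKeyBinding", 0x1F: "DirectKey",
             0x20: "KeyRevocation", 0x28: "SubkeyRevocation"}
PK_ALGOS = {1: "RSA", 2: "RSA", 3: "RSA", 16: "Elgamal", 17: "DSA",
            18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASH_IDS = {1, 2, 3}  # MD5, SHA1, RIPEMD160


def dearmor(blob: bytes) -> bytes:
    """Return binary packets; accepts either binary or ASCII-armored input."""
    if not blob.startswith(b"-----BEGIN PGP"):
        return blob
    body, in_body = [], False
    for line in blob.decode("ascii", "replace").splitlines():
        if line.startswith("-----END"):
            break
        if in_body and line and not line.startswith("="):  # "=XXXX" is the CRC line
            body.append(line)
        elif not in_body and line.strip() == "":  # blank line ends the armor headers
            in_body = True
    return base64.b64decode("".join(body))


def iter_packets(data: bytes):
    """Yield (tag, body) for every packet; handles old- and new-format headers."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"not a packet header at offset {i}")
        if ctb & 0x40:                      # new-format CTB
            tag, b1 = ctb & 0x3F, data[i + 1]
            if b1 < 192:
                length, hdr = b1, 2
            elif b1 < 224:
                length, hdr = ((b1 - 192) << 8) + data[i + 2] + 192, 3
            elif b1 == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                               # old-format CTB
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            size = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(data[i + 1:i + 1 + size], "big"), 1 + size
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {i}")
        yield tag, body
        i += hdr + length


def signature_summary(data: bytes):
    """One dict per v4 signature packet: type, pk algo, hash algo and a weak flag."""
    out = []
    for tag, body in iter_packets(dearmor(data)):
        if tag != 2 or len(body) < 4 or body[0] != 4:
            continue
        sig_type, pk, hsh = body[1], body[2], body[3]
        out.append({"type": SIG_TYPES.get(sig_type, f"0x{sig_type:02x}"),
                    "pk_algo": PK_ALGOS.get(pk, str(pk)),
                    "hash_algo": HASH_ALGOS.get(hsh, str(hsh)),
                    "weak": hsh in WEAK_HASH_IDS})
    return out


def weak_signatures(data: bytes):
    return [s for s in signature_summary(data) if s["weak"]]


# Constructed sample key (not a real key): only the packet framing and the
# leading signature fields are meaningful; key material and MPIs are zeros.
def _old_pkt(tag, body):   # old-format header with a two-byte length
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def _new_pkt(tag, body):   # new-format header, one-byte length (< 192)
    return bytes([0xC0 | tag, len(body)]) + body

SAMPLE_KEY = (_old_pkt(6, b"\x04" + bytes(19))                        # public key
              + _new_pkt(13, b"Example User <user@example.invalid>")  # user ID
              + _old_pkt(2, b"\x04\x13\x01\x02" + bytes(40))          # positive cert, RSA, SHA1
              + _new_pkt(14, b"\x04" + bytes(19))                     # public subkey
              + _old_pkt(2, b"\x04\x18\x01\x08" + bytes(40)))         # subkey binding, RSA, SHA256

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEY
    for s in signature_summary(blob):
        print(f"{s['type']:<24} {s['pk_algo']:<8} {s['hash_algo']:<10}" + (" WEAK" if s["weak"] else ""))
```

On the sample this prints one PositiveCertification made with SHA1 (flagged WEAK) and one SubkeyBinding made with SHA256. Note the distinction the quoted issue makes: the hash of the key's own certification is independent of the hash used for the signature on a package or tarball, so a key can carry a SHA1 self-signature while every data signature it produces uses SHA256; whether a given gpg or rpm build rejects such a key depends on its crypto policy.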

#4

@bschaaf could you (or anyone responsible) please verify that the signature of the 4152 file is indeed correct and intact?

I created a virtual machine, installed a clean Debian 12 and tried the following:

Download public key

~/work$ wget https://download.sublimetext.com/sublimehq-pub.gpg
...
2023-08-28 13:14:41 (2,39 MB/s) - »sublimehq-pub.gpg« gespeichert [3817/3817]

Import public key

~/work$ gpg --no-default-keyring --homedir ./ --import sublimehq-pub.gpg 
...
gpg: Schlüssel ADAE6AD28A8F901A: Öffentlicher Schlüssel "Sublime HQ Pty Ltd <support@sublimetext.com>" importiert
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:                              importiert: 1

Download Sublime Text 4143 package and sig

~/work$ wget https://download.sublimetext.com/sublime_text_build_4143_x64.tar.xz
...
2023-08-28 13:15:16 (2,77 MB/s) - »sublime_text_build_4143_x64.tar.xz« gespeichert [17480384/17480384]

~/work$ wget https://download.sublimetext.com/sublime_text_build_4143_x64.tar.xz.asc
...
2023-08-28 13:15:58 (28,0 MB/s) - »sublime_text_build_4143_x64.tar.xz.asc« gespeichert [819/819]

Verify Sublime Text 4143 => correct signature

~/work$ gpg --keyring ./pubring.kbx --homedir ./ --verify sublime_text_build_4143_x64.tar.xz.asc sublime_text_build_4143_x64.tar.xz
...
gpg: Signatur vom Fr 11 Nov 2022 07:42:47 CET
gpg:                mittels RSA-Schlüssel F57D4F59BD3DF454
gpg: Korrekte Signatur von "Sublime HQ Pty Ltd <support@sublimetext.com>" [unbekannt]
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = 1EDD E2CD FC02 5D17 F6DA  9EC0 ADAE 6AD2 8A8F 901A
Unter-Fingerabdruck  = E359 79B8 96E9 9725 6457  C632 F57D 4F59 BD3D F454

Download Sublime Text 4152 package and sig

~/work$ wget https://download.sublimetext.com/sublime_text_build_4152_x64.tar.xz
...
2023-08-28 13:19:18 (2,44 MB/s) - »sublime_text_build_4152_x64.tar.xz« gespeichert [16454288/16454288]

~/work$ wget https://download.sublimetext.com/sublime_text_build_4152_x64.tar.xz.asc
...
2023-08-28 13:19:53 (25,2 MB/s) - »sublime_text_build_4152_x64.tar.xz.asc« gespeichert [819/819]

Verify Sublime Text 4152 => wrong signature

~/work$ gpg --keyring ./pubring.kbx --homedir ./ --verify sublime_text_build_4152_x64.tar.xz.asc sublime_text_build_4152_x64.tar.xz
...
gpg: Signatur vom Mi 02 Aug 2023 12:01:01 CEST
gpg:                mittels RSA-Schlüssel F57D4F59BD3DF454
gpg: FALSCHE Signatur von "Sublime HQ Pty Ltd <support@sublimetext.com>" [unbekannt]
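
The steps above decide the outcome by reading a localized sentence ("Korrekte Signatur" versus "FALSCHE Signatur"), which is fragile to script. The following Python script is an added example, not code from Sublime HQ or from this thread: it runs gpg with --status-fd in an isolated --homedir and makes the accept/reject decision from the machine-readable [GNUPG:] records, requiring GOODSIG plus a VALIDSIG whose primary-key fingerprint equals the one printed above and whose hash algorithm is not MD5, SHA1 or RIPEMD160. GOOD_STATUS and BAD_STATUS are constructed status lines modelled on the two results in this post (the timestamp and the extra records are made up); run_gpg_verify needs gpg installed, while the parsing and decision logic runs offline.

```python
"""Accept or reject a gpg --verify result from its machine-readable status lines.

Added example, not Sublime HQ's code. run_gpg_verify() assumes gpg is on PATH
and that the vendor key was imported into `homedir`; parse_status() and
verdict() need no gpg at all.
"""
import subprocess

# Primary key fingerprint from the thread's gpg output, spaces removed.
EXPECTED_PRIMARY_FPR = "1EDDE2CDFC025D17F6DA9EC0ADAE6AD28A8F901A"
WEAK_HASH_IDS = {1, 2, 3}  # MD5, SHA1, RIPEMD160 (RFC 4880 section 9.4)


def run_gpg_verify(sig_path: str, data_path: str, homedir: str):
    """Run gpg in an isolated homedir; return its [GNUPG:] status lines."""
    cmd = ["gpg", "--batch", "--homedir", homedir, "--status-fd", "1",
           "--verify", sig_path, data_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout.splitlines()


def parse_status(lines):
    """Collect the status records that matter for a verify decision."""
    st = {"goodsig": False, "badsig": False, "errsig": False,
          "validsig": None, "key_problem": None}
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword, args = fields[1], fields[2:]
        if keyword == "GOODSIG":
            st["goodsig"] = True
        elif keyword == "BADSIG":
            st["badsig"] = True
        elif keyword == "ERRSIG":
            st["errsig"] = True
        elif keyword in ("EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
            st["key_problem"] = keyword
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
            st["validsig"] = {"fpr": args[0],
                              "hash_algo": int(args[7]),
                              "primary_fpr": args[9] if len(args) > 9 else args[0]}
    return st


def verdict(lines, expected_primary_fpr: str = EXPECTED_PRIMARY_FPR):
    """Return (accepted, reason). Anything short of a pinned good signature is a reject."""
    st = parse_status(lines)
    if st["badsig"]:
        return False, "BADSIG: data and signature file do not match"
    if st["errsig"]:
        return False, "ERRSIG: signature could not be checked (key missing?)"
    if st["key_problem"]:
        return False, st["key_problem"]
    if not (st["goodsig"] and st["validsig"]):
        return False, "no GOODSIG/VALIDSIG record"
    v = st["validsig"]
    if v["primary_fpr"].upper() != expected_primary_fpr.upper():
        return False, f"signing key {v['primary_fpr']} is not the pinned key"
    if v["hash_algo"] in WEAK_HASH_IDS:
        return False, f"signature uses weak hash algorithm id {v['hash_algo']}"
    return True, "good signature by pinned key"


# Constructed status lines modelled on the 4143 (good) and 4152 (bad) results
# in this post; timestamps and the surrounding records are made up.
GOOD_STATUS = [
    "[GNUPG:] NEWSIG support@sublimetext.com",
    "[GNUPG:] KEY_CONSIDERED 1EDDE2CDFC025D17F6DA9EC0ADAE6AD28A8F901A 0",
    "[GNUPG:] GOODSIG F57D4F59BD3DF454 Sublime HQ Pty Ltd <support@sublimetext.com>",
    "[GNUPG:] VALIDSIG E35979B896E997256457C632F57D4F59BD3DF454 2022-11-11 1668148967 0 4 0 1 8 00 "
    "1EDDE2CDFC025D17F6DA9EC0ADAE6AD28A8F901A",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
BAD_STATUS = [
    "[GNUPG:] NEWSIG support@sublimetext.com",
    "[GNUPG:] KEY_CONSIDERED 1EDDE2CDFC025D17F6DA9EC0ADAE6AD28A8F901A 0",
    "[GNUPG:] BADSIG F57D4F59BD3DF454 Sublime HQ Pty Ltd <support@sublimetext.com>",
]

if __name__ == "__main__":
    for name, lines in (("4143", GOOD_STATUS), ("4152", BAD_STATUS)):
        print(name, verdict(lines))
```

The "[unbekannt]" / "WARNUNG" lines in the thread's output correspond to TRUST_UNDEFINED here: gpg cannot know the key belongs to Sublime HQ, so the script replaces web-of-trust validity with an explicit fingerprint pin taken from a trusted channel. BADSIG is the case seen for 4152 in this post, where the tarball was reissued but the detached signature was not.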

#5

4152 was reissued and we missed updating the signatures for the tarballs. It should be good now.

#6

Hi,

I downloaded 4152 and the signature file again today, and the result of the signature check is now valid.
