Gitlab has unverified firmware commits

What is going on here??? I noticed the latest firmware release commits have been signed by an unverified GPG key. Are you kidding me??? They were committed months ago! If anyone flashed their EC or coreboot firmware using these commits they should take immediate action. I myself noticed it only after flashing today - this deserves an explanation immediately please.

How can this happen? Both commits have been signed by GPG Key ID: 8735540225E98BDBC82491B41E9C3CA91AE25114 several months ago and are unverified. Then a commit after that was signed by Jonathon Hall but with a DIFFERENT key that is verified (GPG Key ID: 1E9C3CA91AE25114).

WHAT IS GOING ON?


You are right to highlight this but probably not malicious: Utility Script has to be Updated


@anksa, the commits are actually signed with the same key, which you can see with git log --show-signature (included below). The reason the first few commits display “unverified” is just that I had not yet uploaded my GPG key to Gitlab, and it does not re-verify old commits when uploading a GPG key later.

I’ll ask our admins if there is any way to get Gitlab to recheck old commits. There should be no actual concerns though since the commits are in fact signed by the same key.

commit 42315e1ab3c508105f6bd9f5dbc2b68d834a6c9f (HEAD)
gpg: Signature made Thu 18 Aug 2022 04:56:17 PM EDT
gpg:                using RSA key 8735540225E98BDBC82491B41E9C3CA91AE25114
gpg:                issuer "jonathon.hall@puri.sm"
gpg: Good signature from "Jonathon Hall <jonathon.hall@puri.sm>" [ultimate]
Author: Jonathon Hall <jonathon.hall@puri.sm>
Date:   Thu Aug 18 16:56:17 2022 -0400

    Update Pureboot images to Release-22
    
    Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>

commit 72099f4cfcf3f720f83485045ac842aa826e3733
Merge: cbc0599 5d4ffaf
Author: Jonathon Hall <jonathon.hall@puri.sm>
Date:   Tue Aug 9 13:16:45 2022 +0000

    Merge branch '4.17-Purism-1' into 'master'
    
    Update coreboot/SeaBIOS images to 4.17-Purism-1
    
    See merge request firmware/releases!51

commit 5d4ffaf74fd65ed6823a7f2f06a5c6bf7caadb82 (4.17-Purism-1)
gpg: Signature made Thu 28 Jul 2022 08:51:01 AM EDT
gpg:                using RSA key 8735540225E98BDBC82491B41E9C3CA91AE25114
gpg:                issuer "jonathon.hall@puri.sm"
gpg: Good signature from "Jonathon Hall <jonathon.hall@puri.sm>" [ultimate]
Author: Jonathon Hall <jonathon.hall@puri.sm>
Date:   Thu Jul 28 08:51:01 2022 -0400

    Update coreboot/SeaBIOS images to 4.17-Purism-1
    
    Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>

commit cbc05992f1dbf483c043242d2b67a954a22d7cd2
Merge: 95e148a e5b2b73
Author: Matt Devillier <matt.devillier@puri.sm>
Date:   Thu Jun 30 17:30:45 2022 +0000

    Merge branch 'Librem-EC-1.9' into 'master'
    
    librem_14: Update EC firmware to 1.9
    
    See merge request firmware/releases!50

commit e5b2b739f67f6eaa9927acbe3b162e5d97fafa85 (Librem-EC-1.9)
gpg: Signature made Thu 30 Jun 2022 01:27:48 PM EDT
gpg:                using RSA key 8735540225E98BDBC82491B41E9C3CA91AE25114
gpg:                issuer "jonathon.hall@puri.sm"
gpg: Good signature from "Jonathon Hall <jonathon.hall@puri.sm>" [ultimate]
Author: Jonathon Hall <jonathon.hall@puri.sm>
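The check the reply above describes, done locally rather than by trusting the GitLab badge, as an added example (not code from the thread or from Purism): feed `git log --format='%H %G? %GF'` into a function that requires every commit to carry a good signature from the expected fingerprint. Note that the 16-character key ID GitLab displayed (1E9C3CA91AE25114) is simply the tail of the 40-character fingerprint in the log above, so the "different key" was the same key shown at a different length.

```shell
#!/bin/sh
# Added example, not part of the thread. Usage against a real checkout:
#   git log --format='%H %G? %GF' origin/master~5..origin/master \
#       | check_commit_signatures "$EXPECTED_KEY"
# %G? is the signature status (G good, U good but untrusted, E cannot check,
# N no signature, B bad, X/Y expired, R revoked); %GF is the signing key
# fingerprint (empty when there is no signature). The signing key must be
# in the local keyring first, otherwise git reports status E.

# Fingerprint of the release signing key, taken from the git log in the thread.
EXPECTED_KEY="8735540225E98BDBC82491B41E9C3CA91AE25114"

# Reads "hash status fingerprint" lines on stdin and prints one verdict each.
# Exit status 0 only if every commit has a good signature from $1.
check_commit_signatures() {
    expected="$1"
    rc=0
    while read -r hash status fpr; do
        [ -z "$hash" ] && continue
        case "$status" in
            G|U)
                if [ "$fpr" = "$expected" ]; then
                    echo "OK         $hash signed by $fpr"
                else
                    echo "WRONG-KEY  $hash signed by ${fpr:-<none>}, expected $expected"
                    rc=1
                fi ;;
            N) echo "UNSIGNED   $hash"; rc=1 ;;
            E) echo "NO-PUBKEY  $hash (import the signing key, then re-run)"; rc=1 ;;
            *) echo "BAD-SIG    $hash signature status '$status'"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample in '%H %G? %GF' form (not captured output): the three
# signed commits from the thread plus one merge commit GitLab created, which
# carries no signature and is therefore flagged.
SAMPLE_LOG='42315e1ab3c508105f6bd9f5dbc2b68d834a6c9f G 8735540225E98BDBC82491B41E9C3CA91AE25114
72099f4cfcf3f720f83485045ac842aa826e3733 N
5d4ffaf74fd65ed6823a7f2f06a5c6bf7caadb82 G 8735540225E98BDBC82491B41E9C3CA91AE25114
e5b2b739f67f6eaa9927acbe3b162e5d97fafa85 G 8735540225E98BDBC82491B41E9C3CA91AE25114'

printf '%s\n' "$SAMPLE_LOG" | check_commit_signatures "$EXPECTED_KEY"
```

Merge commits made through the GitLab web UI are not GPG-signed by the author, so a repository like this one needs a policy for them (accept merges whose parents are all signed, or require signed merges); the function deliberately flags them rather than silently passing.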