rustup: incorrectly reported signature validation failure (Rust 1.8.0 to Rust 1.21.0, some nightlies)

Problem

Older versions of Rust (on x86_64-unknown-linux-gnu) report a signature verification failure, so I cannot trust them, so I can’t check which of those versions of Rust my code works on.

Steps

  1. rustup toolchain install 1.8

Possible Solution(s)

No response

Notes

This applies to more than just 1.8, but here is the output for 1.8, which I stopped early.

$ rustup toolchain install 1.8
info: syncing channel updates for '1.8.0-x86_64-unknown-linux-gnu'
 65.3 KiB /  65.3 KiB (100 %)  20.0 KiB/s in  8s ETA:  0s
warning: Signature verification failed for 'https://static.rust-lang.org/dist/channel-rust-1.8.0.toml'
info: latest update on 2016-04-12, rust version 1.8.0 (db2939409 2016-04-11)
info: downloading component 'cargo'
167.5 KiB /   3.9 MiB (  4 %)   0 B/s in  2s ETA: Unknown^C

Rustup version

rustup 1.25.2 (17db695f1 2023-02-01)

Installed toolchains

Default host: x86_64-unknown-linux-gnu
rustup home:  /home/chaitrex/.rustup

installed toolchains
--------------------

stable-x86_64-unknown-linux-gnu (default)
beta-x86_64-unknown-linux-gnu
nightly-x86_64-unknown-linux-gnu
1.0.0-x86_64-unknown-linux-gnu
1.1.0-x86_64-unknown-linux-gnu
1.2.0-x86_64-unknown-linux-gnu
1.3.0-x86_64-unknown-linux-gnu
1.4.0-x86_64-unknown-linux-gnu
1.5.0-x86_64-unknown-linux-gnu
1.6.0-x86_64-unknown-linux-gnu
1.7.0-x86_64-unknown-linux-gnu

active toolchain
----------------

stable-x86_64-unknown-linux-gnu (default)
rustc 1.67.1 (d5a82bbd2 2023-02-07)

About this issue

  • State: closed
  • Created a year ago
  • Comments: 15 (10 by maintainers)

Most upvoted comments

This is happening on 1.67.1 and 1.69.0-nightly for me so I don’t think it’s limited to 1.8 to 1.20.

❯ rustup update
info: syncing channel updates for 'stable-aarch64-apple-darwin'
warning: Signature verification failed for 'https://static.rust-lang.org/dist/channel-rust-stable.toml'
info: latest update on 2023-02-09, rust version 1.67.1 (d5a82bbd2 2023-02-07)
...
info: syncing channel updates for 'nightly-aarch64-apple-darwin'
warning: Signature verification failed for 'https://static.rust-lang.org/dist/channel-rust-nightly.toml'
info: latest update on 2023-03-02, rust version 1.69.0-nightly (f77bfb733 2023-03-01)

Just today on macOS.

❯ rustup self update
info: checking for self-updates
  rustup unchanged - 1.25.2

I’m surprised this was just a warning and it didn’t bail out and require me to manually override. Seems like if this was an actual mismatch, I could be in some trouble and have just downloaded untrusted/unverified code. I do understand that TLS mitigates this; I just kinda expect that if a project does elect to use the extra layer of signature checks, that they serve their purpose and aren’t mere theatre. I could be misunderstanding this warning though.

I don’t think keeping gpg support while accepting sha-1 has any value tbh.