Your message dated Mon, 05 Sep 2016 00:37:15 -0400
with message-id <[email protected]>
and subject line Re: Bug#723763: monkeysign should not sign revoked uids
has caused the Debian Bug report #723763,
regarding monkeysign should not sign revoked uids
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
723763: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723763
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: monkeysign
Version: 1.0
Severity: important

It looks like monkeysign doesn't care that a uid is
revoked, it signs and sends out an email anyway.

Could probably be fixed by first cleaning the key.

(Also need to check that monkeysign won't sign a
uid where the master key is revoked.)

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages monkeysign depends on:
ii  gnupg   1.4.14-1
ii  python  2.7.5-4

Versions of packages monkeysign recommends:
ii  python-gtk2       2.24.0-3+b1
ii  python-qrencode   1.01-2+b1
ii  python-zbar       0.10+doc-9+b1
ii  python-zbarpygtk  0.10+doc-9+b1

monkeysign suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
On 2013-09-19 12:23:14, Philip Jägenstedt wrote:
> It looks like monkeysign doesn't care that a uid is
> revoked, it signs and sends out an email anyway.

On 2016-08-06 17:09:11, Nicholas D Steeves wrote:
> I think by default Monkeysign still signs revoked keys and sends
> emails to addresses that might no longer be active.  I just ran a
> monkeysign 7B75921E, and I think you have received a signed key for a
> few of your revoked ones.

So I finally looked into this in more details.

Basically, I can't reproduce this at all. I have tried generating new
keys and unit tests to reproduce the issue, and I couldn't.

I also tried to sign a key with a revoked UID. No mail is sent to the
revoked UID, nor is a certification generated for that UID.

[730]anarcat@angela:monkeysign$ gpg --list-sigs -v unittest
gpg: using PGP trust model
gpg: can't handle public key algorithm 22
gpg: can't handle public key algorithm 18
pub   1024R/86E4E70A96F47C6A 2012-07-20
uid                          Test Key <[email protected]>
sig 3        86E4E70A96F47C6A 2012-07-20  Test Key <[email protected]>
sig   L      792152527B75921E 2016-09-05  Antoine Beaupré <[email protected]>
uid              [ revoked] Second Test Key <[email protected]>
sig 3        86E4E70A96F47C6A 2013-08-11  Test Key <[email protected]>
rev          86E4E70A96F47C6A 2016-09-05  Test Key <[email protected]>
sub   1024R/894EE34814B46386 2012-07-20
sig          86E4E70A96F47C6A 2012-07-20  Test Key <[email protected]>


[722]anarcat@angela:monkeysign$ git co 2.0.2
Note: checking out '2.0.2'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b new_branch_name

HEAD is now at 7780521... Merge remote-tracking branch 'origin/2.0.x' into 2.0.x
[726]anarcat@angela:monkeysign$ gpg --import tests/96F47C6A.asc 
gpg: key 86E4E70A96F47C6A: public key "Second Test Key <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[727]anarcat@angela:monkeysign$ gpg --import tests/96F47C6A-
96F47C6A-revoke.asc  96F47C6A-revuid.asc  96F47C6A-secret.asc  
[727]anarcat@angela:monkeysign$ gpg --import tests/96F47C6A-revuid.asc 
gpg: key 86E4E70A96F47C6A: "Test Key <[email protected]>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1
[728]anarcat@angela:monkeysign$ ./scripts/monkeysign --no-mail -l unittest
Preparing to sign with this key

pub  [unknown] 4096R/7B75921E 1243621534 [expiry: 1496357973]
    Fingerprint = 8DC9 01CE 6414 6C04 8AD5  0FBB 7921 5252 7B75 921E
uid 1      [unknown] Antoine Beaupré (home address) <[email protected]>
uid 2      [unknown] Antoine Beaupré (work) <[email protected]>
sub   2048R/EE02855A 1342743455
sub   4096R/9C5A5581 1243622183

Signing the following key

pub  [unknown] 1024R/96F47C6A 1342795252
    Fingerprint = 3F94 240C 918E 6359 0B04  152E 86E4 E70A 96F4 7C6A
uid 1      [unknown] Test Key <[email protected]>
uid 2      [revoked] Second Test Key <[email protected]>
sub   1024R/14B46386 1342795252


Sign all identities? [y/N] y
Really sign key? [y/N] y
not sending email to "Test Key" <[email protected]>, as requested, here's the 
email message:

>From nobody Mon Sep  5 00:32:54 2016
Content-Type: multipart/mixed; boundary="===============7126139918222277606=="
MIME-Version: 1.0

--===============7126139918222277606==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable


Please find attached your signed OpenPGP key. You can import the
signed key by running each through `gpg --import`.

If you have multiple user ids, each signature was sent in a separate
email to each user id.

Note that your key was not uploaded to any keyservers. If you want
this new signature to be available to others, please upload it
yourself.  With GnuPG this can be done using:

    gpg --keyserver pool.sks-keyservers.net --send-key <keyid>

Regards,

--===============7126139918222277606==
Content-Type: application/pgp-keys;
 name="signed-3F94240C918E63590B04152E86E4E70A96F47C6A.asc"
MIME-Version: 1.0
Content-Disposition: attachment;
 filename="signed-3F94240C918E63590B04152E86E4E70A96F47C6A.asc"
Content-Transfer-Encoding: 7bit
Content-Description: signed OpenPGP Key
 3F94240C918E63590B04152E86E4E70A96F47C6A, uid Test Key <[email protected]>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
[armored key data elided]
=R16i
-----END PGP PUBLIC KEY BLOCK-----

--===============7126139918222277606==--

not sending email to "Second Test Key" <[email protected]>, as 
requested, here's the email message:

>From nobody Mon Sep  5 00:32:54 2016
Content-Type: multipart/mixed; boundary="===============4140608320576554857=="
MIME-Version: 1.0

--===============4140608320576554857==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable


Please find attached your signed OpenPGP key. You can import the
signed key by running each through `gpg --import`.

If you have multiple user ids, each signature was sent in a separate
email to each user id.

Note that your key was not uploaded to any keyservers. If you want
this new signature to be available to others, please upload it
yourself.  With GnuPG this can be done using:

    gpg --keyserver pool.sks-keyservers.net --send-key <keyid>

Regards,

--===============4140608320576554857==
Content-Type: application/pgp-keys;
 name="signed-3F94240C918E63590B04152E86E4E70A96F47C6A.asc"
MIME-Version: 1.0
Content-Disposition: attachment;
 filename="signed-3F94240C918E63590B04152E86E4E70A96F47C6A.asc"
Content-Transfer-Encoding: 7bit
Content-Description: signed OpenPGP Key
 3F94240C918E63590B04152E86E4E70A96F47C6A,
 uid Second Test Key <[email protected]>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
[armored key data elided]
=ojno
-----END PGP PUBLIC KEY BLOCK-----

--===============4140608320576554857==--

Now. Maybe I am doing something wrong, or maybe GnuPG or Monkeysign got
fixed since those bugs were reported. I am running Debian Jessie, so
this is GnuPG 1.4.18 and monkeysign 2.0.2.

All the gory details are here:

https://0xacab.org/monkeysphere/monkeysign/issues/33

I am going to close this bug as done now.

Someone will need to provide me with more solid ways of reproducing
this, including a step-by-step commandline documentation or complete
failed unit test before I look at reviewing patches about revoked keys
again.

A.

-- 
The trouble with the great human family is that everyone wants
to be its father.
                        - Mafalda

--- End Message ---
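The report asks for two checks before a certification is made: that the user ID itself is not revoked, and that the primary key is not revoked either. The reply above asks for a reproducible, test-shaped way to exercise that. The following is an added example, not monkeysign's code, showing how such a pre-signing check can be written against the machine-readable output of `gpg --with-colons --list-keys`. It assumes the GnuPG 2.x layout where every user ID appears as its own `uid` record (GnuPG 1.4 folds the first user ID into the `pub` record, which this parser does not handle). The two sample listings are constructed for illustration, modelled on the unittest key in the report, with made-up user ID hashes and example.com addresses; `parse_colons`, `KeyStatus` and `key_status` are names chosen here.

```python
"""Added example (not monkeysign code): refuse to certify revoked user IDs
and any user ID on a revoked primary key, using `gpg --with-colons` output.

Assumes GnuPG 2.x listing layout: one `uid` record per user ID, validity in
field 2 ('r' = revoked), user ID string in field 10, fingerprint in field 10
of the `fpr` record. Sample listings below are constructed, not real keys.
"""
import subprocess
from dataclasses import dataclass, field

REVOKED = "r"   # validity code in field 2 of pub/uid records


@dataclass
class KeyStatus:
    fingerprint: str = ""
    primary_revoked: bool = False
    # (user ID string, revoked?) in listing order
    uids: list = field(default_factory=list)

    def signable_uids(self) -> list:
        """User IDs that may be certified: none at all if the primary key is revoked."""
        if self.primary_revoked:
            return []
        return [uid for uid, revoked in self.uids if not revoked]


def unescape_colons(value: str) -> str:
    """GnuPG escapes ':' inside user IDs as '\\x3a' in --with-colons output."""
    return value.replace("\\x3a", ":")


def parse_colons(output: str) -> KeyStatus:
    """Parse one key's --with-colons listing into a KeyStatus."""
    status = KeyStatus()
    for line in output.splitlines():
        fields = line.split(":")
        rectype = fields[0]
        if rectype == "pub":
            # a revoked primary key makes every user ID unsignable
            status.primary_revoked = fields[1] == REVOKED
        elif rectype == "fpr" and not status.fingerprint:
            status.fingerprint = fields[9]     # primary key fingerprint
        elif rectype == "uid":
            revoked = fields[1] == REVOKED
            status.uids.append((unescape_colons(fields[9]), revoked))
    return status


def key_status(keyid: str) -> KeyStatus:
    """Query a real key from the local keyring (hypothetical helper, not run here)."""
    out = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--list-keys", keyid],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_colons(out)


# Constructed listing: one valid and one revoked user ID, modelled on the
# unittest key in the report (user ID hashes and addresses are made up).
SAMPLE_REVOKED_UID = """\
pub:-:1024:1:86E4E70A96F47C6A:1342795252:::-:::scESC::::::23::0:
fpr:::::::::3F94240C918E63590B04152E86E4E70A96F47C6A:
uid:-::::1342795252::0123456789ABCDEF0123456789ABCDEF01234567::Test Key <test@example.com>::::::::::0:
uid:r::::1376179200::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Second Test Key <test2@example.com>::::::::::0:
sub:-:1024:1:894EE34814B46386:1342795252::::::e::::::23:
"""

# Constructed listing: the same key after its primary key was revoked.
SAMPLE_REVOKED_KEY = SAMPLE_REVOKED_UID.replace("pub:-:", "pub:r:", 1)


if __name__ == "__main__":
    for name, sample in (("revoked uid", SAMPLE_REVOKED_UID),
                         ("revoked key", SAMPLE_REVOKED_KEY)):
        st = parse_colons(sample)
        print(name, st.fingerprint, "->", st.signable_uids())
```

Only the user IDs returned by `signable_uids()` would be offered for certification and mailed; with the first listing that is just `Test Key`, and with the second listing nothing at all. A failing unit test for the bug would feed a listing like `SAMPLE_REVOKED_UID` (or a real key generated and revoked in a temporary `GNUPGHOME`) and assert that the revoked identity never receives a certification.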
