Your message dated Thu, 12 Dec 2019 00:49:19 +0000
with message-id <[email protected]>
and subject line Bug#943970: fixed in debmirror 1:2.33
has caused the Debian Bug report #943970,
regarding debmirror: Debmirror fails to verify valid, signed InRelease files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
943970: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943970
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: debmirror
Version: 1:2.32
Severity: important
Dear Maintainer,
When debmirror splits InRelease files using split_clearsigned_file, it can
produce text and signature files that gpgv reports as having a "BAD signature."
Yet gpgv reports "Good signature" for the original InRelease file, by itself.
What I found is that most files work but some do not. Attached is a standalone
split command, using the code from debmirror. This is what I see when I test
the debian-archive wheezy-backports InRelease file:
# md5sum wheezy-inrelease
a3f7caeef19f3e3797ec08748409d413 wheezy-inrelease
# head -n 20 wheezy-inrelease
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Origin: Debian Backports
Label: Debian Backports
Suite: wheezy-backports
Version:
Codename: wheezy-backports
Date: Wed, 24 Jan 2018 08:51:34 UTC
NotAutomatic: yes
ButAutomaticUpgrades: yes
Architectures: amd64 armel armhf i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 s390x sparc
Components: main contrib non-free
Description: Backports for the Wheezy Distribution
MD5Sum:
 21206181d8c101b785f51c82820acef7 118763 contrib/Contents-amd64
 85c8255dffc0437f45d71e2e0d27401b 2704 contrib/Contents-amd64.diff/Index
 01c60695e6465dc1a3f2035d7060de57 10211 contrib/Contents-amd64.gz
 01d265b9bcabbad6969c560a69550890 72100 contrib/Contents-armel
 e03cee735398401fedf5b505fdc0cdbc 1720 contrib/Contents-armel.diff/Index
# gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg --keyring /usr/share/keyrings/debian-archive-removed-keys.gpg -v wheezy-inrelease
gpgv: armor header: Hash: SHA256
gpgv: original file name=''
gpgv: Signature made Wed 24 Jan 2018 03:51:53 AM EST
gpgv: using RSA key A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
gpgv: Good signature from "Debian Archive Automatic Signing Key (7.0/wheezy) <[email protected]>"
gpgv: textmode signature, digest algorithm SHA256, key algorithm rsa4096
gpgv: Signature made Wed 24 Jan 2018 03:51:53 AM EST
gpgv: using RSA key 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
gpgv: Good signature from "Debian Archive Automatic Signing Key (8/jessie) <[email protected]>"
gpgv: textmode signature, digest algorithm SHA256, key algorithm rsa4096
# ./split_clearsigned_file wheezy-inrelease
# gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg --keyring /usr/share/keyrings/debian-archive-removed-keys.gpg -v wheezy-inrelease-sig wheezy-inrelease-txt
gpgv: Signature made Wed 24 Jan 2018 03:51:53 AM EST
gpgv: using RSA key A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
gpgv: BAD signature from "Debian Archive Automatic Signing Key (7.0/wheezy) <[email protected]>"
gpgv: textmode signature, digest algorithm SHA256, key algorithm rsa4096
It does not always fail in this way. The jessie-backports InRelease file works
fine.
Here's the source I used for split_clearsigned_file:
#!/usr/bin/perl -w
# isolate split_clearsigned_file from debmirror
use strict;
use IO::Handle;    # ->flush on lexical filehandles

my $infile = $ARGV[0] or die "usage: $0 <clearsigned-file>\n";
open my $sfd, '>', "$infile-sig" or die "can't open $infile-sig: $!\n";
open my $tfd, '>', "$infile-txt" or die "can't open $infile-txt: $!\n";
split_clearsigned_file($infile, $tfd, $sfd) or die "split failed\n";

# Split a clearsigned message into data and signature.
# Based on the similar SplitClearSignedFile in APT.
sub split_clearsigned_file {
    my ($filename, $content_fh, $signature_fh) = @_;
    my $found_message_start = '';
    my $found_message_end = '';
    my $skip_until_empty_line = '';
    my $found_signature = '';
    my $first_line = 1;
    my $signed_message_not_on_first_line = '';
    my $found_garbage = '';
    open my $handle, "<", $filename or die "can't open $filename: $!";
    while (my $line = <$handle>) {
        $line =~ s/[\n\r]+$//;
        if (not $found_message_start) {
            if ($line eq '-----BEGIN PGP SIGNED MESSAGE-----') {
                $found_message_start = 1;
                $skip_until_empty_line = 1;
            } else {
                $signed_message_not_on_first_line = 1;
                $found_garbage = 1;
            }
        } elsif ($skip_until_empty_line) {
            # Armor headers such as "Hash: SHA256" end at the first empty line.
            if ($line eq '') {
                $skip_until_empty_line = '';
            }
        } elsif (not $found_signature) {
            if ($line eq '-----BEGIN PGP SIGNATURE-----') {
                $found_signature = 1;
                $found_message_end = 1;
                print $signature_fh "$line\n";
            } elsif (not $found_message_end) { # we are in the message block
                # We don't have any fields that need to be dash-escaped, but
                # implementations are free to encode all lines.
                $line =~ s/^- //;
                # Trailing spaces and tabs are written out unchanged here; this
                # is the 1:2.32 behaviour the report is about (1:2.33 strips
                # them before verification, per RFC 4880 section 7.1).
                if ($first_line) { # first line does not need a newline
                    $first_line = '';
                } else {
                    print $content_fh "\n";
                }
                print $content_fh $line;
            } else {
                $found_garbage = 1;
            }
        } else {
            print $signature_fh "$line\n";
            if ($line eq '-----END PGP SIGNATURE-----') {
                $found_signature = '';
            }
        }
    }
    close $handle;
    $content_fh->flush;
    $signature_fh->flush;
    if ($found_message_start) {
        if ($signed_message_not_on_first_line) {
            die "Clearsigned file '$filename' does not start with a signed message block.\n";
        } elsif ($found_garbage) {
            die "Clearsigned file '$filename' contains unsigned lines or multiple signed message blocks.\n";
        }
    }
    if ($found_signature) {
        die "Signature in file $filename wasn't closed.\n";
    }
    if ($first_line and not $found_message_start and not $found_message_end) {
        # This is an unsigned file, so don't generate an error, but splitting
        # was unsuccessful nonetheless.
        return 0;
    } elsif ($first_line or not $found_message_start or not $found_message_end) {
        # Syntax error.
        die "Splitting of $filename failed as it doesn't contain all expected signature parts.\n";
    }
    return 1;
}
The system information below is not from the system running debmirror, but it
is running buster.
-- System Information:
Debian Release: 10.1
APT prefers stable
APT policy: (750, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages debmirror depends on:
ii bzip2 1.0.6-9.2~deb10u1
pn libdigest-md5-perl <none>
pn libdigest-sha-perl <none>
pn liblockfile-simple-perl <none>
ii libwww-perl 6.36-2
ii perl [libnet-perl] 5.28.1-6
ii rsync 3.1.3-6
ii xz-utils 5.2.4-1
Versions of packages debmirror recommends:
pn ed <none>
ii gpgv 2.2.12-1+deb10u1
ii patch 2.7.6-3+deb10u1
Versions of packages debmirror suggests:
ii gnupg 2.2.12-1+deb10u1
--- End Message ---
--- Begin Message ---
Source: debmirror
Source-Version: 1:2.33
We believe that the bug you reported is fixed in the latest version of
debmirror, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated debmirror package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 12 Dec 2019 00:24:23 +0000
Source: debmirror
Architecture: source
Version: 1:2.33
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 943970
Changes:
debmirror (1:2.33) unstable; urgency=medium
.
* Use debhelper-compat instead of debian/compat.
* Strip trailing spaces and tabs from the content of clearsigned files
before verifying the signature, in accordance with RFC 4880 section 7.1
(closes: #943970).
Checksums-Sha1:
6355e6e1e51755bb7a1fd51075daca94ea96e4b2 1784 debmirror_2.33.dsc
06b9b0cc1199c2d14888532b2d399b06e658fa70 54976 debmirror_2.33.tar.xz
Checksums-Sha256:
7ce999e50424e6a4b252410ee8990d0bf86a20aba9e4ed20921a847c101ddaf5 1784 debmirror_2.33.dsc
2f4e197c975d6cd7d8d406191f9d6eeedfd7ba64faf3057c3ee61006cbc92023 54976 debmirror_2.33.tar.xz
Files:
2f3ea3bba96ddf728cb32fe9a5d6c821 1784 net optional debmirror_2.33.dsc
e02ca3aaefd43f2e4b0f9cde4d227d49 54976 net optional debmirror_2.33.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAl3xiSsACgkQOTWH2X2G
UAvJGBAAtldIUZf17wNH8P1O+4L+kty2hxwpgEUhIMJWxsY7Z9zFvi45+BeirKSO
oYOtRVcEfW/4q+uwgCuGJfJWX7hGlczNmP6x79CV1sfejxQX39jABtat6FlnRXpe
sEm5dKMz8WlaQ8UKi4BOVuz95XIbUGluAX/drycGedGVcPmAETe4+zu+rS/rbzQQ
3L0AX0th9E8qnel2V7hDqev4NmF+b+2H0kzJsE1He8K1vK+pX995ifGbefRm6Kq3
3ieBmvL2si8aWsmId/Z3qsT/LM4ydMs7MAav0mPvxD42fneyYdHZxv7grzWpGYkG
ZmdK/bQGBMO5FYj4IPlliWwfm02WjucIUlYDQ1vIotIoPlP0f0f0Q4/Wj6B8fLC8
Tca2n0LEmlVbK7Zi/um3NeQI334MOoMB+ZF98YU85Uvp/NhYermYj+r+K4Mvs3N7
HHzNdnxgD5L0x2L1lNkhaSl+evoVxE9lcovzUubGufyBkH7c1WmapAnP0pBc92xl
PEkV/FrqGXhKtyiElfHzOBmTrnR0S028Ju+FR7A6zj28S++BQwlXnbaeXEIPYe1Y
9uy++NmLdPczifYvZT0qYhdqgzGwrcbXz/GLlPwXdQxn6vimrbxn5LsGpqULqbnr
+WhAADBaoZSnDgKQu7rtx40B4NshZvw2cmqtjWhsDpWASnWAq8w=
=JZyv
-----END PGP SIGNATURE-----
--- End Message ---
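The report's split script and the 1:2.33 changelog entry together describe one defect: a cleartext signature (RFC 4880 section 7) is computed over the text with dash-escaping removed and trailing spaces and tabs stripped from every line, so a split that copies the body verbatim produces a detached text whose hash differs from the signed one whenever some line carried trailing whitespace. The following Python is an added example, not code from the bug report or from debmirror, that performs the split with both section 7.1 rules, keeps the pre-fix behaviour selectable for comparison, and reports which lines would make the old output unverifiable. The sample InRelease-style text and its signature block are constructed placeholders, not a real signed file.

```python
"""Split a cleartext-signed message (RFC 4880 section 7) into the signed
text and its ASCII-armored signature, applying the section 7.1 rules the
signature is computed over: dash-escaped lines are unescaped and trailing
spaces and tabs are removed from each line.  Added example in Python; not
debmirror's own (Perl) implementation.
"""
import hashlib

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(text, strip_trailing_ws=True):
    """Return (content, armored_signature) for a clearsigned message.

    strip_trailing_ws=False reproduces the pre-fix (verbatim copy) behaviour.
    Raises ValueError unless the input is a single, complete signed block.
    """
    content, sig = [], []
    state = "before"  # before -> headers -> body -> signature -> done
    for line in text.splitlines():
        if state == "before":
            if line != BEGIN_SIGNED:
                raise ValueError("data before the signed message block")
            state = "headers"
        elif state == "headers":
            # Armor headers ("Hash: SHA256") end at the first empty line.
            if line == "":
                state = "body"
        elif state == "body":
            if line == BEGIN_SIG:
                sig.append(line)
                state = "signature"
                continue
            if line.startswith("- "):      # section 7.1 dash-escaping
                line = line[2:]
            if strip_trailing_ws:          # section 7.1 trailing whitespace
                line = line.rstrip(" \t")
            content.append(line)
        elif state == "signature":
            sig.append(line)
            if line == END_SIG:
                state = "done"
        elif line != "":
            raise ValueError("unsigned data after the signature block")
    if state != "done":
        raise ValueError("message lacks the expected signature parts")
    return "\n".join(content), "\n".join(sig) + "\n"


def lines_with_trailing_ws(text):
    """1-based numbers of body lines that carry trailing spaces or tabs:
    exactly the lines that make a verbatim split unverifiable."""
    raw, _ = split_clearsigned(text, strip_trailing_ws=False)
    return [i for i, l in enumerate(raw.split("\n"), 1) if l != l.rstrip(" \t")]


def textmode_digest(content):
    """SHA-256 over the text as a textmode (type 0x01) signature hashes it:
    lines joined with CRLF.  Used here only to show that the two split
    variants hash differently; a real check needs the signature and key."""
    canonical = "\r\n".join(content.split("\n")).encode()
    return hashlib.sha256(canonical).hexdigest()


# Constructed sample modelled on an InRelease file: "Version:" carries a
# trailing space, "Codename:" a trailing tab, one line is dash-escaped.
# The signature block is a placeholder, not a real signature.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Origin: Example Backports\n"
    "Version: \n"
    "Codename: example-backports\t\n"
    "- -- not a real separator\n"
    "MD5Sum:\n"
    " d41d8cd98f00b204e9800998ecf8427e 0 main/Contents-amd64\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "PLACEHOLDERSIGNATUREDATA=\n"
    "=XXXX\n"
    "-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    fixed, sig = split_clearsigned(SAMPLE)
    old, _ = split_clearsigned(SAMPLE, strip_trailing_ws=False)
    print("body lines with trailing whitespace:", lines_with_trailing_ws(SAMPLE))
    print("verbatim split digest:", textmode_digest(old))
    print("RFC 4880 7.1 digest:  ", textmode_digest(fixed))
```

Running `lines_with_trailing_ws` over a downloaded InRelease file is a quick way to tell whether the 1:2.32 split would have failed on it; an empty field value such as the `Version:` line in the report's `head` output is one place where a trailing space is invisible on screen. Leading whitespace, including the space that starts each checksum entry, is part of the signed text and must be kept, which is why only `rstrip` is applied.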