On Wed, Dec 20, 2023 at 11:59:31PM +0100, Guillem Jover wrote:
>Hi!
>
>On Wed, 2023-12-20 at 15:30:24 +0000, Steve McIntyre wrote:
>> Package: debsig-verify
>> Version: 0.23+b2
>> Severity: important
>> Tags: patch
>
>> Updating our derived distro from bullseye to bookworm, we've moved on
>> from 0.23 to 0.28.  We're using subkeys for signing our debs, and that
>> no longer works. I can see that the change you've made to no longer
>> fall back if a fingerprint doesn't match
>> (849d9633ebf809398c848821c603148ae0470278) has broken this.
>
>Ouch, I've been increasingly unhappy with the whole policy thing,
>because it was not functioning as documented, fixing it to do so has
>broken multiple use cases, it seems like unnecessary complexity and in
>a way trying to reimplement some of the checks that should be done by
>the OpenPGP implementation, and it is getting in the way of adding
>other OpenPGP backends due to the insistence of tying the signature
>issuer fingerprint with the policy to apply, which means the primary
>certificate fingerprint cannot be used as would perhaps be usually
>expected.

Nod. To make everything work reliably here for all cases, we're now
making 4 copies of the policy directory for every key we might use,
using both the long keyid and the full fingerprint for each of the
master key and the signing subkey. Then we're including a keyring with
all of the keys in each of those policy directories. It's not
wonderful... :-/

>I recorded part of this in the TODO, and I had in mind asking you
>about how you use this as part of the redesign work, but I'll leave
>that for a later point. :)

ACK. :-)

So, I'm curious...

Debsig-verify does seem to be really quite over-complicated, at least
for our use case. Wouldn't it be much simpler to just have a keyring
per origin, and then (maybe) a system config file to state which
origin(s) are needed. The policy definition files don't seem to add
any value here. IMHO.

It would also be lovely if the design was less restricted by
GnuPG. (Yes, I know!) A real problem for me is that debsig-verify
wants to see *every* signature accounted for when verifying a
package. This is opposite to the behaviour of gpgv, which is more like
what we were initially expecting / hoping for. We're signing packages
with a rolling range of N keys for our releases, similar to Debian's
Release.gpg setup, and now we have to include 4*N policy directories
for debsig-verify, and our keyring files all have to include *all* the
keys.

So, I'd be tempted by something easier to follow:

 * config to say which keyring(s) to use, and (maybe) some config to
   say "need minimum N valid sigs"

 * keyring(s) including key(s)

 * when validating signatures, verify each of them individually rather
   than expecting GnuPG to DTRT. I think we both know how well that
   works *grin*. If enough valid sigs are detected, we're good. If
   not, fail.

Does that sound reasonable? What am I missing?

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
"I suspect most samba developers are already technically insane... Of
 course, since many of them are Australians, you can't tell." -- Linus Torvalds
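The scheme sketched above (a keyring per origin, a "need minimum N valid sigs" setting, and each signature checked on its own rather than the whole set passing or failing together) as an added worked example. This is not code from debsig-verify or from anyone in this thread; it uses Ed25519 from Go's standard library as a stand-in for the OpenPGP signatures a real tool would verify, and the 8-byte key identifier derived from a SHA-256 of the public key is a made-up scheme standing in for an OpenPGP fingerprint. The origin name, key counts and payload are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signature carries the signing key's short identifier next to the signature
// bytes, so the verifier can pick the matching key out of the keyring.
type Signature struct {
	KeyID [8]byte
	Sig   []byte
}

// Keyring is the per-origin set of trusted public keys.
type Keyring struct {
	Origin string
	Keys   []ed25519.PublicKey
}

// Policy is the "need minimum N valid sigs" configuration for one origin.
type Policy struct {
	Origin   string
	MinValid int
}

// keyID derives a stable 8-byte identifier from a public key. This is a
// hypothetical scheme for the example; OpenPGP would use the fingerprint.
func keyID(pub ed25519.PublicKey) [8]byte {
	sum := sha256.Sum256(pub)
	var id [8]byte
	copy(id[:], sum[:8])
	return id
}

// NewKeyring generates n fresh keypairs for an origin. The private keys are
// returned only so a caller can produce signatures for the demonstration.
func NewKeyring(origin string, n int) (Keyring, []ed25519.PrivateKey, error) {
	kr := Keyring{Origin: origin}
	var privs []ed25519.PrivateKey
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return Keyring{}, nil, err
		}
		kr.Keys = append(kr.Keys, pub)
		privs = append(privs, priv)
	}
	return kr, privs, nil
}

// Sign produces one signature over the package payload.
func Sign(priv ed25519.PrivateKey, payload []byte) Signature {
	pub := priv.Public().(ed25519.PublicKey)
	return Signature{KeyID: keyID(pub), Sig: ed25519.Sign(priv, payload)}
}

// CountValid checks every signature individually against the origin's keyring
// and returns how many distinct trusted keys validly signed the payload.
// A signature from a key outside the keyring, or one that fails to verify,
// is simply not counted: it neither helps nor, on its own, fails the check.
// The same key signing twice is counted once.
func CountValid(kr Keyring, payload []byte, sigs []Signature) int {
	counted := make(map[[8]byte]bool)
	for _, s := range sigs {
		for _, pub := range kr.Keys {
			if keyID(pub) != s.KeyID || counted[s.KeyID] {
				continue
			}
			if ed25519.Verify(pub, payload, s.Sig) {
				counted[s.KeyID] = true
			}
		}
	}
	return len(counted)
}

// Verify applies the policy: the package passes when at least MinValid
// distinct keys from the policy's origin keyring have validly signed it.
func Verify(kr Keyring, pol Policy, payload []byte, sigs []Signature) (int, bool) {
	if kr.Origin != pol.Origin {
		return 0, false
	}
	n := CountValid(kr, payload, sigs)
	return n, n >= pol.MinValid
}

func main() {
	payload := []byte("constructed stand-in for a package's signed digest")
	kr, privs, err := NewKeyring("example-origin", 4) // rolling set of 4 keys
	if err != nil {
		panic(err)
	}
	pol := Policy{Origin: "example-origin", MinValid: 2}
	_, stranger, _ := ed25519.GenerateKey(rand.Reader) // key not in the keyring

	sigs := []Signature{Sign(privs[0], payload), Sign(privs[2], payload), Sign(stranger, payload)}
	n, ok := Verify(kr, pol, payload, sigs)
	fmt.Printf("valid=%d ok=%v (two trusted signers, unknown signer ignored)\n", n, ok)

	tampered := append([]byte{}, payload...)
	tampered[0] ^= 1
	n, ok = Verify(kr, pol, tampered, sigs)
	fmt.Printf("valid=%d ok=%v (payload tampered)\n", n, ok)
}
```

The point of CountValid is the behaviour Steve contrasts with debsig-verify: a signature the verifier cannot account for is ignored rather than fatal, so a package signed by the current N-key set and by a key that has since been rotated out of the keyring still passes as long as enough trusted keys remain. A deployment would of course load the keyring from disk and keep only the public half; the generator here exists so the example runs offline.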
