Package: debsig-verify
Version: 0.19+b10
Severity: important

Hi!
[ Reporting against version 0.19+b10 in buster, but I've tested with
0.23 and it shows exactly the same issue. ]
I've been trying to use debsigs and debsig-verify for a project, and
things are not going well.

When testing with debsig-verify, I've found a problem with
keyrings. I've signed a deb and generated a policy file and a keyring
to control verification of it with debsig. debsig doesn't work,
showing gpg errors:

$ debsig-verify --policies-dir debsig --keyrings-dir debsig -d
test-signed-good.deb ; echo $?
debsig: Starting verification for: test-signed-good.deb
debsig: getSigKeyID: got 3E44B9BF5EC6F1F7 for origin key
debsig: Using policy directory: debsig/3E44B9BF5EC6F1F7
debsig: Parsing policy file: debsig/3E44B9BF5EC6F1F7/generic.pol
debsig: parsePolicyFile: parsing 'debsig/3E44B9BF5EC6F1F7/generic.pol'
debsig: parsePolicyFile: completed
debsig: Checking Selection group(s).
debsig: Processing 'origin' key...
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
debsig: getKeyID subprocess returned error exit status 2
14

I've debugged through this by calling gpg directly with the command
line that's used, and that looks like this:

$ gpg2 --verbose --no-options --no-default-keyring --batch --no-secmem-warning
--no-permission-warning --no-mdc-warning --no-auto-check-trustdb --list-packets
./debsig/3E44B9BF5EC6F1F7/debsig.gpg
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error

I've played around some more and worked out the problem - that command
line will not work with a new gpg2-style keyring file:

$ file debsig/3E44B9BF5EC6F1F7/debsig.gpg
debsig/3E44B9BF5EC6F1F7/debsig.gpg: GPG keybox database version 1, created-at
Fri May 14 16:32:27 2021, last-maintained Fri May 14 16:32:27 2021

Argh. So, fresh from my experience of debugging debsigs I thought it
would be worth playing with gpg1. I created a new keyring using gpg1,
and now things work:

$ gpg2 --verbose --no-options --no-default-keyring --batch --no-secmem-warning
--no-permission-warning --no-mdc-warning --no-auto-check-trustdb --list-packets
./debsig/3E44B9BF5EC6F1F7/debsig.gpg1
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
version 4, algo 1, created 1591088421, expires 0
...

and now things work properly with debsig-verify:

$ debsig-verify --policies-dir debsig --keyrings-dir debsig -d
test-signed-good.deb ; echo $?
debsig: Starting verification for: test-signed-good.deb
debsig: getSigKeyID: got 3E44B9BF5EC6F1F7 for origin key
debsig: Using policy directory: debsig/3E44B9BF5EC6F1F7
debsig: Parsing policy file: debsig/3E44B9BF5EC6F1F7/generic.pol
debsig: parsePolicyFile: parsing 'debsig/3E44B9BF5EC6F1F7/generic.pol'
debsig: parsePolicyFile: completed
debsig: Checking Selection group(s).
debsig: Processing 'origin' key...
debsig: getKeyID: no match, falling back to 3E44B9BF5EC6F1F7
debsig: getSigKeyID: got 3E44B9BF5EC6F1F7 for origin key
debsig: Selection group(s) passed, policy is usable.
debsig: Using policy file: debsig/3E44B9BF5EC6F1F7/generic.pol
debsig: Checking Verification group(s).
debsig: Processing 'origin' key...
debsig: getKeyID: no match, falling back to 3E44B9BF5EC6F1F7
debsig: getSigKeyID: got 3E44B9BF5EC6F1F7 for origin key
gpg: Signature made Fri 14 May 2021 17:14:59 BST
gpg: using RSA key 8363C3DB2B165A8C8EB7A6E33E44B9BF5EC6F1F7
gpg: /tmp/debsig-verify.PQkSks/trustdb.gpg: trustdb created
gpg: Good signature from "Steve McIntyre <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8363 C3DB 2B16 5A8C 8EB7 A6E3 3E44 B9BF 5EC6 F1F7
debsig: Verification group(s) passed, deb is validated.
debsig: Verified package from '(null)' ((null))
0

I'm guessing that maybe in your testing you have an old-format keyring
that you've generated a while ago, and you're still using that?

-- System Information:
Debian Release: 10.9
APT prefers stable-debug
APT policy: (500, 'stable-debug'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debsig-verify depends on:
ii gnupg 2.2.12-1+deb10u1
ii gpg 2.2.12-1+deb10u1
ii libc6 2.28-10
ii libexpat1 2.2.6-2+deb10u1
debsig-verify recommends no packages.

Versions of packages debsig-verify suggests:
ii debian-keyring 2020.06.24
ii debsigs 0.1.25

-- no debconf information
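The keyring-format mismatch described in the report above, as an added check that is not part of the bug report or of debsig-verify itself: it classifies a keyring file as a GnuPG keybox or a legacy OpenPGP packet keyring before it is placed under the debsig keyrings directory, assuming only that a keybox carries the "KBXf" magic at offset 8 (what `file` keys on) and that a packet keyring starts with a public-key packet header; the sample files are constructed, not real keys.

```sh
#!/bin/sh
# Added example (not from the bug report): classify a debsig keyring before
# debsig-verify runs `gpg --list-packets` on it, which needs a legacy OpenPGP
# packet keyring rather than a GnuPG keybox (assumption: keybox magic "KBXf"
# at offset 8; packet keyring begins with a tag-6 public-key packet header).

keyring_format() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 2; }
    magic=$(od -An -tx1 -j8 -N4 "$f" 2>/dev/null | tr -d ' \n')
    if [ "$magic" = 4b425866 ]; then
        echo keybox
        return 1
    fi
    first=$(od -An -tx1 -N1 "$f" 2>/dev/null | tr -d ' \n')
    case "$first" in
        # old-format header with tag 6: 0x98-0x9b; new-format header, tag 6: 0xc6
        98|99|9a|9b|c6) echo openpgp; return 0 ;;
        *) echo unknown; return 2 ;;
    esac
}

# Report the format and, for a keybox, the conversion that yields a packet
# keyring (gpg --export writes OpenPGP packets; keyring path needs a slash,
# otherwise gpg looks for it in its home directory).
check_debsig_keyring() {
    fmt=$(keyring_format "$1")
    case "$fmt" in
        openpgp) echo "$1: OpenPGP packet keyring, usable by debsig-verify" ;;
        keybox)  echo "$1: keybox format, gpg --list-packets cannot read it"
                 echo "  convert: gpg --no-default-keyring --keyring '$1' --export > '$1.gpg1'" ;;
        *)       echo "$1: not a recognised keyring ($fmt)" ;;
    esac
    [ "$fmt" = openpgp ]
}

# Constructed sample inputs (not real keys): a minimal keybox header blob,
# a truncated public-key packet header, and plain junk.
SAMPLE_DIR=$(mktemp -d)
KBX_SAMPLE=$SAMPLE_DIR/debsig.gpg
PGP_SAMPLE=$SAMPLE_DIR/debsig.gpg1
JUNK_SAMPLE=$SAMPLE_DIR/junk.gpg
printf '\000\000\000\040\001\001\000\000KBXf\000\000\000\000' > "$KBX_SAMPLE"
printf '\231\002\015\004\140\236\112\045\000\000\000\000'      > "$PGP_SAMPLE"
printf 'not a keyring at all\n'                                 > "$JUNK_SAMPLE"

for k in "$KBX_SAMPLE" "$PGP_SAMPLE" "$JUNK_SAMPLE"; do
    check_debsig_keyring "$k"
done
```

Run against the report's debsig/3E44B9BF5EC6F1F7/debsig.gpg, the check reports keybox and the conversion to run, which is the gpg2-style keyring that made `--list-packets` fail.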