Package: debsig-verify
Version: 0.19+b10
Severity: important

Hi!

[ Reporting against version 0.19+b10 in buster, but I've tested with
  0.23 and it shows exactly the same issue. ]

I've been trying to use debsigs and debsig-verify for a project, and
things are not going well.

When testing with debsig-verify, I've found a problem with
keyrings. I've signed a deb and generated a policy file and a keyring
to control verification of it with debsig. debsig doesn't work,
showing gpg errors:

$ debsig-verify --policies-dir debsig --keyrings-dir debsig -d test-signed-good.deb ; echo $?
debsig: Starting verification for: test-signed-good.deb
debsig:         getSigKeyID: got 3E44B9BF5EC6F1F7 for origin key
debsig: Using policy directory: debsig/3E44B9BF5EC6F1F7
debsig:   Parsing policy file: debsig/3E44B9BF5EC6F1F7/generic.pol
debsig:     parsePolicyFile: parsing 'debsig/3E44B9BF5EC6F1F7/generic.pol'
debsig:     parsePolicyFile: completed
debsig:     Checking Selection group(s).
debsig:       Processing 'origin' key...
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
debsig: getKeyID subprocess returned error exit status 2
14

I've debugged through this by calling gpg directly with the command
line that's used, and that looks like this:

$ gpg2 --verbose --no-options --no-default-keyring --batch --no-secmem-warning --no-permission-warning --no-mdc-warning --no-auto-check-trustdb --list-packets ./debsig/3E44B9BF5EC6F1F7/debsig.gpg
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error

I've played around some more and worked out the problem - that command
line will not work with a new gpg2-style keyring file:

$ file debsig/3E44B9BF5EC6F1F7/debsig.gpg
debsig/3E44B9BF5EC6F1F7/debsig.gpg: GPG keybox database version 1, created-at Fri May 14 16:32:27 2021, last-maintained Fri May 14 16:32:27 2021

Argh. So, fresh from my experience of debugging debsigs I thought it
would be worth playing with gpg1. I created a new keyring using gpg1,
and now things work:

$ gpg2 --verbose --no-options --no-default-keyring --batch --no-secmem-warning --no-permission-warning --no-mdc-warning --no-auto-check-trustdb --list-packets ./debsig/3E44B9BF5EC6F1F7/debsig.gpg1
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
        version 4, algo 1, created 1591088421, expires 0
...

and now things work properly with debsig-verify:

$ debsig-verify --policies-dir debsig --keyrings-dir debsig -d test-signed-good.deb ; echo $?
debsig: Starting verification for: test-signed-good.deb
debsig:         getSigKeyID: got 3E44B9BF5EC6F1F7 for origin key
debsig: Using policy directory: debsig/3E44B9BF5EC6F1F7
debsig:   Parsing policy file: debsig/3E44B9BF5EC6F1F7/generic.pol
debsig:     parsePolicyFile: parsing 'debsig/3E44B9BF5EC6F1F7/generic.pol'
debsig:     parsePolicyFile: completed
debsig:     Checking Selection group(s).
debsig:       Processing 'origin' key...
debsig:         getKeyID: no match, falling back to 3E44B9BF5EC6F1F7
debsig:         getSigKeyID: got 3E44B9BF5EC6F1F7 for origin key
debsig:     Selection group(s) passed, policy is usable.
debsig: Using policy file: debsig/3E44B9BF5EC6F1F7/generic.pol
debsig:     Checking Verification group(s).
debsig:       Processing 'origin' key...
debsig:         getKeyID: no match, falling back to 3E44B9BF5EC6F1F7
debsig:         getSigKeyID: got 3E44B9BF5EC6F1F7 for origin key
gpg: Signature made Fri 14 May 2021 17:14:59 BST
gpg:                using RSA key 8363C3DB2B165A8C8EB7A6E33E44B9BF5EC6F1F7
gpg: /tmp/debsig-verify.PQkSks/trustdb.gpg: trustdb created
gpg: Good signature from "Steve McIntyre <st...@example.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8363 C3DB 2B16 5A8C 8EB7  A6E3 3E44 B9BF 5EC6 F1F7
debsig:     Verification group(s) passed, deb is validated.
debsig: Verified package from '(null)' ((null))
0

I'm guessing that maybe in your testing you have an old-format keyring
that you've generated a while ago, and you're still using that?

-- System Information:
Debian Release: 10.9
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debsig-verify depends on:
ii  gnupg      2.2.12-1+deb10u1
ii  gpg        2.2.12-1+deb10u1
ii  libc6      2.28-10
ii  libexpat1  2.2.6-2+deb10u1

debsig-verify recommends no packages.

Versions of packages debsig-verify suggests:
ii  debian-keyring  2020.06.24
ii  debsigs         0.1.25

-- no debconf information
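Added example, not part of the bug report above and not code from debsig-verify or GnuPG: a small POSIX sh helper that tells a GnuPG 2.1+ keybox apart from a legacy OpenPGP keyring by its magic bytes (a keybox carries "KBXf" at offset 8 of its header blob; a legacy keyring is a raw packet stream whose first byte is a public-key packet CTB such as 0x99), checks every `<keyrings-dir>/<KEYID>/debsig.gpg` a debsig policy tree refers to, and shows how to regenerate a legacy keyring from a keybox with `gpg --export`. The function names, the `debsig.gpg` layout check and the sample files are this example's own assumptions; the sample files are constructed byte strings, not real keys.

```shell
#!/bin/sh
# Added example (not from the bug report or the debsig-verify project).
# Distinguish a GnuPG keybox (.kbx) from a legacy OpenPGP keyring and
# rebuild the latter, which is what debsig-verify's `gpg --list-packets`
# call on the keyring file can actually parse.
set -u

# Print "keybox", "openpgp" or "unknown" for the file given as $1.
# Keybox: 32-byte header blob with the magic "KBXf" at byte offset 8.
# Legacy keyring: first byte is the CTB of a public-key packet
# (0x99/0x98 old packet format, 0xc6 new packet format).
keyring_format() {
    hex=$(od -An -v -tx1 -N12 "$1" | tr -d ' \n')
    case "$hex" in
        ????????????????4b425866*) echo keybox ;;
        99*|98*|c6*)               echo openpgp ;;
        *)                         echo unknown ;;
    esac
}

# Export every key in keybox $1 as a legacy keyring written to $2.
# gpg detects the keybox format itself; --export emits plain OpenPGP
# packets, i.e. the same layout a pre-2.1 pubring.gpg has.
# gpg treats a --keyring name without a slash as relative to its homedir,
# so make the path absolute first.
keybox_to_keyring() {
    case "$1" in
        /*) kbx=$1 ;;
        *)  kbx=$PWD/$1 ;;
    esac
    gpg --batch --no-default-keyring --keyring "$kbx" --export > "$2"
}

# Check that every <keyrings-dir>/<KEYID>/debsig.gpg under $1 is a legacy
# keyring (hypothetical helper mirroring debsig-verify's keyring layout).
# Returns 1 and names each offending file on stderr otherwise.
check_debsig_keyrings() {
    rc=0
    for k in "$1"/*/debsig.gpg; do
        [ -f "$k" ] || continue
        fmt=$(keyring_format "$k")
        if [ "$fmt" != openpgp ]; then
            echo "$k: $fmt (debsig-verify needs a legacy OpenPGP keyring)" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files (not real keys) so the detection runs offline.
# $1 = keybox | openpgp ; prints the path of a temporary file.
make_sample() {
    f=$(mktemp)
    case "$1" in
        keybox)  printf '\000\000\000\040\001\001\000\000KBXf\000\000\000\000' > "$f" ;;
        openpgp) printf '\231\002\015\004' > "$f" ;;
    esac
    echo "$f"
}
```

Typical use against the layout from the report: `check_debsig_keyrings debsig` flags `debsig/3E44B9BF5EC6F1F7/debsig.gpg` as `keybox`, and `keybox_to_keyring debsig/3E44B9BF5EC6F1F7/debsig.gpg debsig/3E44B9BF5EC6F1F7/debsig.gpg1` produces a file that `gpg --list-packets` accepts, without needing gpg1 installed.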
