Your message dated Mon, 17 May 2021 13:51:31 +0200
with message-id <YKJYwxjQQ/[email protected]>
and subject line Re: Bug#988646: debsig-verify doesn't work with gpg2-format keyrings
has caused the Debian Bug report #988646,
regarding debsig-verify doesn't work with gpg2-format keyrings
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
988646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988646
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: debsig-verify
Version: 0.19+b10
Severity: important

Hi!

[ Reporting against version 0.19+b10 in buster, but I've tested with
  0.23 and it shows exactly the same issue. ]

I've been trying to use debsigs and debsig-verify for a project, and
things are not going well.

When testing with debsig-verify, I've found a problem with
keyrings. I've signed a deb and generated a policy file and a keyring
to control verification of it with debsig. debsig doesn't work,
showing gpg errors:

$ debsig-verify --policies-dir debsig --keyrings-dir debsig -d test-signed-good.deb ; echo $?
debsig: Starting verification for: test-signed-good.deb
debsig:         getSigKeyID: got 3E44B9BF5EC6F1F7 for origin key
debsig: Using policy directory: debsig/3E44B9BF5EC6F1F7
debsig:   Parsing policy file: debsig/3E44B9BF5EC6F1F7/generic.pol
debsig:     parsePolicyFile: parsing 'debsig/3E44B9BF5EC6F1F7/generic.pol'
debsig:     parsePolicyFile: completed
debsig:     Checking Selection group(s).
debsig:       Processing 'origin' key...
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
debsig: getKeyID subprocess returned error exit status 2
14

I've debugged through this by calling gpg directly with the command
line that's used, and that looks like this:

$ gpg2 --verbose --no-options --no-default-keyring --batch --no-secmem-warning --no-permission-warning --no-mdc-warning --no-auto-check-trustdb --list-packets ./debsig/3E44B9BF5EC6F1F7/debsig.gpg
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error

I've played around some more and worked out the problem - that command
line will not work with a new gpg2-style keyring file:

$ file debsig/3E44B9BF5EC6F1F7/debsig.gpg
debsig/3E44B9BF5EC6F1F7/debsig.gpg: GPG keybox database version 1, created-at Fri May 14 16:32:27 2021, last-maintained Fri May 14 16:32:27 2021

Argh. So, fresh from my experience of debugging debsigs I thought it
would be worth playing with gpg1. I created a new keyring using gpg1,
and now things work:

$ gpg2 --verbose --no-options --no-default-keyring --batch --no-secmem-warning --no-permission-warning --no-mdc-warning --no-auto-check-trustdb --list-packets ./debsig/3E44B9BF5EC6F1F7/debsig.gpg1
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
        version 4, algo 1, created 1591088421, expires 0
...

and now things work properly with debsig-verify:

$ debsig-verify --policies-dir debsig --keyrings-dir debsig -d test-signed-good.deb ; echo $?
debsig: Starting verification for: test-signed-good.deb
debsig:         getSigKeyID: got 3E44B9BF5EC6F1F7 for origin key
debsig: Using policy directory: debsig/3E44B9BF5EC6F1F7
debsig:   Parsing policy file: debsig/3E44B9BF5EC6F1F7/generic.pol
debsig:     parsePolicyFile: parsing 'debsig/3E44B9BF5EC6F1F7/generic.pol'
debsig:     parsePolicyFile: completed
debsig:     Checking Selection group(s).
debsig:       Processing 'origin' key...
debsig:         getKeyID: no match, falling back to 3E44B9BF5EC6F1F7
debsig:         getSigKeyID: got 3E44B9BF5EC6F1F7 for origin key
debsig:     Selection group(s) passed, policy is usable.
debsig: Using policy file: debsig/3E44B9BF5EC6F1F7/generic.pol
debsig:     Checking Verification group(s).
debsig:       Processing 'origin' key...
debsig:         getKeyID: no match, falling back to 3E44B9BF5EC6F1F7
debsig:         getSigKeyID: got 3E44B9BF5EC6F1F7 for origin key
gpg: Signature made Fri 14 May 2021 17:14:59 BST
gpg:                using RSA key 8363C3DB2B165A8C8EB7A6E33E44B9BF5EC6F1F7
gpg: /tmp/debsig-verify.PQkSks/trustdb.gpg: trustdb created
gpg: Good signature from "Steve McIntyre <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8363 C3DB 2B16 5A8C 8EB7  A6E3 3E44 B9BF 5EC6 F1F7
debsig:     Verification group(s) passed, deb is validated.
debsig: Verified package from '(null)' ((null))
0

I'm guessing that maybe in your testing you have an old-format keyring
that you've generated a while ago, and you're still using that?

-- System Information:
Debian Release: 10.9
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debsig-verify depends on:
ii  gnupg      2.2.12-1+deb10u1
ii  gpg        2.2.12-1+deb10u1
ii  libc6      2.28-10
ii  libexpat1  2.2.6-2+deb10u1

debsig-verify recommends no packages.

Versions of packages debsig-verify suggests:
ii  debian-keyring  2020.06.24
ii  debsigs         0.1.25

-- no debconf information

--- End Message ---
--- Begin Message ---
Hi!

On Mon, 2021-05-17 at 12:03:30 +0100, Steve McIntyre wrote:
> Package: debsig-verify
> Version: 0.19+b10
> Severity: important

> [ Reporting against version 0.19+b10 in buster, but I've tested with
>   0.23 and it shows exactly the same issue. ]
> 
> I've been trying to use debsigs and debsig-verify for a project, and
> things are not going well.
> 
> When testing with debsig-verify, I've found a problem with
> keyrings. I've signed a deb and generated a policy file and a keyring
> to control verification of it with debsig. debsig doesn't work,
> showing gpg errors:
> 
> $ debsig-verify --policies-dir debsig --keyrings-dir debsig -d test-signed-good.deb ; echo $?
> debsig: Starting verification for: test-signed-good.deb
> debsig:         getSigKeyID: got 3E44B9BF5EC6F1F7 for origin key
> debsig: Using policy directory: debsig/3E44B9BF5EC6F1F7
> debsig:   Parsing policy file: debsig/3E44B9BF5EC6F1F7/generic.pol
> debsig:     parsePolicyFile: parsing 'debsig/3E44B9BF5EC6F1F7/generic.pol'
> debsig:     parsePolicyFile: completed
> debsig:     Checking Selection group(s).
> debsig:       Processing 'origin' key...
> gpg: no valid OpenPGP data found.
> gpg: processing message failed: Unknown system error
> debsig: getKeyID subprocess returned error exit status 2
> 14
> 
> I've debugged through this by calling gpg directly with the command
> line that's used, and that looks like this:
> 
> $ gpg2 --verbose --no-options --no-default-keyring --batch --no-secmem-warning --no-permission-warning --no-mdc-warning --no-auto-check-trustdb --list-packets ./debsig/3E44B9BF5EC6F1F7/debsig.gpg
> gpg: no valid OpenPGP data found.
> gpg: processing message failed: Unknown system error
> 
> I've played around some more and worked out the problem - that command
> line will not work with a new gpg2-style keyring file:
> 
> $ file debsig/3E44B9BF5EC6F1F7/debsig.gpg
> debsig/3E44B9BF5EC6F1F7/debsig.gpg: GPG keybox database version 1, created-at Fri May 14 16:32:27 2021, last-maintained Fri May 14 16:32:27 2021

The problem here is that this is not an OpenPGP keyring, as file(1)
correctly points out. :) This is the internal keybox database format
used by GnuPG to store its keys. You need to generate an actual keyring
with --export (the format of OpenPGP keyrings is specified in RFC4880,
while the keybox db is specific to GnuPG).

> Argh. So, fresh from my experience of debugging debsigs I thought it
> would be worth playing with gpg1. I created a new keyring using gpg1,
> and now things work:
> 
> $ gpg2 --verbose --no-options --no-default-keyring --batch --no-secmem-warning --no-permission-warning --no-mdc-warning --no-auto-check-trustdb --list-packets ./debsig/3E44B9BF5EC6F1F7/debsig.gpg1
> # off=0 ctb=99 tag=6 hlen=3 plen=525
> :public key packet:
>         version 4, algo 1, created 1591088421, expires 0
> ...
> 
> and now things work properly with debsig-verify:

That's because gpg1 used to use an OpenPGP keyring as its internal db
store, but that changed with gpg2.

> $ debsig-verify --policies-dir debsig --keyrings-dir debsig -d test-signed-good.deb ; echo $?
> debsig: Starting verification for: test-signed-good.deb
> debsig:         getSigKeyID: got 3E44B9BF5EC6F1F7 for origin key
> debsig: Using policy directory: debsig/3E44B9BF5EC6F1F7
> debsig:   Parsing policy file: debsig/3E44B9BF5EC6F1F7/generic.pol
> debsig:     parsePolicyFile: parsing 'debsig/3E44B9BF5EC6F1F7/generic.pol'
> debsig:     parsePolicyFile: completed
> debsig:     Checking Selection group(s).
> debsig:       Processing 'origin' key...
> debsig:         getKeyID: no match, falling back to 3E44B9BF5EC6F1F7
> debsig:         getSigKeyID: got 3E44B9BF5EC6F1F7 for origin key
> debsig:     Selection group(s) passed, policy is usable.
> debsig: Using policy file: debsig/3E44B9BF5EC6F1F7/generic.pol
> debsig:     Checking Verification group(s).
> debsig:       Processing 'origin' key...
> debsig:         getKeyID: no match, falling back to 3E44B9BF5EC6F1F7
> debsig:         getSigKeyID: got 3E44B9BF5EC6F1F7 for origin key
> gpg: Signature made Fri 14 May 2021 17:14:59 BST
> gpg:                using RSA key 8363C3DB2B165A8C8EB7A6E33E44B9BF5EC6F1F7
> gpg: /tmp/debsig-verify.PQkSks/trustdb.gpg: trustdb created
> gpg: Good signature from "Steve McIntyre <[email protected]>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 8363 C3DB 2B16 5A8C 8EB7  A6E3 3E44 B9BF 5EC6 F1F7
> debsig:     Verification group(s) passed, deb is validated.
> debsig: Verified package from '(null)' ((null))
> 0
> 
> I'm guessing that maybe in your testing you have an old-format keyring
> that you've generated a while ago, and you're still using that?

I think the problem is that you might be just importing keys and using
the keybox directly instead of exporting into an actual keyring? Given
that even gpg2 cannot operate (analyze) on the keybox as if it was an
OpenPGP keyring, that should be telling of this not being a debsig* problem. :)

So I think I'll just close this report. Please feel free to reopen if
I've missed something.

Thanks,
Guillem

--- End Message ---
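The distinction Guillem draws above, as an added example that is not part of the thread or of debsig-verify itself: a small Python check that tells a GnuPG keybox database from an RFC 4880 OpenPGP keyring by its first bytes. The sample inputs are constructed here; the packet header it recognises is the one the report shows (ctb=99 tag=6 hlen=3 plen=525).

```python
"""Tell a GnuPG keybox (.kbx) database from an OpenPGP keyring.

debsig-verify runs ``gpg --list-packets`` over the keyring it is given, so the
file must be a sequence of RFC 4880 packets (what ``gpg --export`` writes), not
GnuPG's internal keybox database. The samples below are constructed.
"""
import struct

KEYBOX_MAGIC = b"KBXf"  # magic at offset 8 of the keybox header blob


def parse_openpgp_packet_header(data: bytes) -> dict:
    """Parse the first OpenPGP packet header (old or new format, RFC 4880 4.2)."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet: bit 7 of the first byte is clear")
    ctb = data[0]
    if ctb & 0x40:  # new-format packet: tag in the low 6 bits
        tag = ctb & 0x3F
        first = data[1]
        if first < 192:
            plen, hlen = first, 2
        elif first < 224:
            plen, hlen = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            plen, hlen = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not valid in a keyring")
    else:  # old-format packet: tag in bits 2-5, length type in bits 0-1
        tag = (ctb >> 2) & 0x0F
        ltype = ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not valid in a keyring")
        size = 1 << ltype  # 1, 2 or 4 length bytes follow the ctb
        plen = int.from_bytes(data[1:1 + size], "big")
        hlen = 1 + size
    return {"ctb": ctb, "tag": tag, "hlen": hlen, "plen": plen}


def classify_keyring(data: bytes) -> str:
    """Return 'keybox', 'openpgp' or 'unknown' for the given file contents."""
    if len(data) >= 12 and data[4] == 1 and data[8:12] == KEYBOX_MAGIC:
        return "keybox"  # header blob: u32 len, type 1, version, flags, 'KBXf'
    try:
        hdr = parse_openpgp_packet_header(data)
    except (ValueError, IndexError):
        return "unknown"
    # A keyring starts with a public-key (tag 6) or secret-key (tag 5) packet.
    return "openpgp" if hdr["tag"] in (5, 6) else "unknown"


# Constructed keybox header blob: length 32, type 1, version 1, two timestamps.
KEYBOX_SAMPLE = struct.pack(">IBBH4sIII", 32, 1, 1, 0, KEYBOX_MAGIC,
                            0, 1621002747, 1621002747) + b"\0" * 8
# Constructed old-format public key packet matching the report: ctb=0x99,
# tag=6, hlen=3, plen=525; body is v4, created 1591088421, algo 1 (RSA).
OPENPGP_SAMPLE = (bytes([0x99, 0x02, 0x0D, 4]) + struct.pack(">I", 1591088421)
                  + bytes([1]) + b"\0" * 519)
```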