Package: debsig-verify
Version: 0.23+b2
Severity: important
Tags: patch

Hey Guillem,

Updating our derived distro from bullseye to bookworm, we've moved on
from 0.23 to 0.28.  We're using subkeys for signing our debs, and that
no longer works. I can see that the change you've made to no longer
fall back if a fingerprint doesn't match
(849d9633ebf809398c848821c603148ae0470278) has broken this.

Here's a patch that I've added locally on top of 0.28 to also attempt
to match subkey fingerprints. This passes tests here and makes subkeys
work for us again.

Cheers,

Steve


-- System Information:
Debian Release: 11.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldoldstable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-26-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debsig-verify depends on:
ii  gnupg      2.2.27-2+deb11u2
ii  gpg        2.2.27-2+deb11u2
ii  libc6      2.31-13+deb11u7
ii  libexpat1  2.2.10-2+deb11u5

debsig-verify recommends no packages.

Versions of packages debsig-verify suggests:
ii  debian-keyring  2021.09.25
ii  debsigs         0.1.25

-- no debconf information
diff --git a/src/openpgp-gpg.c b/src/openpgp-gpg.c
index 4c29b7f..97ec3a4 100644
--- a/src/openpgp-gpg.c
+++ b/src/openpgp-gpg.c
@@ -115,6 +115,7 @@ enum keyid_state {
     KEYID_FPR,
     KEYID_UID,
     KEYID_SIG,
+    KEYID_SUB,
 };
 
 enum colon_fields {
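Review bot: KEYID_SUB is added without a comment, and its name suggests the state is entered when a `sub:` record is seen, whereas the only transition into it in this patch is the uid-mismatch branch in gpg_getKeyID. A one-line comment on the enumerator (for example `KEYID_SUB, /* uid did not match; now scanning subkey fpr: records */`) would stop the next reader from looking for a `sub:` match that does not exist.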
@@ -221,7 +222,7 @@ gpg_getKeyID(const char *keyring, const char *match_id)
 
             /* Certificate found. */
             state = KEYID_PUB;
-        } else if (state == KEYID_PUB) {
+        } else if (state == KEYID_PUB || state == KEYID_SUB) {
             if (!match_prefix(buf, "fpr:"))
                continue;
             fpr = get_colon_field(buf, COLON_FIELD_FPR_ID);
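Review bot: Folding KEYID_SUB into the KEYID_PUB branch accepts a `fpr:` record in the subkey state without checking that a `sub:` record preceded it, and the code after `fpr = get_colon_field(buf, COLON_FIELD_FPR_ID);` (outside this hunk) now runs for subkey fingerprints too. Two things need confirming before this merges: that whatever that code does on a fingerprint mismatch is still right when entered from KEYID_SUB (if it resets to KEYID_NONE, scanning stops at the first non-matching subkey instead of moving on to the next one), and that a `pub:` record for the following certificate is handled before this branch is reached, otherwise that certificate's primary `fpr:` is compared here as though it were a subkey of the previous one. Matching `sub:` explicitly in the KEYID_SUB state and only then looking for its `fpr:` would make the state machine follow the `--with-colons` record order instead of relying on it implicitly.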
@@ -241,6 +242,7 @@ gpg_getKeyID(const char *keyring, const char *match_id)
                continue;
             if (strcmp(uid, match_id) != 0) {
                 free(uid);
+               state = KEYID_SUB;
                continue;
            }
             free(uid);

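Review bot: Setting `state = KEYID_SUB` inside the uid-mismatch branch ends the `uid:` scan at the first non-matching user ID, so a certificate with several uids whose matching uid is not listed first is no longer found; before this change the `continue` left the state as it was and the next `uid:` record was compared as well. Leave the state unchanged here and switch to KEYID_SUB when a `sub:` record is encountered instead, so every uid is still tried before the subkey fingerprints are. The added line also appears to be indented differently from the `free(uid);` directly above it.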