Your message dated Mon, 08 Apr 2024 03:20:18 +0000
with message-id <e1rtfyq-00aed0...@fasolo.debian.org>
and subject line Bug#1059150: fixed in debsig-verify 0.30
has caused the Debian Bug report #1059150,
regarding No longer works with signing subkeys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1059150: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059150
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: debsig-verify
Version: 0.23+b2
Severity: important
Tags: patch

Hey Guillem,

Updating our derived distro from bullseye to bookworm, we've moved on
from 0.23 to 0.28.  We're using subkeys for signing our debs, and that
no longer works. I can see that the change you've made to no longer
fall back if a fingerprint doesn't match
(849d9633ebf809398c848821c603148ae0470278) has broken this.

Here's a patch that I've added locally on top of 0.28 to also attempt
to match subkey fingerprints. This passes tests here and makes subkeys
work for us again.

Cheers,

Steve


-- System Information:
Debian Release: 11.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldoldstable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-26-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debsig-verify depends on:
ii  gnupg      2.2.27-2+deb11u2
ii  gpg        2.2.27-2+deb11u2
ii  libc6      2.31-13+deb11u7
ii  libexpat1  2.2.10-2+deb11u5

debsig-verify recommends no packages.

Versions of packages debsig-verify suggests:
ii  debian-keyring  2021.09.25
ii  debsigs         0.1.25

-- no debconf information
diff --git a/src/openpgp-gpg.c b/src/openpgp-gpg.c
index 4c29b7f..97ec3a4 100644
--- a/src/openpgp-gpg.c
+++ b/src/openpgp-gpg.c
@@ -115,6 +115,7 @@ enum keyid_state {
     KEYID_FPR,
     KEYID_UID,
     KEYID_SIG,
+    KEYID_SUB,
 };
 
 enum colon_fields {
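Review bot: KEYID_SUB is the only state in this enum that is not entered by the gpg record it is named after (the others track pub:, fpr:, uid: and sig: lines), so a one-line comment on the new enumerator saying when the state machine enters it, and that an fpr: line seen in this state is taken to be a subkey fingerprint, would save the next reader from having to trace gpg_getKeyID to find out.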
@@ -221,7 +222,7 @@ gpg_getKeyID(const char *keyring, const char *match_id)
 
             /* Certificate found. */
             state = KEYID_PUB;
-        } else if (state == KEYID_PUB) {
+        } else if (state == KEYID_PUB || state == KEYID_SUB) {
             if (!match_prefix(buf, "fpr:"))
                continue;
             fpr = get_colon_field(buf, COLON_FIELD_FPR_ID);
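Review bot: in the `state == KEYID_SUB` case an `fpr:` record is compared against match_id without any check on which record it follows; nothing in the patch looks at `sub:` lines at all, so the subkey's capability field is never consulted and the fingerprint of an encryption-only subkey would satisfy the policy just as a signing subkey's would. Suggest entering KEYID_SUB from a `sub:` record (for example `if (match_prefix(buf, "sub:")) state = KEYID_SUB;`), noting there whether the capabilities field contains `s`, and only then comparing the fpr: that follows.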
@@ -241,6 +242,7 @@ gpg_getKeyID(const char *keyring, const char *match_id)
                continue;
             if (strcmp(uid, match_id) != 0) {
                 free(uid);
+               state = KEYID_SUB;
                continue;
            }
             free(uid);
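Review bot: setting `state = KEYID_SUB` on the first `uid:` that does not equal match_id means every later `uid:` record of the same certificate is skipped, because in KEYID_SUB only `fpr:` lines are examined (`if (!match_prefix(buf, "fpr:")) continue;` in the hunk above). A certificate whose second user id is the one named in the policy would therefore no longer match. Suggest leaving the state unchanged on a uid mismatch (the original `free(uid); continue;`) and switching to KEYID_SUB when a `sub:` record is seen instead, so that uid: lines keep being compared until the subkey section actually starts.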

--- End Message ---
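The matching that the report above is about, as an added example in C that is not debsig-verify's code and not Steve's patch: a small state machine over a constructed `gpg --with-colons` listing that accepts the primary fingerprint, any user id, and the fingerprint of a signing-capable subkey, while ignoring encryption-only subkeys and still comparing later uid: records after a mismatch. The record layout assumed here is the one in gnupg's doc/DETAILS (field 1 record type, field 10 fingerprint or user id, field 12 key capabilities); the capability check and the sample listing are assumptions of this example, not behaviour of the package.

```c
#include <stdio.h>
#include <string.h>

/* What kind of record in the listing matched the policy id. */
enum match_kind { MATCH_NONE, MATCH_PUB, MATCH_UID, MATCH_SUB };

/* Constructed sample `gpg --with-colons` listing: one primary key with two
 * user ids, a signing subkey ("s" in field 12) and an encryption-only
 * subkey ("e").  Fingerprints and key ids are placeholders, not a real key. */
static const char sample_listing[] =
    "tru::1:1700000000:0:3:1:5\n"
    "pub:u:255:22:AAAA000000000001:1700000000:::u:::scESC::::::23::0:\n"
    "fpr:::::::::1111111111111111111111111111111111111111:\n"
    "uid:u::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::Test Signer <signer@example.invalid>::::::::::0:\n"
    "uid:u::::1700000000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Second Identity <second@example.invalid>::::::::::0:\n"
    "sub:u:255:22:AAAA000000000002:1700000000::::::s::::::23:\n"
    "fpr:::::::::2222222222222222222222222222222222222222:\n"
    "sub:u:255:18:AAAA000000000003:1700000000::::::e::::::23:\n"
    "fpr:::::::::3333333333333333333333333333333333333333:\n";

/* Copy 1-based colon-separated field `idx` of one record into `out`.
 * Returns 0 if the record has fewer fields or the value does not fit. */
static int get_field(const char *rec, int idx, char *out, size_t outlen)
{
    const char *p = rec;
    for (int i = 1; i < idx; i++) {
        p = strchr(p, ':');
        if (p == NULL)
            return 0;
        p++;
    }
    size_t n = strcspn(p, ":");
    if (n >= outlen)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Scan the listing for `match_id`.  `owner` remembers which key record the
 * next fpr: line describes, so a fingerprint is only accepted when it belongs
 * to the primary key or to a signing-capable subkey; uid: records keep being
 * compared after a mismatch instead of ending the search. */
enum match_kind find_key(const char *listing, const char *match_id)
{
    enum { OWNER_NONE, OWNER_PUB, OWNER_SUB_SIGN, OWNER_SUB_OTHER } owner = OWNER_NONE;
    const char *line = listing;

    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char rec[512], field[256];

        if (len >= sizeof(rec))
            return MATCH_NONE;          /* overlong record: refuse rather than truncate */
        memcpy(rec, line, len);
        rec[len] = '\0';
        line = nl ? nl + 1 : line + len;

        if (strncmp(rec, "pub:", 4) == 0) {
            owner = OWNER_PUB;
        } else if (strncmp(rec, "sub:", 4) == 0) {
            /* field 12 lists capabilities; only an 's' subkey may sign packages */
            owner = (get_field(rec, 12, field, sizeof(field)) && strchr(field, 's'))
                        ? OWNER_SUB_SIGN : OWNER_SUB_OTHER;
        } else if (strncmp(rec, "fpr:", 4) == 0) {
            if (!get_field(rec, 10, field, sizeof(field)) || strcmp(field, match_id) != 0)
                continue;
            if (owner == OWNER_PUB)
                return MATCH_PUB;
            if (owner == OWNER_SUB_SIGN)
                return MATCH_SUB;
            /* fingerprint of an encryption-only subkey: not a valid signer, keep going */
        } else if (strncmp(rec, "uid:", 4) == 0) {
            if (get_field(rec, 10, field, sizeof(field)) && strcmp(field, match_id) == 0)
                return MATCH_UID;
        } else {
            owner = OWNER_NONE;         /* tru:, grp:, uat:, sig:, ... carry no key fingerprint */
        }
    }
    return MATCH_NONE;
}

int main(void)
{
    static const char *ids[] = {
        "1111111111111111111111111111111111111111",     /* primary key */
        "2222222222222222222222222222222222222222",     /* signing subkey */
        "3333333333333333333333333333333333333333",     /* encryption-only subkey */
        "Second Identity <second@example.invalid>",     /* second user id */
    };
    static const char *names[] = { "none", "pub", "uid", "sub" };
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
        printf("%-45s -> %s\n", ids[i], names[find_key(sample_listing, ids[i])]);
    return 0;
}
```

Feeding the real listing would mean running `gpg --with-colons --fingerprint --keyring <file>` and passing its output to find_key; the point of tracking the owning record is that an fpr: line is only meaningful relative to the pub: or sub: line before it, which a state machine keyed on uid mismatches cannot express.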
--- Begin Message ---
Source: debsig-verify
Source-Version: 0.30
Done: Guillem Jover <guil...@debian.org>

We believe that the bug you reported is fixed in the latest version of
debsig-verify, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1059...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guil...@debian.org> (supplier of updated debsig-verify package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 08 Apr 2024 04:53:04 +0200
Source: debsig-verify
Architecture: source
Version: 0.30
Distribution: unstable
Urgency: medium
Maintainer: Dpkg Developers <debian-d...@lists.debian.org>
Changed-By: Guillem Jover <guil...@debian.org>
Closes: 1059150
Changes:
 debsig-verify (0.30) unstable; urgency=medium
 .
   * Add OpenPGP subkey support.
     Based on a patch by Steve McIntyre <st...@einval.com>. Closes: #1059150
   * Switch from pkg-config to pkgconf.
   * Documentation:
     - doc: Bump required C compiler to support C99.
   * Packaging:
     - Update copyright years.
   * Test suite:
     - Add new macro to set the OpenPGP key to use.
     - Switch to use sq --signer-file.
Checksums-Sha1:
 01670e599b512c3cbaa897f492cfa2700cd717c5 1883 debsig-verify_0.30.dsc
 cb4c8bba735a039089d06ee62c4f8d28640a2fd9 148388 debsig-verify_0.30.tar.xz
 c3583ec44c15a4d66263a491cb94c2fd7b22d370 6682 debsig-verify_0.30_amd64.buildinfo
Checksums-Sha256:
 0804e0ece8790d81cb8295976b0b344eb362bbad3dfd88141c3c2bd6baf209c9 1883 debsig-verify_0.30.dsc
 cb97fdf5f8af2aecc18c3436a18c5f50a4563e4dcc506553c022e22838d1b808 148388 debsig-verify_0.30.tar.xz
 466649a8b747ab8e4f1fc071778d0e9c2667a674f06a4af822a686553ba36826 6682 debsig-verify_0.30_amd64.buildinfo
Files:
 6413ca59d30c14247db5155f3c6a514f 1883 admin optional debsig-verify_0.30.dsc
 b72ec987ffd867e3f9d1cb08f70ed75c 148388 admin optional debsig-verify_0.30.tar.xz
 ec6a1deba0dc37dbf3514006324b8b7d 6682 admin optional debsig-verify_0.30_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
