Hi all,

A while back I looked at #695932 and similar bugs and attempted to make some progress in addressing them. I was never really happy with what I came up with, but I should share some of my conclusions.

The key problem in each of the bugs is that what is signature-checked is different to what is parsed. In my reading on this, the gpg people said that they weren't intending to offer any sort of functionality to gpgv to give the validated data back (#695855 and other upstream threads). While #695932 is fixed, I don't think dash-escaping is yet fixed in deb822.py and there could easily be further bugs hidden away there.

Using gpg rather than gpgv is the nicest way of killing all these bugs in one pass because you can ask gpg to give you back the signed data (--decrypt) rather than just verify it.

That said, I don't really think we can start depending on gpg rather than gpgv -- that would drag in gpg and all its dependencies into the standard installation.

Since we can't ask gpgv to give us back the data that was signed, the most reliable option will be to separate the signature and what python-debian believes is the payload and then pass the detached signature to gpgv. That way, if the separation of payload from armouring and signature is incorrect (such as these bugs), it turns into a signature failure. I suspect this means using temporary files is needed.

To successfully pull this off, it looked like a bit of refactoring of the reading code in deb822.py was required to reduce the number of different code paths for reading data into the parser.

I should dust off the work that I've already done and rebase it against the current git and then see what it actually achieves and what I was able to achieve with gpgv rather than gpg.

cheers
Stuart

--
Stuart Prescott    http://www.nanonanonano.net/   [email protected]
Debian Developer   http://www.debian.org/         [email protected]
GPG fingerprint    90E2 D2C1 AD14 6A1B 7EBB 891D BBC1 7EBB 1396 F2F7
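The split-then-verify approach described in the message above, sketched as an added example (not code from the message or from python-debian): the bytes handed to gpgv as detached-signature data are exactly the bytes the parser would receive, so a wrong split fails verification instead of letting unsigned text through. The function names and the keyring argument are hypothetical, and the sketch assumes gpgv canonicalises line endings itself when checking a text-mode signature.

```python
import os
import subprocess
import tempfile

BEGIN_MSG = b"-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = b"-----BEGIN PGP SIGNATURE-----"
END_SIG = b"-----END PGP SIGNATURE-----"


def split_clearsigned(data):
    """Return (payload, armoured_signature); reject anything outside the block."""
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # newline terminating the final line
    # Exactly one signed block, with nothing before or after it.
    if (not lines or lines[0] != BEGIN_MSG or lines[-1] != END_SIG
            or lines.count(END_SIG) != 1):
        raise ValueError("content outside the clearsigned block")
    try:
        blank = lines.index(b"", 1)           # end of the armour headers
        sig_at = lines.index(BEGIN_SIG, blank)
    except ValueError:
        raise ValueError("malformed clearsigned block") from None
    if any(not h.startswith(b"Hash: ") for h in lines[1:blank]):
        raise ValueError("unexpected armour header")
    payload = []
    for line in lines[blank + 1:sig_at]:
        if line.startswith(b"- "):
            line = line[2:]                   # undo dash-escaping
        elif line.startswith(b"-"):
            raise ValueError("unescaped dash line inside signed text")
        payload.append(line.rstrip(b" \t"))   # clearsign ignores trailing blanks
    return b"\n".join(payload), b"\n".join(lines[sig_at:]) + b"\n"


def verify_with_gpgv(data, keyring):
    """Return the payload only if gpgv accepts it as the detached-signature data."""
    payload, sig = split_clearsigned(data)
    with tempfile.TemporaryDirectory() as tmp:
        sig_path, data_path = os.path.join(tmp, "sig.asc"), os.path.join(tmp, "payload")
        for path, content in ((sig_path, sig), (data_path, payload)):
            with open(path, "wb") as fh:
                fh.write(content)
        rc = subprocess.run(["gpgv", "--keyring", keyring, sig_path, data_path],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
    if rc != 0:
        raise ValueError("gpgv rejected the signature")
    return payload
```

Only the return value of `verify_with_gpgv` should be passed on to the deb822 parser; the original input is never parsed directly.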
