Bug#723763: monkeysign should not sign revoked uids
On Thu, Sep 01, 2016 at 11:11:57AM -0400, Antoine Beaupré wrote:
> On 2016-08-01 17:53:11, Antoine Beaupré wrote:
> > Control: tags -1 +moreinfo
> >
> > Could you provide unit tests coverage for this and verify that the tests
> > pass after the patch is applied?
>
> Also, after discussing with the Geysigning people, it seems that I
> missed another patch that was already made here:
>
> https://lists.riseup.net/www/arc/monkeysphere/2015-02/msg9.html
>
> It seems that his patchset is a little more complete, although it still
> doesn't feature unit tests, which I would prefer to have before merging
> this in.
>
> Please consider reviewing his work before going forward - it seems that
> running --list-keys twice is necessary, unless we're running GPG 2.1
> (which I am starting to think we should depend on :/).

Sigh... disregard that - the above patches make sure that we don't sign
*with* revoked keys - a different issue (which I'll track in #766129).

a.

-- 
Man builds houses because he is alive, but he writes books because he
knows he is mortal.
- Daniel Pennac, Comme un roman
Bug#723763: monkeysign should not sign revoked uids
On 2016-08-01 17:53:11, Antoine Beaupré wrote:
> Control: tags -1 +moreinfo
>
> Could you provide unit tests coverage for this and verify that the tests
> pass after the patch is applied?

Also, after discussing with the Geysigning people, it seems that I
missed another patch that was already made here:

https://lists.riseup.net/www/arc/monkeysphere/2015-02/msg9.html

It seems that his patchset is a little more complete, although it still
doesn't feature unit tests, which I would prefer to have before merging
this in.

Please consider reviewing his work before going forward - it seems that
running --list-keys twice is necessary, unless we're running GPG 2.1
(which I am starting to think we should depend on :/).

A.

-- 
Any sufficiently advanced technology is indistinguishable from magic.
- Arthur C. Clarke
Bug#723763: monkeysign should not sign revoked uids
On 2016-08-06 17:09:11, Nicholas D Steeves wrote:
> Hi Antoine,
>
> I think by default Monkeysign still signs revoked keys and sends
> emails to addresses that might no longer be active. I just ran a
> monkeysign 7B75921E, and I think you have received a signed key for a
> few of your revoked ones.

Yes, the bug is definitely still not fixed. Jerome sent a patch for this
(in cc), available here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723763#35

The patch is incomplete: we need unit test coverage for it, and just
make sure it passes tests. But you could try it out and report if it
works for you, that would certainly be useful! :)

Thanks for the feedback,

A.

-- 
It is a miracle that curiosity survives formal education
- Albert Einstein
Bug#723763: monkeysign should not sign revoked uids
Control: found -1 monkeysign/2.0.2

Hi Antoine,

I think by default Monkeysign still signs revoked keys and sends
emails to addresses that might no longer be active. I just ran a
monkeysign 7B75921E, and I think you have received a signed key for a
few of your revoked ones.

Cheers,
Nicholas
Bug#723763: monkeysign should not sign revoked uids
Control: tags -1 +moreinfo

Could you provide unit tests coverage for this and verify that the tests
pass after the patch is applied?

Thanks!

-- 
Never attribute to malice that which can be adequately explained by
stupidity, but don't rule out malice.
- Albert Einstein
Bug#723763: monkeysign should not sign revoked uids
tags patch thanks Please review the attached patches fixing the two issues mentioned in this thread: * Remove revoked uids from keys before processing * Refuse to sign on a revoked primary key Thanks! -- Jerome From a78ebe82bd16f228f1649790f03e0f91e66cbf2c Mon Sep 17 00:00:00 2001 From: Jerome CharaouiDate: Tue, 19 Jul 2016 16:38:47 -0400 Subject: [PATCH 2/2] Refuse to sign a revoked primary key. --- monkeysign/ui.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/monkeysign/ui.py b/monkeysign/ui.py index 6b34eb9..1289bcd 100644 --- a/monkeysign/ui.py +++ b/monkeysign/ui.py @@ -292,6 +292,9 @@ work. self.log(_('found %d keys matching your request') % len(keys)) for key in keys: +if keys[key].trust == 'r': +self.log(_('not signing revoked key %s') % keys[key].keyid()) +continue alluids = self.yes_no(_("""\ Signing the following key -- 2.8.1 From a94a87e8a99b95b158dc4557ab74118d0e4b2072 Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Tue, 19 Jul 2016 15:12:55 -0400 Subject: [PATCH 1/2] Always delete revoked UIDs (closes #723763) Finds and deletes all revoked UIDs after finding a public key. --- monkeysign/gpg.py | 2 +- monkeysign/ui.py | 13 + 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/monkeysign/gpg.py b/monkeysign/gpg.py index 456cf3b..1350ed6 100644 --- a/monkeysign/gpg.py +++ b/monkeysign/gpg.py @@ -434,7 +434,7 @@ class Keyring(): # end of copy-paste from sign_key() self.context.write(proc.stdin, 'deluid') self.context.expect(proc.stderr, 'GOT_IT') -self.context.expect(proc.stderr, 'GET_BOOL keyedit.remove.uid.okay') +self.context.expect(proc.stderr, r'GET_LINE keyedit.prompt|GET_BOOL keyedit.remove.uid.okay') self.context.write(proc.stdin, 'y') self.context.expect(proc.stderr, 'GOT_IT') self.context.expect(proc.stderr, 'GET_LINE keyedit.prompt') diff --git a/monkeysign/ui.py b/monkeysign/ui.py index c9b6a30..6b34eb9 100644 --- a/monkeysign/ui.py +++ b/monkeysign/ui.py 
@@ -243,6 +243,19 @@ this should not interrupt the flow of the program, but must be visible to the us if not self.tmpkeyring.fetch_keys(self.pattern): self.abort(_('could not find key %s in your keyring or keyservers') % self.pattern) +"""we should never sign a revoked UID""" +self.del_revoked_uids() + +def del_revoked_uids(self): +"""this will remove all revoked UIDs""" +for fpr, key in self.tmpkeyring.get_keys().iteritems(): +todelete = [] +for uid in key.uids.values(): +if uid.trust == 'r': +todelete.append(uid.uid) +for uid in todelete: +self.tmpkeyring.del_uid(fpr, uid) + def copy_secrets(self): """import secret keys (but only the public part) from your keyring -- 2.8.1 signature.asc Description: OpenPGP digital signature
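Review bot: in [PATCH 2/2], the check added to the `for key in keys:` loop in monkeysign/ui.py only matches `keys[key].trust == 'r'`, while the thread lists expired, disabled and invalid keys as equally undetected, so those still reach the "Signing the following key" prompt. Suggest testing the trust value against the full set of unusable states instead of the single letter, logging which state caused the skip, and adding the unit test requested in the thread for a key in each state.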
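Review bot: in the monkeysign/gpg.py hunk of [PATCH 1/2], the widened pattern `GET_LINE keyedit.prompt|GET_BOOL keyedit.remove.uid.okay` is still followed by an unconditional `self.context.write(proc.stdin, 'y')`, so when gpg returns straight to `keyedit.prompt` without asking for confirmation, the `y` is sent to the edit prompt as a command instead of as an answer. Suggest branching on which status line matched and writing `y` only for `GET_BOOL keyedit.remove.uid.okay`, with a comment stating which gpg behaviour produces the other case.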
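Review bot: in the monkeysign/ui.py hunk of [PATCH 1/2], `del_revoked_uids()` calls `self.tmpkeyring.del_uid(fpr, uid)` as a bare statement and logs nothing, so a deletion that does not take effect leaves the revoked uid in the temporary keyring with no visible sign. Suggest logging each uid that is removed and aborting when a removal fails. The string literal `"""we should never sign a revoked UID"""` placed before the call is a no-op expression and should be a `#` comment, and the new method has no unit test, which the maintainer asks for in the thread.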
Bug#723763: monkeysign should not sign revoked uids
On Sat, 2013-10-05 at 16:27 -0400, Antoine Beaupré wrote:
> On 2013-09-19 12:23:14, Philip Jägenstedt wrote:
> > It looks like monkeysign doesn't care that a uid is revoked, it signs
> > and sends out an email anyway. Could probably be fixed by first cleaning
> > the key. (Also need to check that monkeysign won't sign a uid where the
> > master key is revoked.)
>
> This is a known issue: revoked, expired, disabled or invalid keys are
> not detected by the underlying gpg library. This is especially a problem
> when listing private keys because gpg, in all its wizdom, doesn't
> actually provide those details in the key listing. You can see it for
> yourself here:
>
> anarcat@angela:monkeysign[dev/ux]*$ LANG=C gpg --list-secret-keys 4023702F
> sec 1024D/4023702F 2005-03-08 [expired: 2010-03-12]
> uid The Anarcat anar...@anarcat.ath.cx
> uid The Anarcat anar...@koumbit.org
> uid Antoine Beaupré anto...@koumbit.org
> ssb 2048g/EB8D47BB 2005-03-08 [expires: 2010-03-12]
>
> anarcat@angela:monkeysign[dev/ux]*$ LANG=C gpg --list-keys 4023702F
> pub 1024D/4023702F 2005-03-08 [revoked: 2005-03-11]
> uid The Anarcat anar...@anarcat.ath.cx
> uid The Anarcat anar...@koumbit.org
> uid Antoine Beaupré anto...@koumbit.org
>
> Notice how the secret key listing doesn't mention the key is revoked...
>
> But you are right, this should be fixed.

It looks to me --with-colons will show both revocation of the public keys
and uids, e.g. here's my old revoked key:

pub:r:1024:17:C8D53F30F42163A4:2006-08-25:::-:Philip Jägenstedt phi...@foolip.org::sca:
uid:r2008-06-30::FB9A4CAE39D8CE6BADFFF3E7D87D69568335E1FD::Philip Jägenstedt phil...@opera.com:
sub:r:1024:16:2D587BA5340611CA:2006-08-25::e:

It's true that --list-secret-keys --with-colons doesn't show which uids
are revoked, but I don't think that's relevant when trying to determine
(programmatically) whether or not the key/uid is revoked/expired.

Philip
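The check discussed in the message above, reading the validity field of `--with-colons` records to decide which uids may be certified, as an added example that is not part of the thread or of monkeysign's code. It assumes a public-key listing (`gpg --list-keys --with-colons`); `signable_uids`, `unescape` and the sample listing are constructed for illustration.

```python
import re

# Field 2 ("validity") values in `gpg --with-colons` records that should
# block certification: revoked, expired, disabled, invalid.
UNUSABLE = {"r": "revoked", "e": "expired", "d": "disabled", "i": "invalid"}

# Constructed sample listing (placeholder key IDs, hashes and addresses).
SAMPLE = r"""pub:-:4096:1:AAAAAAAAAAAAAAAA:2014-01-01:::-:::scESC:
uid:-::::2014-01-01::0000000000000000000000000000000000000001::Alice Example (work\x3a dev) <alice@example.org>:
uid:r::::2015-06-01::0000000000000000000000000000000000000002::Alice Example <alice@old.example.org>:
sub:-:4096:1:BBBBBBBBBBBBBBBB:2014-01-01::::::e:
pub:r:1024:17:CCCCCCCCCCCCCCCC:2006-08-25:::-:::sca:
uid:r::::2006-08-25::0000000000000000000000000000000000000003::Bob Example <bob@example.org>:
"""


def unescape(field):
    """Undo gpg's \\xNN escaping of user IDs (':' is emitted as \\x3a)."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)


def signable_uids(listing):
    """Return ({keyid: [uid, ...]}, [reason, ...]) for a colon listing."""
    signable, skipped = {}, []
    keyid = None  # current primary key; None while inside an unusable key
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10 or f[0] not in ("pub", "uid"):
            continue  # sub, fpr, sig, ... records are not needed here
        validity, uid = f[1], unescape(f[9])
        if f[0] == "pub":
            keyid = f[4]
            if validity in UNUSABLE:
                skipped.append("key %s is %s" % (keyid, UNUSABLE[validity]))
                keyid = None  # every uid under this key is dropped too
                continue
            signable[keyid] = []
            if uid:  # merged primary uid (no --fixed-list-mode): validity unknown
                skipped.append("uid %r on %s: validity not listed" % (uid, keyid))
        elif keyid is not None:
            if validity in UNUSABLE:
                skipped.append("uid %r on %s is %s" % (uid, keyid, UNUSABLE[validity]))
            else:
                signable[keyid].append(uid)
    return signable, skipped


if __name__ == "__main__":
    print(signable_uids(SAMPLE))
```

A primary uid merged into the `pub` record, as GnuPG 1.4 prints it without `--fixed-list-mode`, carries no validity of its own, so the function reports it instead of treating it as signable.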
Bug#723763: monkeysign should not sign revoked uids
On 2013-10-16 15:28:46, Philip Jägenstedt wrote:
> It looks to me --with-colons will show both revocation of the public keys
> and uids, e.g. here's my old revoked key:
>
> pub:r:1024:17:C8D53F30F42163A4:2006-08-25:::-:Philip Jägenstedt phi...@foolip.org::sca:
> uid:r2008-06-30::FB9A4CAE39D8CE6BADFFF3E7D87D69568335E1FD::Philip Jägenstedt phil...@opera.com:
> sub:r:1024:16:2D587BA5340611CA:2006-08-25::e:

That looks like the --list-keys output, not --list-secret-keys.

> It's true that --list-secret-keys --with-colons doesn't show which uids
> are revoked, but I don't think that's relevant when trying to determine
> (programmatically) whether or not the key/uid is revoked/expired.

So yes, it's possible to extract that information, but that would
involve re-running --list-keys for every secret key imported, really
annoying.

A.

-- 
Semantics is the gravity of abstraction.
Bug#723763: monkeysign should not sign revoked uids
On Wed, 2013-10-16 at 15:44 -0400, Antoine Beaupré wrote:
> On 2013-10-16 15:28:46, Philip Jägenstedt wrote:
> > It looks to me --with-colons will show both revocation of the public keys
> > and uids, e.g. here's my old revoked key:
> >
> > pub:r:1024:17:C8D53F30F42163A4:2006-08-25:::-:Philip Jägenstedt phi...@foolip.org::sca:
> > uid:r2008-06-30::FB9A4CAE39D8CE6BADFFF3E7D87D69568335E1FD::Philip Jägenstedt phil...@opera.com:
> > sub:r:1024:16:2D587BA5340611CA:2006-08-25::e:
>
> That looks like the --list-keys output, not --list-secret-keys.

Indeed it is.

> > It's true that --list-secret-keys --with-colons doesn't show which uids
> > are revoked, but I don't think that's relevant when trying to determine
> > (programmatically) whether or not the key/uid is revoked/expired.
>
> So yes, it's possible to extract that information, but that would
> involve re-running --list-keys for every secret key imported, really
> annoying.

I don't understand, why is --list-secret-keys involved at all when
inspecting the key you're signing? Signing your own keys using
monkeysign sounds a bit weird, is that supported?

Philip
Bug#723763: monkeysign should not sign revoked uids
On 2013-10-16 15:49:29, Philip Jägenstedt wrote:
> On Wed, 2013-10-16 at 15:44 -0400, Antoine Beaupré wrote:
> > On 2013-10-16 15:28:46, Philip Jägenstedt wrote:
> > > It looks to me --with-colons will show both revocation of the public keys
> > > and uids, e.g. here's my old revoked key:
> > >
> > > pub:r:1024:17:C8D53F30F42163A4:2006-08-25:::-:Philip Jägenstedt phi...@foolip.org::sca:
> > > uid:r2008-06-30::FB9A4CAE39D8CE6BADFFF3E7D87D69568335E1FD::Philip Jägenstedt phil...@opera.com:
> > > sub:r:1024:16:2D587BA5340611CA:2006-08-25::e:
> >
> > That looks like the --list-keys output, not --list-secret-keys.
>
> Indeed it is.
>
> > > It's true that --list-secret-keys --with-colons doesn't show which uids
> > > are revoked, but I don't think that's relevant when trying to determine
> > > (programmatically) whether or not the key/uid is revoked/expired.
> >
> > So yes, it's possible to extract that information, but that would
> > involve re-running --list-keys for every secret key imported, really
> > annoying.
>
> I don't understand, why is --list-secret-keys involved at all when
> inspecting the key you're signing? Signing your own keys using
> monkeysign sounds a bit weird, is that supported?

Oh, wait - I was confused by another unrelated issue: monkeysign allows
you to sign keys *with* a revoked secret key...

So yes, you are right...

A.

-- 
Sin was born before virtue, as the engine before the brake.
- Jean-Paul Sartre
Bug#723763: monkeysign should not sign revoked uids
On 2013-09-19 12:23:14, Philip Jägenstedt wrote:
> It looks like monkeysign doesn't care that a uid is revoked, it signs
> and sends out an email anyway. Could probably be fixed by first cleaning
> the key. (Also need to check that monkeysign won't sign a uid where the
> master key is revoked.)

This is a known issue: revoked, expired, disabled or invalid keys are
not detected by the underlying gpg library. This is especially a problem
when listing private keys because gpg, in all its wizdom, doesn't
actually provide those details in the key listing. You can see it for
yourself here:

anarcat@angela:monkeysign[dev/ux]*$ LANG=C gpg --list-secret-keys 4023702F
sec 1024D/4023702F 2005-03-08 [expired: 2010-03-12]
uid The Anarcat anar...@anarcat.ath.cx
uid The Anarcat anar...@koumbit.org
uid Antoine Beaupré anto...@koumbit.org
ssb 2048g/EB8D47BB 2005-03-08 [expires: 2010-03-12]

anarcat@angela:monkeysign[dev/ux]*$ LANG=C gpg --list-keys 4023702F
pub 1024D/4023702F 2005-03-08 [revoked: 2005-03-11]
uid The Anarcat anar...@anarcat.ath.cx
uid The Anarcat anar...@koumbit.org
uid Antoine Beaupré anto...@koumbit.org

Notice how the secret key listing doesn't mention the key is revoked...

But you are right, this should be fixed.

A.

-- 
That's one of the remarkable things about life: it's never so bad that
it can't get worse.
- Calvin
Bug#723763: monkeysign should not sign revoked uids
Package: monkeysign
Version: 1.0
Severity: important

It looks like monkeysign doesn't care that a uid is revoked, it signs
and sends out an email anyway. Could probably be fixed by first cleaning
the key. (Also need to check that monkeysign won't sign a uid where the
master key is revoked.)

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages monkeysign depends on:
ii  gnupg   1.4.14-1
ii  python  2.7.5-4

Versions of packages monkeysign recommends:
ii  python-gtk2       2.24.0-3+b1
ii  python-qrencode   1.01-2+b1
ii  python-zbar       0.10+doc-9+b1
ii  python-zbarpygtk  0.10+doc-9+b1

monkeysign suggests no packages.

-- no debconf information