Bug#917742: ca-cacert: FTBFS: tests failed

2019-01-29 Thread Axel Beckert
Hi Dmitry,

ca-cacert just fell out of testing because of this issue.

Lucas Nussbaum wrote:
> > make[1]: Entering directory '/<>'
> > #find . -maxdepth 1 -type f -name "*.crt" -exec openssl verify "{}" \;
> > certtool --verify --load-ca-certificate root.crt --infile class3.crt
> > Loaded CAs (1 available)
> > Subject: CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.
> > Issuer: EMAIL=supp...@cacert.org,CN=CA Cert Signing 
> > Authority,OU=http://www.cacert.org,O=Root CA
> > Checked against: EMAIL=supp...@cacert.org,CN=CA Cert Signing 
> > Authority,OU=http://www.cacert.org,O=Root CA
> > Signature algorithm: RSA-SHA256
> > Output: Verified. The certificate is trusted. 
> > 
> > Chain verification output: Verified. The certificate is trusted. 
> > 
> > certtool --verify --load-ca-certificate root.crt --infile root.crt
> > Loaded CAs (1 available)
> > Subject: EMAIL=supp...@cacert.org,CN=CA Cert Signing 
> > Authority,OU=http://www.cacert.org,O=Root CA
> > Issuer: EMAIL=supp...@cacert.org,CN=CA Cert Signing 
> > Authority,OU=http://www.cacert.org,O=Root CA
> > Checked against: EMAIL=supp...@cacert.org,CN=CA Cert Signing 
> > Authority,OU=http://www.cacert.org,O=Root CA
> > Signature algorithm: RSA-MD5
                             ^^^
> > Output: Not verified. The certificate is NOT trusted. 
> > 
> > Chain verification output: Not verified. The certificate is NOT trusted. 

The reason for this test suite failure is likely that certtool stopped
accepting the MD5 hashing algorithm.

The man page says:

   --verify-allow-broken
       Allow broken algorithms, such as MD5 for verification.

       This can be combined with --p7-verify, --verify or
       --verify-chain.

This could be fixed by changing

  certtool --verify --load-ca-certificate root.crt --infile root.crt

to

  certtool --verify --verify-allow-broken --load-ca-certificate root.crt --infile root.crt

As far as I understand, that seems to be only the self-signature of
root.crt (which AFAICT should be negligible), while the (AFAICT
relevant) signature on class3.crt uses SHA256, which is OK.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
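
A triage helper for the log quoted above, as an added example that is not part of the thread or of the ca-cacert package: it parses `certtool --verify` output and separates the case discussed here (a self-signed certificate rejected over an MD5 self-signature) from any other verification failure. The sample log is constructed from the quoted output, and `BROKEN`, `parse_results`, `classify` and `triage` are names made up for this example.

```python
import re

# Hash names treated as broken (assumption: only MD5, the one named in the thread).
BROKEN = ("MD5",)

# Constructed sample modelled on the quoted build log (wrapped lines joined,
# "Loaded CAs" lines and e-mail addresses dropped from the output).
SAMPLE = """\
certtool --verify --load-ca-certificate root.crt --infile class3.crt
  Subject: CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.
  Issuer: CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
  Signature algorithm: RSA-SHA256
  Output: Verified. The certificate is trusted.

certtool --verify --load-ca-certificate root.crt --infile root.crt
  Subject: CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
  Issuer: CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
  Signature algorithm: RSA-MD5
  Output: Not verified. The certificate is NOT trusted.
"""

FIELD = re.compile(r"^\s*(Subject|Issuer|Signature algorithm|Output):\s*(.*\S)\s*$")

def parse_results(log):
    """Yield one dict per certificate block in `certtool --verify` output."""
    cur = {}
    for line in log.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        if m.group(1) == "Subject" and cur:  # a new Subject starts a new block
            yield cur
            cur = {}
        cur[m.group(1)] = m.group(2)
    if cur:
        yield cur

def classify(cert):
    """Return 'ok', 'weak-self-signature' or 'untrusted' for one parsed block."""
    if cert.get("Output", "").startswith("Verified"):
        return "ok"
    self_signed = cert.get("Subject") == cert.get("Issuer")  # name match only (heuristic)
    weak = any(h in cert.get("Signature algorithm", "") for h in BROKEN)
    # Only a self-signed cert failing on a broken hash is the case from the
    # thread; any other failure is a real trust problem and must not be waived.
    return "weak-self-signature" if self_signed and weak else "untrusted"

def triage(log):
    return [(c.get("Subject", "?"), classify(c)) for c in parse_results(log)]
```

Only a block classified as `weak-self-signature` is a candidate for `--verify-allow-broken`; an `untrusted` result on a non-root certificate should keep failing the build.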



Bug#917742: ca-cacert: FTBFS: tests failed

2018-12-29 Thread Lucas Nussbaum
Source: ca-cacert
Version: 2011.0523-2
Severity: serious
Justification: FTBFS on amd64
Tags: buster sid
Usertags: ftbfs-20181229 ftbfs-buster

Hi,

During a rebuild of all packages in sid, your package failed to build
on amd64.

Relevant part (hopefully):
> make[1]: Entering directory '/<>'
> #find . -maxdepth 1 -type f -name "*.crt" -exec openssl verify "{}" \;
> certtool --verify --load-ca-certificate root.crt --infile class3.crt
> Loaded CAs (1 available)
>   Subject: CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.
>   Issuer: EMAIL=supp...@cacert.org,CN=CA Cert Signing 
> Authority,OU=http://www.cacert.org,O=Root CA
>   Checked against: EMAIL=supp...@cacert.org,CN=CA Cert Signing 
> Authority,OU=http://www.cacert.org,O=Root CA
>   Signature algorithm: RSA-SHA256
>   Output: Verified. The certificate is trusted. 
> 
> Chain verification output: Verified. The certificate is trusted. 
> 
> certtool --verify --load-ca-certificate root.crt --infile root.crt
> Loaded CAs (1 available)
>   Subject: EMAIL=supp...@cacert.org,CN=CA Cert Signing 
> Authority,OU=http://www.cacert.org,O=Root CA
>   Issuer: EMAIL=supp...@cacert.org,CN=CA Cert Signing 
> Authority,OU=http://www.cacert.org,O=Root CA
>   Checked against: EMAIL=supp...@cacert.org,CN=CA Cert Signing 
> Authority,OU=http://www.cacert.org,O=Root CA
>   Signature algorithm: RSA-MD5
>   Output: Not verified. The certificate is NOT trusted. 
> 
> Chain verification output: Not verified. The certificate is NOT trusted. 
> 
> make[1]: *** [debian/rules:13: override_dh_auto_test] Error 1

The full build log is available from:
   http://aws-logs.debian.net/2018/12/29/ca-cacert_2011.0523-2_unstable.log

A list of current common problems and possible solutions is available at
http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute!

About the archive rebuild: The rebuild was done on EC2 VM instances from
Amazon Web Services, using a clean, minimal and up-to-date chroot. Every
failed build was retried once to eliminate random failures.