Bug#796710: [pkg-gnupg-maint] Bug#796710: moving a key signature to the correct place loop

2015-08-24 Thread Werner Koch
On Sun, 23 Aug 2015 16:53, z...@debian.org said:

> i.e. it seems that whatever fixing gpg does to the wrong packages that
> are present in the key material, it is undone by the next refresh from
> the keyserver. Allegedly, this is a bug in both gpg and the keyserver

That is because the keyserver adds the wrong signatures again.  For
certain keyserver bugs gpg has the

   --import-options  repair-pks-subkey-bug

enabled by default which does

  During import, attempt to repair the damage caused by the PKS
  keyserver bug (pre version 0.9.6) that mangles keys with multiple
  subkeys. Note that this cannot completely repair the damaged key as
  some crucial data is removed by the keyserver, but it does at least
  give you back one subkey. Defaults to no for regular --import and to
  yes for keyserver --recv-keys.

and there are two or so other bugs fixed during import.  Unfortunately I
can't remember why we do the

   gpg: moving a key signature to the correct place

only during a --key-edit.  That fix was introduced in October 1998
(gnupg 0.4.3) to mitigate a bug in an earlier release.  It should be run
by the import too but it seems it was never needed until now? 

We need to analyze the actual reason for the problem and see what we can
do about it.  We could also silence the message ;-)

> I've also tested this with gpg2, obtaining the same result.

It is all the same code.  A bigger problem with your key is that it is
780 KiB long.  I was not able to upload it after signing without
increasing a limit in dirmngr (from 2.1).

It might be good to apply commit 84f4c88 to the Debian 2.1 package, so
users of 2.1 have an easier way to upload the key (right, I don't do that
mail address verification thing).


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
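
A toy model of the loop discussed in the message above, as an added example that is not part of the original thread and not GnuPG's code. It assumes the repair moves certification signatures (classes 0x10 to 0x13) found behind a subkey packet to before the first subkey, and that a refresh adds every keyserver signature missing under the same parent packet; the packet tuples and names are constructed.

```python
CERT = range(0x10, 0x14)  # certification signature classes 0x10..0x13

# Constructed keyserver copy: two certifications wrongly placed behind the subkey.
KEY = ("key", None, "6D866396")
UID = ("uid", None, "uid-1")
SUB = ("subkey", None, "02D0E74C")
SERVER = [KEY, UID, ("sig", 0x13, "self"), SUB,
          ("sig", 0x18, "binding"), ("sig", 0x10, "certA"), ("sig", 0x10, "certB")]

def with_parent(block):
    """Pair every signature with the key/uid/subkey packet it follows."""
    parent, out = None, []
    for pkt in block:
        if pkt[0] != "sig":
            parent = pkt
        else:
            out.append((parent, pkt))
    return out

def repair(block):
    """Model of the edit-time fix: move certifications out from behind subkeys."""
    first_sub = next((i for i, p in enumerate(block) if p[0] == "subkey"), None)
    if first_sub is None:
        return list(block), 0
    head, tail = list(block[:first_sub]), block[first_sub:]
    moved = [p for p in tail if p[0] == "sig" and p[1] in CERT]
    kept = [p for p in tail if not (p[0] == "sig" and p[1] in CERT)]
    return head + moved + kept, len(moved)

def refresh(local, server):
    """Toy merge (assumption): add server signatures missing under the same parent."""
    merged, have, new = list(local), set(with_parent(local)), 0
    for parent, sig in with_parent(server):
        if (parent, sig) not in have:
            if parent not in merged:
                merged.append(parent)
            merged.insert(merged.index(parent) + 1, sig)
            new += 1
    return merged, new

def session():
    """Import, edit, edit again, refresh, edit: the steps of the report."""
    local, moved_first = repair(list(SERVER))
    local, moved_again = repair(local)       # repaired copy is stable on disk
    local, new_sigs = refresh(local, SERVER)  # keyserver copy brings them back
    local, moved_after = repair(local)
    return moved_first, moved_again, new_sigs, moved_after
```

In this model the repaired copy stays clean until the refresh, because the keyserver's copy still lists the certifications under the subkey and the merge treats them as new.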



Bug#683328: Bug#796710: moving a key signature to the correct place loop

2015-08-23 Thread Clint Adams
Cc:ing #683328 since I still think sks should be a little more responsible here.

You can see the key brokenness if you scroll to the end of

http://pool.sks-keyservers.net:11371/pks/lookup?op=vindex&search=0x9C31503C6D866396

This is orthogonal to what gpg should and should not be doing.



Bug#796710: moving a key signature to the correct place loop

2015-08-23 Thread Stefano Zacchiroli
Package: gnupg
Version: 1.4.19-3
Severity: normal
Tags: upstream

[ filing the bug report, as discussed with dkg and Clint at DebConf 15 ]

Below you can find the screen log of a gpg session that, using a fresh
GNUPGHOME:

1) fetch/refresh my key from the SKS keyserver pool
2) edit the key...
3) ...resulting in gpg moving a key signature to the correct place
   multiple times
4) save the key
5) go to 1

i.e. it seems that whatever fixing gpg does to the wrong packages that
are present in the key material, it is undone by the next refresh from
the keyserver. Allegedly, this is a bug in both gpg and the keyserver
software running on the SKS pool.

Note that in the session below I did also try a second edit after
saving, without refreshing, and that does not make gpg try to move
the signatures again. I.e. it seems that gpg fixing is stable on disk;
it is just not stable w.r.t. the key server.

I've also tested this with gpg2, obtaining the same result.

Cheers.



zack@timira:~$ export KEYID=6D866396
zack@timira:~$ export GNUPGHOME=/tmp/gpg-bug
zack@timira:~$ mkdir -m 700 $GNUPGHOME
zack@timira:~$ gpg --keyserver pool.sks-keyservers.net --recv-keys $KEYID
gpg: keyring `/tmp/gpg-bug/secring.gpg' created
gpg: keyring `/tmp/gpg-bug/pubring.gpg' created
gpg: requesting key 6D866396 from hkp server pool.sks-keyservers.net
gpg: /tmp/gpg-bug/trustdb.gpg: trustdb created
gpg: key 6D866396: public key Stefano Zacchiroli z...@upsilon.cc imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:   imported: 1  (RSA: 1)

zack@timira:~$ gpg --edit-key $KEYID
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place

pub  4096R/6D866396  created: 2010-09-27  expires: 2016-09-02  usage: SC  
 trust: unknown   validity: unknown
sub  4096R/02D0E74C  created: 2010-09-27  expires: never   usage: E   
sub  4096R/93412799  created: 2012-12-01  expires: 2016-09-02  usage: S   
[ unknown] (1). Stefano Zacchiroli z...@upsilon.cc
[ unknown] (2)  Stefano Zacchiroli z...@debian.org
[ unknown] (3)  Stefano Zacchiroli z...@cs.unibo.it
[ revoked] (4)  Stefano Zacchiroli z...@pps.jussieu.fr
[ unknown] (5)  Stefano Zacchiroli z...@pps.univ-paris-diderot.fr
[ revoked] (6)  Stefano Zacchiroli (Debian Project Leader) lea...@debian.org

gpg> save

zack@timira:~$ gpg --edit-key $KEYID
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  4096R/6D866396  created: 2010-09-27  expires: 2016-09-02  usage: SC  
 trust: unknown   validity: unknown
sub  4096R/02D0E74C  created: 2010-09-27  expires: never   usage: E   
sub  4096R/93412799  created: 2012-12-01  expires: 2016-09-02  usage: S   
[ unknown] (1). Stefano Zacchiroli z...@upsilon.cc
[ unknown] (2)  Stefano Zacchiroli z...@debian.org
[ unknown] (3)  Stefano Zacchiroli z...@cs.unibo.it
[ revoked] (4)  Stefano Zacchiroli z...@pps.jussieu.fr
[ unknown] (5)  Stefano Zacchiroli z...@pps.univ-paris-diderot.fr
[ revoked] (6)  Stefano Zacchiroli (Debian Project Leader) lea...@debian.org

gpg> quit

zack@timira:~$ gpg --keyserver pool.sks-keyservers.net --recv-keys $KEYID
gpg: requesting key 6D866396 from hkp server pool.sks-keyservers.net
gpg: key 6D866396: Stefano Zacchiroli z...@upsilon.cc 13 new signatures
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: new signatures: 13

zack@timira:~$ gpg --edit-key $KEYID
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key