Bug#992966: simple-cdd: fails to validate Release file with a good signature and a signature that can't be checked

2021-08-25 Thread Raphael Hertzog
Control: severity -1 important

Bumping the severity on suggestion of #debian-release.

On Wed, 25 Aug 2021, Raphaël Hertzog wrote:
> Right now if you try to use simple-cdd on a stretch or buster system (to
> build stretch/buster images), you get failures like this one:

I was a bit too quick in my assertion. The problem is limited to stretch
because buster's debian-archive-keyring has been updated a while ago (but
my buster chroot was not up-to-date):
https://tracker.debian.org/news/1236764/accepted-debian-archive-keyring-20191deb10u1-source-all-into-proposed-updates-stable-new-proposed-updates/

Cheers,
-- 
Raphaël Hertzog ◈ Freexian SARL ◈ Tel: +33 (0)6 88 21 35 47
https://www.freexian.com



Bug#992966: simple-cdd: fails to validate Release file with a good signature and a signature that can't be checked

2021-08-25 Thread Raphaël Hertzog
Package: simple-cdd
Version: 0.6.8
Severity: normal
X-Debbugs-Cc: raph...@freexian.com

Right now if you try to use simple-cdd on a stretch or buster system (to
build stretch/buster images), you get failures like this one:

> 2021-08-24 10:45:08 ERROR verify gpg signature exited with code 2
> 2021-08-24 10:45:08 ERROR Last 3 lines of standard error:
> 2021-08-24 10:45:08 ERROR verify gpg signature: gpg: Signature made Tue 24 Aug 2021 09:21:34 AM CDT
> 2021-08-24 10:45:08 ERROR verify gpg signature: gpg:                using RSA key A7236886F3CCCAAD148A27F80E98404D386FA1D9
> 2021-08-24 10:45:08 ERROR verify gpg signature: gpg: Can't check signature: No public key
> 2021-08-24 10:45:08 ERROR Signature verification failed on ['gpg', '--batch', '--no-default-keyring', '--keyring', '/usr/share/keyrings/debian-archive-keyring.gpg', '--keyring', '/srv/install/simple-cdd/.gnupg/pubring.gpg', '--verify', '/srv/install/simple-cdd/tmp/mirror/extrafiles']
> FAILURE:  build-simple-cdd failed, exiting

The problem is that the Release file (and the extrafiles) of stretch and
buster is signed by 4 keys, including the recently added keys for
bullseye. But /usr/share/keyrings/debian-archive-keyring.gpg in
stretch/buster does not (yet) contain the new key and simple-cdd uses `gpg
--verify` which fails with error code 2 as soon as a single signature
can't be verified.

But simple-cdd should fail only if none of the signatures can be
verified or if some signature fails to verify while the key is present
(a bit like APT does it...). But the absence of a key should not result in
a failure provided that the other signatures are working.

Elements of proof:

$ wget http://debian.backend.mirrors.debian.org/debian/dists/stretch/Release
$ wget http://debian.backend.mirrors.debian.org/debian/dists/stretch/Release.gpg
$ LANG=C gpg --keyring /srv/chroots/buster-amd64/usr/share/keyrings/debian-archive-keyring.gpg --verify Release.gpg Release
gpg: Signature made Sat Aug 14 09:43:24 2021 CEST
gpg:                using RSA key 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
gpg: Good signature from "Debian Archive Automatic Signing Key (9/stretch) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E1CF 20DD FFE4 B89E 8026  58F1 E0B1 1894 F66A EC98
     Subkey fingerprint: 16E9 0B3F DF65 EDE3 AA7F  323C 04EE 7237 B7D4 53EC
gpg: Signature made Sat Aug 14 09:43:25 2021 CEST
gpg:                using RSA key 0146DC6D4A0B2914BDED34DB648ACFD622F3D138
gpg: Good signature from "Debian Archive Automatic Signing Key (10/buster) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 80D1 5823 B7FD 1561 F9F7  BCDD DC30 D7C2 3CBB ABEE
     Subkey fingerprint: 0146 DC6D 4A0B 2914 BDED  34DB 648A CFD6 22F3 D138
gpg: Signature made Sat Aug 14 10:46:19 2021 CEST
gpg:                using RSA key A7236886F3CCCAAD148A27F80E98404D386FA1D9
gpg: Can't check signature: No public key
gpg: Signature made Sat Aug 14 10:26:43 2021 CEST
gpg:                using RSA key 067E3C456BAE240ACEE88F6FEF0F382A1A7B6500
gpg:                issuer "debian-rele...@lists.debian.org"
gpg: Good signature from "Debian Stable Release Key (9/stretch) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
$ echo $?
2
$ LANG=C gpg --keyring /srv/chroots/buster-amd64/usr/share/keyrings/debian-archive-keyring.gpg --with-subkey-fingerprints --list-keys A7236886F3CCCAAD148A27F80E98404D386FA1D9
gpg: error reading key: No public key
$ LANG=C gpg --keyring /usr/share/keyrings/debian-archive-keyring.gpg --with-subkey-fingerprints --list-keys A7236886F3CCCAAD148A27F80E98404D386FA1D9
pub   rsa4096 2021-01-17 [SC] [expires: 2029-01-15]
      1F89983E0081FDE018F3CC9673A4F27B8DD47936
uid           [ unknown] Debian Archive Automatic Signing Key (11/bullseye) 

sub   rsa4096 2021-01-17 [S] [expires: 2029-01-15]
      A7236886F3CCCAAD148A27F80E98404D386FA1D9



-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'oldoldstable'), (500, 
'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages simple-cdd depends on:
ii  dctrl-tools 2.24-3+b1
ii  debian-cd   3.1.35
ii  lsb-release 11.1.0
ii  python3 3.9.2-3
ii  python3-simple-cdd  0.6.8
ii  reprepro
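The policy the report asks for (accept if at least one signature verifies, ignore signatures whose key is simply absent, reject if a signature made by a known key is bad, expired or revoked) cannot be derived from gpg's exit code, since `gpg --verify` exits 2 as soon as one signature cannot be checked. The following is an added example, not simple-cdd's code, showing one way to implement that policy on top of gpg's machine-readable `--status-fd` output instead of the locale-dependent human-readable messages. The `verify_detached` wrapper and the `Verdict` class are hypothetical names; the sample status lines are constructed to mirror the four-signature stretch `Release.gpg` shown in the report.

```python
"""Apply a per-signature acceptance policy to gpg --status-fd output.

Added example, not part of simple-cdd. Policy (from the bug report):
  - accept when at least one signature is GOODSIG;
  - ignore signatures whose key is not in any keyring (NO_PUBKEY);
  - reject when a signature made by a key we *do* have is bad, expired
    or revoked, regardless of how many other signatures are good.
"""
import subprocess
from dataclasses import dataclass, field

# Status keywords gpg emits for each signature (GnuPG doc/DETAILS).
GOOD = {"GOODSIG"}
BAD = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
MISSING = {"NO_PUBKEY"}


@dataclass
class Verdict:
    good: list = field(default_factory=list)     # long key IDs that verified
    bad: list = field(default_factory=list)      # known keys whose signature failed
    missing: list = field(default_factory=list)  # key IDs absent from the keyrings

    @property
    def accepted(self) -> bool:
        # A bad signature from a known key is always fatal; otherwise we need
        # at least one good signature. Missing keys alone never reject.
        return not self.bad and bool(self.good)


def parse_status(status_text: str) -> Verdict:
    """Classify every '[GNUPG:] ...' line; other lines are ignored."""
    v = Verdict()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        keyid = fields[2] if len(fields) > 2 else ""
        if keyword in GOOD:
            v.good.append(keyid)
        elif keyword in BAD:
            v.bad.append(keyid)
        elif keyword in MISSING:
            v.missing.append(keyid)
        elif keyword == "ERRSIG" and len(fields) > 7 and fields[7] != "9":
            # ERRSIG rc 9 means "no public key" and is followed by NO_PUBKEY;
            # any other rc (e.g. unsupported algorithm) is treated as a failure.
            v.bad.append(keyid)
    return v


def verify_detached(keyrings, sig_path, data_path) -> Verdict:
    """Hypothetical wrapper: run gpg and judge by status lines, not exit code."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--status-fd", "1"]
    for keyring in keyrings:
        cmd += ["--keyring", keyring]
    cmd += ["--verify", sig_path, data_path]
    # Exit status is deliberately not used: gpg returns 2 whenever a single
    # signature cannot be checked, which is exactly the case we want to tolerate.
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_status(proc.stdout)


# Constructed sample mirroring the report's Release.gpg: stretch and buster
# archive keys (good), bullseye key (absent from the old keyring), stretch
# release key (good). Long key IDs are the last 16 hex digits of the fingerprints.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 04EE7237B7D453EC Debian Archive Automatic Signing Key (9/stretch)
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 648ACFD622F3D138 Debian Archive Automatic Signing Key (10/buster)
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0E98404D386FA1D9 1 8 00 1628930779 9 A7236886F3CCCAAD148A27F80E98404D386FA1D9
[GNUPG:] NO_PUBKEY 0E98404D386FA1D9
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EF0F382A1A7B6500 Debian Stable Release Key (9/stretch)
"""

if __name__ == "__main__":
    verdict = parse_status(SAMPLE_STATUS)
    print("accepted:", verdict.accepted)
    print("good:", verdict.good, "missing:", verdict.missing, "bad:", verdict.bad)
```

Deciding from status lines also makes the check robust against the `LANG=C` dependence visible in the report's transcript, and keeps a forged or corrupted signature from a key the keyring does contain fatal even when other signatures are fine.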