Public bug reported:

The dpkg-sig script is unable to verify a signature of a Debian package
when GNU ar is used to assemble the package. This also renders dpkg-sig
incapable of adding a new signature when one already exists.

The problem lies in the difference in how GNU ar terminates a file name
to indicate where it ends: it adds a trailing slash "/" (forward slash),
unlike BSD ar, which does not follow such practice[1].

For example:

* File content:

krzysztof@b1:~$ ar vt zookeeper-cli_1.4.1-1_all.deb
rw-rw-r-- 0/0      4 Mar 18 21:16 2013 debian-binary
rw-rw-r-- 0/0    636 Mar 18 21:16 2013 control.tar.gz
rw-rw-r-- 0/0 9108275 Mar 18 21:16 2013 data.tar.gz

krzysztof@b1:~$ egrep -a 'debian-binary' zookeeper-cli_1.4.1-1_all.deb | tr -dc '[:alnum:][:space:][:punct:]'
debian-binary/  1363641418  0     0     100664  4         `

A trailing slash is visible in the example above.

* Signing:

krzysztof@v1:~$ dpkg-sig -k 83F709E3 --sign builder zookeeper-cli_1.4.1-1_all.deb
Processing zookeeper-cli_1.4.1-1_all.deb...
Signed deb zookeeper-cli_1.4.1-1_all.deb

* Verifying:

krzysztof@b1:~$ dpkg-sig -k 83F709E3 --verify zookeeper-cli_1.4.1-1_all.deb
Processing zookeeper-cli_1.4.1-1_all.deb...
BADSIG _gpgbuilder

* Actual signature (as per the content of added _gpgbuilder file):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Version: 4
Signer: Ooyala, Inc.
Date: Tue Mar 19 04:58:02 2013
Role: builder
Files:
  3cf918272ffa5de195752d73f3da3e5e 7959c969e092f2a5a8604e2287807ac5b1b384ad 4 debian-binary/
  3a15c94b05829d12483b84fab6c499bd 6b25fa2067a801fefb64e499a258e0489c837127 636 control.tar.gz/
  f97656d8cbd740867628d219363ac06c 51b960d4f77d980e44594337b88508e1e6890ef0 9108275 data.tar.gz/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----

Please note the trailing slash in the lines where checksums were added.

As per the "deb" file format guide a trailing slash is valid and Debian
package may contain it[2].

This can be reproduced on both Lucid and Precise, and on current Debian;
pretty much every version of the "dpkg-sig" package is affected. In this
particular case it was the following:

krzysztof@b1:~$ apt-cache show dpkg-sig
Package: dpkg-sig
Priority: optional
Section: universe/devel
Installed-Size: 236
Maintainer: Ubuntu MOTU Developers <ubuntu-m...@lists.ubuntu.com>
Original-Maintainer: Marc 'HE' Brockschmidt <h...@debian.org>
Architecture: all
Version: 0.13.1
Depends: perl, gnupg, libdigest-md5-perl, libconfig-file-perl
Suggests: ssh, libterm-readkey-perl
Filename: pool/universe/d/dpkg-sig/dpkg-sig_0.13.1_all.deb
Size: 37714
MD5sum: 72677be8cfd4f8d8cc3d2722ddcf5ee2
SHA1: a23950a4b29f36cd4c2b3a88f618926ca772852d
SHA256: 10911f3ae268d2e5bffc7d4ed5e043a5c0c8bf1151918ed4cab15c0d4c0db310
Description-en: create and verify signatures on .deb-files
 dpkg-sig is a low-level tool for creation and verification of
 signature on Debian binary packages (.deb-files).
 .
 The created signed packages are strict compatible with dpkg and the
 apt-utils.
 .
 Website is http://dpkg-sig.turmzimmer.net/
Description-md5: af8f9217fe0119840369e775a3c5bc7c
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu

Installed on the following release:

krzysztof@b1:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 12.04.1 LTS
Release:        12.04
Codename:       precise

There is an existing bug open against it with Debian:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356509

I am attaching a small (and probably incorrect) patch that I used to fix
the issue with GPG verification and creation. I use an automated package
building facility (comprised of both FPM and dpkg-buildpackage et al.)
and was relying on the "dpkg-sig" script when it comes to adding and
verifying files.

1. http://en.wikipedia.org/wiki/Ar_%28Unix%29#BSD_variant
2. http://manpages.ubuntu.com/manpages/lucid/man5/deb.5.html
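As an added illustration (this is not code from the bug report or from the dpkg-sig package), the Python below builds the same two-member ar archive once in GNU style (member names terminated by "/") and once in BSD style, parses the 60-byte ar member headers, and emits dpkg-sig style "Files:" lines (md5, sha1, size, name). Normalising the stored name by stripping the GNU terminator makes both archives produce identical lines, which is what a verifier needs so that a signature made against one ar variant still checks against the other; the archive builder, member contents and function names are constructed for this example.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"  # global header shared by GNU and BSD ar

def ar_header(name: bytes, size: int, gnu_style: bool) -> bytes:
    """Build one 60-byte ar member header (name 16, mtime 12, uid 6, gid 6, mode 8, size 10, magic 2)."""
    stored = name + (b"/" if gnu_style else b"")  # GNU ar appends '/' as the name terminator
    return (stored.ljust(16) + b"1363641418".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
            + b"100664".ljust(8) + str(size).encode().ljust(10) + b"`\n")

def build_ar(members, gnu_style: bool) -> bytes:
    """Assemble a minimal ar archive (constructed stand-in for a .deb) from (name, data) pairs."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += ar_header(name, len(data), gnu_style) + data
        if len(data) % 2:
            out += b"\n"  # ar members are padded to an even offset
    return bytes(out)

def parse_ar(blob: bytes):
    """Yield (raw_name, data) for each member, with raw_name exactly as stored in the header."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header at offset %d" % pos)
        raw_name = hdr[0:16].rstrip(b" ").decode()
        size = int(hdr[48:58].decode().strip())
        yield raw_name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)

def normalize_name(raw: str) -> str:
    """Strip the GNU '/' terminator; '/' and '//' are GNU's own special tables, left untouched."""
    if raw.endswith("/") and raw not in ("/", "//"):
        return raw[:-1]
    return raw

def files_lines(blob: bytes, normalize: bool = True) -> list:
    """Produce dpkg-sig style 'Files:' lines: md5 sha1 size name, one per archive member."""
    lines = []
    for raw_name, data in parse_ar(blob):
        name = normalize_name(raw_name) if normalize else raw_name
        lines.append("%s %s %d %s" % (hashlib.md5(data).hexdigest(),
                                      hashlib.sha1(data).hexdigest(), len(data), name))
    return lines

# Constructed sample members; debian-binary really is "2.0\n" in every .deb.
SAMPLE = [(b"debian-binary", b"2.0\n"), (b"control.tar.gz", b"\x1f\x8b" + b"\x00" * 31)]
GNU_DEB = build_ar(SAMPLE, gnu_style=True)
BSD_DEB = build_ar(SAMPLE, gnu_style=False)
```

Running `files_lines(GNU_DEB, normalize=False)` reproduces the trailing-slash names seen in the _gpgbuilder member above, while `files_lines(GNU_DEB) == files_lines(BSD_DEB)` holds once the terminator is stripped.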

** Affects: dpkg-sig (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: packaging

** Patch added: "Possible solution to the dpkg-sig issue."
   https://bugs.launchpad.net/bugs/1156988/+attachment/3582593/+files/dpkg-dig.diff

https://bugs.launchpad.net/bugs/1156988

Title:
  Fails to verify GPG signature of a package
