[BUG] [debsig-verify]

Jason Plum
All,

I have run into an issue with debsig-verify in combination with GnuPG v2.1.18+ as seen in Debian 9.

With GnuPG 2.1.18+, the call used in `/src/gpg-parse.c` to parse the keyring fails (error code 2), resulting in the failure of debsig-verify.

```
root@bc88c35a95a8:~# debsig-verify -v -d --list-policies gitlab-ce_8.1.0+git.3216.1f52045-rc1.ce.0_amd64.deb 
debsig: Listing usable policies
debsig:         getSigKeyID: got 66D26543C0207D21 for origin key
debsig: Using policy directory: /etc/debsig/policies/66D26543C0207D21
debsig:   Policies in: /etc/debsig/policies/66D26543C0207D21
debsig:   Parsing policy file: /etc/debsig/policies/66D26543C0207D21/gitlab.pol
debsig:     parsePolicyFile: parsing '/etc/debsig/policies/66D26543C0207D21/gitlab.pol'
debsig:     parsePolicyFile: completed
debsig:     Checking Selection group(s).
debsig:       Processing 'origin' key...
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
debsig: subprocess getKeyID returned error exit status 2
```

Doing some investigation with strace, I located the exact call being attempted to the keyring in use, and called it manually in an attempt to more directly replicate the failure:
```
# gpg --no-options --no-default-keyring --batch --no-secmem-warning --no-permission-warning --list-packets -q /usr/share/debsig/keyrings/66D26543C0207D21/gitlab.gpg
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
```

In the event that the keyring was somehow corrupt, I verified that GnuPG could indeed interpret the keychain, and found no issue:
```
# gpg --no-permission-warning --no-default-keyring --keyring /usr/share/debsig/keyrings/66D26543C0207D21/gitlab.gpg -k
/usr/share/debsig/keyrings/66D26543C0207D21/gitlab.gpg
------------------------------------------------------
pub   rsa4096 2016-08-18 [SC]
      CC9524B59894C4C0A51ACD6266D26543C0207D21
uid           [ unknown] GitLab Inc. <[hidden email]>
sub   rsa4096 2016-08-18 [E]
```

For informational purposes, the keyring was generated with
```
gpg --no-default-keyring --batch --no-permission-warning --no-options \
    --keyring "$KEYRINGS/$KEYID/gitlab.gpg" \
    --import $KEYFILE
```

This may be an intentional change, or an incidental breakage from GnuPG. I have not yet derived that, but wanted to bring this to your attention.

--
Jason Plum
GitLab
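As an added example that is not part of Jason Plum's report or of the debsig-verify project, the script below classifies a keyring file by its first bytes. It distinguishes a GnuPG keybox container (the file format whose header carries the magic `KBXf` at offset 8) from a binary OpenPGP keyring (a stream of RFC 4880 packets that begins with a public-key packet, tag 6) and from an ASCII-armored key block. The distinction matters for the symptom above because `gpg --list-packets` parses OpenPGP packets only, so feeding it a keybox file is one input that produces exactly `gpg: no valid OpenPGP data found`. The sample byte strings are constructed for the example and contain no real key material; `keyring_format` and `check_file` are names chosen here, not anything from debsig-verify or GnuPG.

```python
import struct
import sys

# Constructed sample: the 32-byte header blob that opens every GnuPG keybox file.
# Layout: u32 blob length (32), u8 blob type (1 = header), u8 version (1),
# u16 flags, 4-byte magic "KBXf", followed by 20 reserved/timestamp bytes.
KEYBOX_SAMPLE = struct.pack(">IBBH4s", 32, 1, 1, 0, b"KBXf") + b"\x00" * 20

# Constructed sample: the start of a binary OpenPGP keyring. 0x99 is an
# old-format packet header (bit 7 set, tag 6 = public-key packet, two-byte
# length field); 0x010d is the length; 0x04 is the key packet version.
OPENPGP_SAMPLE = b"\x99\x01\x0d\x04" + b"\x00" * 10

# Constructed sample: an ASCII-armored key block, which --list-packets does
# accept but which is not what a `--keyring` file is expected to hold.
ARMORED_SAMPLE = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"


def keyring_format(data: bytes) -> str:
    """Classify the leading bytes of a keyring file.

    Returns one of "keybox", "openpgp", "armored" or "unknown".
    """
    # Keybox: header blob of type 1 with the "KBXf" magic at offset 8.
    if len(data) >= 12 and data[4] == 1 and data[8:12] == b"KBXf":
        return "keybox"
    if data.startswith(b"-----BEGIN PGP"):
        return "armored"
    if data:
        first = data[0]
        if first & 0x80:  # bit 7 is always set in an OpenPGP packet header
            if first & 0x40:
                tag = first & 0x3F          # new-format header: tag in low 6 bits
            else:
                tag = (first >> 2) & 0x0F   # old-format header: tag in bits 2..5
            if tag == 6:  # a public keyring starts with a public-key packet
                return "openpgp"
    return "unknown"


def check_file(path: str) -> str:
    """Read the first 32 bytes of `path` and classify them."""
    with open(path, "rb") as fh:
        return keyring_format(fh.read(32))


if __name__ == "__main__":
    # Usage: python3 keyring_check.py /path/to/keyring.gpg [...]
    for arg in sys.argv[1:]:
        print(f"{arg}: {check_file(arg)}")
```

If a file used with debsig's `--keyring` option turns out to be a keybox, GnuPG can write its contents back out as plain OpenPGP packets with `gpg --no-default-keyring --keyring FILE --export > FILE.openpgp.gpg`; the exported file classifies as `openpgp` and is the form that `--list-packets` reads.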