On Sun, Sep 04, 2016 at 10:04:54AM -0400, Daniel Kahn Gillmor wrote:
> On Sat 2016-09-03 18:40:26 -0400, Bastian Blank wrote:
> > Package: gnupg
> > Version: 2.1.15-2
> > Severity: grave
> I'm unclear as to why this is Severity: grave -- i've reset the Severity
> to normal, but i'm happy to have you reset the severity with an
> appropriate explanation.

I'm inclined to forward that to ctte, as this is a clear breakage in
backward compatibility and you already broke that transition pretty bad
anyway.

> > A simple verification of an inline-signed file leaves the agent running.
> > This makes it impossible to clean up the system properly.
> "impossible" is an overstatement, right? While i agree with you that
> it's better to not have the agent left running, it can at the very least
> be terminated manually (e.g. with "gpgconf --kill gpg-agent" or
> "gpg-connect-agent killagent /bye").

Well, you took over the gpg name, so you have to abide by the same
interface, which you obviously don't do.

> > This is for example used by cdebootstrap.
> A verification of a signature should not launch the agent at all, so i'm
> not convinced this is what's happening. With a dedicated GNUPGHOME you
> can observe the presence of the agent by looking for S.gpg-agent, which
> doesn't appear after file verification:

The only way to verify an inline-signed message and also get the
unescaped message is to use gpg --decrypt. --verify does not even accept
--output.

> So maybe it's not file verification that's causing the agent to spawn
> but some other operation?

The file is not encrypted, so not really.

> > As it is inline signed, it is not possible to use gpgv, which can't
> > decode messages.
> gpgv can verify inline-signed data, but does not produce output of the
> verified text. That's the concern, right? I've opened
> https://bugs.gnupg.org/gnupg/issue2668 to record that concern upstream.

Isn't gpgv a debian-ism?

> If you're talking about verifying InRelease, then that's a bit of a
> special case, because it has a constrained format that we can rely on.
> In particular, it's an RFC822 message, which means it has no lines with
> a leading hyphen (-) and it has no preamble or footer outside the
> signature. So it should be possible to convert it manually to separate
> files that can then be verified with gpgv and used independently.

You can do several modifications to such signed files without changing
the signature, esp. dash-escaping and whitespace at line endings. What is
a sane way to undo all of this?

> Alternately, cdebootstrap could use Release and Release.gpg and avoid
> InRelease.

InRelease was introduced to fix race conditions, so no, this does not
work.

Bastian

-- 
Emotions are alien to me. I'm a scientist.
		-- Spock, "This Side of Paradise", stardate 3417.3
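The conversion dkg proposes and the two transformations Bastian raises (dash-escaping and trailing whitespace) can both be handled in one pass. The script below is an added example for this thread; it is not code from the bug report, from GnuPG, from apt or from cdebootstrap. It splits an inline (cleartext) signed file into the unescaped text and a detached ASCII-armored signature following RFC 4880 section 7.1, and then hands the pair to gpgv, which has no agent to leave behind. It assumes gpgv is on PATH and that you supply the keyring path; the sample input it builds is constructed and its signature block is only shaped like a signature, so the splitter can be exercised without keys.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG/apt/cdebootstrap.
# Split an inline-signed file (e.g. InRelease) into text + detached signature
# so that gpgv can verify it.  Rules taken from RFC 4880 section 7.1:
#   - "Hash:" armor headers and the blank line after them are not text
#   - a leading "- " is dash-escaping and is removed
#   - trailing spaces/tabs are not part of the signed text
#   - the line ending right before "-----BEGIN PGP SIGNATURE-----" is not
#     signed, so the body file is written without a final newline

# split_clearsigned IN BODY SIG ; non-zero exit if the armor is incomplete
split_clearsigned() {
    in=$1 body=$2 sig=$3
    awk -v body="$body" -v sig="$sig" '
        BEGIN { state = 0; first = 1 }
        state == 0 && $0 == "-----BEGIN PGP SIGNED MESSAGE-----" { state = 1; next }
        state == 1 { if ($0 == "") state = 2; next }          # skip Hash: headers
        state == 2 && $0 == "-----BEGIN PGP SIGNATURE-----" { state = 3; print > sig; next }
        state == 2 {
            line = $0
            sub(/^- /, "", line)          # undo dash-escaping
            sub(/[ \t]+$/, "", line)      # drop trailing whitespace
            if (!first) printf "\n" > body  # newline only BETWEEN lines
            printf "%s", line > body
            first = 0
            next
        }
        state == 3 { print > sig; if ($0 == "-----END PGP SIGNATURE-----") state = 4 }
        END { exit (state == 4 ? 0 : 1) }
    ' "$in"
}

# verify_split KEYRING BODY SIG ; gpgv checks the detached signature over BODY
verify_split() {
    gpgv --keyring "$1" "$3" "$2"
}

# Constructed sample with a trailing tab, a dash-escaped line and a
# signature block that is NOT a real signature (shape only).
make_sample() {
    {
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----'
        printf 'Hash: SHA256\n\n'
        printf 'Origin: Debian \t\n'
        printf '%s\n' '- -- dash-escaped line'
        printf 'last line\n'
        printf '%s\n\n' '-----BEGIN PGP SIGNATURE-----'
        printf 'iQEzBAEBCAAdFiEEconstructedNOTAREALSIGNATURE\n=abcd\n'
        printf '%s\n' '-----END PGP SIGNATURE-----'
    } > "$1"
}

# Demo: split the constructed file; od shows the body ends without "\n".
work=$(mktemp -d)
make_sample "$work/InRelease"
split_clearsigned "$work/InRelease" "$work/Release" "$work/Release.gpg"
od -c "$work/Release" | tail -n 3
# With a real InRelease and keyring (path is a placeholder):
#   verify_split /path/to/keyring.gpg "$work/Release" "$work/Release.gpg"
```

The awk state machine treats `-----BEGIN PGP SIGNATURE-----` as the end of the text only when it appears unescaped; a dash-escaped `- -----BEGIN PGP SIGNATURE-----` inside the body is correctly unescaped and kept as content, which is exactly the case dash-escaping exists for.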