Package: keyringer
Severity: important
Tags: patch upstream
Dear Maintainer,

keyringer has a bug in its keyringer_check_expiration function, leading to it wrongly reporting that a recipient has no valid encryption subkeys when they do not have an expiration date and failing to perform any action on the keyring.

For example:

> % keyringer oignons-ca decrypt fournisseurs.asc
> /usr/bin/../lib/keyringer/actions/../functions: line 705: [[: 1496165541 > 1480493851: syntax error in expression (error token is "1480493851")
> Fatal: key 772B11B4F2DC80E1212B3F41B0739AAD91B7CDC0 has no keys suitable for
> encryption: all subkeys expired.
>
> % gpg -k 772B11B4F2DC80E1212B3F41B0739AAD91B7CDC0
> pub   rsa4096/0xB0739AAD91B7CDC0 2015-02-17 [SC] [expires: 2018-10-13]
>       Key fingerprint = 772B 11B4 F2DC 80E1 212B 3F41 B073 9AAD 91B7 CDC0
> uid                   [ultimate] Nicolas Braud-Santoni <[email protected]>
> uid                   [ultimate] Nicolas Braud-Santoni <[email protected]>
> uid                   [ultimate] Nicolas Braud-Santoni <[email protected]>
> uid                   [ultimate] Nicolas Braud-Santoni <[email protected]>
> sub   rsa4096/0x9D4F88010CFE19E3 2015-12-25 [S]
> sub   rsa4096/0x9F77E4C89B84134A 2015-12-25 [E]
> sub   rsa4096/0x6E433B63EE75FB07 2015-12-25 [A]

The bug is present in jessie, stretch, sid and in keyringer's current development tree.

I attached a patch that fixes the issue, and which I will submit upstream as soon as I get access to upstream's bugtracker.

Please consider applying this patch in jessie.
Best,
nicoo

-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages keyringer depends on:
ii  gawk   1:4.1.3+dfsg-0.1+b1
ii  git    1:2.10.2-3
ii  gnupg  2.1.15-9
ii  mawk   1.3.3-17

Versions of packages keyringer recommends:
ii  openssl    1.0.2j-1
ii  tree       1.7.0-4
ii  wipe       0.22-4
ii  xclip      0.12+svn84-4
ii  xdg-utils  1.1.1-1

keyringer suggests no packages.

-- no debconf information
>From e5ac5fe5fd7774a854056ba851bc3ecd901fd16a Mon Sep 17 00:00:00 2001 From: Nicolas Braud-Santoni <[email protected]> Date: Mon, 12 Dec 2016 16:49:17 +0100 Subject: [PATCH 1/4] keyringer_check_expiration: Handle empty expiration dates Otherwise, if the only non-expired subkeys have empty expiration dates, keyringer wrongly errors-out and claims that no non-expired subkey is available. --- lib/keyringer/functions | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 09b004d..fd0176b 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -722,19 +722,25 @@ function keyringer_check_expiration { fi # Check the subkeys - expiry="" - for expiry in `gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub | cut -d : -f 7`; do + local subkey="" + for subkey in $(gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub); do + local expiry=$(cut -d : -f 7 <<< "$subkey") + if [[ -z "$expiry" ]]; then + not_expired=1 + break + fi if [[ "$seconds" -lt "$expiry" ]]; then not_expired="1" if [[ "$ahead" -gt "$expiry" ]] && [ "$BASENAME" == "check" ]; then echo "Warning: subkey from $recipient will expire soon, on `date --date="@$expiry"`" fi + break fi done # All subkeys are expired - if [ ! -z "$expiry" ] && [ "$not_expired" != "1" ]; then + if [ ! -z "$subkey" ] && [ "$not_expired" != "1" ]; then echo "Fatal: key $recipient has no keys suitable for encryption: all subkeys expired." exit 1 fi -- 2.10.2
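Review bot: the `break` added inside the `[[ "$seconds" -lt "$expiry" ]]` branch narrows the `check` warning: the loop now stops at the first non-expired subkey, so a later subkey whose expiry falls within `$ahead` no longer produces the "will expire soon" message, and since the loop does not filter on capability (field 12 of the `--with-colons` record) that first subkey may be a signing or authentication subkey rather than the encryption subkey the "no keys suitable for encryption" message is about. Consider dropping both `break`s so every `sub` record is examined (the empty-expiry case can simply set `not_expired=1` and `continue`), and iterating with `while IFS= read -r subkey; do ...; done < <(gpg ...)` instead of `for subkey in $(...)`, which word-splits the records on `$IFS`. Minor: `not_expired=1` and `not_expired="1"` now coexist a few lines apart; pick one form.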
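The check the report describes, with the empty-expiry case handled, as an added example that is neither keyringer's code nor the reporter's patch; it assumes gpg's `--with-colons` record layout (validity in field 2, key ID in field 5, expiry in field 7, capabilities in field 12) and runs over a constructed listing with placeholder key IDs. It goes slightly beyond the patched function by counting only encryption-capable subkeys.

```shell
#!/bin/bash
# Added example, not keyringer's code: an expiry check in the spirit of
# keyringer_check_expiration that accepts subkeys with no expiration date
# and counts only encryption-capable ones.  In `gpg --with-colons` records,
# field 2 is validity (e = expired, r = revoked), field 5 the key ID, field 7
# the expiry as a Unix timestamp (empty = never) and field 12 the capabilities.

# Constructed, abbreviated listing (key IDs are placeholders) mirroring the
# reporter's case: encryption subkey 2222... has no expiration date.
NOW_EPOCH=1481500000
SAMPLE_LISTING='pub:u:4096:1:0000000000000000:1424131200:1539388800::u:::scESC:
sub:u:4096:1:1111111111111111:1451001600::::::s:
sub:u:4096:1:2222222222222222:1451001600::::::e:
sub:e:4096:1:3333333333333333:1451001600:1480000000:::::e:
sub:u:4096:1:4444444444444444:1451001600:1483000000:::::e:
sub:u:4096:1:5555555555555555:1451001600::::::a:'

# usable_encryption_subkeys LISTING NOW AHEAD
# Prints "<keyid> never|ok|expires-soon" for each encryption subkey that is
# neither revoked nor expired at epoch NOW ("expires-soon": expiry less than
# AHEAD seconds away).  Returns 1 when no usable encryption subkey exists.
usable_encryption_subkeys() {
    local listing=$1 now=$2 ahead=$3 found=0
    local rectype validity keyid expiry caps rest
    while IFS=: read -r rectype validity _ _ keyid _ expiry _ _ _ _ caps rest; do
        [ "$rectype" = sub ] || continue
        case $validity in r|e) continue ;; esac   # gpg already marks it unusable
        case $caps in *e*) ;; *) continue ;; esac  # signing/auth-only subkey
        if [ -z "$expiry" ]; then
            printf '%s never\n' "$keyid"          # no expiration date: valid
        elif [ "$expiry" -le "$now" ]; then
            continue                              # expired by timestamp
        elif [ $((expiry - now)) -lt "$ahead" ]; then
            printf '%s expires-soon\n' "$keyid"
        else
            printf '%s ok\n' "$keyid"
        fi
        found=1
    done <<EOF
$listing
EOF
    [ "$found" -eq 1 ]
}

# Run the check over the sample with a 30-day warning window.
check_sample() {
    usable_encryption_subkeys "$SAMPLE_LISTING" "$NOW_EPOCH" $((30 * 24 * 3600))
}
```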

