Package: debmirror
Version: 1:2.30
Severity: normal

sid is apparently currently signed by three keys -- automatic signing keys for wheezy, jessie, and stretch. I can't justify this (i have no idea why it should be signed by the wheezy signing key, for example), but that shouldn't matter for debmirror's purpose.

In practice, debmirror should accept any one good signature from any of its trusted keys. However, gpgv returns a non-zero error code if it notices anything fishy, like a signature that it can't validate, and debmirror uses that as a chance to bail out. Here's an example:

2 debmirror@testhost:~$ debmirror --keyring /usr/share/keyrings/debian-archive-stretch-automatic.gpg /srv/debmirror/archive
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 8B48AD6246925553 1 8 00 1546612061 9 A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
[GNUPG:] NO_PUBKEY 8B48AD6246925553
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 7638D0442B90D010 1 8 00 1546612061 9 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
[GNUPG:] NO_PUBKEY 7638D0442B90D010
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 0
[GNUPG:] SIG_ID xEVWVyjJFLGtpwkNoXTkQjo22Ws 2019-01-04 1546612061
[GNUPG:] KEY_CONSIDERED E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 0
[GNUPG:] GOODSIG 04EE7237B7D453EC Debian Archive Automatic Signing Key (9/stretch) <ftpmas...@debian.org>
[GNUPG:] VALIDSIG 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC 2019-01-04 1546612061 0 4 0 1 8 00 E1CF20DDFFE4B89E802658F1E0B11894F66AEC98
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
gpgv: Signature made Fri 04 Jan 2019 09:27:41 AM EST
gpgv: using RSA key A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
gpgv: Can't check signature: No public key
gpgv: Signature made Fri 04 Jan 2019 09:27:41 AM EST
gpgv: using RSA key 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
gpgv: Can't check signature: No public key
gpgv: Signature made Fri 04 Jan 2019 09:27:41 AM EST
gpgv: using RSA key 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
gpgv: Good signature from "Debian Archive Automatic Signing Key (9/stretch) <ftpmas...@debian.org>"
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 8B48AD6246925553 1 8 01 1546612062 9 A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
[GNUPG:] NO_PUBKEY 8B48AD6246925553
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 7638D0442B90D010 1 8 01 1546612062 9 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
[GNUPG:] NO_PUBKEY 7638D0442B90D010
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 0
[GNUPG:] SIG_ID jhlMnCWh9GquPf8AQBwAiGQAPYU 2019-01-04 1546612062
[GNUPG:] KEY_CONSIDERED E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 0
[GNUPG:] GOODSIG 04EE7237B7D453EC Debian Archive Automatic Signing Key (9/stretch) <ftpmas...@debian.org>
[GNUPG:] VALIDSIG 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC 2019-01-04 1546612062 0 4 0 1 8 01 E1CF20DDFFE4B89E802658F1E0B11894F66AEC98
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
gpgv: Signature made Fri 04 Jan 2019 09:27:42 AM EST
gpgv: using RSA key A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
gpgv: Can't check signature: No public key
gpgv: Signature made Fri 04 Jan 2019 09:27:42 AM EST
gpgv: using RSA key 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
gpgv: Can't check signature: No public key
gpgv: Signature made Fri 04 Jan 2019 09:27:42 AM EST
gpgv: using RSA key 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC
gpgv: Good signature from "Debian Archive Automatic Signing Key (9/stretch) <ftpmas...@debian.org>"
Errors:
  .temp/.tmp/dists/sid/Release.gpg signature does not verify
  .temp/.tmp/dists/sid/InRelease signature does not verify
Failed to download some Release, Release.gpg or InRelease files!
WARNING: releasing 1 pending lock...
2 debmirror@testhost:~$

debmirror's gpg_verify() function should be re-written to account for this, probably by verifying that *at least one* signature is valid.

While fixing this signature verification, it might also want to ensure that it's verifying the status-fd output, rather than the return code (see https://dev.gnupg.org/T1537#100523 and other related discussion about why the return code is not reliable for what you typically want to find out from gpgv).

In addition, the verification of InRelease is potentially buggy, because the processing of the inline signature doesn't verify the *contents* of the signature -- there could be additional data above or below the signature -- or multiple things signed. So any verification like that needs to probably use the gpgv --output flag, and stash (or compare) the output to Release itself.

(or something like that, i confess i don't follow all the logic in debmirror for signature-verification yet)

--dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages debmirror depends on:
ii  bzip2                    1.0.6-9
pn  libdigest-md5-perl       <none>
pn  libdigest-sha-perl       <none>
ii  liblockfile-simple-perl  0.208-1
pn  libnet-perl              <none>
ii  libwww-perl              6.36-1
ii  perl                     5.28.1-3
ii  rsync                    3.1.2-2.2
ii  xz-utils                 5.2.2-1.3

Versions of packages debmirror recommends:
ii  ed     1.14.2-2
ii  gpgv   2.2.12-1
ii  patch  2.7.6-3

Versions of packages debmirror suggests:
ii  gnupg  2.2.12-1

-- no debconf information
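The report asks for two changes to gpg_verify(): decide from the gpgv --status-fd stream rather than from the exit code, and accept a Release file when at least one signature comes from a trusted key. The following is an added example of that decision logic, written in Python for illustration; it is not debmirror's own (Perl) code. The status lines it parses are taken from the gpgv output quoted above, the trusted fingerprint set is the stretch key's fingerprint from the VALIDSIG line, and the function names and the rule that a BADSIG from a trusted key fails the check outright are assumptions chosen for the example.

```python
"""Accept a Debian Release file from gpgv --status-fd output when at least
one signature verifies against a trusted key.

Added example for this bug report, not debmirror's code.  Status lines are
constructed from the gpgv output quoted in the report; TRUSTED_FPRS, the
function names and the BADSIG policy are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Fingerprint of the one key in the keyring used in the report (taken from
# its VALIDSIG line).  A real verifier would derive this set from the keyring.
TRUSTED_FPRS = {"16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC"}

# Constructed from the report: status-fd lines for Release.gpg.  Two of the
# three signatures cannot be checked (NO_PUBKEY), one is VALIDSIG.
STATUS_RELEASE_GPG = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 8B48AD6246925553 1 8 00 1546612061 9 A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
[GNUPG:] NO_PUBKEY 8B48AD6246925553
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 7638D0442B90D010 1 8 00 1546612061 9 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
[GNUPG:] NO_PUBKEY 7638D0442B90D010
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 0
[GNUPG:] SIG_ID xEVWVyjJFLGtpwkNoXTkQjo22Ws 2019-01-04 1546612061
[GNUPG:] KEY_CONSIDERED E1CF20DDFFE4B89E802658F1E0B11894F66AEC98 0
[GNUPG:] GOODSIG 04EE7237B7D453EC Debian Archive Automatic Signing Key (9/stretch) <ftpmas...@debian.org>
[GNUPG:] VALIDSIG 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC 2019-01-04 1546612061 0 4 0 1 8 00 E1CF20DDFFE4B89E802658F1E0B11894F66AEC98
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
"""

# Constructed: the same run with no trusted key present at all (no VALIDSIG).
STATUS_NO_TRUSTED_SIG = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 8B48AD6246925553 1 8 00 1546612061 9 A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
[GNUPG:] NO_PUBKEY 8B48AD6246925553
"""

# Constructed: a signature by the trusted key that does NOT verify (BADSIG).
STATUS_BADSIG = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 04EE7237B7D453EC Debian Archive Automatic Signing Key (9/stretch) <ftpmas...@debian.org>
"""


@dataclass
class SigReport:
    valid_fprs: list = field(default_factory=list)     # fingerprints from VALIDSIG
    bad_keyids: list = field(default_factory=list)     # long key ids from BADSIG
    unknown_keyids: list = field(default_factory=list) # long key ids from NO_PUBKEY


def parse_status(status_text):
    """Reduce a --status-fd stream to the facts a verifier needs."""
    rep = SigReport()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword, args = fields[1], fields[2:]
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <timestamp> <expire> <ver> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> [<primary-fpr>]
            rep.valid_fprs.append(args[0].upper())
        elif keyword == "BADSIG":
            rep.bad_keyids.append(args[0].upper())
        elif keyword == "NO_PUBKEY":
            rep.unknown_keyids.append(args[0].upper())
    return rep


def accept(status_text, trusted_fprs=TRUSTED_FPRS):
    """True when at least one VALIDSIG names a trusted key.

    The gpgv exit status is deliberately not an input: as the report shows,
    it is non-zero whenever any signature cannot be checked, which is
    exactly what a Release signed by several keys produces.  Unknown signers
    (NO_PUBKEY) are ignored; a BADSIG attributed to a trusted key is treated
    as a hard failure (assumed policy for this example).
    """
    rep = parse_status(status_text)
    for keyid in rep.bad_keyids:
        if any(fpr.endswith(keyid) for fpr in trusted_fprs):
            return False
    return any(fpr in trusted_fprs for fpr in rep.valid_fprs)


if __name__ == "__main__":
    print("Release.gpg from the report:", accept(STATUS_RELEASE_GPG))   # True
    print("no trusted signer:", accept(STATUS_NO_TRUSTED_SIG))          # False
    print("bad signature by trusted key:", accept(STATUS_BADSIG))       # False
```

In a real run the status text would come from gpgv invoked with --status-fd pointed at a pipe or file descriptor the caller reads, separately from the human-readable messages on stderr. For InRelease, the same call would add --output so that the verifier compares or uses only the text gpgv actually verified, rather than the raw file, which is the third point the report raises.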