Package: debsigs
Version: 0.1.25
Severity: important
Tags: patch

Hi!

Just playing with debsigs locally to see if it might solve a problem
for me. A little bit surprised to see that it doesn't work fully with
gpg2.

I signed a package and that worked OK:

tack:~$ debsigs --sign=origin sbsigntool_0.6-3.2_amd64.deb
gpg: using "587979573442684E" as default secret key for signing

But listing the sigs doesn't work:

tack:~$ debsigs --list sbsigntool_0.6-3.2_amd64.deb
GPG signatures in sbsigntool_0.6-3.2_amd64.deb:
bad gpg line at /usr/share/perl5/Debian/debsigs/gpg.pm line 39, <GEN6> line 1.

The code in gpg.pm is assuming the first line is always going to
describe a signature packet, but that's not the case with
gpg2. Comparing the output, I see that there's an extra comment line
at the start of the output:

tack:~$ gpg1 --list-packets _gpgorigin 
:signature packet: algo 1, keyid 587979573442684E
        version 4, created 1620732510, md5len 0, sigclass 0x00
        digest algo 8, begin of digest 1d 9d
        hashed subpkt 33 len 21 (?)
        hashed subpkt 2 len 4 (sig created 2021-05-11)
        subpkt 16 len 8 (issuer key ID 587979573442684E)
        data: [4095 bits]


tack:~$ gpg2 --list-packets _gpgorigin 
# off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid 587979573442684E
        version 4, created 1620732510, md5len 0, sigclass 0x00
        digest algo 8, begin of digest 1d 9d
        hashed subpkt 33 len 21 (issuer fpr v4 CEBB52301D617E910390FE16587979573442684E)
        hashed subpkt 2 len 4 (sig created 2021-05-11)
        subpkt 16 len 8 (issuer key ID 587979573442684E)
        data: [4095 bits]

Here's a trivial patch to ignore that comment if it's there.

-- System Information:
Debian Release: 10.9
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debsigs depends on:
ii  binutils  2.31.1-16
ii  gnupg     2.2.12-1+deb10u1
ii  perl      5.28.1-6+deb10u1

Versions of packages debsigs recommends:
ii  debsig-verify  0.19+b10

debsigs suggests no packages.

-- no debconf information
From d56451db12dd89c874606741ed619e6b72cfa86f Mon Sep 17 00:00:00 2001
From: Steve McIntyre <st...@einval.com>
Date: Tue, 11 May 2021 12:53:21 +0100
Subject: [PATCH] Cope with extra comment in gpg2 output

Signed-off-by: Steve McIntyre <st...@einval.com>
---
 gpg.pm | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/gpg.pm b/gpg.pm
index 99d2998..c624b4e 100644
--- a/gpg.pm
+++ b/gpg.pm
@@ -35,6 +35,9 @@ sub getkeyfromfd {
   my ($keyid, $date);
 
   my $line = <$gpgfd>;
+  if ($line =~ /^#/) {
+    $line = <$gpgfd>;
+  };
   # print STDERR "gpg: got first line: $line";
   die 'bad gpg line' unless ($line =~ '^:signature packet:');
   ($keyid) = $line =~ /^:signature packet: .+ keyid ([0-9a-fA-F]+)/;
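Review bot: the added `if ($line =~ /^#/)` test skips exactly one comment line and never checks that either read returned a defined value. If gpg prints nothing, or only the comment line, `$line` is undef and the match raises an "uninitialized value" warning before `die 'bad gpg line'` fires; a second leading `#` line would also still hit the die. Consider `$line = <$gpgfd> while defined $line && $line =~ /^#/;` followed by an explicit die when `$line` is undefined. The `;` after the closing brace of the `if` block is also unnecessary.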
-- 
2.20.1
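
An added example (not part of the original report and not debsigs' own code): a tolerant reader for the `--list-packets` text shown above, which skips every `#` comment line rather than only the first and collects the key ID and creation time of each signature packet. The helper name `parse_sig_packets` is an assumption; the sample input is abridged from the gpg1 and gpg2 output quoted in the report.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse `gpg --list-packets` text and return one hashref per signature packet.
# parse_sig_packets is a hypothetical helper, not part of Debian::debsigs.
sub parse_sig_packets {
    my ($fh) = @_;
    my (@sigs, $cur);
    while (my $line = <$fh>) {
        next if $line =~ /^#/;          # gpg2 "# off=... ctb=..." comment lines
        if ($line =~ /^:signature packet: .+ keyid ([0-9a-fA-F]+)/) {
            $cur = { keyid => uc $1 };
            push @sigs, $cur;
        } elsif ($line =~ /^:/) {
            $cur = undef;               # some other packet type: ignore its body
        } elsif ($cur && $line =~ /^\s+version \d+, created (\d+)/) {
            $cur->{created} = $1;       # Unix timestamp of the signature
        }
    }
    return @sigs;
}

# Sample input: the gpg1 and gpg2 output quoted in the report (abridged).
my %sample = (
    gpg1 => <<'EOT',
:signature packet: algo 1, keyid 587979573442684E
        version 4, created 1620732510, md5len 0, sigclass 0x00
        digest algo 8, begin of digest 1d 9d
EOT
    gpg2 => <<'EOT',
# off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid 587979573442684E
        version 4, created 1620732510, md5len 0, sigclass 0x00
        digest algo 8, begin of digest 1d 9d
EOT
);

for my $name (sort keys %sample) {
    open(my $fh, '<', \$sample{$name}) or die "cannot open in-memory sample: $!";
    my @sigs = parse_sig_packets($fh);
    # Fail closed: empty or comment-only output must not pass as "no problem".
    die "$name: no signature packet found\n" unless @sigs;
    printf "%s: keyid=%s created=%s\n", $name, $_->{keyid}, $_->{created} // 'unknown'
        for @sigs;
}
```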
