Package: hopenpgp-tools
Version: 0.23.10-1
Severity: normal
X-Debbugs-Cc: uklei...@debian.org

With gpg 2.2.46 I have:

        $ gpg --export 39CB544D6527CF60 | gpg --import
        gpg: key 39CB544D6527CF60: "Nicolas Pitre <n...@fluxnic.net>" not changed
        gpg: Total number processed: 1
        gpg:              unchanged: 1

        $ gpg --export 39CB544D6527CF60 | hokey canonicalize | gpg --import
        hokey (hopenpgp-tools) 0.23.10
        Copyright (C) 2012-2023  Clint Adams
        hokey comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions.
        gpg: key 39CB544D6527CF60: 1 bad signature
        gpg: key 39CB544D6527CF60: "Nicolas Pitre <n...@fluxnic.net>" not changed
        gpg: Total number processed: 1
        gpg:              unchanged: 1

So when piping the certificate through `hokey canonicalize`, gpg is
unhappy with the result ("1 bad signature").

I didn't try to debug, so maybe it's also gpg (or the public key) that
is wrong here. Another indication that it's indeed hokey that is broken
here is that Sequoia also reports a broken signature:

        $ diff -u <(gpg --export 39CB544D6527CF60 | sq inspect --dump-bad-signatures) <(gpg --export 39CB544D6527CF60 | hokey canonicalize | sq inspect --dump-bad-signatures)
        hokey (hopenpgp-tools) 0.23.10
        Copyright (C) 2012-2023  Clint Adams
        hokey comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions.
        --- /dev/fd/63  2025-03-14 12:41:09.762163073 +0100
        +++ /dev/fd/62  2025-03-14 12:41:09.766163061 +0100
        @@ -7,10 +7,11 @@
                 Key flags: certification, signing

                    Subkey: E582CAEAF7CBA7AA04344A927F4A62820BF463B7
        +                   Invalid: No binding signature at time 
2025-03-14T11:41:09Z
        +                   Invalid: No binding signature at time 
2025-03-14T11:41:09Z
           Public-key algo: RSA
           Public-key size: 2048 bits
             Creation time: 2014-08-27 18:44:41 UTC
        -        Key flags: signing

                    Subkey: 41DAFFF1E479BE87915F2E61CB32F57D9BA1D6FF
           Public-key algo: RSA
        @@ -52,3 +53,34 @@
                    UserID: Nicolas Pitre <npi...@baylibre.com>
            Certifications: 1, use --certifications to list

        +    Bad Signature:
        +                   Version: 4
        +                   Type: SubkeyBinding
        +                   Pk algo: RSA
        +                   Hash algo: SHA256
        +                   Hashed area:
        +                     Signature creation time: 2025-02-25 05:18:24 UTC 
(critical)
        +                     Issuer: 39CB544D6527CF60
        +                       Nicolas Pitre <n...@fluxnic.net> 
(UNAUTHENTICATED)
        +                     Notation: s...@notations.sequoia-pgp.org
        +                       00000000  1a 30 59 f3 ea fd 72 88  a3 2b 5e a5 
1b e2 43 bd
        +                       00000010  89 d8 f6 37 92 11 28 a5  50 8d b1 af 
c8 e9 16 48
        +                     Key flags: S
        +                     Embedded signature:  (critical)
        +                                                Version: 4
        +                         Type: PrimaryKeyBinding
        +                         Pk algo: RSA
        +                         Hash algo: SHA256
        +                         Hashed area:
        +                           Signature creation time: 2025-02-25 
05:18:24 UTC (critical)
        +                           Issuer: 7F4A62820BF463B7
        +                             Nicolas Pitre <n...@fluxnic.net> 
(UNAUTHENTICATED)
        +                           Notation: s...@notations.sequoia-pgp.org
        +                             00000000  d8 bd 36 7c ef bd c5 da  85 b8 
f7 02 5d 3b 81 28
        +                             00000010  1b b8 e1 68 40 15 89 ec  b5 8b 
f0 eb d4 bb b0 f4
        +                           Issuer Fingerprint: 
E582CAEAF7CBA7AA04344A927F4A62820BF463B7
        +                             Nicolas Pitre <n...@fluxnic.net> 
(UNAUTHENTICATED)
        +                         Digest prefix: 4CA6
        +                         Level: 0 (signature over data)
        +                   Digest prefix: DB75
        +                   Level: 0 (signature over data)


The key 39CB544D6527CF60 is available on the keyservers if you want to
reproduce. (gpg --keyserver-options no-self-sigs-only --keyserver keyserver.ubuntu.com --recv 39CB544D6527CF60)

Best regards
Uwe

-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (750, 'testing-debug'), (750, 'testing'), (700, 'stable-updates'), (700, 'stable-security'), (700, 'stable-debug'), (700, 'stable'), (600, 'unstable'), (500, 'unstable-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 6.12.6-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages hopenpgp-tools depends on:
ii  libbz2-1.0     1.0.8-6
ii  libc6          2.40-4
ii  libffi8        3.4.6-1
ii  libgmp10       2:6.3.0+dfsg-3
ii  libnettle8t64  3.10-1+b1
ii  libnuma1       2.0.18-1+b1
ii  libyaml-0-2    0.2.5-2
ii  zlib1g         1:1.3.dfsg+really1.3.1-1+b1

hopenpgp-tools recommends no packages.

hopenpgp-tools suggests no packages.

-- no debconf information
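
A packet-level comparison is one way to narrow down what a filter such as `hokey canonicalize` changed in a certificate like the one reported above. The following is an added example, not part of the original report or of hopenpgp-tools; `read_packets` and `packet_diff` are hypothetical helper names, the byte strings are constructed samples rather than real key material, and partial or indeterminate packet lengths are not handled.

```python
from collections import Counter

def read_packets(data):
    """Split a binary (non-armored) OpenPGP stream into (tag, body) tuples."""
    packets, i = [], 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"offset {i}: not an OpenPGP packet header")
        i += 1
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:                     # one-octet length
                length, i = first, i + 1
            elif first < 224:                   # two-octet length
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:                  # five-octet length
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            n = 1 << ltype                      # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        packets.append((tag, data[i:i + length]))
        i += length
    return packets

def packet_diff(before, after):
    """Packets whose body occurs in only one stream, ignoring order and header format."""
    a, b = Counter(read_packets(before)), Counter(read_packets(after))
    return sorted((a - b).elements()), sorted((b - a).elements())

# Constructed samples: key (tag 6), user ID (tag 13), signature (tag 2).
# AFTER uses new-format headers throughout and has a modified signature body.
BEFORE = bytes([0x98, 3]) + b"KEY" + bytes([0xB4, 4]) + b"user" + bytes([0x88, 4]) + b"\x04\x18AB"
AFTER = bytes([0xC6, 3]) + b"KEY" + bytes([0xCD, 4]) + b"user" + bytes([0xC2, 4]) + b"\x04\x18BA"

if __name__ == "__main__":
    removed, added = packet_diff(BEFORE, AFTER)
    print("only in input: ", removed)
    print("only in output:", added)
```

On real data the two inputs would be the saved output of `gpg --export` and of the same export piped through `hokey canonicalize`. A pure change of header format leaves the packet bodies identical, so only packets whose content was rewritten show up; a rewritten signature body (tag 2) is the place to look next.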
