Hi!
On Mon, 2025-05-19 at 01:26:59 +0200, Guillem Jover wrote:
> I've just uploaded it now.
So, a new bug report just came in yesterday, that through the new sqv
support revealed a pre-existing problem with the Sequoia handling on
verification, where the code was calling sq (and now possibly sqv)
with no keyrings if they are not present on disk (which will be the
case on a true minimal installation w/o debian-keyring installed), and
where sq used to give a rather verbose output that can be confusing,
and sqv now gives an apparently alarming error message as it expects
at least one keyring option to be passed. :/
In focusing on testing verification, I completely missed checking the
scenario with no keyrings, sorry about that! :'(
Something like this, for sqv:
,---
$ dpkg-source -x *.dsc
error: the following required arguments were not provided:
--keyring <FILE>
Usage: sqv --keyring <FILE> --cleartext --output <FILE> <FILE>
For more information, try '--help'.
dpkg-source: warning: cannot verify inline signature for
./upgrade-system_1.9.8.dsc: no acceptable signature found
dpkg-source: info: extracting upgrade-system in upgrade-system-1.9.8
dpkg-source: info: unpacking upgrade-system_1.9.8.tar.xz
`---
And this for sq:
,---
$ dpkg-source -x *.dsc
Can't authenticate signature allegedly made by
C89002C77A8BEC6A4E6D7390AE1F8277C4B4D7B6: missing certificate.
Hint: Consider searching for the certificate using:
$ sq network search C89002C77A8BEC6A4E6D7390AE1F8277C4B4D7B6
0 authenticated signatures, 1 uncheckable signature.
Error: Verification failed: could not authenticate any signatures
dpkg-source: warning: cannot verify inline signature for
./upgrade-system_1.9.8.dsc: no acceptable signature found
dpkg-source: info: extracting upgrade-system in upgrade-system-1.9.8
dpkg-source: info: unpacking upgrade-system_1.9.8.tar.xz
`---
In my view these make the UI rather confusing, but have no functional
effect, because by default they are warnings and do not prevent
extraction, and even with --require-valid-signature, they'd fail as
well given that the keyrings are not installed.
While this was brought up in the upstream Sequoia IRC channel, Neal
asked whether the sq command was being run in stateless mode, which is
the assumed running context for all other OpenPGP backends (from GnuPG
to SOP), which can be done (and should have been done) by passing
--home=none to sq invocations (but not sqv).
So, I'd like to prepare a dpkg 1.22.20 release with the two attached
patches (and some further translation updates), but would probably wait
a few more days in case there's anything else that pops up, then can
update this bug metadata, and provide a proper debdiff if so.
Thanks,
Guillem
From dcc392e9b5785c96930a6ba0d1dc316cc5764a78 Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@debian.org>
Date: Wed, 21 May 2025 09:50:56 +0200
Subject: [PATCH 1/2] Dpkg::OpenPGP::Backend::Sequoia: Do not run sq/sqv to
verify with no keyrings
Both sq and sqv support expect a keyring to be able to verify the
signatures, and produce rather confusing and alarming diagnostics,
which by default are emitted as warnings.
In case we have no keyrings to pass (because they are not present on
disk for example), skip the commands invocation, and return an error
to the effect that no valid signatures could be found. In the future
we should instead print the keyrings that we are using and the ones we
are skipping, and print a specific error message for this condition,
to make the error condition more clear, but for now this is the minimal
change that gives a less confusing UI.
Closes: #1106148
---
scripts/Dpkg/OpenPGP/Backend/Sequoia.pm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/scripts/Dpkg/OpenPGP/Backend/Sequoia.pm b/scripts/Dpkg/OpenPGP/Backend/Sequoia.pm
index 2d50b0921..09b3ec88b 100644
--- a/scripts/Dpkg/OpenPGP/Backend/Sequoia.pm
+++ b/scripts/Dpkg/OpenPGP/Backend/Sequoia.pm
@@ -123,6 +123,7 @@ sub inline_verify
my ($self, $inlinesigned, $data, @certs) = @_;
return OPENPGP_MISSING_CMD unless ($self->{cmdv} || $self->{cmd});
+ return OPENPGP_NO_SIG if @certs == 0;
# XXX: sqv does not support --signer-file. See:
# <https://gitlab.com/sequoia-pgp/sequoia-sqv/-/issues/11>.
@@ -164,6 +165,7 @@ sub verify
my ($self, $data, $sig, @certs) = @_;
return OPENPGP_MISSING_CMD unless ($self->{cmdv} || $self->{cmd});
+ return OPENPGP_NO_SIG if @certs == 0;
# XXX: sqv does not support --signer-file. See:
# <https://gitlab.com/sequoia-pgp/sequoia-sqv/-/issues/11>.
--
2.49.0
From 96b9d6b20362f96f8fc9b5e35e6ea811a8c4b52d Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@debian.org>
Date: Wed, 21 May 2025 09:56:07 +0200
Subject: [PATCH 2/2] Dpkg::OpenPGP::Backend::Sequoia: Run sq in stateless mode
for verification
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
For verification and for every other OpenPGP command we always run in
stateless mode, by for example creating a temporary home directory to
avoid the tools (such as GnuPG), to use any implicit keyrings that we
have not explicitly passed.
But for sq we have not been doing that, which changes this specific
backend command semantics compared to the others.
Explicitly pass «--home=none» to enable stateless mode.
Suggested-by: Neal H. Walfield <n...@sequoia-pgp.org>
---
scripts/Dpkg/OpenPGP/Backend/Sequoia.pm | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/scripts/Dpkg/OpenPGP/Backend/Sequoia.pm b/scripts/Dpkg/OpenPGP/Backend/Sequoia.pm
index 09b3ec88b..32298d7d2 100644
--- a/scripts/Dpkg/OpenPGP/Backend/Sequoia.pm
+++ b/scripts/Dpkg/OpenPGP/Backend/Sequoia.pm
@@ -130,6 +130,8 @@ sub inline_verify
my $keyring_opt = $self->{cmdv} ? '--keyring' : '--signer-file';
my @opts;
+ # Select stateless mode for sq.
+ push @opts, '--home=none' unless $self->{cmdv};
push @opts, '--cleartext';
push @opts, map { ($keyring_opt, $_) } @certs;
my $tmpdir;
@@ -172,6 +174,8 @@ sub verify
my $keyring_opt = $self->{cmdv} ? '--keyring' : '--signer-file';
my @opts;
+ # Select stateless mode for sq.
+ push @opts, '--home=none' unless $self->{cmdv};
push @opts, map { ($keyring_opt, $_) } @certs;
push @opts, '--signature-file', $sig;
--
2.49.0
