Your message dated Thu, 22 Dec 2016 11:04:35 +0000
with message-id <e1ck1ap-0003hj...@fasolo.debian.org>
and subject line Bug#783605: fixed in dpkg-sig 0.13.1+nmu4
has caused the Debian Bug report #783605,
regarding dpkg-sig --verify does not fail unless the .deb is signed
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
783605: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783605
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Subject: dpkg-sig --verify does not fail unless the .deb is signed
Package: dpkg-sig
Version: 0.13.1+nmu2
Severity: grave
Tags: security, patch

Dear Maintainer,

Perhaps I've misunderstood the purpose of this tool, but one may have
hoped for something that would check that a .deb was signed with a
trusted key.

dpkg-sig does:
   * report an error with non-zero exit status if a .deb has a bad signature
   * report no error with zero exit status if a .deb has a good signature

dpkg-sig does NOT:
   * report an error with non-zero exit status if a .deb is unsigned

Steps to reproduce:
   * mkdir /tmp/build && cd /tmp/build
   * apt-get source liblzo2-2
   * apt-get build-dep liblzo2-2
   * dpkg-source -x lzo2_2.08-1.2.dsc
   * cd lzo2-2.08/
   * dpkg-buildpackage -rfakeroot -b -uc -us # builds unsigned .deb
   * dpkg-sig --verify ../liblzo2-2_2.08-1.2_amd64.deb
   * echo $?

Expected behaviour:
   * echo $? should print non-zero exit status

Actual behaviour:
   * echo $? prints 0

Impact:
Any user of dpkg-sig --verify cares about having valid signatures on
their .debs.

It seems this could be a security issue to then trivially allow
bypassing this check simply by presenting an unsigned .deb, hence the
grave severity.

This hurts anyone who depends on this tool in their workflow AND had
the misguided expectation that it would error out on unsigned debs as
I did.

Therefore I've attached a patch which I suspect changes the tool to
conform to this expectation. It was only briefly tested, please review
before applying.

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dpkg-sig depends on:
ii  gnupg                      1.4.18-7
ii  libconfig-file-perl        1.50-2
ii  perl [libdigest-md5-perl]  5.20.2-3

dpkg-sig recommends no packages.

Versions of packages dpkg-sig suggests:
pn  libterm-readkey-perl  <none>
pn  ssh                   <none>

-- no debconf information
--- dpkg-sig.orig       2015-04-28 20:08:01.276000000 +1000
+++ dpkg-sig    2015-04-28 20:02:33.372000000 +1000
@@ -140,6 +140,7 @@
                                print @verify_output;
                                exit 2 if grep { /^BADSIG/ } @verify_output;
                                exit 3 if grep { /^UNKNOWNSIG/ } @verify_output;
+                               exit 4 if grep { /^NOSIG/ } @verify_output;
                        } elsif ($list) {
                                for (get_deb_parts($file)) {
                                        print "$1\n" if ($_->[0] =~ /_gpg(.+)/);
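Review bot: this `exit 4` only fires if verify_deb_sigs actually emits a `NOSIG` line, and the same three-line grep chain (`exit 2 if grep { /^BADSIG/ }`, `exit 3 if grep { /^UNKNOWNSIG/ }`, now `exit 4 if grep { /^NOSIG/ }`) is duplicated in the second verify branch around line 181, so a status added to one copy can silently be missed in the other; consider moving the chain into one helper called from both branches, and documenting exit status 4 alongside 2 and 3 wherever the exit codes are listed.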
@@ -181,6 +182,7 @@
                                        print @verify_output;
                                        exit 2 if grep { /^BADSIG/ } 
@verify_output;
                                        exit 3 if grep { /^UNKNOWNSIG/ } 
@verify_output;
+                                       exit 4 if grep { /^NOSIG/ } 
@verify_output;
                                } elsif ($list) {
                                        for (get_deb_parts($deb)) {
                                                print "$1\n" if ($_->[0] =~ 
/_gpg(.+)/);
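Review bot: the lines of this hunk have been wrapped by the mail client (`exit 2 if grep { /^BADSIG/ }` and `@verify_output;` now sit on separate lines), so the diff as pasted will not apply cleanly with `patch`; please attach it as a file rather than inline. The added `NOSIG` check itself is the same as in the first verify branch, which is the correct behaviour for both code paths.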
@@ -502,6 +504,7 @@
 
        #Get MD5 sums:
        my $digests = get_deb_digests($deb);
+       my $found_sigs;
 
        for (my $n=0;$n<@$digests;$n++) {
                my ($part_name, $size, $sha1sum, $md5sum) = @{@$digests[$n]};
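Review bot: `my $found_sigs;` leaves the flag undef until a signature is seen, which works because `!$found_sigs` is true for undef, but `my $found_sigs = 0;` states the intent explicitly. Declaring it outside the part loop is right: one signature on any part must mark the whole .deb as signed.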
@@ -517,12 +520,15 @@
 
                if ($sig =~ /BEGIN PGP SIGNED MESSAGE/) {
                        $status = verify_deb_sig_v4($part_name, $n, $digests, 
\@info, \@return);
+                       $found_sigs = 1;
                }
                if ($check_v3_sig && (!$status || $status eq "BAD")) {
                        $status = verify_deb_sig_v3($part_name, $n, $digests, 
\@info, \@return);
+                       $found_sigs = 1;
                }
                if ($check_v2_sig && (!$status || $status eq "BAD")) {
                        $status = verify_deb_sig_v2($part_name, $n, $digests, 
\@info, \@return);
+                       $found_sigs = 1;
                }
 
                if      ($status && $status eq "GOOD") {
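Review bot: `$found_sigs = 1;` in the v3 and v2 branches is set whenever `$check_v3_sig` / `$check_v2_sig` is enabled and `$status` is still empty or "BAD", not when verify_deb_sig_v3/v2 actually found a signature, so with either legacy check enabled an unsigned .deb still ends up with `$found_sigs` set and `NOSIG` is never emitted. Suggest deriving the flag from the call result instead, e.g. `$found_sigs = 1 if $status;` after each verify call (assuming those functions return an empty status when no signature is present, as the `!$status` test implies), or setting it only in the v4 branch where the `BEGIN PGP SIGNED MESSAGE` header has been positively matched.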
@@ -533,6 +539,9 @@
                        push @return, "BADSIG $part_name\n"
                }
        }
+       if (!$found_sigs) {
+               push @return, "NOSIG\n"
+       }
 
        return @return;
 }
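Review bot: `NOSIG` is pushed as a bare marker while the other lines carry a part name (`BADSIG $part_name`); that is fine for the `/^NOSIG/` grep but anyone parsing the output per part will see a line without a part field, so the new marker and exit status 4 deserve a mention in the changelog or man page. Also note this reports only the fully unsigned case: a .deb whose signature parts fail still gets `BADSIG` from the loop above, which matches what the report asks for.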

--- End Message ---
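The report above asks for an unsigned .deb to be rejected rather than passed. As an added example (not code from dpkg-sig or from the reporter's patch), the Python below parses the `ar` container of a .deb and reports `NOSIG` when no `_gpg*` signature member is present, the presence check a workflow could run alongside a pre-0.13.1+nmu4 `dpkg-sig --verify`. It assumes a plain ar layout without a GNU long-name table and checks presence only, not signature validity; the sample archives are constructed inline.

```python
# Added example, not code from dpkg-sig or the bug report: an independent
# pre-check that a .deb carries at least one dpkg-sig signature member, the
# case the unpatched `dpkg-sig --verify` silently let through with exit 0.
# A .deb is an `ar` archive; dpkg-sig stores each signature as a member named
# `_gpg<signer>` (the `/_gpg(.+)/` test in the patch). Presence only: the
# signature itself is not verified here.
from __future__ import annotations

AR_MAGIC = b"!<arch>\n"


def ar_members(data: bytes) -> list[tuple[str, bytes]]:
    """Parse a plain (no GNU long-name table) ar archive into (name, payload) pairs."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, off = [], len(AR_MAGIC)
    while off + 60 <= len(data):
        hdr = data[off:off + 60]                 # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError(f"bad ar member header at offset {off}")
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")   # "name/" or "name   "
        size = int(hdr[48:58].decode("ascii").strip())
        members.append((name, data[off + 60:off + 60 + size]))
        off += 60 + size + (size & 1)            # payload is padded to an even offset
    return members


def signature_status(deb: bytes) -> str:
    """Return "NOSIG" for a .deb with no `_gpg*` member, else "SIGNED",
    mirroring the marker the patched verify_deb_sigs pushes for unsigned files."""
    names = [name for name, _ in ar_members(deb)]
    if "debian-binary" not in names:
        raise ValueError("not a .deb: debian-binary member missing")
    return "SIGNED" if any(n.startswith("_gpg") for n in names) else "NOSIG"


def build_ar(members: list[tuple[str, bytes]]) -> bytes:
    """Constructed test helper: assemble a minimal ar archive from (name, payload) pairs."""
    out = bytearray(AR_MAGIC)
    for name, body in members:
        hdr = f"{name + '/':<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(body):<10}"
        out += hdr.encode("ascii") + b"`\n" + body + (b"\n" if len(body) & 1 else b"")
    return bytes(out)


# Constructed samples: an unsigned .deb and one carrying a dpkg-sig `_gpgbuilder` member.
UNSIGNED_DEB = build_ar([("debian-binary", b"2.0\n"), ("control.tar.gz", b"\x1f\x8b"),
                         ("data.tar.xz", b"xz")])
SIGNED_DEB = build_ar([("debian-binary", b"2.0\n"), ("control.tar.gz", b"\x1f\x8b"),
                       ("data.tar.xz", b"xz"), ("_gpgbuilder", b"-----BEGIN PGP SIGNED MESSAGE-----\n")])
```

`signature_status(open(path, "rb").read())` on a real .deb returns `NOSIG` or `SIGNED`; a `NOSIG` result is exactly the input on which the unpatched tool exited 0.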
--- Begin Message ---
Source: dpkg-sig
Source-Version: 0.13.1+nmu4

We believe that the bug you reported is fixed in the latest version of
dpkg-sig, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Biedl <debian.a...@manchmal.in-ulm.de> (supplier of updated dpkg-sig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 20 Dec 2016 00:02:40 +0100
Source: dpkg-sig
Binary: dpkg-sig
Architecture: source
Version: 0.13.1+nmu4
Distribution: unstable
Urgency: medium
Maintainer: Marc 'HE' Brockschmidt <h...@debian.org>
Changed-By: Christoph Biedl <debian.a...@manchmal.in-ulm.de>
Description:
 dpkg-sig   - create and verify signatures on .deb-files
Closes: 783605
Changes:
 dpkg-sig (0.13.1+nmu4) unstable; urgency=medium
 .
   * Non-maintainer upload
   * Exit non-zero upon unsigned .deb. Patch by Paul Harvey.
     Closes: #783605
Checksums-Sha1:
 2cb4059c759c6ea0540b0be6d80524737e3e6a22 1468 dpkg-sig_0.13.1+nmu4.dsc
 aee49b8af6c3e7e0c42d8242e99f72ef94b625a2 28545 dpkg-sig_0.13.1+nmu4.tar.gz
Checksums-Sha256:
 2471c671d439924865a5b0f444f1ac81c1ba1cc81e08cebeef9db33da233aac5 1468 dpkg-sig_0.13.1+nmu4.dsc
 7c33d26c371f67e3a0aa658bb925336e8584d43fef9938e16da8da6272f47bc3 28545 dpkg-sig_0.13.1+nmu4.tar.gz
Files:
 6c659c6266813f2fbd4f7b0b1ee7751c 1468 devel optional dpkg-sig_0.13.1+nmu4.dsc
 1f27c7b7b7990b93fb1c86e35aff25c8 28545 devel optional dpkg-sig_0.13.1+nmu4.tar.gz


--- End Message ---
