Bug#1098553: golang-github-digitorus-pkcs7: FTBFS: verify_test.go:576: Verify failed with error: pkcs7: failed to verify certificate chain

Santiago Vila Fri, 21 Feb 2025 15:32:03 -0800

Package: src:golang-github-digitorus-pkcs7
Version: 0.0~git20230818.3a137a8-2
Severity: serious
Tags: ftbfs trixie sid


Dear maintainer:

During a rebuild of all packages in unstable, your package failed to build:

--------------------------------------------------------------------------------
[...]
 debian/rules clean
dh clean --builddirectory=_build --buildsystem=golang
   dh_auto_clean -O--builddirectory=_build -O--buildsystem=golang
   dh_autoreconf_clean -O--builddirectory=_build -O--buildsystem=golang
   dh_clean -O--builddirectory=_build -O--buildsystem=golang
 debian/rules binary
dh binary --builddirectory=_build --buildsystem=golang
   dh_update_autotools_config -O--builddirectory=_build -O--buildsystem=golang
   dh_autoreconf -O--builddirectory=_build -O--buildsystem=golang
   dh_auto_configure -O--builddirectory=_build -O--buildsystem=golang
   dh_auto_build -O--builddirectory=_build -O--buildsystem=golang
        cd _build && go install -trimpath -v -p 2 github.com/digitorus/pkcs7
internal/unsafeheader
internal/goarch
internal/cpu
internal/abi
internal/bytealg
internal/byteorder
internal/coverage/rtcov
internal/chacha8rand
internal/godebugs
internal/goexperiment
internal/goos
internal/profilerecord
internal/runtime/atomic
internal/asan
internal/msan
internal/race
internal/runtime/exithook
internal/runtime/math
internal/runtime/sys
internal/runtime/syscall
internal/runtime/maps
internal/stringslite
sync/atomic
internal/sync
math/bits
unicode
runtime
unicode/utf8
math
crypto/internal/fips140/alias
crypto/internal/fips140deps/byteorder
crypto/internal/fips140deps/cpu
crypto/internal/fips140/subtle
internal/itoa
cmp
crypto/internal/boring/sig
unicode/utf16
vendor/golang.org/x/crypto/cryptobyte/asn1
internal/nettrace
encoding
internal/reflectlite
sync
errors
iter
internal/bisect
io
strconv
bytes
hash
internal/godebug
crypto
strings
crypto/internal/fips140deps/godebug
crypto/internal/impl
crypto/internal/fips140
internal/oserror
syscall
crypto/internal/fips140/sha256
crypto/internal/fips140/sha3
crypto/internal/fips140/sha512
crypto/internal/fips140/hmac
crypto/internal/fips140/check
crypto/internal/fips140/aes
internal/syscall/unix
path
slices
time
internal/syscall/execenv
internal/testlog
math/rand/v2
crypto/internal/randutil
crypto/subtle
reflect
io/fs
internal/filepathlite
internal/poll
os
crypto/internal/sysrand
crypto/internal/entropy
crypto/internal/fips140/drbg
crypto/internal/fips140/aes/gcm
crypto/internal/fips140only
internal/fmtsort
fmt
crypto/cipher
crypto/internal/boring
crypto/aes
crypto/des
math/rand
crypto/internal/fips140/nistec/fiat
math/big
crypto/internal/fips140/nistec
crypto/dsa
crypto/internal/fips140/edwards25519/field
crypto/internal/boring/bbig
crypto/internal/fips140/bigmod
crypto/sha3
crypto/internal/fips140/ecdh
crypto/elliptic
crypto/ecdh
crypto/internal/fips140/ecdsa
crypto/internal/fips140hash
crypto/sha512
encoding/asn1
crypto/internal/fips140/edwards25519
vendor/golang.org/x/crypto/cryptobyte
crypto/internal/fips140/ed25519
crypto/rand
crypto/ed25519
crypto/ecdsa
crypto/internal/fips140/rsa
crypto/rsa
crypto/sha1
crypto/md5
crypto/sha256
encoding/hex
encoding/binary
crypto/x509/pkix
maps
context
vendor/golang.org/x/net/dns/dnsmessage
encoding/base64
encoding/pem
internal/singleflight
weak
unique
runtime/cgo
net/netip
net/url
path/filepath
io/ioutil
os/exec
net
sort
flag
bufio
internal/sysinfo
runtime/debug
runtime/trace
testing
crypto/x509
github.com/digitorus/pkcs7
   debian/rules override_dh_auto_test
make[1]: Entering directory '/<<PKGBUILDDIR>>'
env GODEBUG=x509sha1=1 dh_auto_test 
        cd _build && go test -vet=off -v -p 2 github.com/digitorus/pkcs7
=== RUN   TestBer2Der
--- PASS: TestBer2Der (0.00s)
=== RUN   TestBer2Der_Negatives
--- PASS: TestBer2Der_Negatives (0.00s)
=== RUN   TestBer2Der_NestedMultipleIndefinite
--- PASS: TestBer2Der_NestedMultipleIndefinite (0.00s)
=== RUN   TestVerifyIndefiniteLengthBer
--- PASS: TestVerifyIndefiniteLengthBer (0.00s)
=== RUN   TestDecrypt
--- PASS: TestDecrypt (0.00s)
=== RUN   TestEncrypt
--- PASS: TestEncrypt (0.11s)
=== RUN   TestEncryptUsingPSK
--- PASS: TestEncryptUsingPSK (0.00s)
=== RUN   TestPad
--- PASS: TestPad (0.00s)
=== RUN   TestSign
    sign_test.go:60: test SHA1-RSA/SHA1-RSA/SHA1-RSA: cannot add signer: pkcs7: 
certificate signature from parent is invalid: x509: cannot verify signature: 
insecure algorithm SHA1-RSA
--- FAIL: TestSign (0.00s)
=== RUN   TestDSASignAndVerifyWithOpenSSL
--- PASS: TestDSASignAndVerifyWithOpenSSL (0.00s)
=== RUN   TestSignWithoutAttributes
    sign_test.go:213: test SHA1-RSA/SHA1-RSA: cannot verify signed data: pkcs7: 
failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm SHA1-RSA" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test SHA1-RSA/SHA1-RSA: cannot verify signed data: pkcs7: 
failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm SHA1-RSA" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test SHA1-RSA/ECDSA-SHA1: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm SHA1-RSA" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test SHA1-RSA/ECDSA-SHA1: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm SHA1-RSA" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test SHA256-RSA/SHA1-RSA: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm SHA1-RSA" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test SHA256-RSA/SHA1-RSA: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm SHA1-RSA" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test SHA256-RSA/ECDSA-SHA1: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm SHA1-RSA" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test SHA256-RSA/ECDSA-SHA1: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm SHA1-RSA" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test SHA512-RSA/SHA1-RSA: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm SHA1-RSA" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test SHA512-RSA/SHA1-RSA: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm SHA1-RSA" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test SHA512-RSA/ECDSA-SHA1: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm SHA1-RSA" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test SHA512-RSA/ECDSA-SHA1: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm SHA1-RSA" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test ECDSA-SHA1/SHA1-RSA: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm ECDSA-SHA1" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test ECDSA-SHA1/SHA1-RSA: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm ECDSA-SHA1" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test ECDSA-SHA1/ECDSA-SHA1: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm ECDSA-SHA1" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test ECDSA-SHA1/ECDSA-SHA1: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm ECDSA-SHA1" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test ECDSA-SHA256/SHA1-RSA: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm ECDSA-SHA1" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test ECDSA-SHA256/SHA1-RSA: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm ECDSA-SHA1" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test ECDSA-SHA256/ECDSA-SHA1: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm ECDSA-SHA1" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test ECDSA-SHA256/ECDSA-SHA1: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm ECDSA-SHA1" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test ECDSA-SHA384/SHA1-RSA: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm ECDSA-SHA1" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test ECDSA-SHA384/SHA1-RSA: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm ECDSA-SHA1" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test ECDSA-SHA384/ECDSA-SHA1: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm ECDSA-SHA1" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test ECDSA-SHA384/ECDSA-SHA1: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm ECDSA-SHA1" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test ECDSA-SHA512/SHA1-RSA: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm ECDSA-SHA1" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test ECDSA-SHA512/SHA1-RSA: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm ECDSA-SHA1" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test ECDSA-SHA512/ECDSA-SHA1: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm ECDSA-SHA1" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
    sign_test.go:213: test ECDSA-SHA512/ECDSA-SHA1: cannot verify signed data: 
pkcs7: failed to verify certificate chain: x509: certificate signed by unknown 
authority (possibly because of "x509: cannot verify signature: insecure 
algorithm ECDSA-SHA1" while trying to verify candidate authority certificate 
"PKCS7 Test Root CA")
--- FAIL: TestSignWithoutAttributes (0.37s)
=== RUN   TestSetContentType
--- PASS: TestSetContentType (0.00s)
=== RUN   TestUnmarshalSignedAttribute
--- PASS: TestUnmarshalSignedAttribute (0.02s)
=== RUN   TestDegenerateCertificate
--- PASS: TestDegenerateCertificate (0.00s)
=== RUN   TestSkipCertificates
--- PASS: TestSkipCertificates (0.02s)
=== RUN   TestVerify
--- PASS: TestVerify (0.00s)
=== RUN   TestVerifyAppStore
--- PASS: TestVerifyAppStore (0.00s)
=== RUN   TestVerifyApkEcdsa
--- PASS: TestVerifyApkEcdsa (0.00s)
=== RUN   TestVerifyFirefoxAddon
--- PASS: TestVerifyFirefoxAddon (0.00s)
=== RUN   TestSignWithOpenSSLAndVerify
    verify_test.go:576: Verify failed with error: pkcs7: failed to verify 
certificate chain: x509: certificate signed by unknown authority (possibly 
because of "x509: cannot verify signature: insecure algorithm SHA1-RSA" while 
trying to verify candidate authority certificate "PKCS7 Test Intermediate Cert")
--- FAIL: TestSignWithOpenSSLAndVerify (0.01s)
FAIL
FAIL    github.com/digitorus/pkcs7      0.550s
FAIL
dh_auto_test: error: cd _build && go test -vet=off -v -p 2 
github.com/digitorus/pkcs7 returned exit code 1
make[1]: *** [debian/rules:7: override_dh_auto_test] Error 25
make[1]: Leaving directory '/<<PKGBUILDDIR>>'
make: *** [debian/rules:4: binary] Error 2
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
--------------------------------------------------------------------------------

The above is just how the build ends and not necessarily the most relevant part.
If required, the full build log is available here:

https://people.debian.org/~sanvila/build-logs/202502/

About the archive rebuild: The build was made on virtual machines from AWS,
using sbuild and a reduced chroot with only build-essential packages.

If you could not reproduce the bug please contact me privately, as I
am willing to provide ssh access to a virtual machine where the bug is
fully reproducible.

If this is really a bug in one of the build-depends, please use
reassign and add an affects on src:golang-github-digitorus-pkcs7, so that this 
is still
visible in the BTS web page for this package.

Thanks.

Bug#1098553: golang-github-digitorus-pkcs7: FTBFS: verify_test.go:576: Verify failed with error: pkcs7: failed to verify certificate chain

Reply via email to