Bug 574914 - Release signatures for distfiles et al should be using OpenPGP detached signatures
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Infrastructure
Reported: 2016-02-16 20:28 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2023-08-19 15:32 UTC
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-16 20:28:37 UTC
The OpenPGP signature files (.asc) are currently created using GnuPG's --clearsign. This has a few impacts on usability and security, since the files are needed again to verify the integrity of the downloaded files.

1) Because a file named .DIGESTS exists alongside .DIGESTS.asc, a warning is properly given by GnuPG that it is in fact not a detached signature being used:
$ gpg --verify stage3-amd64-20160211.tar.bz2.DIGESTS.asc 
gpg: Signature made Fri 12 Feb 2016 09:25:58 AM CET
gpg:                using RSA key 0xBB572E0E2D182910
gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" [full]
gpg: WARNING: not a detached signature; file 'stage3-amd64-20160211.tar.bz2.DIGESTS' was NOT verified!

2) sha512sum shows an additional warning if trying to verify against the .asc file directly:
$ sha512sum -c stage3-amd64-20160211.tar.bz2.DIGESTS.asc
stage3-amd64-20160211.tar.bz2: OK
stage3-amd64-20160211.tar.bz2: FAILED
stage3-amd64-20160211.tar.bz2.CONTENTS: OK
stage3-amd64-20160211.tar.bz2.CONTENTS: FAILED
sha512sum: WARNING: 20 lines are improperly formatted
sha512sum: WARNING: 2 computed checksums did NOT match

3) The data between .DIGESTS and .DIGESTS.asc is duplicated

Using detached signatures is normally superior to clearsigned ones (no line-ending canonicalization, and binary files can be treated the same way as text files). Is there any reason we're not just detach-signing (--armored) the files in question?
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2016-02-16 20:52:04 UTC
The --clearsign format has remained for long-standing compat with old tools. 
As a migration plan, how about this:
1. .DIGESTS file remain the same.
2. .DIGESTS.detached-sig is added.
3. .DIGESTS.asc clearsign format is announced to be sunset in 6 months.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2016-02-16 21:44:51 UTC
To clarify on tools:
I've seen some tools that depended on the fact that .asc was a clear-signed file, and only fetched the .asc, and not the other .DIGESTS file.

The usable path is:
====
T=$(mktemp)
rm -f "$T"    # gpg -o will not silently overwrite an existing file, so drop the mktemp file first
# --decrypt on a clearsigned file checks the signature and writes the plain
# (dash-unescaped) text to $T; a signature that does not verify makes gpg exit non-zero
if ! gpg -o "$T" --decrypt livedvd-x86-amd64-32ul-20140826.iso.DIGESTS.asc; then
  echo "Unable to validate"
  exit 1
fi
sha512sum -c "$T"
rm -f "$T"
====
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-16 22:05:22 UTC
(In reply to Robin Johnson from comment #2)
> To clarify on tools:
> I've seen some tools that depended on the fact that .asc was a clear-signed
> file, and only fetched the .asc, and not the other .DIGESTS file.
> 
> The usable path is:
> ====
> T=$(mktemp)
> rm -f $T
> if ! gpg -o $T --decrypt livedvd-x86-amd64-32ul-20140826.iso.DIGESTS.asc;
> then
>   echo "Unable to validate"
>   exit 1
> fi
> sha512sum -c $T
> ====

Yeah, that is a sane path to convert the clearsigned file into a plain-text variant, except that gpg does not return a non-zero exit value in all cases where the result should be discarded; gpgv should be used for that (certificate validity issues if not using a clean pubring).

But how about using a binary .sig detached signature as an alternative to detached-sig? (Not that it matters that much; the proper way to verify is in any case gpg --verify <sig-file> <data-file>, and --batch mode will fail without the dual specification for the same reasons the warning happens in interactive mode.)
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2016-02-18 06:00:18 UTC
Calling it .sig is fine by me.
I'm just blocking change to the format of '.asc'.

Somewhere there was a tool that could convert between signature formats (clearsigned to detached). Have you seen it? Could we use it for this case?
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2016-02-18 06:04:01 UTC
(In reply to Robin Johnson from comment #4)
> Somewhere there was a tool that could convert between signature formats
> (clearsigned to detached). Have you seen it? Could we use it for this case?
P.S. I know that detached->clearsigned is hard due to the whitespace rules, but the other direction should be possible.
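Added example, not part of this bug and not Gentoo releng code: the clearsigned-to-detached conversion asked about in comments 4 and 5 is a text-processing job, because the armor block at the end of a --clearsign file already is an ordinary detached signature; what has to be reconstructed is the canonical text it was computed over (RFC 4880 section 7: dash-escaping removed, trailing whitespace stripped, and no line ending after the last line). The script below does that split, which also yields the plain .DIGESTS text that comment 2 feeds to sha512sum -c, and then checks the SHA512 entries against in-memory files, with a switch that mimics sha512sum's algorithm-blind line parsing to reproduce the OK/FAILED pairs from the description. The sample .DIGESTS.asc, its '# <ALGO> HASH' section layout, the stand-in file contents and the signature armor body are all constructed; the signature will not verify with gpg.

```python
"""Split a GnuPG --clearsign .DIGESTS.asc into canonical text and a detached signature.

Added example for this bug thread; not Gentoo releng tooling. It follows the
cleartext-signature rules of RFC 4880 section 7, so the text it returns is what
the signature was computed over and the armor block it returns is an ordinary
detached signature:  gpg --verify extracted.sig extracted.txt
The sample built by build_sample() is constructed: the armor body is a
placeholder that will not verify, and the '# <ALGO> HASH' section layout is an
assumption about the releng .DIGESTS format, not something this bug states.
"""
import hashlib
import re

MSG_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"
DIGEST_LINE = re.compile(r"^([0-9a-fA-F]{128})  (.+)$")   # the sha512sum -c line syntax
SECTION_LINE = re.compile(r"^# (\S+) HASH$")              # assumed '# SHA512 HASH' headers


def split_clearsigned(data: bytes) -> tuple[bytes, bytes]:
    """Return (canonical_text, armored_detached_signature).

    Canonical text: dash-escaping undone, trailing spaces/tabs dropped from
    every line, LF line endings, and no line ending after the final line (the
    one before the armor is not part of the signed data).  gpg verifies the
    extracted signature in text mode and converts LF to CRLF itself.
    """
    lines = data.replace(b"\r\n", b"\n").decode("utf-8").split("\n")
    try:
        start = lines.index(MSG_BEGIN)
        body_start = lines.index("", start) + 1      # blank line ends the Hash: headers
        sig_start = lines.index(SIG_BEGIN, body_start)
        sig_end = lines.index(SIG_END, sig_start)
    except ValueError as exc:
        raise ValueError("not a clearsigned message") from exc
    body = []
    for line in lines[body_start:sig_start]:
        if line.startswith("- "):                    # undo dash-escaping
            line = line[2:]
        body.append(line.rstrip(" \t"))
    text = "\n".join(body).encode("utf-8")
    sig = ("\n".join(lines[sig_start:sig_end + 1]) + "\n").encode("utf-8")
    return text, sig


def check_sha512(text: bytes, files: dict[str, bytes],
                 respect_sections: bool = True) -> list[tuple[str, bool]]:
    """Check the SHA512 entries of a .DIGESTS text against in-memory files.

    respect_sections=False treats every 128-hex-digit line as SHA512, which is
    what 'sha512sum -c' does; a WHIRLPOOL digest has the same width, so each
    file then shows up once OK and once FAILED.  Returns (name, ok) in file order.
    """
    results, section = [], "SHA512"
    for line in text.decode("utf-8").split("\n"):
        if m := SECTION_LINE.match(line):
            section = m.group(1).upper()
            continue
        m = DIGEST_LINE.match(line)
        if not m or (respect_sections and section != "SHA512"):
            continue
        expected, name = m.group(1).lower(), m.group(2)
        blob = files.get(name)
        results.append((name, blob is not None
                        and hashlib.sha512(blob).hexdigest() == expected))
    return results


FILES = {  # constructed stand-ins for the release artefacts named in the bug
    "stage3-amd64-20160211.tar.bz2": b"not a real stage3 tarball\n",
    "stage3-amd64-20160211.tar.bz2.CONTENTS": b"./\n./bin/\n./etc/\n",
}


def build_sample() -> bytes:
    """Constructed .DIGESTS.asc: SHA512 and WHIRLPOOL sections, then placeholder armor."""
    body = []
    for name, blob in FILES.items():
        body += ["# SHA512 HASH", f"{hashlib.sha512(blob).hexdigest()}  {name}",
                 "# WHIRLPOOL HASH \t",                 # trailing whitespace: stripped when hashed
                 f"{'0' * 128}  {name}"]                # placeholder, not a real WHIRLPOOL digest
    body.append("- -- constructed sample, dash-escaped by the signer")
    return "\n".join([MSG_BEGIN, "Hash: SHA512", "", *body,
                      SIG_BEGIN, "Version: GnuPG v2", "",
                      "iQEcBAEBCgAGBQJWvXXXAAoJEL0cFwY=",   # placeholder armor body
                      "=AbCd", SIG_END, ""]).encode("utf-8")


if __name__ == "__main__":
    text, sig = split_clearsigned(build_sample())
    print(sig.decode("utf-8"), end="")
    for name, ok in check_sha512(text, FILES, respect_sections=False):
        print(f"{name}: {'OK' if ok else 'FAILED'}")     # the pairs seen in the description
    print("section-aware:", check_sha512(text, FILES))
```

Write the two outputs to files and the check from comment 3 applies unchanged: gpg --batch --verify extracted.sig extracted.txt, or gpgv with an explicit --keyring that holds only the releng key so that key validity does not depend on the caller's pubring. If gpg reports a bad signature on an extracted pair, the usual cause is a trailing newline left on the text file, since the line ending before the armor is not part of the signed data.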