gnutls has a tendency to have additional signatures on their release tarballs in addition to the known designated signers. If I bump to 3.7.8, I get:

```
 * Verifying gnutls-3.7.8.tar.xz ...
gpg: Signature made Tue 27 Sep 2022 14:07:05 UTC
gpg:                using RSA key A6AB53A01D237A94F9EEC4D0412748A40AFCC2FB
gpg: Can't check signature: No public key
gpg: Signature made Tue 27 Sep 2022 15:14:15 UTC
gpg:                using RSA key 462225C3B46F34879FC8496CD605848ED7E69871
gpg: Good signature from "Daiki Ueno <ueno@unixuser.org>" [ultimate]
gpg:                 aka "Daiki Ueno <ueno@gnu.org>" [ultimate]
gpg: Signature made Tue 27 Sep 2022 15:36:07 UTC
gpg:                using EDDSA key 5D46CB0F763405A7053556F47A75A648B3F9220C
gpg: Good signature from "Zoltan Fridrich <zfridric@redhat.com>" [ultimate]
 * ERROR: net-libs/gnutls-3.7.8::gentoo failed (unpack phase):
 *   PGP signature verification failed
 *
 * Call stack:
 *     ebuild.sh, line 122:  Called src_unpack
 *   environment, line 1889:  Called verify-sig_src_unpack
 *   environment, line 2666:  Called verify-sig_verify_detached '/var/tmp/portage/net-libs/gnutls-3.7.8/distdir/gnutls-3.7.8.tar.xz' '/var/tmp/portage/net-libs/gnutls-3.7.8/distdir/gnutls-3.7.8.tar.xz.sig'
 *   environment, line 2689:  Called die
 * The specific snippet of code:
 *       gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- gpg --verify "${sig}" "${file}" || die "PGP signature verification failed"
 *
```

I don't think the unknown signature by A6AB53A01D237A94F9EEC4D0412748A40AFCC2FB is really problematic as we have two good ones.
I suppose 1-out-of-n should be good enough. Any clue how to make gpg behave? ;-)
(In reply to Michał Górny from comment #1)
> I suppose 1-out-of-n should be good enough. Any clue how to make gpg
> behave? ;-)

I was hoping you'd know!
I'm worried that we either need to remove signatures and re-verify (ew) or split the keyring into N keys and check if any pass (probably best). :|
Wouldn't splitting the keyring imply failure via unknown keys? Perhaps we should check what gemato does in the similar case, fix it to do what we want and then add a subcommand to handle other kinds of signatures.
(In reply to Michał Górny from comment #4)
> Wouldn't splitting the keyring imply failure via unknown keys? Perhaps we
> should check what gemato does in the similar case, fix it to do what we want
> and then add a subcommand to handle other kinds of signatures.

I was thinking loop & record if we found one which was valid. If not, continue to the end. Die if got there.

But a gemato subcommand sounds like it's going to be a better fit, tbh.
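As an added illustration of the "loop and record whether one signature was valid" policy discussed above (this is example code written for this page, not code from verify-sig.eclass, gemato or gpg): the function below parses the human-readable gpg output quoted in the report into one record per detached signature and then applies a 1-out-of-n rule. Two points a verifier wants that the thread only implies: an unknown key (`Can't check signature: No public key`) is merely ignored, but a `BAD signature` on any of the signatures still fails the file, and the "good" signature may additionally be required to come from a designated key fingerprint. The second sample input with a BAD signature is constructed for the example. Production tooling should parse gpg's machine-readable `--status-fd` lines (GOODSIG, BADSIG, NO_PUBKEY, ...) rather than the localised human output used here for readability.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# gpg output as quoted in the bug report for gnutls-3.7.8 (alignment restored).
GPG_OUTPUT_FROM_REPORT = """\
gpg: Signature made Tue 27 Sep 2022 14:07:05 UTC
gpg:                using RSA key A6AB53A01D237A94F9EEC4D0412748A40AFCC2FB
gpg: Can't check signature: No public key
gpg: Signature made Tue 27 Sep 2022 15:14:15 UTC
gpg:                using RSA key 462225C3B46F34879FC8496CD605848ED7E69871
gpg: Good signature from "Daiki Ueno <ueno@unixuser.org>" [ultimate]
gpg:                 aka "Daiki Ueno <ueno@gnu.org>" [ultimate]
gpg: Signature made Tue 27 Sep 2022 15:36:07 UTC
gpg:                using EDDSA key 5D46CB0F763405A7053556F47A75A648B3F9220C
gpg: Good signature from "Zoltan Fridrich <zfridric@redhat.com>" [ultimate]
"""

# Constructed sample (not from the report): one good signature plus one that
# does not verify. 1-out-of-n must still reject this file.
CONSTRUCTED_OUTPUT_WITH_BAD_SIG = """\
gpg: Signature made Tue 27 Sep 2022 15:14:15 UTC
gpg:                using RSA key 462225C3B46F34879FC8496CD605848ED7E69871
gpg: Good signature from "Daiki Ueno <ueno@unixuser.org>" [ultimate]
gpg: Signature made Tue 27 Sep 2022 15:36:07 UTC
gpg:                using EDDSA key 5D46CB0F763405A7053556F47A75A648B3F9220C
gpg: BAD signature from "Zoltan Fridrich <zfridric@redhat.com>" [ultimate]
"""


@dataclass
class SigResult:
    made: Optional[str] = None      # timestamp text after "Signature made"
    key: Optional[str] = None       # key fingerprint/ID gpg reports for the signature
    status: str = "unknown"         # "good", "bad", or "unknown" (no public key)
    signer: Optional[str] = None    # user ID from the Good/BAD line


_SIG_MADE = re.compile(r"^gpg: Signature made (.*)$")
_USING_KEY = re.compile(r"^gpg:\s+using \S+ key ([0-9A-Fa-f]+)$")
_GOOD = re.compile(r'^gpg: Good signature from "([^"]*)"')
_BAD = re.compile(r'^gpg: BAD signature from "([^"]*)"')
_NO_PUBKEY = re.compile(r"^gpg: Can't check signature: No public key")


def parse_gpg_verify(output: str) -> List[SigResult]:
    """Split gpg --verify output into one SigResult per detached signature."""
    results: List[SigResult] = []
    cur: Optional[SigResult] = None
    for line in output.splitlines():
        m = _SIG_MADE.match(line)
        if m:                       # each "Signature made" starts a new record
            cur = SigResult(made=m.group(1))
            results.append(cur)
            continue
        if cur is None:
            continue                # header noise before the first signature
        m = _USING_KEY.match(line)
        if m:
            cur.key = m.group(1).upper()
            continue
        m = _GOOD.match(line)
        if m:
            cur.status, cur.signer = "good", m.group(1)
            continue
        m = _BAD.match(line)
        if m:
            cur.status, cur.signer = "bad", m.group(1)
            continue
        if _NO_PUBKEY.match(line):
            cur.status = "unknown"
    return results


def accept_one_of_n(results: List[SigResult],
                    designated: Optional[Set[str]] = None) -> bool:
    """1-out-of-n policy: at least one good signature (optionally from a
    designated key) and no BAD signature anywhere. Unknown keys are ignored."""
    if any(r.status == "bad" for r in results):
        return False
    good = [r for r in results if r.status == "good"]
    if designated is not None:
        good = [r for r in good if r.key in designated]
    return bool(good)


if __name__ == "__main__":
    report = parse_gpg_verify(GPG_OUTPUT_FROM_REPORT)
    for r in report:
        print(f"{r.status:7} {r.key} {r.signer or ''}")
    print("accept (report):", accept_one_of_n(report))
    print("accept (bad sig):",
          accept_one_of_n(parse_gpg_verify(CONSTRUCTED_OUTPUT_WITH_BAD_SIG)))
```

Expired or revoked keys (the case behind the later revert in this thread) are not modelled here; gpg reports those with separate lines, and a real implementation has to decide explicitly whether a signature from a key that has since expired still counts toward the "one good" requirement.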
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b05770f31c02eeba93143907ed1592e49636af4f

commit b05770f31c02eeba93143907ed1592e49636af4f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-10 22:02:32 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-10 22:06:07 +0000

    net-libs/gnutls: add 3.7.8

    Bug: https://bugs.gentoo.org/873211
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/gnutls/Manifest            |   2 +
 net-libs/gnutls/gnutls-3.7.8.ebuild | 144 ++++++++++++++++++++++++++++++++++++
 profiles/base/package.use.mask      |   6 ++
 3 files changed, 152 insertions(+)
I started to look at this then realised `gemato gpg-wrap` isn't what we actually use in the eclass. I'm not sure what form this should take in gemato given verify-sig just calls gpg-wrap. Would you mind having a look into this? I think it's beyond me for now. I just hit it again when trying to add verify-sig to Bitcoin given recent controversies...
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=89c2617afbfe6250ee7dfd4ee4641c8f74c54004

commit 89c2617afbfe6250ee7dfd4ee4641c8f74c54004
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2023-01-23 08:23:18 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2023-02-12 15:13:56 +0000

    verify-sig.eclass: Accept 1-out-of-n sigs on multisig files

    If a distfile has multiple detached signatures, pass verification if
    at least one of them can be verified rather than requiring all of them.
    This is particularly helpful for upstreams where the whole set of
    release keys is hard to come by.

    Closes: https://bugs.gentoo.org/873211
    Closes: https://github.com/gentoo/gentoo/pull/29224
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 eclass/verify-sig.eclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Change was reverted because of bug #894164.
commit 519f14fe6f74814196996da2d45c077003144db0
Author: Michał Górny <mgorny@gentoo.org>
Date:   Mon Jan 23 09:22:12 2023 +0100

    verify-sig.eclass: Use gemato openpgp-verify-detached w/ 20.0+

    Use openpgp-verify-detached when app-portage/gemato-20.0 is installed.
    This lets us test the new code paths on ~arch with minimal risk of
    breakage on stable.

    Signed-off-by: Michał Górny <mgorny@gentoo.org>

commit 014a26bb2e7e746cbd4a474a3d84075132b6c916
Author: Michał Górny <mgorny@gentoo.org>
Date:   Mon Feb 13 20:26:19 2023 +0100

    verify-sig.eclass: Revert "Use gemato openpgp-verify-detached"

    This is causing verification failures when verifying old signatures
    made with now-expired keys.

    Reverts: 75ea89a43b8d3efb6b264296f819d04d3c18c3af
    Bug: https://bugs.gentoo.org/894164
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
The actual 1-out-of-n support wasn't merged.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0611129171a7f43be5e554c3ace3880c981aea92

commit 0611129171a7f43be5e554c3ace3880c981aea92
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2023-01-23 08:23:18 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2024-01-08 14:48:15 +0000

    verify-sig.eclass: Accept 1-out-of-n sigs on multisig files

    If a distfile has multiple detached signatures, pass verification if
    at least one of them can be verified rather than requiring all of them.
    This is particularly helpful for upstreams where the whole set of
    release keys is hard to come by.

    Closes: https://bugs.gentoo.org/873211
    Closes: https://github.com/gentoo/gentoo/pull/29224
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/29592
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 eclass/verify-sig.eclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)