| Summary: | verify-sig.eclass: ignore additional unknown signatures if found known valid signature | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Sam James <sam> |
| Component: | Eclasses | Assignee: | Michał Górny <mgorny> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | Keywords: | PullRequest |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://gitlab.com/gnutls/web-pages/-/issues/3 https://github.com/projg2/gemato/issues/23 https://github.com/projg2/gemato/issues/24 https://github.com/gentoo/gentoo/pull/29224 https://bugs.gentoo.org/show_bug.cgi?id=894164 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 893992, 898580 | | |
| Bug Blocks: | | | |
Description

Sam James 2022-09-27 17:47:04 UTC

I suppose 1-out-of-n should be good enough. Any clue how to make gpg behave? ;-)

(In reply to Michał Górny from comment #1)
> I suppose 1-out-of-n should be good enough. Any clue how to make gpg
> behave? ;-)

I was hoping you'd know! I'm worried that we either need to remove signatures and re-verify (ew) or split the keyring into N keys and check if any pass (probably best). :|

Wouldn't splitting the keyring imply failure via unknown keys? Perhaps we should check what gemato does in the similar case, fix it to do what we want and then add a subcommand to handle other kinds of signatures.

(In reply to Michał Górny from comment #4)
> Wouldn't splitting the keyring imply failure via unknown keys? Perhaps we
> should check what gemato does in the similar case, fix it to do what we want
> and then add a subcommand to handle other kinds of signatures.

I was thinking loop & record if we found one which was valid. If not, continue to the end. Die if got there. But a gemato subcommand sounds like it's going to be a better fit, tbh.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b05770f31c02eeba93143907ed1592e49636af4f

commit b05770f31c02eeba93143907ed1592e49636af4f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-10 22:02:32 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-10 22:06:07 +0000

    net-libs/gnutls: add 3.7.8

    Bug: https://bugs.gentoo.org/873211
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/gnutls/Manifest            |   2 +
 net-libs/gnutls/gnutls-3.7.8.ebuild | 144 ++++++++++++++++++++++++++++++++++++
 profiles/base/package.use.mask      |   6 ++
 3 files changed, 152 insertions(+)

I started to look at this then realised `gemato gpg-wrap` isn't what we actually use in the eclass. I'm not sure what form this should take in gemato given verify-sig just calls gpg-wrap. Would you mind having a look into this? I think it's beyond me for now.

I just hit it again when trying to add verify-sig to Bitcoin given recent controversies...

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=89c2617afbfe6250ee7dfd4ee4641c8f74c54004

commit 89c2617afbfe6250ee7dfd4ee4641c8f74c54004
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2023-01-23 08:23:18 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2023-02-12 15:13:56 +0000

    verify-sig.eclass: Accept 1-out-of-n sigs on multisig files

    If a distfile has multiple detached signatures, pass verification
    if at least one of them can be verified rather than requiring all
    of them. This is particularly helpful for upstreams where the whole
    set of release keys is hard to come by.

    Closes: https://bugs.gentoo.org/873211
    Closes: https://github.com/gentoo/gentoo/pull/29224
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 eclass/verify-sig.eclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Change was reverted because of bug #894164.

commit 519f14fe6f74814196996da2d45c077003144db0
Author: Michał Górny <mgorny@gentoo.org>
Date:   Mon Jan 23 09:22:12 2023 +0100

    verify-sig.eclass: Use gemato openpgp-verify-detached w/ 20.0+

    Use openpgp-verify-detached when app-portage/gemato-20.0 is installed.
    This lets us test the new code paths on ~arch with minimal risk of
    breakage on stable.

    Signed-off-by: Michał Górny <mgorny@gentoo.org>

commit 014a26bb2e7e746cbd4a474a3d84075132b6c916
Author: Michał Górny <mgorny@gentoo.org>
Date:   Mon Feb 13 20:26:19 2023 +0100

    verify-sig.eclass: Revert "Use gemato openpgp-verify-detached"

    This is causing verification failures when verifying old signatures
    made with now-expired keys.

    Reverts: 75ea89a43b8d3efb6b264296f819d04d3c18c3af
    Bug: https://bugs.gentoo.org/894164
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

The actual 1-out-of-n support wasn't merged.

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0611129171a7f43be5e554c3ace3880c981aea92

commit 0611129171a7f43be5e554c3ace3880c981aea92
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2023-01-23 08:23:18 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2024-01-08 14:48:15 +0000

    verify-sig.eclass: Accept 1-out-of-n sigs on multisig files

    If a distfile has multiple detached signatures, pass verification
    if at least one of them can be verified rather than requiring all
    of them. This is particularly helpful for upstreams where the whole
    set of release keys is hard to come by.

    Closes: https://bugs.gentoo.org/873211
    Closes: https://github.com/gentoo/gentoo/pull/29224
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/29592
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 eclass/verify-sig.eclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
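The "loop & record" approach discussed in the thread, written out as an added example (not the verify-sig.eclass code or gemato's): every detached signature of one distfile is checked, the ones that verify are recorded, and verification fails only if none did, so a signature from a key missing from the keyring is just one non-verifying signature rather than a failure of the whole set. The names `verify_sig_one`, `verify_sig_any`, `VERIFY_ONE` and `VERIFIED_SIGS` are assumed here, and the gpg call is a plain `--verify`, not the eclass's actual invocation.

```shell
#!/bin/sh
# Added example: 1-out-of-n verification of several detached signatures
# over one distfile. Not the eclass's own code; helper names are assumed.

# Verify ONE detached signature against the given keyring with gpg.
# A signature made by a key that is not in the keyring makes gpg exit
# non-zero ("No public key"), so an unknown signer simply counts as
# "did not verify" instead of aborting the whole set.
# (Plain gpg --verify assumed; verify-sig's real invocation differs.)
verify_sig_one() {
    local keyring=$1 file=$2 sig=$3
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --trust-model always --verify "$sig" "$file" >/dev/null 2>&1
}

# Check every signature, record the ones that verify in VERIFIED_SIGS,
# and succeed if at least one did. The loop walks the whole list rather
# than stopping at the first good signature so the caller can report
# which .sig files were verifiable. VERIFY_ONE may name a different
# single-signature verifier (a test substitutes a fake one).
verify_sig_any() {
    local keyring=$1 file=$2 sig good
    shift 2
    VERIFIED_SIGS=""
    good=0
    for sig in "$@"; do
        if "${VERIFY_ONE:-verify_sig_one}" "$keyring" "$file" "$sig"; then
            good=$((good + 1))
            VERIFIED_SIGS="$VERIFIED_SIGS $sig"
        fi
    done
    VERIFIED_SIGS=${VERIFIED_SIGS# }
    # No signatures given, or none verified: fail (the eclass would die here).
    [ "$good" -gt 0 ]
}
```

Usage is `verify_sig_any keyring.gpg dist.tar.xz dist.tar.xz.sig dist.tar.xz.asc ...`; after a successful return `VERIFIED_SIGS` lists the signatures that were good.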