Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 873211

Summary: verify-sig.eclass: ignore additional unknown signatures if found known valid signature
Product: Gentoo Linux Reporter: Sam James <sam>
Component: EclassesAssignee: Michał Górny <mgorny>
Status: RESOLVED FIXED    
Severity: normal Keywords: PullRequest
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://gitlab.com/gnutls/web-pages/-/issues/3
https://github.com/projg2/gemato/issues/23
https://github.com/projg2/gemato/issues/24
https://github.com/gentoo/gentoo/pull/29224
https://bugs.gentoo.org/show_bug.cgi?id=894164
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 893992, 898580    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-09-27 17:47:04 UTC
gnutls has a tendency to have additional signatures on their release tarballs in addition to the known designated signers.

If I bump to 3.7.8, I get:
```
 * Verifying gnutls-3.7.8.tar.xz ...
gpg: Signature made Tue 27 Sep 2022 14:07:05 UTC
gpg:                using RSA key A6AB53A01D237A94F9EEC4D0412748A40AFCC2FB
gpg: Can't check signature: No public key
gpg: Signature made Tue 27 Sep 2022 15:14:15 UTC
gpg:                using RSA key 462225C3B46F34879FC8496CD605848ED7E69871
gpg: Good signature from "Daiki Ueno <ueno@unixuser.org>" [ultimate]
gpg:                 aka "Daiki Ueno <ueno@gnu.org>" [ultimate]
gpg: Signature made Tue 27 Sep 2022 15:36:07 UTC
gpg:                using EDDSA key 5D46CB0F763405A7053556F47A75A648B3F9220C
gpg: Good signature from "Zoltan Fridrich <zfridric@redhat.com>" [ultimate]
 * ERROR: net-libs/gnutls-3.7.8::gentoo failed (unpack phase):
 *   PGP signature verification failed
 *
 * Call stack:
 *     ebuild.sh, line  122:  Called src_unpack
 *   environment, line 1889:  Called verify-sig_src_unpack
 *   environment, line 2666:  Called verify-sig_verify_detached '/var/tmp/portage/net-libs/gnutls-3.7.8/distdir/gnutls-3.7.8.tar.xz' '/var/tmp/portage/net-libs/gnutls-3.7.8/distdir/gnutls-3.7.8.tar.xz.sig'
 *   environment, line 2689:  Called die
 * The specific snippet of code:
 *               gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- gpg --verify "${sig}" "${file}" || die "PGP signature verification failed"
 *
```

I don't think the unknown signature by A6AB53A01D237A94F9EEC4D0412748A40AFCC2FB is really problematic as we have two good ones.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-09-27 17:52:15 UTC
I suppose 1-out-of-n should be good enough.  Any clue how to make gpg behave? ;-)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-09-27 18:13:43 UTC
(In reply to Michał Górny from comment #1)
> I suppose 1-out-of-n should be good enough.  Any clue how to make gpg
> behave? ;-)

I was hoping you'd know!
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-09-27 19:26:02 UTC
I'm worried that we either need to remove signatures and re-verify (ew) or split the keyring into N keys and check if any pass (probably best). :|
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-09-27 19:34:49 UTC
Wouldn't splitting the keyring imply failure via unknown keys?  Perhaps we should check what gemato does in the similar case, fix it to do what we want and then add a subcommand to handle other kinds of signatures.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-09-28 00:57:41 UTC
(In reply to Michał Górny from comment #4)
> Wouldn't splitting the keyring imply failure via unknown keys?  Perhaps we
> should check what gemato does in the similar case, fix it to do what we want
> and then add a subcommand to handle other kinds of signatures.

I was thinking loop & record if we found one which was valid. If not, continue to the end. Die if got there.

But a gemato subcommand sounds like it's going to be a better fit, tbh.
Comment 6 Larry the Git Cow gentoo-dev 2022-10-10 22:06:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b05770f31c02eeba93143907ed1592e49636af4f

commit b05770f31c02eeba93143907ed1592e49636af4f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-10 22:02:32 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-10 22:06:07 +0000

    net-libs/gnutls: add 3.7.8
    
    Bug: https://bugs.gentoo.org/873211
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/gnutls/Manifest            |   2 +
 net-libs/gnutls/gnutls-3.7.8.ebuild | 144 ++++++++++++++++++++++++++++++++++++
 profiles/base/package.use.mask      |   6 ++
 3 files changed, 152 insertions(+)
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-01-05 10:31:45 UTC
I started to look at this then realised `gemato gpg-wrap` isn't what we actually use in the eclass.

I'm not sure what form this should take in gemato given verify-sig just calls gpg-wrap.

Would you mind having a look into this? I think it's beyond me for now. I just hit it again when trying to add verify-sig to Bitcoin given recent controversies...
Comment 8 Larry the Git Cow gentoo-dev 2023-02-12 15:14:37 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=89c2617afbfe6250ee7dfd4ee4641c8f74c54004

commit 89c2617afbfe6250ee7dfd4ee4641c8f74c54004
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2023-01-23 08:23:18 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2023-02-12 15:13:56 +0000

    verify-sig.eclass: Accept 1-out-of-n sigs on multisig files
    
    If a distfile has multiple detached signatures, pass verification
    if at least one of them can be verified rather than requiring all
    of them.  This is particularly helpful for upstreams where the whole
    set of release keys is hard to come by.
    
    Closes: https://bugs.gentoo.org/873211
    Closes: https://github.com/gentoo/gentoo/pull/29224
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 eclass/verify-sig.eclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 9 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-02-13 19:29:30 UTC
Change was reverted because of bug #894164.
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-19 15:40:25 UTC
commit 519f14fe6f74814196996da2d45c077003144db0
Author: Michał Górny <mgorny@gentoo.org>
Date:   Mon Jan 23 09:22:12 2023 +0100

    verify-sig.eclass: Use gemato openpgp-verify-detached w/ 20.0+

    Use openpgp-verify-detached when app-portage/gemato-20.0 is installed.
    This lets us test the new code paths on ~arch with minimal risk
    of breakage on stable.

    Signed-off-by: Michał Górny <mgorny@gentoo.org>

commit 014a26bb2e7e746cbd4a474a3d84075132b6c916
Author: Michał Górny <mgorny@gentoo.org>
Date:   Mon Feb 13 20:26:19 2023 +0100

    verify-sig.eclass: Revert "Use gemato openpgp-verify-detached"

    This is causing verification failures when verifying old signatures
    made with now-expired keys.

    Reverts: 75ea89a43b8d3efb6b264296f819d04d3c18c3af
    Bug: https://bugs.gentoo.org/894164
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-01-05 10:49:27 UTC
The actual 1-out-of-n support wasn't merged.
Comment 12 Larry the Git Cow gentoo-dev 2024-01-08 14:48:26 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0611129171a7f43be5e554c3ace3880c981aea92

commit 0611129171a7f43be5e554c3ace3880c981aea92
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2023-01-23 08:23:18 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2024-01-08 14:48:15 +0000

    verify-sig.eclass: Accept 1-out-of-n sigs on multisig files
    
    If a distfile has multiple detached signatures, pass verification
    if at least one of them can be verified rather than requiring all
    of them.  This is particularly helpful for upstreams where the whole
    set of release keys is hard to come by.
    
    Closes: https://bugs.gentoo.org/873211
    Closes: https://github.com/gentoo/gentoo/pull/29224
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/29592
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 eclass/verify-sig.eclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)