Bug#841910: uscan behaviour on multiple signatures
Bernhard Schmidt
berni+deb at birkenwald.de
Mon Oct 24 11:25:03 UTC 2016
Package: devscripts
Version: 2.16.8
Severity: normal
File: /usr/bin/uscan
Hi,
Asterisk upstream sources are signed by several keys, see for example
http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-13.11.2.tar.gz
http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-13.11.2.tar.gz.asc
The set of keys can differ between releases.
When there is one signature from a key not listed in
debian/upstream/signing-key.asc a validation warning is thrown.
asterisk$ uscan
uscan: Newest version of asterisk on remote site is 13.11.2, local
version is 13.10.0~dfsg
(mangled local version is 13.10.0)
uscan: => Newer package available from
http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-13.11.2.tar.gz
gpgv: Signature made Fri 09 Sep 2016 06:18:48 PM CEST
gpgv: using RSA key 368AB332B59975F3
gpgv: Good signature from "George Joseph <gjoseph at digium.com>"
gpgv: Signature made Fri 09 Sep 2016 06:26:07 PM CEST
gpgv: using DSA key 9C59F000777DCC45
gpgv: Good signature from "Kevin Harwell <kharwell at digium.com>"
gpgv: Signature made Fri 09 Sep 2016 07:22:47 PM CEST
gpgv: using DSA key 6CB44E557BD982D8
gpgv: Good signature from "Richard Mudgett <rmudgett at digium.com>"
gpgv: Signature made Fri 09 Sep 2016 07:41:46 PM CEST
gpgv: using DSA key 8438CBA18D0CAA72
gpgv: Can't check signature: No public key
uscan warn: OpenPGP signature did not verify.
In this case d/u/signing-key.asc contains
asterisk$ gpg --import < debian/upstream/signing-key.asc
gpg: key DAB29B236B940F89: public key "Joshua Colp <jcolp at joshua-colp.com>" imported
gpg: key 9C59F000777DCC45: public key "Kevin Harwell <kharwell at digium.com>" imported
gpg: key 6CB44E557BD982D8: public key "Richard Mudgett <rmudgett at digium.com>" imported
gpg: key 368AB332B59975F3: public key "George Joseph <gjoseph at digium.com>" imported
gpg: Total number processed: 4
gpg: imported: 4
DAB29B236B940F89 is in signing-key.asc but there is no signature, and
there is an additional signature from 8438CBA18D0CAA72
When this happens uscan exits with rc=0, but does not process the file
further, without any meaningful error message. I.e. the DFSG repack
specified in debian/watch is not executed at all. Exiting rc=0 even
tricks "gbp import-orig --uscan" into importing the non-dfsg upstream
tarball into the repo.
I did not find any documentation on how uscan deals with multiple
signatures and/or multiple keys, but so far it looks like all signatures
have to be made by keys provided in d/u/signing-key.asc. Additional keys
in d/u/signing-key.asc are not enforced.
IMHO this behaviour does not make any sense. You need to check the
authenticity of any additional key upstream might use before adding it
to the repo, you cannot just use one known-good key and ignore the rest.
This even makes an attack a bit more likely, since control over just one
key in the set is enough to build and sign an accepted tarball.
Best Regards,
Bernhard
-- Package-specific info:
--- /etc/devscripts.conf ---
--- ~/.devscripts ---
Not present
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.7.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages devscripts depends on:
ii dpkg-dev 1.18.10
ii libc6 2.24-5
ii perl 5.24.1~rc3-3
pn python3:any <none>
Versions of packages devscripts recommends:
ii apt 1.3.1
ii at 3.1.20-1
ii curl 7.50.1-1
ii dctrl-tools 2.24-2
ii debian-keyring 2016.09.04
ii dput-ng [dput] 1.10
ii equivs 2.0.9+nmu1
ii fakeroot 1.21-2
ii file 1:5.28-4
ii gnupg 2.1.15-4
ii gnupg2 2.1.15-4
ii libdistro-info-perl 0.14
ii libencode-locale-perl 1.05-1
ii liblwp-protocol-https-perl 6.06-2
ii libsoap-lite-perl 1.20-1
ii liburi-perl 1.71-1
ii libwww-perl 6.15-1
ii licensecheck 3.0.24-1
ii lintian 2.5.48
ii man-db 2.7.5-1
ii patch 2.7.5-1
ii patchutils 0.3.4-1
ii python3-debian 0.1.29
ii python3-magic 1:5.28-4
ii sensible-utils 0.0.9
ii strace 4.13-0.1
ii unzip 6.0-20
ii wdiff 1.2.2-1+b1
ii wget 1.18-4
ii xz-utils 5.2.2-1.2
Versions of packages devscripts suggests:
pn adequate <none>
pn autopkgtest <none>
pn bls-standalone <none>
ii build-essential 12.2
pn check-all-the-things <none>
pn cvs-buildpackage <none>
pn devscripts-el <none>
ii diffoscope 61
pn disorderfs <none>
pn dose-extra <none>
pn duck <none>
pn faketime <none>
pn gnuplot <none>
ii gpgv 2.1.15-4
pn how-can-i-help <none>
ii libauthen-sasl-perl 2.1600-1
pn libfile-desktopentry-perl <none>
ii libnet-smtp-ssl-perl 1.03-1
pn libterm-size-perl <none>
ii libtimedate-perl 2.3000-2
pn libyaml-syck-perl <none>
pn mozilla-devscripts <none>
pn mutt <none>
ii openssh-client [ssh-client] 1:7.3p1-1
pn piuparts <none>
pn ratt <none>
pn reprotest <none>
ii s-nail [mailx] 14.8.12-1
pn svn-buildpackage <none>
pn w3m <none>
-- no debconf information
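An added example (not uscan's or devscripts' own code) of the multi-signature policy the report argues for: it parses `gpgv --status-fd` output, requires a quorum of signatures from keys in debian/upstream/signing-key.asc, treats a bad signature as fatal, reports signatures from unknown keys instead of failing silently, and always returns a spelled-out reason. The status lines are constructed to mirror the run quoted above, and TRUSTED_KEYS stands in for the key IDs imported from signing-key.asc.

```python
import re
from typing import NamedTuple

# Long key IDs imported from debian/upstream/signing-key.asc in the report.
TRUSTED_KEYS = {"DAB29B236B940F89", "9C59F000777DCC45",
                "6CB44E557BD982D8", "368AB332B59975F3"}

# Constructed `gpgv --status-fd 1` output mirroring the report's four
# signatures: three from keys in the keyring, one (8438CBA18D0CAA72) unknown.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 368AB332B59975F3 George Joseph <gjoseph@digium.com>
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 9C59F000777DCC45 Kevin Harwell <kharwell@digium.com>
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6CB44E557BD982D8 Richard Mudgett <rmudgett@digium.com>
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 8438CBA18D0CAA72 17 2 00 1473437006 9
[GNUPG:] NO_PUBKEY 8438CBA18D0CAA72
"""

class Verdict(NamedTuple):
    ok: bool
    good: frozenset     # trusted keys that produced a good signature
    unknown: frozenset  # signing keys that are not in the keyring
    bad: frozenset      # keys whose signature failed to verify
    reason: str         # always filled in, so a caller can never fail silently

def parse_status(text):
    """Collect GOODSIG / BADSIG / NO_PUBKEY long key IDs from gpgv status lines."""
    found = {"GOODSIG": set(), "BADSIG": set(), "NO_PUBKEY": set()}
    for line in text.splitlines():
        m = re.match(r"\[GNUPG:\] (GOODSIG|BADSIG|NO_PUBKEY) ([0-9A-F]{16})", line)
        if m:
            found[m.group(1)].add(m.group(2))
    return found

def check_signatures(status_text, trusted, min_good=1):
    """Quorum policy: at least `min_good` trusted keys must have signed, any
    BADSIG is fatal, unknown signers are reported rather than silently fatal."""
    found = parse_status(status_text)
    good = frozenset(found["GOODSIG"] & trusted)
    unknown = frozenset(found["NO_PUBKEY"])
    bad = frozenset(found["BADSIG"])
    if bad:
        return Verdict(False, good, unknown, bad,
                       "bad signature from " + ", ".join(sorted(bad)))
    if len(good) < min_good:
        return Verdict(False, good, unknown, bad,
                       f"only {len(good)} trusted signature(s), need {min_good}")
    note = f" (ignored {len(unknown)} signature(s) from unknown keys)" if unknown else ""
    return Verdict(True, good, unknown, bad,
                   f"{len(good)} trusted signature(s) verified{note}")
```

With `min_good=1` the report's tarball is accepted with a warning about the unknown key; raising `min_good` is what closes the "control over just one key is enough" gap the report describes.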