Bug#841910: uscan behaviour on multiple signatures
Bernhard Schmidt
berni at debian.org
Wed Oct 26 06:45:55 UTC 2016
On 25.10.2016 at 16:07, Osamu Aoki wrote:
Hi Osamu,
> This is a very interesting report. I did not implement this feature so it
> is a learning experience for me. Please be patient.
>
>> When there is one signature of a key not listed in
>> debian/upstream/signing-key.asc a validation warning is thrown.
>
> This sounds good to me.
>
>> asterisk$ uscan
>> uscan: Newest version of asterisk on remote site is 13.11.2, local
>> version is 13.10.0~dfsg
>> (mangled local version is 13.10.0)
>> uscan: => Newer package available from
>> http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-13.11.2.tar.gz
>> gpgv: Signature made Fri 09 Sep 2016 06:18:48 PM CEST
>> gpgv: using RSA key 368AB332B59975F3
>> gpgv: Good signature from "George Joseph <gjoseph at digium.com>"
>> gpgv: Signature made Fri 09 Sep 2016 06:26:07 PM CEST
>> gpgv: using DSA key 9C59F000777DCC45
>> gpgv: Good signature from "Kevin Harwell <kharwell at digium.com>"
>> gpgv: Signature made Fri 09 Sep 2016 07:22:47 PM CEST
>> gpgv: using DSA key 6CB44E557BD982D8
>> gpgv: Good signature from "Richard Mudgett <rmudgett at digium.com>"
>> gpgv: Signature made Fri 09 Sep 2016 07:41:46 PM CEST
>> gpgv: using DSA key 8438CBA18D0CAA72
>> gpgv: Can't check signature: No public key
>> uscan warn: OpenPGP signature did not verify.
>>
>> In this case d/u/signing-key.asc contains
>>
>> asterisk$ gpg --import < debian/upstream/signing-key.asc
>> gpg: key DAB29B236B940F89: public key "Joshua Colp <jcolp at joshua-colp.com>" imported
>> gpg: key 9C59F000777DCC45: public key "Kevin Harwell <kharwell at digium.com>" imported
>> gpg: key 6CB44E557BD982D8: public key "Richard Mudgett <rmudgett at digium.com>" imported
>> gpg: key 368AB332B59975F3: public key "George Joseph <gjoseph at digium.com>" imported
>> gpg: Total number processed: 4
>> gpg: imported: 4
>>
>> DAB29B236B940F89 is in signing-key.asc but there is no signature, and
>> there is an additional signature from 8438CBA18D0CAA72
>
> You can check the 8438CBA18D0CAA72 key using the web of trust. Then you can
> check the signature manually. As for gbp, you can use "gbp import-orig
> ...". Then you can get on with life...
True, but at least for Asterisk there is no authoritative list of
signing keys, so whenever a new key appears you have to do some manual
sanity checking.
>> IMHO this behaviour does not make any sense. You need to check the
>> authenticity of any additional key upstream might use before adding it
>> to the repo, you cannot just use one known-good key and ignore the rest.
>
> I do not get your point here. What do you mean by "rest"?
When I know all good releases are signed by A and several other people,
I could just add A to debian/upstream/signing-key.asc and be done with it.
>> This even makes an attack a bit more likely, since control over just one
>> key in the set is enough to build and sign an accepted tarball.
> We are rejecting the tarball as a precautionary measure. So you can make
> a manual check with your intelligence. I do not see any security problem
> here.
As far as I get this:
- Keyring: A B C
- New release signed by: A B E
- I need to add E to the keyring to have it validated
- from this point on uscan would also accept releases _only_ signed by E
(since additional keys in the keyring don't throw an error, but
additional signatures do)
Bernhard
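The keyring/signature scenario from the reply above, replayed as an added example (my own Python, not code from uscan and not posted by anyone in this thread). It constructs gpgv-style output lines mirroring the ones quoted in the report, parses them into a per-key verification status, and applies two policies: the one the thread describes (every signature on the file must verify, so a signature from a key absent from the keyring rejects the tarball) and, as an illustration of the alternative Bernhard is arguing for, an m-of-n threshold over keyring keys that ignores signatures from unknown keys but still rejects on a BAD signature. The key IDs and user IDs come from the quoted gpg output; the user ID attached to key 8438CBA18D0CAA72 and the `example.invalid` address are placeholders, and the gpgv lines produced by `simulate_gpgv` are constructed sample input, not captured output.

```python
import re

# Key IDs and user IDs quoted in the gpg --import output above.
KEYRING = {
    "DAB29B236B940F89": "Joshua Colp <jcolp at joshua-colp.com>",
    "9C59F000777DCC45": "Kevin Harwell <kharwell at digium.com>",
    "6CB44E557BD982D8": "Richard Mudgett <rmudgett at digium.com>",
    "368AB332B59975F3": "George Joseph <gjoseph at digium.com>",
}
UNKNOWN_KEY = "8438CBA18D0CAA72"  # signed the 13.11.2 tarball but is not in the keyring

# Line shapes as they appear in the quoted gpgv output.
KEY_RE = re.compile(r"^gpgv: using (?:RSA|DSA|ECDSA|EdDSA) key ([0-9A-F]{16})$")
GOOD_RE = re.compile(r'^gpgv: Good signature from "(.+)"$')
NOKEY_RE = re.compile(r"^gpgv: Can't check signature: No public key$")
BAD_RE = re.compile(r"^gpgv: BAD signature from ")


def simulate_gpgv(signers, keyring):
    """Construct gpgv-style output (sample input, not real gpgv output) for a
    signature file carrying one signature per key ID in `signers`, checked
    against `keyring` (dict: key ID -> user ID)."""
    lines = []
    for keyid in signers:
        lines.append("gpgv: Signature made Fri 09 Sep 2016 06:18:48 PM CEST")
        lines.append(f"gpgv: using RSA key {keyid}")
        if keyid in keyring:
            lines.append(f'gpgv: Good signature from "{keyring[keyid]}"')
        else:
            lines.append("gpgv: Can't check signature: No public key")
    return lines


def parse_gpgv(lines):
    """Map each signing key ID seen in gpgv output to 'good', 'nokey' or 'bad'.
    A status line always follows the 'using ... key' line it belongs to."""
    status = {}
    current = None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            status[current] = "unknown"
        elif current is None:
            continue
        elif GOOD_RE.match(line):
            status[current] = "good"
        elif NOKEY_RE.match(line):
            status[current] = "nokey"
        elif BAD_RE.match(line):
            status[current] = "bad"
    return status


def all_signatures_must_verify(status):
    """Policy as described in the thread: any signature that does not verify,
    including one from a key merely absent from the keyring, rejects the tarball."""
    return bool(status) and all(s == "good" for s in status.values())


def threshold_of_known_keys(status, n):
    """Alternative policy (added illustration, not uscan behaviour): ignore
    signatures from unknown keys, reject on any BAD signature, and require at
    least n good signatures from keys that are in the keyring."""
    if any(s == "bad" for s in status.values()):
        return False
    return sum(1 for s in status.values() if s == "good") >= n


def scenario():
    """Replay the thread's A/B/C-then-E scenario with the quoted key IDs and
    return the accept/reject decision of each policy at each step."""
    decisions = {}
    # Release 1: three keyring keys plus the unknown key, as in the quoted uscan run.
    release1 = ["368AB332B59975F3", "9C59F000777DCC45", "6CB44E557BD982D8", UNKNOWN_KEY]
    st = parse_gpgv(simulate_gpgv(release1, KEYRING))
    decisions["release1/strict"] = all_signatures_must_verify(st)        # reject: "No public key"
    decisions["release1/2-of-keyring"] = threshold_of_known_keys(st, 2)  # accept: 3 known good

    # The maintainer adds the unknown key (placeholder user ID) so release 1 verifies.
    extended = dict(KEYRING, **{UNKNOWN_KEY: "New Signer <placeholder at example.invalid>"})
    st = parse_gpgv(simulate_gpgv(release1, extended))
    decisions["release1+key/strict"] = all_signatures_must_verify(st)    # accept

    # Release 2: signed only by the newly added key (Bernhard's point).
    st = parse_gpgv(simulate_gpgv([UNKNOWN_KEY], extended))
    decisions["release2/strict"] = all_signatures_must_verify(st)        # accept: one key suffices
    decisions["release2/2-of-keyring"] = threshold_of_known_keys(st, 2)  # reject: only 1 known good
    return decisions


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:24s} {'accept' if ok else 'reject'}")
```

Running it prints the four steps of the scenario side by side: under the strict policy the extra unknown signature turns a release signed by three keyring keys into a rejection, and once that key is added a release signed by it alone is accepted, whereas the threshold policy keeps the keyring from degrading into "any single key will do".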