Bug#841910: uscan behaviour on multiple signatures

James McCoy jamessan at debian.org
Wed Oct 26 22:08:28 UTC 2016


Control: retitle -1 [uscan] Add an exit status to indicate gpgv failure

On Mon, Oct 24, 2016 at 01:25:03PM +0200, Bernhard Schmidt wrote:
> Asterisk upstream sources are signed by several keys, see for example
> 
> http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-13.11.2.tar.gz
> http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-13.11.2.tar.gz.asc
> 
> The set of keys can differ between releases.
> 
> When there is one signature of a key not listed in
> debian/upstream/signing-key.asc a validation warning is thrown.

That's to be expected.  There are signatures that you aren't able to
validate with the known keys.

> asterisk$ uscan  
> uscan: Newest version of asterisk on remote site is 13.11.2, local
> version is 13.10.0~dfsg
>  (mangled local version is 13.10.0)
>  uscan:    => Newer package available from
>        http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-13.11.2.tar.gz
> gpgv: Signature made Fri 09 Sep 2016 06:18:48 PM CEST
> gpgv:                using RSA key 368AB332B59975F3
> gpgv: Good signature from "George Joseph <gjoseph at digium.com>"
> gpgv: Signature made Fri 09 Sep 2016 06:26:07 PM CEST
> gpgv:                using DSA key 9C59F000777DCC45
> gpgv: Good signature from "Kevin Harwell <kharwell at digium.com>"
> gpgv: Signature made Fri 09 Sep 2016 07:22:47 PM CEST
> gpgv:                using DSA key 6CB44E557BD982D8
> gpgv: Good signature from "Richard Mudgett <rmudgett at digium.com>"
> gpgv: Signature made Fri 09 Sep 2016 07:41:46 PM CEST
> gpgv:                using DSA key 8438CBA18D0CAA72
> gpgv: Can't check signature: No public key
> uscan warn: OpenPGP signature did not verify.
> 
> In this case d/u/signing-key.asc contains 
> 
> asterisk$ gpg --import < debian/upstream/signing-key.asc 
> gpg: key DAB29B236B940F89: public key "Joshua Colp <jcolp at joshua-colp.com>" imported
> gpg: key 9C59F000777DCC45: public key "Kevin Harwell <kharwell at digium.com>" imported
> gpg: key 6CB44E557BD982D8: public key "Richard Mudgett <rmudgett at digium.com>" imported
> gpg: key 368AB332B59975F3: public key "George Joseph <gjoseph at digium.com>" imported
> gpg: Total number processed: 4
> gpg:               imported: 4
> 
> DAB29B236B940F89 is in signing-key.asc but there is no signature, and
> there is an additional signature from 8438CBA18D0CAA72
> 
> When this happens uscan exits with rc=0, but does not process the file
> further without any meaningful error message.

Indeed, uscan always exits with 0 if it found a newer version upstream.
When support for gpg verification was added, there wasn't an exit code
added to indicate that the verification failed.

> I did not find any documentation on how uscan deals with multiple
> signatures and/or multiple keys, but so far it looks like all signatures
> have to be made by keys provided in d/u/signing-key.asc.

This is all handled by gpgv.  It's nothing specific to uscan.

> Additional keys
> in d/u/signing-key.asc are not enforced.

Right, signing-key.asc should be a superset of the keys which are
expected to sign the archive.

> IMHO this behaviour does not make any sense. You need to check the
> authenticity of any additional key upstream might use before adding it
> to the repo,

Of course you do.  Why wouldn't you verify the authenticity of a key
before adding it to signing-key.asc?  Adding the key is indicating that
you trust it's a valid key to be used to sign the archive you're going
to use to create a new version of the Debian package.

> you cannot just use one known-good key and ignore the rest.
> This even makes an attack a bit more likely, since control over just one
> key in the set is enough to build and sign an accepted tarball.

How so?  Every signature on the archive needs to be verified for gpgv to
return success.  gpgv already returns a failing exit code in your
scenario because you weren't able to verify one of the 4 signatures
on the archive.  uscan just needs to propagate gpgv failure to its own
exit code.

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB
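The check James describes (gpgv only succeeds if every signature on the archive verifies, so the caller just has to propagate its result) can be made explicit with a small wrapper. The script below is an added example written for this page; it is not uscan's code and not part of devscripts. It assumes the standard gpgv `--status-fd` line format (`[GNUPG:] GOODSIG`, `NO_PUBKEY`, `ERRSIG`, ...), that debian/upstream/signing-key.asc is ASCII-armoured and so must be dearmoured into a temporary keyring before gpgv can use it, and that `gpg`/`gpgv` are on PATH for the `verify_upstream` wrapper. The sample status lines in `report_status` are constructed to mirror the report above (three known signers, one unknown key) and do not come from running gpgv.

```shell
#!/bin/sh
# Added example, not uscan's own code: give a detached-signature check a
# single, meaningful exit status, and explain which signature failed.

# all_sigs_good reads gpgv --status-fd output on stdin.  It returns 0 only
# if at least one GOODSIG was seen and no signature was bad, unverifiable,
# or made by an expired/revoked key.  gpgv emits ERRSIG followed by
# NO_PUBKEY for a signature from a key that is not in the keyring; either
# line is enough to fail the check.
all_sigs_good() {
    good=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)
                good=$((good + 1)) ;;
            "[GNUPG:] NO_PUBKEY "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] BADSIG "*| \
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                bad=$((bad + 1))
                # This is the "meaningful error message" the report asks for.
                echo "signature check failed: ${line#\[GNUPG:\] }" >&2 ;;
        esac
    done
    [ "$good" -gt 0 ] && [ "$bad" -eq 0 ]
}

# verify_upstream TARBALL SIGNATURE KEYRING_ASC
# Dearmours the keyring the way a maintainer would by hand, runs gpgv with
# status output on stdout, and returns all_sigs_good's verdict.  Exit code
# 2 means the keyring could not be prepared.  (Assumed wrapper; requires
# gpg and gpgv on PATH.)
verify_upstream() {
    tarball=$1; sig=$2; keyring_asc=$3
    tmpkr=$(mktemp) || return 2
    if ! gpg --batch --yes --dearmor -o "$tmpkr" "$keyring_asc" 2>/dev/null; then
        rm -f "$tmpkr"
        return 2
    fi
    gpgv --keyring "$tmpkr" --status-fd 1 "$sig" "$tarball" 2>/dev/null | all_sigs_good
    rc=$?
    rm -f "$tmpkr"
    return "$rc"
}

# Constructed status output modelled on the report: three signatures from
# keys in signing-key.asc plus one from a key that is not there.
report_status() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 368AB332B59975F3 George Joseph <gjoseph@digium.com>' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 9C59F000777DCC45 Kevin Harwell <kharwell@digium.com>' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 6CB44E557BD982D8 Richard Mudgett <rmudgett@digium.com>' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] NO_PUBKEY 8438CBA18D0CAA72'
}

# Constructed output for a release where every signature is from a known key.
all_known_status() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 368AB332B59975F3 George Joseph <gjoseph@digium.com>' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 9C59F000777DCC45 Kevin Harwell <kharwell@digium.com>'
}

# Stand-alone demonstration when run directly (not when sourced as a library).
if [ "${0##*/}" = "check-sigs.sh" ]; then
    if report_status | all_sigs_good; then
        echo "report scenario: accepted (unexpected)"
    else
        echo "report scenario: rejected, rc=$?"
    fi
    if all_known_status | all_sigs_good; then
        echo "all-known scenario: accepted"
    fi
fi
```

Usage from a packaging script is `verify_upstream asterisk-13.11.2.tar.gz asterisk-13.11.2.tar.gz.asc debian/upstream/signing-key.asc || exit 1`. Note what the check does not do: it does not require every key in signing-key.asc to have signed the release, which matches the thread's point that the file is a superset of acceptable signers, not a list of mandatory ones.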
