Bug#841910: uscan behaviour on multiple signatures
Guido Günther
agx at sigxcpu.org
Thu Jul 6 07:16:50 UTC 2017
On Wed, Oct 26, 2016 at 06:08:28PM -0400, James McCoy wrote:
> Control: retitle -1 [uscan] Add an exit status to indicate gpgv failure
>
> On Mon, Oct 24, 2016 at 01:25:03PM +0200, Bernhard Schmidt wrote:
> > Asterisk upstream sources are signed by several keys, see for example
> >
> > http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-13.11.2.tar.gz
> > http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-13.11.2.tar.gz.asc
> >
> > The set of keys can differ between releases.
> >
> > When there is one signature of a key not listed in
> > debian/upstream/signing-key.asc a validation warning is thrown.
>
> That's to be expected. There are signatures that you aren't able to
> validate with the known keys.
>
> > asterisk$ uscan
> > uscan: Newest version of asterisk on remote site is 13.11.2, local
> > version is 13.10.0~dfsg
> > (mangled local version is 13.10.0)
> > uscan: => Newer package available from
> > http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-13.11.2.tar.gz
> > gpgv: Signature made Fri 09 Sep 2016 06:18:48 PM CEST
> > gpgv: using RSA key 368AB332B59975F3
> > gpgv: Good signature from "George Joseph <gjoseph at digium.com>"
> > gpgv: Signature made Fri 09 Sep 2016 06:26:07 PM CEST
> > gpgv: using DSA key 9C59F000777DCC45
> > gpgv: Good signature from "Kevin Harwell <kharwell at digium.com>"
> > gpgv: Signature made Fri 09 Sep 2016 07:22:47 PM CEST
> > gpgv: using DSA key 6CB44E557BD982D8
> > gpgv: Good signature from "Richard Mudgett <rmudgett at digium.com>"
> > gpgv: Signature made Fri 09 Sep 2016 07:41:46 PM CEST
> > gpgv: using DSA key 8438CBA18D0CAA72
> > gpgv: Can't check signature: No public key
> > uscan warn: OpenPGP signature did not verify.
> >
> > In this case d/u/signing-key.asc contains
> >
> > asterisk$ gpg --import < debian/upstream/signing-key.asc
> > gpg: key DAB29B236B940F89: public key "Joshua Colp <jcolp at joshua-colp.com>" imported
> > gpg: key 9C59F000777DCC45: public key "Kevin Harwell <kharwell at digium.com>" imported
> > gpg: key 6CB44E557BD982D8: public key "Richard Mudgett <rmudgett at digium.com>" imported
> > gpg: key 368AB332B59975F3: public key "George Joseph <gjoseph at digium.com>" imported
> > gpg: Total number processed: 4
> > gpg: imported: 4
> >
> > DAB29B236B940F89 is in signing-key.asc but there is no signature, and
> > there is an additional signature from 8438CBA18D0CAA72
> >
> > When this happens uscan exits with rc=0, but does not process the file
> > further without any meaningful error message.
>
> Indeed, uscan always exits with 0 if it found a newer version upstream.
> When support for gpg verification was added, there wasn't an exit code
> added to indicate that the verification failed.
This is IMHO a security issue since it violates the principle of least
surprise and makes it hard to use in an automated way. Can uscan be
changed to exit non-zero in case all signatures fail to validate? Maybe
with a separate option (--fail-on-bad-sig)?
For the moment I've changed gbp to abort on all uscan warnings/errors
since we might otherwise end up with unverified tarballs that lack
e.g. the version mangle since uscan aborted processing.
Cheers and thanks a lot for maintaining uscan!
-- Guido
>
> > I did not find any documentation on how uscan deals with multiple
> > signatures and/or multiple keys, but so far it looks like all signatures
> > have to be made by keys provided in d/u/signing-key.asc.
>
> This is all handled by gpgv. It's nothing specific to uscan.
>
> > Additional keys
> > in d/u/signing-key.asc are not enforced.
>
> Right, signing-key.asc should be a superset of the keys which are
> expected to sign the archive.
>
> > IMHO this behaviour does not make any sense. You need to check the
> > authenticity of any additional key upstream might use before adding it
> > to the repo,
>
> Of course you do. Why wouldn't you verify the authenticity of a key
> before adding it to signing-key.asc? Adding the key is indicating that
> you trust it's a valid key to be used to sign the archive you're going
> to use to create a new version of the Debian package.
>
> > you cannot just use one known-good key and ignore the rest.
> > This even makes an attack a bit more likely, since control over just one
> > key in the set is enough to build and sign an accepted tarball.
>
> How so? Every signature on the archive needs to be verified for gpgv to
> return success. gpgv already returns a failing exit code in your
> scenario because you weren't able to verify one of the 4 signatures
> on the archive. uscan just needs to propagate gpgv failure to its own
> exit code.
>
> Cheers,
> --
> James
> GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB
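As an added illustration (not code from the thread, uscan or gpgv): a small Python parser for gpgv's machine-readable `--status-fd` output that reproduces the four-signature asterisk case above and compares the two exit-code policies discussed, gpgv's "every signature must verify" and the relaxed "fail only when no signature verifies" option. The status lines are constructed to match the scenario (key ids from the thread); the trusted key list is the set imported from signing-key.asc above.

```python
import re
from collections import Counter

# Constructed `gpgv --status-fd 1` output for the thread's scenario: three
# good signatures, one made by 8438CBA18D0CAA72 which is not in the keyring.
# GOODSIG/BADSIG/ERRSIG/NO_PUBKEY are gpgv's status keywords; the ERRSIG
# field layout (keyid, pk algo, hash algo, class, time, rc) is assumed here.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 368AB332B59975F3 George Joseph <gjoseph@digium.com>
[GNUPG:] GOODSIG 9C59F000777DCC45 Kevin Harwell <kharwell@digium.com>
[GNUPG:] GOODSIG 6CB44E557BD982D8 Richard Mudgett <rmudgett@digium.com>
[GNUPG:] ERRSIG 8438CBA18D0CAA72 17 2 00 1473441706 9
[GNUPG:] NO_PUBKEY 8438CBA18D0CAA72
"""

# Long key ids imported from debian/upstream/signing-key.asc in the thread.
TRUSTED_KEYS = {"DAB29B236B940F89", "9C59F000777DCC45",
                "6CB44E557BD982D8", "368AB332B59975F3"}

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

def parse_status(text):
    """Map each signing key id to 'good', 'bad' or 'unverifiable'."""
    sigs = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue                      # ignore non-status output
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "GOODSIG":
            sigs[args[0]] = "good"
        elif keyword == "BADSIG":
            sigs[args[0]] = "bad"         # signature does not match the data
        elif keyword == "ERRSIG":
            sigs[args[0]] = "unverifiable"  # e.g. rc 9: no public key
    return sigs

def verdict(sigs, require_all=True):
    """require_all=True mirrors gpgv: every signature must be good.
    require_all=False is the relaxed option from the thread: fail only when
    no signature verifies. A BADSIG fails under both policies."""
    states = Counter(sigs.values())
    if states["bad"] or not states["good"]:
        return False
    return states["unverifiable"] == 0 if require_all else True

def exit_code(status_text, require_all=True):
    """Exit status a wrapper should propagate: 0 on success, 2 otherwise."""
    return 0 if verdict(parse_status(status_text), require_all) else 2

def unsigned_trusted_keys(sigs, trusted=TRUSTED_KEYS):
    """Trusted keys that did not sign this release (informational only)."""
    return trusted - set(sigs)
```

Running `exit_code(SAMPLE_STATUS)` gives 2 (gpgv semantics) while `exit_code(SAMPLE_STATUS, require_all=False)` gives 0; `unsigned_trusted_keys` reports DAB29B236B940F89 as trusted but absent, as noted in the thread.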