Bug#888046: devscripts: Support signatures against uncompressed tarballs

Vagrant Cascadian vagrant at debian.org
Tue Jan 23 18:46:55 UTC 2018


On 2018-01-23, Osamu Aoki wrote:
> I am in a good mood to do my user support duty :-)  So let me show.

Thanks!


> On Mon, Jan 22, 2018 at 01:24:20PM -0800, Vagrant Cascadian wrote:
>> There are a number of projects hosted at kernel.org that use the
>> kup-client utility to handle uploads. While it may upload a signature to
>> verify the uploaded tarballs, those signatures are against the
>> uncompressed tarball, rather than the compressed tarballs.
>> 
>> For example, for dtc version 1.4.6, there is:
>> 
>>   https://www.kernel.org/pub/software/utils/dtc/
>> 
>>   dtc-1.4.6.tar.gz
>>   dtc-1.4.6.tar.sign
>>   dtc-1.4.6.tar.xz
>> 
>> I can download either .tar.gz or .tar.xz, decompress them, and then use
>> the .tar.sign to verify it, but I don't see any obvious way to do this
>> from debian/watch.


> The obvious way is to read the manpage of uscan. ... many ways but
> something along

I've read the uscan manpage quite a number of times, but even after
using uscan for well over a decade and reading the manpage many times
over the years, nothing really comes across as obvious. So there's a
difference between reading the fine manual and comprehending
it.

Fortunately, it's one of those things I get working once for a package
and infrequently need to update it, so that's good.


And yet...

> version=4
> opts="pgpmode=mangle, pgpsigurlmangle=s%tar\..z$%tar\.sign%" \
> https://www.kernel.org/pub/software/utils/dtc/ \
>   @PACKAGE@@ANY_VERSION@@ARCHIVE_EXT@ \
>   debian uupdate

Thanks for the suggestion...

with debian/watch:

  version=4
  opts="pgpmode=mangle, pgpsigurlmangle=s%tar\..z$%tar\.sign%" \
  https://www.kernel.org/pub/software/utils/dtc/ \
    dtc-@ANY_VERSION@@ARCHIVE_EXT@ \
    debian uupdate

Using @PACKAGE@ didn't work because upstream is named differently
(device-tree-compiler vs. dtc).

But even with that fixed/worked around:

  uscan: Newest version of device-tree-compiler on remote site is 1.4.6, local version is 1.4.5
  uscan:    => Newer package available from
        https://www.kernel.org/pub/software/utils/dtc/dtc-1.4.6.tar.xz
  gpgv: Signature made Tue Jan  2 22:12:20 2018 PST
  gpgv:                using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392
  gpgv: BAD signature from "David Gibson <david at gibson.dropbear.id.au>"
  uscan die: OpenPGP signature did not verify.


If I manually take the files that uscan downloaded and verify them like
so:

  $ xz -d dtc-1.4.6.tar.xz
  $ gpg --verify dtc-1.4.6.tar.xz.n dtc-1.4.6.tar
  gpg: Signature made Tue Jan  2 22:12:20 2018 PST
  gpg:                using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392
  gpg: Good signature from "David Gibson <david at gibson.dropbear.id.au>" [unknown]
  gpg:                 aka "David Gibson (kernel.org) <dwg at kernel.org>" [unknown]
  gpg:                 aka "David Gibson (Red Hat) <dgibson at redhat.com>" [unknown]
  gpg:                 aka "David Gibson (ozlabs.org) <dgibson at ozlabs.org>" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 B392


I am fairly certain this is because the signature is not against the
.tar.xz, but against the uncompressed tarball.

Does uscan (attempt to) decompress the tarball before verifying the
signature? If not, I don't see how this could possibly work; in fact, if
it did, it would be a serious security bug, as the signature is against
the uncompressed tarball.


>> I'm also not sure the Debian archive supports uploading a signature file
>> against a file that isn't included in the distribution, so maybe this
>> isn't really an issue worth handling in uscan...
>
> That is not a uscan bug.  I as the primary uscan committer want to hear
> your experience.  Did you try?  If you find out the answer, please let
> me know what shall be done.

I haven't tried because I haven't yet figured out a way to automate the
verification of the signature (short of writing something entirely
outside of uscan).


live well,
  vagrant
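The manual steps from the report (decompress, then check the .tar.sign against the plain tarball) as a small POSIX shell script, added here as an example; it is not code from the bug report, from uscan or from devscripts. It streams the decompressed archive into gpgv as the data file instead of the compressed download that pgpmode=mangle hands to gpgv, which is the difference between the BAD and the Good signature above. Assumed, and not stated on the page: gpg and gpgv are installed, the upstream key is kept at debian/upstream/signing-key.asc unless a keyring is passed as the third argument, and the signature follows the kup-client naming foo.tar.sign beside foo.tar.gz / foo.tar.xz.

```shell
#!/bin/sh
# Added example, not code from the bug report, uscan or devscripts: verify a
# kernel.org-style .tar.sign, which signs the *uncompressed* tarball, without
# writing the decompressed archive to disk.  uscan's pgpmode=mangle runs gpgv
# over the compressed download, hence its BAD signature; here the decompressor
# streams to stdout and gpgv reads the data file from stdin ("-").
#
# Assumptions (not stated in the bug report): gpg and gpgv are installed, and
# the upstream key lives at debian/upstream/signing-key.asc unless a keyring
# is given as the third argument.

# Print the decompress-to-stdout command for a tarball, chosen by suffix.
# Returns 2 for an archive type this script does not handle.
decompressor_for() {
    case "$1" in
        *.tar.gz)  echo "gzip -dc" ;;
        *.tar.xz)  echo "xz -dc" ;;
        *.tar.bz2) echo "bzip2 -dc" ;;
        *.tar)     echo "cat" ;;
        *)         return 2 ;;
    esac
}

# Map foo.tar.gz / foo.tar.xz to the foo.tar.sign that kup-client publishes
# beside them (the signature is named after the uncompressed tarball).
signature_name_for() {
    case "$1" in
        *.tar.gz)  echo "${1%.tar.gz}.tar.sign" ;;
        *.tar.xz)  echo "${1%.tar.xz}.tar.sign" ;;
        *.tar.bz2) echo "${1%.tar.bz2}.tar.sign" ;;
        *.tar)     echo "$1.sign" ;;
        *)         return 2 ;;
    esac
}

# verify_uncompressed_sig TARBALL [SIGNATURE] [KEYRING]
# Exit status: 0 good signature, 1 gpgv rejected it, 2 usage or missing file.
verify_uncompressed_sig() {
    tarball=$1
    if [ -n "$2" ]; then
        sig=$2
    else
        sig=$(signature_name_for "$tarball") || return 2
    fi
    keyring=${3:-debian/upstream/signing-key.asc}

    decomp=$(decompressor_for "$tarball") || {
        echo "unsupported archive: $tarball" >&2; return 2; }
    for f in "$tarball" "$sig" "$keyring"; do
        [ -r "$f" ] || { echo "missing file: $f" >&2; return 2; }
    done

    # gpgv wants a binary keyring; dearmor an .asc into a temporary file.
    binring=$keyring
    case "$keyring" in
        *.asc)
            binring=$(mktemp) || return 2
            gpg --batch --dearmor < "$keyring" > "$binring" || {
                rm -f "$binring"; return 2; }
            ;;
    esac

    # With --keyring given, gpgv consults only that keyring, treats every key
    # in it as trusted, and fails for a signature from any other key.
    # $decomp is intentionally unquoted so "xz -dc" splits into a command.
    if $decomp "$tarball" | gpgv --keyring "$binring" "$sig" -; then
        rc=0
    else
        rc=1
    fi
    if [ "$binring" != "$keyring" ]; then rm -f "$binring"; fi
    return "$rc"
}

# Usage: sh verify-tar-sign.sh dtc-1.4.6.tar.xz [dtc-1.4.6.tar.sign] [keyring]
if [ "$#" -ge 1 ]; then
    verify_uncompressed_sig "$@"
fi
```

The pipeline's exit status is gpgv's, so a decompressor that fails part-way (a truncated or corrupt .tar.xz) leaves gpgv with a stream that does not match the signature and the check fails closed rather than being skipped. Because gpgv is pointed at an explicit keyring, the "This key is not certified" warning from the interactive gpg run above does not arise: the key is either in the packaged keyring or the signature is rejected.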