Bug#888046: devscripts: Support signatures against uncompressed tarballs
Vagrant Cascadian
vagrant@debian.org
Tue Jan 23 18:46:55 UTC 2018
On 2018-01-23, Osamu Aoki wrote:
> I am in a good mood to do my user support duty :-) So let me show.
Thanks!
> On Mon, Jan 22, 2018 at 01:24:20PM -0800, Vagrant Cascadian wrote:
>> There are a number of projects hosted at kernel.org that use the
>> kup-client utility to handle uploads. While it may upload a signature to
>> verify the uploaded tarballs, those signatures are against the
>> uncompressed tarball, rather than the compressed tarballs.
>>
>> For example, for dtc version 1.4.6, there is:
>>
>> https://www.kernel.org/pub/software/utils/dtc/
>>
>> dtc-1.4.6.tar.gz
>> dtc-1.4.6.tar.sign
>> dtc-1.4.6.tar.xz
>>
>> I can download either .tar.gz or .tar.xz, decompress them, and then use
>> the .tar.sign to verify it, but I don't see any obvious way to do this
>> from debian/watch.
> The obvious way is to read the manpage of uscan. ... many ways but
> something along
I've read the uscan manpage quite a number of times, but even after
using uscan for well over a decade and reading the manpage many times
over the years, nothing really comes across as obvious. So there's a
difference between reading the fine manual and comprehending
it.
Fortunately, it's one of those things I get working once for a package
and infrequently need to update it, so that's good.
And yet...
> version=4
> opts="pgpmode=mangle, pgpsigurlmangle=s%tar\..z$%tar\.sign%" \
> https://www.kernel.org/pub/software/utils/dtc/ \
> @PACKAGE@@ANY_VERSION@@ARCHIVE_EXT@ \
> debian uupdate
Thanks for the suggestion...
with debian/watch:
version=4
opts="pgpmode=mangle, pgpsigurlmangle=s%tar\..z$%tar\.sign%" \
https://www.kernel.org/pub/software/utils/dtc/ \
dtc-@ANY_VERSION@@ARCHIVE_EXT@ \
debian uupdate
Using @PACKAGE@ didn't work because upstream is named differently
(device-tree-compiler vs. dtc).
But even with that fixed/worked around:
uscan: Newest version of device-tree-compiler on remote site is 1.4.6, local version is 1.4.5
uscan: => Newer package available from https://www.kernel.org/pub/software/utils/dtc/dtc-1.4.6.tar.xz
gpgv: Signature made Tue Jan 2 22:12:20 2018 PST
gpgv: using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392
gpgv: BAD signature from "David Gibson <david@gibson.dropbear.id.au>"
uscan die: OpenPGP signature did not verify.
If I manually take the files that uscan downloaded and verify them like
so:
$ xz -d dtc-1.4.6.tar.xz
$ gpg --verify dtc-1.4.6.tar.xz.n dtc-1.4.6.tar
gpg: Signature made Tue Jan 2 22:12:20 2018 PST
gpg: using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392
gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" [unknown]
gpg:                 aka "David Gibson (kernel.org) <dwg@kernel.org>" [unknown]
gpg:                 aka "David Gibson (Red Hat) <dgibson@redhat.com>" [unknown]
gpg:                 aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392
I am fairly certain this is because the signature is not against the
.tar.xz, but against the uncompressed tarball.
Does uscan (attempt to) decompress the tarball before verifying the
signature? If not, I don't see how this could possibly work; in fact, if
it did, it would be a serious security bug, as the signature is against
the uncompressed tarball.
>> I'm also not sure the Debian archive supports uploading a signature file
>> against a file that isn't included in the distribution, so maybe this
>> isn't really an issue worth handling in uscan...
>
> That is not a uscan bug. I as the primary uscan committer want to hear
> your experience. Did you try? If you find out the answer, please let
> me know what shall be done.
I haven't tried because I haven't yet figured out a way to automate the
verification of the signature (short of writing something entirely
outside of uscan).
live well,
vagrant
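The manual procedure in the message above (decompress the download, then verify the detached .tar.sign against the plain tarball), written as a reusable shell function. This is an added example, not code from the thread or from devscripts/uscan. It assumes gpgv, gzip, xz and bzip2 are installed, and the keyring path in the usage comment is hypothetical. It uses gpgv with an explicit keyring rather than gpg's web of trust, which is the model uscan itself uses with debian/upstream/signing-key.asc: only a signature from a key you put in that keyring counts as good, so the "[unknown]" trust warning in the gpg output above never has to be interpreted by hand.

```shell
#!/bin/sh
# Added example, not code from the thread or from devscripts/uscan.
# Verifies a kernel.org-style detached signature (foo.tar.sign) that covers
# the UNCOMPRESSED tarball, given a .tar.gz/.tgz/.tar.xz/.tar.bz2 download.
# Assumptions: gpgv, gzip, xz and bzip2 are installed; KEYRING is a binary
# OpenPGP keyring holding only the upstream key(s) you actually trust.
set -eu

# verify_uncompressed KEYRING TARBALL SIGFILE
# Decompresses TARBALL to a temporary file (decompressor chosen by extension)
# and checks SIGFILE against that plaintext with gpgv. Returns 0 for a good
# signature from a key in KEYRING, 1 otherwise (bad signature, key not in
# KEYRING, unknown compression, decompression failure).
verify_uncompressed() {
    keyring=$1; tarball=$2; sig=$3
    tmp=$(mktemp) || return 1
    case "$tarball" in
        *.tar.gz|*.tgz) gzip -dc "$tarball"  > "$tmp" || { rm -f "$tmp"; return 1; } ;;
        *.tar.xz)       xz -dc "$tarball"    > "$tmp" || { rm -f "$tmp"; return 1; } ;;
        *.tar.bz2)      bzip2 -dc "$tarball" > "$tmp" || { rm -f "$tmp"; return 1; } ;;
        *.tar)          cat "$tarball"       > "$tmp" || { rm -f "$tmp"; return 1; } ;;
        *) echo "verify_uncompressed: unknown compression: $tarball" >&2
           rm -f "$tmp"; return 1 ;;
    esac
    # gpgv consults only the given keyring: no web of trust, no keyservers,
    # so a "good" signature made by some other key is still a failure.
    if gpgv --keyring "$keyring" "$sig" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Example call (hypothetical paths, matching the dtc case in the thread):
#   verify_uncompressed debian/upstream/signing-key.gpg \
#       ../dtc-1.4.6.tar.xz ../dtc-1.4.6.tar.sign
```

Running gpgv on the compressed file instead of the decompressed one reproduces the "BAD signature" uscan printed: the signature is over the tar bytes, and the .xz or .gz container is a different byte string. The same reasoning cuts the other way for a verifier that silently decompresses: what gets verified must be exactly what later gets unpacked, which is why the function unpacks to its own temporary file and never the original download.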