[Pkg-gnupg-maint] Bug#497825: gnupg: ignores expiry of archive keys

Thijs Kinkhorst thijs at debian.org
Wed Aug 18 13:53:28 UTC 2010 

Hi Peter,

On tongersdei 17 Juny 2010, Peter Palfrader wrote:
> | weasel at intrepid:~/tmp$ wget -nv
> | http://snapshot.debian.org/archive/debian-volatile/20090903T013716Z/dist
> | s/etch/volatile/Release{.gpg,} 2010-06-17 20:09:56
> | URL:http://snapshot.debian.org/archive/debian-volatile/20090903T013716Z/
> | dists/etch/volatile/Release.gpg [189/189] -> "Release.gpg" [1] 2010-06-17
> | 20:09:57
> | URL:http://snapshot.debian.org/archive/debian-volatile/20090903T013716Z/
> | dists/etch/volatile/Release [40688/40688] -> "Release" [1] FINISHED
> | --2010-06-17 20:09:57--
> | Downloaded: 2 files, 40K in 0s (76139 GB/s)
> | weasel at intrepid:~/tmp$ mkdir gnupghome
> | weasel at intrepid:~/tmp$ export GNUPGHOME=gnupghome
> | weasel at intrepid:~/tmp$ chmod go-rwx gnupghome
> | weasel at intrepid:~/tmp$ gpg
> | gpg: keyring `gnupghome/secring.gpg' created
> | gpg: keyring `gnupghome/pubring.gpg' created
> | gpg: Go ahead and type your message ...
> | ^C
> | gpg: Interrupt caught ... exiting
> | 
> | weasel at intrepid:~/tmp$ gpg --keyserver keys.gnupg.net --recv BBE55AB3
> | gpg: requesting key BBE55AB3 from hkp server keys.gnupg.net
> | gpg: gnupghome/trustdb.gpg: trustdb created
> | gpg: key BBE55AB3: public key "Debian-Volatile Archive Automatic Signing
> | Key (4.0/etch)" imported gpg: no ultimately trusted keys found
> | gpg: Total number processed: 1
> | gpg:               imported: 1
> | weasel at intrepid:~/tmp$
> | weasel at intrepid:~/tmp$ gpg --list-key BBE55AB3
> | pub   1024D/BBE55AB3 2007-03-31 [expired: 2010-03-30]
> | uid                  Debian-Volatile Archive Automatic Signing Key
> | (4.0/etch)
> | 
> | weasel at intrepid:~/tmp$ cp gnupghome/pubring.gpg gnupghome/trustedkeys.gpg
> | weasel at intrepid:~/tmp$
> | weasel at intrepid:~/tmp$
> | weasel at intrepid:~/tmp$ gpg --status-fd 2 --verify Release.gpg Release
> | gpg: Signature made Thu Sep  3 03:35:17 2009 CEST using DSA key ID
> | BBE55AB3 [GNUPG:] KEYEXPIRED 1269969909
> | [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
> | [GNUPG:] KEYEXPIRED 1269969909
> | [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
> | [GNUPG:] SIG_ID PloukF3ViGb7cZ/IkkSl6SbbY1g 2009-09-03 1251941717
> | [GNUPG:] KEYEXPIRED 1269969909
> | [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
> | [GNUPG:] EXPKEYSIG EC61E0B0BBE55AB3 Debian-Volatile Archive Automatic
> | Signing Key (4.0/etch) gpg: Good signature from "Debian-Volatile Archive
> | Automatic Signing Key (4.0/etch)" [GNUPG:] VALIDSIG
> | 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3 2009-09-03 1251941717 0 3 0 17
> | 2 00 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3 gpg: Note: This key has
> | expired!
> | Primary key fingerprint: 6039 406A 4EDC E124 CF08  7B0A EC61 E0B0 BBE5
> | 5AB3
> 
> no GOODSIG -> signature is not valid.
> 
> | weasel at intrepid:~/tmp$ gpgv Release.gpg Release
> | gpgv: Signature made Thu Sep  3 03:35:17 2009 CEST using DSA key ID
> | BBE55AB3 gpgv: Good signature from "Debian-Volatile Archive Automatic
> | Signing Key (4.0/etch)" weasel at intrepid:~/tmp$ echo $?
> | 0
> 
> exit code 0 -> signature is valid.
> 
> 
> At the risk of repeating myself, this means that gpg and gpgv disagree on
> what is a valid signature.
> 
> This is gnupg and gpgv both at version 1.4.10-2~bpo50+1.

Thanks for clarifying again what exactly you're observing. I can indeed 
reproduce that situation. However, aren't you comparing apples with oranges?

What I mean is that you compare checking the status-fd output of GnuPG with 
the exit code of gpgv. If I repeat your example, but compare gpg's status-fd 
output with gpgv's status-fd output, or compare gpg's exit code with gpgv's 
exit code, the results are consistent. Look at the following.

[thijs at morgana]/tmp$ wget -nv http://snapshot.debian.org/archive/debian-
volatile/20090903T013716Z/dists/etch/volatile/Release{.gpg,}
2010-08-18 15:28:29 URL:http://snapshot.debian.org/archive/debian-
volatile/20090903T013716Z/dists/etch/volatile/Release.gpg [189/189] -> 
"Release.gpg" [1]
2010-08-18 15:28:32 URL:http://snapshot.debian.org/archive/debian-
volatile/20090903T013716Z/dists/etch/volatile/Release [40688/40688] -> 
"Release" [1]
FINISHED --2010-08-18 15:28:32--
Downloaded: 2 files, 40K in 0s (76139 GB/s)
[thijs at morgana]/tmp$ mkdir gnupghome
[thijs at morgana]/tmp$ export GNUPGHOME=gnupghome
[thijs at morgana]/tmp$ chmod go-rwx gnupghome
[thijs at morgana]/tmp$ gpg
gpg: keyring `gnupghome/secring.gpg' created
gpg: keyring `gnupghome/pubring.gpg' created
gpg: Go ahead and type your message ...
gpg: processing message failed: eof
[thijs at morgana]/tmp$ gpg --keyserver keys.gnupg.net --recv BBE55AB3
gpg: requesting key BBE55AB3 from hkp server keys.gnupg.net
gpg: gnupghome/trustdb.gpg: trustdb created
gpg: key BBE55AB3: public key "Debian-Volatile Archive Automatic Signing Key 
(4.0/etch)" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
[thijs at morgana]/tmp$  cp gnupghome/pubring.gpg gnupghome/trustedkeys.gpg 
[thijs at morgana]/tmp$ gpg --status-fd 2 --verify Release.gpg Release
gpg: Signature made Thu 03 Sep 2009 03:35:17 CEST using DSA key ID BBE55AB3
[GNUPG:] KEYEXPIRED 1269969909
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] KEYEXPIRED 1269969909
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID PloukF3ViGb7cZ/IkkSl6SbbY1g 2009-09-03 1251941717
[GNUPG:] KEYEXPIRED 1269969909
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] EXPKEYSIG EC61E0B0BBE55AB3 Debian-Volatile Archive Automatic Signing 
Key (4.0/etch)
gpg: Good signature from "Debian-Volatile Archive Automatic Signing Key 
(4.0/etch)"
[GNUPG:] VALIDSIG 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3 2009-09-03 
1251941717 0 3 0 17 2 00 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3
gpg: Note: This key has expired!
Primary key fingerprint: 6039 406A 4EDC E124 CF08  7B0A EC61 E0B0 BBE5 5AB3
[thijs at morgana]/tmp$ echo $?
0
[thijs at morgana]/tmp$ gpgv Release.gpg Release
gpgv: Signature made Thu 03 Sep 2009 03:35:17 CEST using DSA key ID BBE55AB3
gpgv: Good signature from "Debian-Volatile Archive Automatic Signing Key 
(4.0/etch)"
[thijs at morgana]/tmp$ echo $?
0

--> Note: both return exit code 0. Now run gpgv also with status-fd=2, just
    like we do when invoking gpg:

[thijs at morgana]/tmp$ gpgv --status-fd=2  Release.gpg Release
gpgv: Signature made Thu 03 Sep 2009 03:35:17 CEST using DSA key ID BBE55AB3
[GNUPG:] KEYEXPIRED 1269969909
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] KEYEXPIRED 1269969909
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID PloukF3ViGb7cZ/IkkSl6SbbY1g 2009-09-03 1251941717
[GNUPG:] KEYEXPIRED 1269969909
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] EXPKEYSIG EC61E0B0BBE55AB3 Debian-Volatile Archive Automatic Signing 
Key (4.0/etch)
gpgv: Good signature from "Debian-Volatile Archive Automatic Signing Key 
(4.0/etch)"
[GNUPG:] VALIDSIG 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3 2009-09-03 
1251941717 0 3 0 17 2 00 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3

No GOODSIG also for gpgv.

In your example both gpg and gpgv report exit code 0. Also 'gpg --status-fd=2' 
and 'gpgv --status-fd=2' both do not output GOODSIG in case of an expired key.


Cheers,
Thijs


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20100818/9afb4752/attachment.pgp>

More information about the Pkg-gnupg-maint mailing list