[pkg-gnupg-maint] Bug#1042391: gpgv: add --min-rsa-length

Julian Andres Klode jak at debian.org
Tue Jan 16 11:25:23 GMT 2024


On Tue, Jan 16, 2024 at 11:02:28AM +0100, Julian Andres Klode wrote:
> Control: severity -1 important
> 
> On Thu, Jul 27, 2023 at 12:16:54PM +0200, Julian Andres Klode wrote:
> > Package: gpgv
> > Version: 2.2.40-1.1ubuntu1
> > Severity: normal
> > X-Debbugs-Cc: jak at debian.org
> > 
> > I believe this allows APT to request a safe minimum RSA length from gpgv for
> > verification purposes, and then we could even run gpgv a 2nd time
> > without the flag and print a diagnostic for an orderly transition to
> > at least 2048R.
> 
> Bumping this. 1024R keys are becoming increasingly unsafe, and this
> will eventually become release critical for trixie because we shouldn't
> ship it with trust for those keys.
> 
> And APT is not capable of checking the key size itself because gpg
> status fd doesn't expose it - that'd be an alternative solution.

OK, the option does not do what it said back then. Logs are below; tl;dr is:

1. Without de-vs compliance setting, it is ignored silently
2. With de-vs compliance setting it is still a good signature
3. Only way to notice it is to also set --require-compliance

For APT we want to just ban sub-2048R keys, possibly sub-3072R keys (apparently
2048R is no longer considered safe enough for some draft standards).

-- logs:

root at n:~# gpg --compliance de-vs --require-compliance --min-rsa-length 4096 --status-fd 2 --no-options --homedir /tmp/x --keyring /root/vlc.gpg --verify /var/lib/apt/lists/ppa.launchpadcontent.net_videolan_master-daily_ubuntu_dists_noble_InRelease ; echo $?
gpg: WARNING: unsafe permissions on homedir '/tmp/x'
[GNUPG:] NEWSIG
gpg: Signature made Tue Jan 16 10:30:22 2024 UTC
gpg:                using RSA key 3361E59FF5029E6B90A9A80D09589874801DF724
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] SIG_ID sSNe0v8YekIqvdODJR2bHE3DiZY 2024-01-16 1705401022
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] GOODSIG 09589874801DF724 Launchpad Daily Build of master branch
gpg: Good signature from "Launchpad Daily Build of master branch" [unknown]
[GNUPG:] VALIDSIG 3361E59FF5029E6B90A9A80D09589874801DF724 2024-01-16 1705401022 0 4 0 1 10 01 3361E59FF5029E6B90A9A80D09589874801DF724
gpg: WARNING: This key is not suitable for signing in --compliance=de-vs mode
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] TRUST_UNDEFINED 0 pgp
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3361 E59F F502 9E6B 90A9  A80D 0958 9874 801D F724
[GNUPG:] FAILURE compliance-check 33554683
gpg: operation forced to fail due to unfulfilled compliance rules
2
root at n:~# gpg --compliance de-vs  --min-rsa-length 4096 --status-fd 2 --no-options --homedir /tmp/x --keyring /root/vlc.gpg --verify /var/lib/apt/lists/ppa.launchpadcontent.net_videolan_master-daily_ubuntu_dists_noble_InRelease ; echo $?
gpg: WARNING: unsafe permissions on homedir '/tmp/x'
[GNUPG:] NEWSIG
gpg: Signature made Tue Jan 16 10:30:22 2024 UTC
gpg:                using RSA key 3361E59FF5029E6B90A9A80D09589874801DF724
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] SIG_ID sSNe0v8YekIqvdODJR2bHE3DiZY 2024-01-16 1705401022
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] GOODSIG 09589874801DF724 Launchpad Daily Build of master branch
gpg: Good signature from "Launchpad Daily Build of master branch" [unknown]
[GNUPG:] VALIDSIG 3361E59FF5029E6B90A9A80D09589874801DF724 2024-01-16 1705401022 0 4 0 1 10 01 3361E59FF5029E6B90A9A80D09589874801DF724
gpg: WARNING: This key is not suitable for signing in --compliance=de-vs mode
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] TRUST_UNDEFINED 0 pgp
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3361 E59F F502 9E6B 90A9  A80D 0958 9874 801D F724
0
root at n:~# gpg --require-compliance --min-rsa-length 4096 --status-fd 2 --no-options --homedir /tmp/x --keyring /root/vlc.gpg --verify /var/lib/apt/lists/ppa.launchpadcontent.net_videolan_master-daily_ubuntu_dists_noble_InRelease ; echo $?
gpg: WARNING: unsafe permissions on homedir '/tmp/x'
[GNUPG:] NEWSIG
gpg: Signature made Tue Jan 16 10:30:22 2024 UTC
gpg:                using RSA key 3361E59FF5029E6B90A9A80D09589874801DF724
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] SIG_ID sSNe0v8YekIqvdODJR2bHE3DiZY 2024-01-16 1705401022
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] GOODSIG 09589874801DF724 Launchpad Daily Build of master branch
gpg: Good signature from "Launchpad Daily Build of master branch" [unknown]
[GNUPG:] VALIDSIG 3361E59FF5029E6B90A9A80D09589874801DF724 2024-01-16 1705401022 0 4 0 1 10 01 3361E59FF5029E6B90A9A80D09589874801DF724
[GNUPG:] KEY_CONSIDERED 3361E59FF5029E6B90A9A80D09589874801DF724 0
[GNUPG:] TRUST_UNDEFINED 0 pgp
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3361 E59F F502 9E6B 90A9  A80D 0958 9874 801D F724
0

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
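The status-fd limitation above (VALIDSIG carries the signing key's fingerprint and algorithm but not its size) can be worked around by reading the key size from a `--with-colons` listing of the same keyring. The following is an added example, not code from this bug report, from APT or from GnuPG: it parses constructed `--status-fd` and `--with-colons` samples (the fingerprints, key IDs and user IDs are made up), looks the signing key up by fingerprint, and rejects RSA keys below a chosen minimum. The `verify_file` helper shows the assumed live invocation of `gpgv` and `gpg --list-keys`; the flag set and the `/tmp/gpg-check` homedir are assumptions, not a verified APT call.

```python
"""Added example: enforce a minimum RSA key length on gpg/gpgv verification.

The VALIDSIG status line names the signing key by fingerprint and algorithm
but does not carry the key size, so the size is looked up in a
--with-colons key listing of the same keyring. All sample data below is
constructed for the example.
"""
import subprocess
from dataclasses import dataclass

# OpenPGP public-key algorithm IDs that are RSA variants (RFC 4880, 9.1).
RSA_ALGO_IDS = {1, 2, 3}


@dataclass
class Sig:
    fingerprint: str   # fingerprint of the (sub)key that made the signature
    primary: str       # primary key fingerprint if gpg reported one
    pubkey_algo: int
    hash_algo: int


def parse_validsig(status_text):
    """Extract every VALIDSIG record from --status-fd output.

    VALIDSIG fields: fpr date timestamp expire sig-version reserved
    pubkey-algo hash-algo sig-class [primary-fpr]. No key size anywhere.
    """
    sigs = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] VALIDSIG "):
            continue
        f = line.split()[2:]
        primary = f[9] if len(f) > 9 else f[0]
        sigs.append(Sig(f[0], primary, int(f[6]), int(f[7])))
    return sigs


def parse_key_sizes(colon_text):
    """Map fingerprint -> (algo, bits) from a --with-colons key listing.

    A pub/sub record carries the key length in field 3 and the algorithm in
    field 4; the fpr record that follows it carries the fingerprint in field 10.
    """
    sizes, pending = {}, None
    for line in colon_text.splitlines():
        rec = line.split(":")
        if rec[0] in ("pub", "sub"):
            pending = (int(rec[3]), int(rec[2]))
        elif rec[0] == "fpr" and pending is not None:
            sizes[rec[9]] = pending
            pending = None
    return sizes


def check_min_rsa(sigs, sizes, min_bits):
    """Return (accepted, reason). Keys missing from the listing are rejected."""
    if not sigs:
        return False, "no VALIDSIG"
    for sig in sigs:
        if sig.fingerprint not in sizes:
            return False, f"key {sig.fingerprint} not in keyring listing"
        algo, bits = sizes[sig.fingerprint]
        if algo in RSA_ALGO_IDS and bits < min_bits:
            return False, f"RSA {bits}-bit key below minimum {min_bits}"
    return True, "ok"


def verify_file(keyring, path, min_bits=2048, homedir="/tmp/gpg-check"):
    """Live variant (assumed invocation): run gpgv, then list the keyring."""
    st = subprocess.run(["gpgv", "--status-fd", "1", "--keyring", keyring, path],
                        capture_output=True, text=True)
    if st.returncode != 0:
        return False, "gpgv reported failure"
    ls = subprocess.run(["gpg", "--no-options", "--homedir", homedir,
                         "--no-default-keyring", "--keyring", keyring,
                         "--with-colons", "--with-fingerprint",
                         "--with-fingerprint", "--list-keys"],
                        capture_output=True, text=True, check=True)
    return check_min_rsa(parse_validsig(st.stdout), parse_key_sizes(ls.stdout), min_bits)


# Constructed samples: a 1024-bit RSA primary key, and a 4096-bit primary
# key with a 4096-bit signing subkey. Fingerprints and IDs are fabricated.
KEY_LISTING = (
    "pub:-:1024:1:1111111111111111:1500000000:::-:::scESC::::::23::0:\n"
    "fpr:::::::::1111111111111111111111111111111111111111:\n"
    "uid:-::::1500000000::0123456789ABCDEF::Weak Key <weak@example.invalid>::::::::::0:\n"
    "pub:-:4096:1:2222222222222222:1500000000:::-:::scESC::::::23::0:\n"
    "fpr:::::::::2222222222222222222222222222222222222222:\n"
    "sub:-:4096:1:3333333333333333:1500000000::::::s::::::23:\n"
    "fpr:::::::::3333333333333333333333333333333333333333:\n"
)
STATUS_WEAK = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2024-01-16 "
    "1705401022 0 4 0 1 10 01 1111111111111111111111111111111111111111\n"
)
STATUS_STRONG = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] VALIDSIG 3333333333333333333333333333333333333333 2024-01-16 "
    "1705401022 0 4 0 1 10 01 2222222222222222222222222222222222222222\n"
)

if __name__ == "__main__":
    sizes = parse_key_sizes(KEY_LISTING)
    print(check_min_rsa(parse_validsig(STATUS_WEAK), sizes, 2048))
    print(check_min_rsa(parse_validsig(STATUS_STRONG), sizes, 2048))
```

Rejecting keys that are absent from the listing (rather than skipping them) matters: a fingerprint that gpgv accepted but the listing does not show would otherwise pass the size check by default, which is the same silent-acceptance failure mode the logs above show for `--min-rsa-length` without `--require-compliance`.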