Bug#1060146: libnews-article-nocem-perl: Signature hash hardcoded to SHA1

Christoph Biedl debian.axhn at manchmal.in-ulm.de
Sat Jan 6 17:53:52 GMT 2024


Russ Allbery wrote...

> Christoph Biedl <debian.axhn at manchmal.in-ulm.de> writes:
>
> > * Omitting the hash declaration is not an option either, perl-nocem
> >   fails then.
>
> I'm somewhat surprised by this, as my impression was that these Hash lines
> are optional and GnuPG did the right thing if they were omitted entirely
> (although you do still need a blank line).

That impression was on my side as well, and later the surprise. It would
have been a quick solution.

It seems that pseudo-header is mandatory but I haven't checked further:
https://sources.debian.org/src/gnupg2/2.2.40-1.1/g10/sig-check.c/?hl=188#L188

So, a blank line doesn't help. The message by gpgv is

| gpgv: Signature made Fri Jan  5 18:21:01 2024 UTC
| gpgv:                using RSA key 87FB8F9D33883045A832B4FFD90D76CC97A7B20D
| gpgv: WARNING: signature digest conflict in message
| gpgv: Can't check signature: General error

and this leads to an error message from perl-nocem:

| Article <redacted>: unknown error (ID D90D76CC97A7B20D)

where "WARNING: signature digest conflict in message" is the same as
I had seen in the first place, when there was the hardcoded "SHA1".

For completeness, this is gpgv 2.2.40-1.1, from Debian 12 ("bookworm").
Also, neither the NoCeM message nor the key are publicly available.

> I have not looked into this in
> detail, but I thought the hash algorithm was also present in metadata
> inside the signature itself.

It is indeed present there, I used pgpdump to reveal the hash algorithm
is actually SHA512. So this is a design decision I don't quite follow,
but possibly there is or was a need to do things that way.

(...)

> perl-nocem itself doesn't seem to care and just copies the whole input
> into a temporary file for GnuPG.  What's the nature of the failure?  Is
> GnuPG failing to validate the resulting file if the hash algorithm is
> omitted?

See above.

    Christoph
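
The mismatch discussed in this message, a digest named in the cleartext armor header that differs from the one recorded in the signature packet, can be detected before a notice is handed to gpgv. The following is an added example, not part of the original mail and not code from perl-nocem or GnuPG; the function names and the sample message are constructed, and treating a missing Hash header as MD5 follows RFC 4880 section 7.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASH_IDS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
            9: "SHA384", 10: "SHA512", 11: "SHA224"}

def declared_hashes(msg):
    """Digest names from the Hash: lines that follow the BEGIN line."""
    rest = msg.split("-----BEGIN PGP SIGNED MESSAGE-----", 1)[1]
    names = set()
    for line in rest.splitlines()[1:]:
        if not line.strip():          # blank line ends the armor headers
            break
        if line.lower().startswith("hash:"):
            names.update(n.strip().upper() for n in line[5:].split(","))
    return names or {"MD5"}           # no Hash header: RFC 4880 sec. 7 default

def signature_hash(msg):
    """Digest name stored in the signature packet itself."""
    armor = msg.split("-----BEGIN PGP SIGNATURE-----", 1)[1]
    data = armor.split("\n\n", 1)[1].split("-----END", 1)[0]  # skip headers
    b64 = "".join(l for l in data.split() if not l.startswith("="))  # drop CRC24
    pkt = base64.b64decode(b64)
    if pkt[0] & 0x40:                 # new-format packet header
        tag = pkt[0] & 0x3F
        off = 2 if pkt[1] < 192 else 3 if pkt[1] < 224 else 6
    else:                             # old-format packet header
        tag = (pkt[0] >> 2) & 0x0F
        off = 1 + (1, 2, 4, 0)[pkt[0] & 3]
    if tag != 2:
        raise ValueError("first packet is not a signature packet")
    body = pkt[off:]
    algo = body[16] if body[0] == 3 else body[3]   # v3 vs v4 field layout
    return HASH_IDS.get(algo, f"unknown({algo})")

def digest_conflict(msg):
    """True when the packet's digest is not among the declared ones."""
    msg = msg.replace("\r\n", "\n")
    return signature_hash(msg) not in declared_hashes(msg)

# Constructed sample: truncated v4 signature packet (RSA, SHA512). It holds
# only the fields read above and would not verify with any key.
SAMPLE_PKT = bytes([0x88, 0x06, 0x04, 0x01, 0x01, 0x0A, 0x00, 0x00])

def sample(header):
    return ("-----BEGIN PGP SIGNED MESSAGE-----\n" + header +
            "\nconstructed notice body\n-----BEGIN PGP SIGNATURE-----\n\n" +
            base64.b64encode(SAMPLE_PKT).decode() +
            "\n-----END PGP SIGNATURE-----\n")
```

`digest_conflict(sample("Hash: SHA1\n"))` and `digest_conflict(sample(""))` both return True for this SHA512 packet, while `digest_conflict(sample("Hash: SHA512\n"))` returns False.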