[pkg-gnupg-maint] Bug#796710: "moving a key signature to the correct place" loop

Stefano Zacchiroli zack at debian.org
Sun Aug 23 14:53:12 UTC 2015 

Package: gnupg
Version: 1.4.19-3
Severity: normal
Tags: upstream

[ filing the bug report, as discussed with dkg and Clint at DebConf 15 ]

Below you can find the screen log of a gpg session that, using a fresh
GNUPGHOME:

1) fetch/reresh my key from the SKS keyserver pool
2) edit the key...
3) ...resulting in gpg "moving a key signature to the correct place"
   multiple times
4) save the key
5) go to 1

i.e. it seems that whatever "fixing" gpg does to the wrong packages that
are present in the key material, it is undone by the next refresh from
the keyserver. Allegedly, this is a bug in both gpg and the keyserver
software running on the SKS pool.

Note that in the session below I did also try a second edit after
saving, without refreshing, and that does not make gpg trying to move
the signatures again. I.e. it seems that gpg "fixing" is stable on disk;
it is just not stable w.r.t. the key server.

I've also tested this with gpg2, obtaining the same result.

Cheers.

------------------------------------------------------------------------

zack at timira:~$ export KEYID=6D866396
zack at timira:~$ export GNUPGHOME=/tmp/gpg-bug
zack at timira:~$ mkdir -m 700 $GNUPGHOME
zack at timira:~$ gpg --keyserver pool.sks-keyservers.net --recv-keys $KEYID
gpg: keyring `/tmp/gpg-bug/secring.gpg' created
gpg: keyring `/tmp/gpg-bug/pubring.gpg' created
gpg: requesting key 6D866396 from hkp server pool.sks-keyservers.net
gpg: /tmp/gpg-bug/trustdb.gpg: trustdb created
gpg: key 6D866396: public key "Stefano Zacchiroli <zack at upsilon.cc>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

zack at timira:~$ gpg --edit-key $KEYID
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place

pub  4096R/6D866396  created: 2010-09-27  expires: 2016-09-02  usage: SC  
                     trust: unknown       validity: unknown
sub  4096R/02D0E74C  created: 2010-09-27  expires: never       usage: E   
sub  4096R/93412799  created: 2012-12-01  expires: 2016-09-02  usage: S   
[ unknown] (1). Stefano Zacchiroli <zack at upsilon.cc>
[ unknown] (2)  Stefano Zacchiroli <zack at debian.org>
[ unknown] (3)  Stefano Zacchiroli <zack at cs.unibo.it>
[ revoked] (4)  Stefano Zacchiroli <zack at pps.jussieu.fr>
[ unknown] (5)  Stefano Zacchiroli <zack at pps.univ-paris-diderot.fr>
[ revoked] (6)  Stefano Zacchiroli (Debian Project Leader) <leader at debian.org>

gpg> save

zack at timira:~$ gpg --edit-key $KEYID
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  4096R/6D866396  created: 2010-09-27  expires: 2016-09-02  usage: SC  
                     trust: unknown       validity: unknown
sub  4096R/02D0E74C  created: 2010-09-27  expires: never       usage: E   
sub  4096R/93412799  created: 2012-12-01  expires: 2016-09-02  usage: S   
[ unknown] (1). Stefano Zacchiroli <zack at upsilon.cc>
[ unknown] (2)  Stefano Zacchiroli <zack at debian.org>
[ unknown] (3)  Stefano Zacchiroli <zack at cs.unibo.it>
[ revoked] (4)  Stefano Zacchiroli <zack at pps.jussieu.fr>
[ unknown] (5)  Stefano Zacchiroli <zack at pps.univ-paris-diderot.fr>
[ revoked] (6)  Stefano Zacchiroli (Debian Project Leader) <leader at debian.org>

gpg> quit

zack at timira:~$ gpg --keyserver pool.sks-keyservers.net --recv-keys $KEYID
gpg: requesting key 6D866396 from hkp server pool.sks-keyservers.net
gpg: key 6D866396: "Stefano Zacchiroli <zack at upsilon.cc>" 13 new signatures
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:         new signatures: 13

zack at timira:~$ gpg --edit-key $KEYID
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place
gpg: moving a key signature to the correct place

pub  4096R/6D866396  created: 2010-09-27  expires: 2016-09-02  usage: SC  
                     trust: unknown       validity: unknown
sub  4096R/02D0E74C  created: 2010-09-27  expires: never       usage: E   
sub  4096R/93412799  created: 2012-12-01  expires: 2016-09-02  usage: S   
[ unknown] (1). Stefano Zacchiroli <zack at upsilon.cc>
[ unknown] (2)  Stefano Zacchiroli <zack at debian.org>
[ unknown] (3)  Stefano Zacchiroli <zack at cs.unibo.it>
[ revoked] (4)  Stefano Zacchiroli <zack at pps.jussieu.fr>
[ unknown] (5)  Stefano Zacchiroli <zack at pps.univ-paris-diderot.fr>
[ revoked] (6)  Stefano Zacchiroli (Debian Project Leader) <leader at debian.org>

gpg> save
zack at timira:~$ 


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnupg depends on:
ii  gpgv          1.4.19-3
ii  libbz2-1.0    1.0.6-8
ii  libc6         2.19-19
ii  libreadline6  6.3-8+b3
ii  libusb-0.1-4  2:0.1.12-25
ii  zlib1g        1:1.2.8.dfsg-2+b1

Versions of packages gnupg recommends:
ii  gnupg-curl     1.4.19-3
ii  libldap-2.4-2  2.4.41+dfsg-1

Versions of packages gnupg suggests:
ii  eog           3.16.2-1
pn  gnupg-doc     <none>
ii  imagemagick   8:6.8.9.9-5
ii  libpcsclite1  1.8.14-1
ii  parcimonie    0.9-2

-- no debconf information

More information about the pkg-gnupg-maint mailing list