[pkg-gnupg-maint] Bug#836554: Bug#836554: gnupg - file verification leaves agent running
Bastian Blank
waldi at debian.org
Sun Sep 4 14:51:13 UTC 2016
On Sun, Sep 04, 2016 at 10:04:54AM -0400, Daniel Kahn Gillmor wrote:
> On Sat 2016-09-03 18:40:26 -0400, Bastian Blank wrote:
> > Package: gnupg
> > Version: 2.1.15-2
> > Severity: grave
> I'm unclear as to why this is Severity: grave -- i've reset the Severity
> to normal, but i'm happy to have you reset the severity with an
> appropriate explanation.
I'm inclined to forward that to ctte, as this is a clear breakage in
backward compatibility and you already broke that transition pretty badly
anyway.
> > A simple verification of an inline-signed file leaves the agent running.
> > This makes it impossible to clean up the system properly.
> "impossible" is an overstatement, right? While i agree with you that
> it's better to not have the agent left running, it can at the very least
> be terminated manually (e.g. with "gpgconf --kill gpg-agent" or
> "gpg-connect-agent killagent /bye").
Well, you took over the gpg name, so you have to abide by the same
interface, which you obviously don't do.
> > This is for example used by cdebootstrap.
> A verification of a signature should not launch the agent at all, so i'm
> not convinced this is what's happening. With a dedicated GNUPGHOME you
> can observe the presence of the agent by looking for S.gpg-agent, which
> doesn't appear after file verification:
The only way to verify an inline-signed message and also get the
unescaped message is to use gpg --decrypt. --verify does not even
accept --output.
> So maybe it's not file verification that's causing the agent to spawn
> but some other operation?
The file is not encrypted, so not really.
> > As it is inline signed, it is not possible to use gpgv, which can't
> > decode messages.
> gpgv can verify inline-signed data, but does not produce output of the
> verified text. That's the concern, right? I've opened
> https://bugs.gnupg.org/gnupg/issue2668 to record that concern upstream.
Isn't gpgv a debian-ism?
> If you're talking about verifying InRelease, then that's a bit of a
> special case, because it has a constrained format that we can rely on.
> In particular, it's an RFC822 message, which means it has no lines with
> a leading hyphen (-) and it has no preamble or footer outside the
> signature. So it should be possible to convert it manually to separate
> files that can then be verified with gpgv and used independently.
You can do several modifications to such signed files without changing
the signature, esp. dash-escaping and whitespace at line endings. What
is a sane way to undo all of this?
> Alternately, cdebootstrap could use Release and Release.gpg and avoid
> InRelease.
InRelease was introduced to fix race conditions, so no, this does not
work.
Bastian
--
Emotions are alien to me. I'm a scientist.
-- Spock, "This Side of Paradise", stardate 3417.3
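The conversion discussed above (turning a cleartext-signed file such as InRelease into separate data and signature files that gpgv can check) as an added example; this is not code from the thread or from GnuPG. It undoes the RFC 4880 section 7 cleartext transformations on a constructed sample message whose signature blob is a placeholder.

```python
# Split a cleartext-signed message into the text the signer actually hashed
# and the armored signature block, reversing the RFC 4880 section 7 rules:
#  - "Hash:" header lines and the blank separator line are not signed text,
#  - a leading "- " (dash-escape) is removed from each body line,
#  - trailing whitespace on each line is not part of the signed text,
#  - the line ending before "-----BEGIN PGP SIGNATURE-----" is not signed.

# Constructed sample (signature blob is a placeholder, not a real signature).
SAMPLE = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA512",
    "",
    "Origin: Debian",
    "Suite: stable \t",  # trailing whitespace must be stripped
    "- -- dash-escaped: the signed line starts with a hyphen",
    "Date: Sat, 03 Sep 2016 18:40:26 UTC",
    "-----BEGIN PGP SIGNATURE-----",
    "",
    "PLACEHOLDERSIGNATUREBLOB==",
    "-----END PGP SIGNATURE-----",
    "",
])

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def split_clearsigned(text):
    """Return (signed_text, armored_signature, hash_names)."""
    lines = text.replace("\r\n", "\n").split("\n")
    if not lines or lines[0] != BEGIN_MSG:
        raise ValueError("not a cleartext-signed message")
    hashes, i = [], 1
    while i < len(lines) and lines[i] != "":        # armor headers
        if lines[i].startswith("Hash: "):
            hashes.extend(h.strip() for h in lines[i][6:].split(","))
        i += 1
    i += 1                                          # skip blank separator
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i][2:] if lines[i].startswith("- ") else lines[i]
        body.append(line.rstrip(" \t"))
        i += 1
    if i == len(lines):
        raise ValueError("signature armor not found")
    signature = "\n".join(lines[i:]).rstrip("\n") + "\n"
    return "\n".join(body), signature, hashes
```

Writing the two results to separate files gives the layout gpgv expects (`gpgv --keyring <keyring> <sigfile> <datafile>`), which is the manual conversion the thread proposes; whether that is acceptable for cdebootstrap is the open question of the thread, not something this example settles.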