[pkg-gnupg-maint] Bug#836554: Bug#836554: gnupg - file verification leaves agent running

Bastian Blank waldi at debian.org
Sun Sep 4 14:51:13 UTC 2016


On Sun, Sep 04, 2016 at 10:04:54AM -0400, Daniel Kahn Gillmor wrote:
> On Sat 2016-09-03 18:40:26 -0400, Bastian Blank wrote:
> > Package: gnupg
> > Version: 2.1.15-2
> > Severity: grave
> I'm unclear as to why this is Severity: grave -- i've reset the Severity
> to normal, but i'm happy to have you reset the severity with an
> appropriate explanation.

I'm inclined to forward that to ctte, as this is a clear breakage in
backward compatibility and you already broke that transition pretty bad
anyway.

> > A simple verification of an inline-signed file leaves the agent running.
> > This makes it impossible to clean up the system properly.
> "impossible" is an overstatement, right?  While i agree with you that
> it's better to not have the agent left running, it can at the very least
> be terminated manually (e.g. with "gpgconf --kill gpg-agent" or
> "gpg-connect-agent killagent /bye").

Well, you took over the gpg name, so you have to abide by the same
interface, which you obviously don't do.

> > This is for example used by cdebootstrap.
> A verification of a signature should not launch the agent at all, so i'm
> not convinced this is what's happening.  With a dedicated GNUPGHOME you
> can observe the presence of the agent by looking for S.gpg-agent, which
> doesn't appear after file verification:

The only way to verify an inline-signed message and also get the
unescaped message is to use gpg --decrypt.  --verify does not even
accept --output.

> So maybe it's not file verification that's causing the agent to spawn
> but some other operation?

The file is not encrypted, so not really.

> > As it is inline signed, it is not possible to use gpgv, which can't
> > decode messages.
> gpgv can verify inline-signed data, but does not produce output of the
> verified text.  That's the concern, right?  I've opened
> https://bugs.gnupg.org/gnupg/issue2668 to record that concern upstream.

Isn't gpgv a debian-ism?

> If you're talking about verifying InRelease, then that's a bit of a
> special case, because it has a constrained format that we can rely on.
> In particular, it's an RFC822 message, which means it has no lines with
> a leading hyphen (-) and it has no preamble or footer outside the
> signature.  So it should be possible to convert it manually to separate
> files that can then be verified with gpgv and used independently.

You can do several modifications to such signed files without changing
the signature, esp. dash-escaping and whitespace at line endings.  What
is a sane way to undo all of this?

> Alternately, cdebootstrap could use Release and Release.gpg and avoid
> InRelease.

InRelease was introduced to fix race conditions, so no, this does not
work.

Bastian

-- 
Emotions are alien to me.  I'm a scientist.
		-- Spock, "This Side of Paradise", stardate 3417.3
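The exchange above turns on two points: a detached verification with gpgv needs the signed text and the signature as separate files, and the cleartext inside an inline-signed file (such as InRelease) has been dash-escaped and had its line endings normalised, which Bastian asks how to undo. The splitter below is an added example for this discussion, not code from the thread, from GnuPG, apt or cdebootstrap; it applies the cleartext-signature rules of RFC 4880 section 7 (strip a leading "- ", strip trailing spaces and tabs, and do not count the line ending before the signature block as signed text). The InRelease-like sample and its signature block are constructed for the example and the signature is not a real one.

```python
# Added example: split an OpenPGP clearsigned file (e.g. InRelease) into the
# signed cleartext and its ASCII-armored signature, undoing dash-escaping and
# trailing whitespace as RFC 4880 section 7 specifies, so the two halves can
# be checked with gpgv as a detached signature.  Written for this discussion;
# not part of GnuPG, apt or cdebootstrap.

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


class ClearsignError(ValueError):
    """Raised when the input is not a well-formed clearsigned message."""


def split_clearsigned(data: str) -> tuple[str, str]:
    """Return (cleartext, armored_signature) for a clearsigned message.

    Per RFC 4880 7.1 the "- " prefix is removed from dash-escaped lines,
    trailing spaces and tabs are stripped from every line, and the line
    ending right before the signature block is not part of the signed
    text, so the returned cleartext deliberately has no trailing newline.
    """
    lines = data.splitlines()
    if BEGIN_SIGNED not in lines:
        raise ClearsignError("missing clearsign header line")
    i = lines.index(BEGIN_SIGNED) + 1

    # Armor headers such as "Hash: SHA256" run up to the first empty line.
    while i < len(lines) and lines[i].strip() != "":
        if ":" not in lines[i]:
            raise ClearsignError(f"malformed armor header: {lines[i]!r}")
        i += 1
    if i == len(lines):
        raise ClearsignError("no blank line after armor headers")
    i += 1

    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        if line.startswith("- "):
            line = line[2:]  # dash-escaped line: drop the "- " prefix
        elif line.startswith("-"):
            # Inside the signed text every line starting with "-" must be
            # escaped; an unescaped one means the file was mangled.
            raise ClearsignError(f"unescaped dash at line start: {line!r}")
        body.append(line.rstrip(" \t"))
        i += 1
    if i == len(lines):
        raise ClearsignError("signed text not followed by a signature block")

    try:
        end = lines.index(END_SIG, i)
    except ValueError:
        raise ClearsignError("unterminated signature block") from None
    signature = "\n".join(lines[i:end + 1]) + "\n"
    return "\n".join(body), signature


def write_detached(data: str, content_path: str, sig_path: str) -> None:
    """Write both halves to disk, byte-for-byte as produced above."""
    cleartext, signature = split_clearsigned(data)
    with open(content_path, "w", encoding="utf-8", newline="") as f:
        f.write(cleartext)
    with open(sig_path, "w", encoding="utf-8", newline="") as f:
        f.write(signature)


# Constructed sample: an InRelease-shaped body with one dash-escaped line
# carrying trailing whitespace, and a signature block that is NOT real.
SAMPLE = "\n".join([
    BEGIN_SIGNED,
    "Hash: SHA256",
    "",
    "Origin: Debian",
    "Suite: stable",
    "- -- not a signature separator  \t",
    "MD5Sum:",
    " d41d8cd98f00b204e9800998ecf8427e                0 Release",
    BEGIN_SIG,
    "",
    "bm90IGEgcmVhbCBzaWduYXR1cmU=",
    "=AAAA",
    END_SIG,
]) + "\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:
        with open(sys.argv[1], encoding="utf-8", newline="") as f:
            write_detached(f.read(), sys.argv[2], sys.argv[3])
    else:
        text, sig = split_clearsigned(SAMPLE)
        print(text)
        print(sig, end="")
```

Run as `python3 split_clearsigned.py InRelease Release Release.gpg` and then `gpgv --keyring /path/to/archive-keyring.gpg Release.gpg Release` (keyring path is a placeholder). gpgv hashes a text-mode detached signature over the canonicalised file, so writing the cleartext without the final line ending matches what the clearsign hash covered; appending one would make the detached check fail even though the inline signature is good.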
