[pkg-gnupg-maint] Bug#836554: Bug#836554: gnupg - file verification leaves agent running

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Sep 7 15:57:19 UTC 2016


Control: affects 836554 + cdebootstrap

Hi Bastian--

On Sun 2016-09-04 16:51:13 +0200, Bastian Blank wrote:
> On Sun, Sep 04, 2016 at 10:04:54AM -0400, Daniel Kahn Gillmor wrote:
>> I'm unclear as to why this is Severity: grave -- i've reset the Severity
>> to normal, but i'm happy to have you reset the severity with an
>> appropriate explanation.
>
> I'm inclined to forward that to ctte, as this is a clear breakage in
> backward compatibility and you already broke that transition pretty badly
> anyway.

i'm sorry, but i don't see it as clearly as you do.  Yes, there is a
transition cost with moving to the modern version of GnuPG, and it's not
as clearly understood as a traditional C library transition, but it's
a transition that we can and will sort out.

> The only way to verify an inline-signed message and also get the
> unescaped message is to use gpg --decrypt.  --verify does not even
> accept --output.

so if gpgv supported --output would that suit your needs?

>> So maybe it's not file verification that's causing the agent to spawn
>> but some other operation?
>
> The file is not encrypted, so not really.

I believe the other operation is key import, as referenced in
https://bugs.gnupg.org/gnupg/issue2669 -- if we can get that resolved
upstream that might help out some.  But cdebootstrap should really be
using gpgv and not gpg in the first place.

>> > As it is inline signed, it is not possible to use gpgv, which can't
>> > decode messages.
>> gpgv can verify inline-signed data, but does not produce output of the
>> verified text.  That's the concern, right?  I've opened
>> https://bugs.gnupg.org/gnupg/issue2668 to record that concern upstream.
>
> Isn't gpgv a debian-ism?

no, gpgv is an upstream tool, designed for one specific use case, with a
dramatically simplified API.  For security-critical steps that meet this
API, we should use the simpler tool.

>> If you're talking about verifying InRelease, then that's a bit of a
>> special case, because it has a constrained format that we can rely on.
>> In particular, it's an RFC822 message, which means it has no lines with
>> a leading hyphen (-) and it has no preamble or footer outside the
>> signature.  So it should be possible to convert it manually to separate
>> files that can then be verified with gpgv and used independently.
>
> You can do several modifications to such signed files without changing
> the signature, esp. dash-escaping and whitespace at line endings.  What
> is a sane way to undo all of this?
>
> InRelease was introduced to fix race conditions, so no, this does not
> work.

the race condition is that someone could download Release and then
Release.gpg, and they got Release from one rsync push and Release.gpg
from another.  is that right?

I'm attaching the source for openpgp-split-clearsigned.c -- i'd be happy
to ship something like this with the gpgv package, or as a separate,
trivial package.  it compiles to about 7KiB.  If upstream doesn't want
gpgv to support --output, would you be willing to have cdebootstrap
avoid using gpg by doing the equivalent of:

  openpgp-split-clearsigned <InRelease >Release 3>Release.gpg
  gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg Release.gpg Release

Or, if you like, you're welcome to use the code in cdebootstrap directly
so that it can make use of gpgv's simpler signature verification
interface.  (if cdebootstrap wants it under a different license, i'm
happy to oblige)

Let me know what you think!

All the best,

    --dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-split-clearsigned.c
Type: text/x-csrc
Size: 3142 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20160907/ef1e7197/attachment.c>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20160907/ef1e7197/attachment.sig>
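
The split-then-gpgv procedure dkg proposes above (and the manual conversion he describes for InRelease earlier in the thread), as an added example that is not the openpgp-split-clearsigned.c attached to this mail, whose source is not reproduced on this page. It applies the RFC 4880 section 7 cleartext rules: the "- " dash-escape prefix is removed, trailing spaces and tabs (and CRs) are dropped because they are not part of the signed text, and the final line ending is omitted because the signature does not cover it. Lines before the BEGIN PGP SIGNED MESSAGE marker or after the END PGP SIGNATURE marker, and unescaped lines starting with a dash, are rejected rather than skipped, so a consumer of Release can never read fields the signature does not cover; that strictness is this example's choice, not something the mail or GnuPG specifies. The fd 3 output convention is taken from dkg's invocation; the 1 MiB input limit, the assumption that the input is NUL-free text, and the sample InRelease (constructed, with a placeholder in place of a real signature) are this example's own.

```c
/* Added example, not the openpgp-split-clearsigned.c attached to this mail: split an
 * OpenPGP clearsigned message (RFC 4880 section 7) into signed text (stdout) and armored
 * signature (fd 3) for verification with gpgv.  Anything outside the structure is rejected. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum { SPLIT_OK = 0, SPLIT_ERR_FORMAT = -1, SPLIT_ERR_SPACE = -2 };
static const char BEGIN_MSG[] = "-----BEGIN PGP SIGNED MESSAGE-----";
static const char BEGIN_SIG[] = "-----BEGIN PGP SIGNATURE-----";
static const char END_SIG[]   = "-----END PGP SIGNATURE-----";

/* Append len bytes (plus NUL) to a bounded buffer. */
static int put(char *buf, size_t cap, size_t *used, const char *s, size_t len) {
    if (*used + len + 1 > cap) return SPLIT_ERR_SPACE;
    memcpy(buf + *used, s, len);
    *used += len;
    buf[*used] = '\0';
    return SPLIT_OK;
}

/* Drop a trailing CR and trailing spaces/tabs: RFC 4880 leaves them out of the signed
 * text, so anyone can add them without breaking the signature. */
static size_t trim_len(const char *s, size_t len) {
    if (len && s[len - 1] == '\r') len--;
    while (len && (s[len - 1] == ' ' || s[len - 1] == '\t')) len--;
    return len;
}
static int is_marker(const char *s, size_t len, const char *m) {
    return len == strlen(m) && memcmp(s, m, len) == 0;
}

/* On SPLIT_OK, text holds the dash-unescaped signed text with no final line ending
 * (RFC 4880 excludes it) and sig holds the armored signature block. */
int split_clearsigned(const char *in, char *text, size_t tcap, char *sig, size_t scap) {
    enum { PREAMBLE, HEADERS, BODY, SIGNATURE, DONE } st = PREAMBLE;
    size_t tl = 0, sl = 0; int first = 1, rc;
    const char *p = in;

    text[0] = sig[0] = '\0';
    while (*p) {
        const char *nl = strchr(p, '\n'), *line = p;
        size_t raw = nl ? (size_t)(nl - p) : strlen(p), len = trim_len(line, raw);
        switch (st) {
        case PREAMBLE:      /* the very first line must open the message */
            if (!is_marker(line, len, BEGIN_MSG)) return SPLIT_ERR_FORMAT;
            st = HEADERS;
            break;
        case HEADERS:       /* "Hash: ..." lines, ended by a blank line */
            if (len == 0) st = BODY;
            else if (!memchr(line, ':', len)) return SPLIT_ERR_FORMAT;
            break;
        case BODY:
            if (is_marker(line, len, BEGIN_SIG)) {
                st = SIGNATURE;
                if ((rc = put(sig, scap, &sl, line, len)) || (rc = put(sig, scap, &sl, "\n", 1)))
                    return rc;
                break;
            }
            if (raw >= 2 && line[0] == '-' && line[1] == ' ') {   /* undo dash-escaping */
                line += 2;
                len = trim_len(line, raw - 2);
            } else if (len && line[0] == '-') return SPLIT_ERR_FORMAT; /* unescaped dash line */
            if (!first && (rc = put(text, tcap, &tl, "\n", 1))) return rc;
            if ((rc = put(text, tcap, &tl, line, len))) return rc;
            first = 0;
            break;
        case SIGNATURE:     /* copy the armor through to the END line */
            if ((rc = put(sig, scap, &sl, line, len)) || (rc = put(sig, scap, &sl, "\n", 1)))
                return rc;
            if (is_marker(line, len, END_SIG)) st = DONE;
            break;
        case DONE:          /* only blank lines may follow the signature */
            if (len) return SPLIT_ERR_FORMAT;
            break;
        }
        p = nl ? nl + 1 : p + raw;
    }
    return st == DONE ? SPLIT_OK : SPLIT_ERR_FORMAT;
}

/* Constructed sample, not a real InRelease; the signature line is a placeholder. */
const char SAMPLE_INRELEASE[] =
    "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\n\n"
    "Origin: Debian  \n- -----Escaped dash line\nSuite: stable\t\n"
    "-----BEGIN PGP SIGNATURE-----\nConstructedNotARealSignature==\n"
    "-----END PGP SIGNATURE-----\n";

int main(void) {
    static char in[1 << 20], text[1 << 20], sig[1 << 20];   /* 1 MiB limit, an assumption */
    size_t n = fread(in, 1, sizeof in - 1, stdin);
    in[n] = '\0';
    if (!feof(stdin) || split_clearsigned(in, text, sizeof text, sig, sizeof sig) != SPLIT_OK) {
        fputs("input is not a well-formed clearsigned message (or exceeds 1 MiB)\n", stderr);
        return 1;
    }
    fwrite(text, 1, strlen(text), stdout);                                 /* 1>Release */
    return write(3, sig, strlen(sig)) == (ssize_t)strlen(sig) ? 0 : 2;    /* 3>Release.gpg */
}
```

Built with a C compiler, the program drops into dkg's two-line procedure unchanged: `./split <InRelease >Release 3>Release.gpg` followed by `gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg Release.gpg Release`. A non-zero exit status means the input was not a single, well-formed clearsigned message, and the caller should stop there rather than verify whatever was extracted.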
