[pkg-gnupg-maint] Bug#852019: gpgv: unknown type of key resource 'trustedkeys.kbx'
Antoine Beaupre
anarcat at debian.org
Fri Jan 20 18:36:57 UTC 2017
Package: gpgv
Version: 2.1.17-2
Severity: important
For some reason, gpgv fails to verify a file that verifies properly
with gpg -v:
$ dget https://mentors.debian.net/debian/pool/main/d/dnsdiag/dnsdiag_1.4.0-1.dsc
dget: retrieving https://mentors.debian.net/debian/pool/main/d/dnsdiag/dnsdiag_1.4.0-1.dsc
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1489 100 1489 0 0 2534 0 --:--:-- --:--:-- --:--:-- 2532
dget: using existing dnsdiag_1.4.0.orig.tar.gz
dget: using existing dnsdiag_1.4.0-1.debian.tar.xz
dnsdiag_1.4.0-1.dsc:
Good signature found
validating dnsdiag_1.4.0.orig.tar.gz
validating dnsdiag_1.4.0-1.debian.tar.xz
All files validated successfully.
gpgv: Signature made Sun Jan 15 08:40:29 2017 EST
gpgv: using RSA key A3200222CEE5D1A5
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./dnsdiag_1.4.0-1.dsc
dpkg-source: info: extracting dnsdiag in dnsdiag-1.4.0
dpkg-source: error: unpack target exists: dnsdiag-1.4.0
I can reproduce this with gpgv directly:
$ gpgv dnsdiag_1.4.0-1.dsc
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/anarcat/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made Sun Jan 15 08:40:29 2017 EST
gpgv: using RSA key A3200222CEE5D1A5
gpgv: Can't check signature: No public key
It seems there's a problem with some kbx file. Oddly enough, gpg2
doesn't have that problem:
$ gpg -v dnsdiag*dsc
gpg: armor header: Hash: SHA256
gpg: original file name=''
gpg: dnsdiag_1.4.0-1.dsc: unknown suffix
Enter new filename: a
gpg: Signature made Sun Jan 15 08:40:29 2017 EST
gpg: using RSA key A3200222CEE5D1A5
gpg: using subkey A3200222CEE5D1A5 instead of primary key 95146A1CBA141817
gpg: using pgp trust model
gpg: Good signature from "Ana Custura (These are not the hammer.) <ana at netstat.org.uk>" [unknown]
gpg: aka "Ana Custura <a.custura at abdn.ac.uk>" [unknown]
gpg: aka "[jpeg image of size 3963]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0D35 E41F 0844 4E72 C1CC C3FF 9514 6A1C BA14 1817
Subkey fingerprint: 6A1F DFE3 2457 47F6 E3D9 49A6 A320 0222 CEE5 D1A5
gpg: textmode signature, digest algorithm SHA256, key algorithm rsa2048
i.e. it doesn't give the warning about the kbx file. Now, there's a
warning that the key is not trusted, but that's fine - I want gpg to
verify the file's integrity, and I TOFU the key... But dpkg-source
gives me a definite warning that it can't verify the file's content:
dpkg-source: warning: failed to verify signature on ./dnsdiag_1.4.0-1.dsc
That's bad! It means I need to use the `-u` flag to dget, which breaks
the trust path to the developer.
I tried verifying the key with the gnupg1 package, which works, but
that doesn't ship with a gpgv binary anymore, so I can't use that gpgv
either.
I wonder if this should be marked as 'grave' because it fails to
verify valid signatures, but since this is a corner case, I figured I
would stick with 'important'.
Thanks for the feedback,
A.
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages gpgv depends on:
ii libbz2-1.0 1.0.6-8
ii libc6 2.24-8
ii libgcrypt20 1.7.5-2
ii libgpg-error0 1.26-1
ii zlib1g 1:1.2.8.dfsg-4
gpgv recommends no packages.
Versions of packages gpgv suggests:
ii gnupg 2.1.17-2
-- no debconf information
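The report shows why dget's "Good signature found" (from gpg) and dpkg-source's "failed to verify signature" (from gpgv) can disagree: a caller like dpkg-source does not read the human-readable stderr, it reads the machine-readable `--status-fd` lines and looks for GOODSIG/VALIDSIG, which gpgv never emits when it cannot open its keyring. The following is an added example, not code from the bug report, from dpkg or from GnuPG: it parses gpgv status lines into a verdict and optionally runs gpgv against an explicitly named classic keyring (`--keyring`, a documented gpgv option) instead of the `trustedkeys.kbx` resource the report shows failing. The status keywords follow GnuPG's doc/DETAILS; the sample status lines are constructed, reusing the key ID and fingerprints quoted in the report, and `run_gpgv` assumes a gpgv binary is installed.

```python
"""Decide signature validity from gpgv --status-fd output.

Added example (not part of the bug report, dpkg or GnuPG). Status keywords
are those documented in GnuPG's doc/DETAILS; sample lines are constructed.
"""
import shutil
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class Verdict:
    good: bool = False                      # GOODSIG seen
    valid: bool = False                     # VALIDSIG seen (fingerprint known)
    fingerprint: Optional[str] = None       # signing (sub)key fingerprint
    signer: Optional[str] = None            # user ID from GOODSIG
    missing_keys: List[str] = field(default_factory=list)   # NO_PUBKEY key IDs
    errors: List[str] = field(default_factory=list)         # failure keywords

    @property
    def ok(self) -> bool:
        # Mirror what a strict .dsc verifier wants: both GOODSIG and VALIDSIG,
        # and no failure keyword. Expired/revoked keys are treated as failures
        # here; that is this example's policy choice, not GnuPG's.
        return self.good and self.valid and not self.errors and not self.missing_keys


def parse_status(lines) -> Verdict:
    """Parse status lines; anything without the [GNUPG:] prefix is ignored."""
    v = Verdict()
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.startswith(STATUS_PREFIX):
            continue                        # stderr chatter, not machine-readable
        fields = line[len(STATUS_PREFIX):].split(" ", 2)
        kw = fields[0]
        if kw == "GOODSIG":                 # GOODSIG <keyid> <user id>
            v.good = True
            v.signer = fields[2] if len(fields) > 2 else None
        elif kw == "VALIDSIG":              # VALIDSIG <fingerprint> <date> <timestamp> ...
            v.valid = True
            v.fingerprint = fields[1]
        elif kw == "NO_PUBKEY":             # NO_PUBKEY <keyid>
            v.missing_keys.append(fields[1])
        elif kw in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "KEYEXPIRED"):
            v.errors.append(kw)
    return v


def run_gpgv(dsc_path: str, keyring: str) -> Verdict:
    """Run gpgv against an explicit keyring and parse its status output.

    --status-fd 1 puts the status lines on stdout; --keyring names a classic
    keyring file so gpgv does not depend on the default trustedkeys.kbx.
    Assumes gpgv is installed.
    """
    gpgv = shutil.which("gpgv")
    if gpgv is None:
        raise FileNotFoundError("gpgv not installed")
    proc = subprocess.run([gpgv, "--status-fd", "1", "--keyring", keyring, dsc_path],
                          capture_output=True, text=True, check=False)
    return parse_status(proc.stdout.splitlines())


# Constructed status output for the key-present case (what gpg showed in the
# report): algo 1 = RSA, hash 8 = SHA256, class 01 = textmode signature.
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG A3200222CEE5D1A5 Ana Custura (These are not the hammer.) <ana at netstat.org.uk>",
    "[GNUPG:] VALIDSIG 6A1FDFE3245747F6E3D949A6A3200222CEE5D1A5 2017-01-15 1484487629 0 4 0 1 8 01 "
    "0D35E41F08444E72C1CCC3FF95146A1CBA141817",
]

# Constructed status output for the key-absent case (what gpgv hit once it
# failed to open trustedkeys.kbx); the stderr line is interleaved to show it
# is ignored. ERRSIG rc 9 is GnuPG's NO_PUBKEY error code.
SAMPLE_NOKEY = [
    "gpgv: unknown type of key resource 'trustedkeys.kbx'",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG A3200222CEE5D1A5 1 8 01 1484487629 9",
    "[GNUPG:] NO_PUBKEY A3200222CEE5D1A5",
]

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("nokey", SAMPLE_NOKEY)):
        print(name, parse_status(sample))
```

The point of checking VALIDSIG as well as GOODSIG is that only VALIDSIG carries the full fingerprint, which is what a caller should compare against a pinned key; the short key ID in GOODSIG and on gpgv's stderr is not a sufficient identifier.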