[pkg-gnupg-maint] How (not) to detect if a keyring file is a keybox in apt-key

David Kalnischkies david at kalnischkies.de
Fri Jul 28 12:36:54 UTC 2017


Hi,

the apt team currently receives bug reports with (for users) strange apt
errors which turn out to be caused by keybox files in trusted.gpg{,.d},
as apt-key can't deal with them for plenty of reasons (including that
gpgv2 couldn't for a while, we need/want to support gpgv1 & gpgv2, the
40-keyrings limit, …).

Internally apt-key cats all the files it assumes would be 'old-style'
keyrings together into a big single keyring, as suggested by dkg a while
ago. That fails hard of course if a keybox is somewhere in that mix.
This is documented in the manpage, but of course old setups which
suddenly produce keyboxes (as it is the default in gnupg) don't read new
manpage sections…


So, the easiest solution would be to let apt-key skip over those
baddies, but for that we would need a predictable way of identifying
either, and here it gets complicated as 'old-style' has "no" magic while
a keybox has a "late" magic (= appearing after length, type and version,
which makes me fear that version+1 will maybe have a different one/place).


When I informally brought that up in an only slightly related discussion
a while back, I also informally got the advice to whitelist old-style,
assuming that false positives are not very likely:

| You can do this by inspecting the first octet of the ostensible binary
| keyring for one of these three values:
|
|  * 0x98 -- old-format OpenPGP public key packet, up to 255 octets
|  * 0x99 -- old-format OpenPGP public key packet, 256-65535 octets
|  * 0xc6 -- new-format OpenPGP public key packet, any length


That sounds better in my ears than blacklisting keyboxes, but risks
false negatives if that doesn't catch all of them, which would be sad, so
before I go about implementing this I would like to ask more formally
(& publicly) whether this is the best option we have & keeps us in the
"reasonably supportable" set in the opinion of the gnupg maintainers.

Bonus points if there already exists [shell] code to that effect we
could reuse or at least take inspiration from.


Best regards

David Kalnischkies
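The first-octet whitelist from the quoted advice (0x98, 0x99, 0xc6 for an OpenPGP public key packet), written out as a POSIX sh check. This is an added example and not apt-key code or code from this thread; the function and file names are made up for illustration. The secondary "KBXf" check is my own assumption about where a keybox header blob places its magic (at offset 8, after length, type, version and flags), which matches the "late" magic the mail describes; it only runs after the whitelist has failed, so it never overrides the whitelisted cases.

```shell
#!/bin/sh
# Added example: classify a file in trusted.gpg{,.d} by its first octet,
# as the quoted advice suggests. Not apt-key's code.

# first_octet FILE
#   Prints the first byte of FILE as two lowercase hex digits
#   (prints nothing for an empty file).
first_octet() {
    od -An -t x1 -N 1 "$1" | tr -d ' \n'
}

# classify_keyring FILE
#   Prints "openpgp" for a whitelisted old-style keyring start,
#   "keybox" if the keybox magic is found, "unknown" otherwise.
#   Exit status is 0 only for the whitelisted OpenPGP case, so the
#   function can be used directly in an `if` when filtering files.
classify_keyring() {
    f=$1
    case $(first_octet "$f") in
        98|99|c6)
            # 0x98/0x99: old-format public key packet (1- or 2-octet length)
            # 0xc6:      new-format public key packet (any length)
            echo openpgp
            return 0 ;;
    esac
    # Assumption (not from the mail): a keybox header blob carries the
    # ASCII magic "KBXf" at offset 8, after u32 length, type, version, flags.
    if [ "$(dd if="$f" bs=1 skip=8 count=4 2>/dev/null)" = "KBXf" ]; then
        echo keybox
    else
        echo unknown
    fi
    return 1
}

# Usage sketch: build the concatenated keyring only from whitelisted files.
# for k in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.gpg; do
#     classify_keyring "$k" >/dev/null && cat "$k"
# done > /tmp/all-keys.gpg
```

Because the check whitelists rather than blacklists, any file whose first octet is none of the three values is skipped even if it is a valid keyring with an unexpected leading packet; that is the false-negative risk the mail raises, and the "unknown" result is where apt-key would want to print a warning naming the file.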