Bug#1100485: hopenpgp-tools: hokey canonicalize damages signature

Uwe Kleine-König ukleinek at debian.org
Fri Mar 14 11:45:55 GMT 2025


Package: hopenpgp-tools
Version: 0.23.10-1
Severity: normal
X-Debbugs-Cc: ukleinek at debian.org

With gpg 2.2.46 I have:

	$ gpg --export 39CB544D6527CF60 | gpg --import
	gpg: key 39CB544D6527CF60: "Nicolas Pitre <nico at fluxnic.net>" not changed
	gpg: Total number processed: 1
	gpg:              unchanged: 1

	$ gpg --export 39CB544D6527CF60 | hokey canonicalize | gpg --import
	hokey (hopenpgp-tools) 0.23.10
	Copyright (C) 2012-2023  Clint Adams
	hokey comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions.
	gpg: key 39CB544D6527CF60: 1 bad signature
	gpg: key 39CB544D6527CF60: "Nicolas Pitre <nico at fluxnic.net>" not changed
	gpg: Total number processed: 1
	gpg:              unchanged: 1

So when piping the certificate through `hokey canonicalize`, gpg is
unhappy with the result ("1 bad signature").

I didn't try to debug, so maybe it's also gpg (or the public key) that
is wrong here. Another indication that it's indeed hokey that is broken
here is that Sequoia also reports a broken signature:

	$ diff -u <(gpg --export 39CB544D6527CF60 | sq inspect --dump-bad-signatures) <(gpg --export 39CB544D6527CF60 | hokey canonicalize | sq inspect --dump-bad-signatures)
	hokey (hopenpgp-tools) 0.23.10
	Copyright (C) 2012-2023  Clint Adams
	hokey comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions.
	--- /dev/fd/63	2025-03-14 12:41:09.762163073 +0100
	+++ /dev/fd/62	2025-03-14 12:41:09.766163061 +0100
	@@ -7,10 +7,11 @@
		 Key flags: certification, signing

		    Subkey: E582CAEAF7CBA7AA04344A927F4A62820BF463B7
	+                   Invalid: No binding signature at time 2025-03-14T11:41:09Z
	+                   Invalid: No binding signature at time 2025-03-14T11:41:09Z
	   Public-key algo: RSA
	   Public-key size: 2048 bits
	     Creation time: 2014-08-27 18:44:41 UTC
	-        Key flags: signing

		    Subkey: 41DAFFF1E479BE87915F2E61CB32F57D9BA1D6FF
	   Public-key algo: RSA
	@@ -52,3 +53,34 @@
		    UserID: Nicolas Pitre <npitre at baylibre.com>
	    Certifications: 1, use --certifications to list

	+    Bad Signature:
	+                   Version: 4
	+                   Type: SubkeyBinding
	+                   Pk algo: RSA
	+                   Hash algo: SHA256
	+                   Hashed area:
	+                     Signature creation time: 2025-02-25 05:18:24 UTC (critical)
	+                     Issuer: 39CB544D6527CF60
	+                       Nicolas Pitre <nico at fluxnic.net> (UNAUTHENTICATED)
	+                     Notation: salt at notations.sequoia-pgp.org
	+                       00000000  1a 30 59 f3 ea fd 72 88  a3 2b 5e a5 1b e2 43 bd
	+                       00000010  89 d8 f6 37 92 11 28 a5  50 8d b1 af c8 e9 16 48
	+                     Key flags: S
	+                     Embedded signature:  (critical)
	+                                                Version: 4
	+                         Type: PrimaryKeyBinding
	+                         Pk algo: RSA
	+                         Hash algo: SHA256
	+                         Hashed area:
	+                           Signature creation time: 2025-02-25 05:18:24 UTC (critical)
	+                           Issuer: 7F4A62820BF463B7
	+                             Nicolas Pitre <nico at fluxnic.net> (UNAUTHENTICATED)
	+                           Notation: salt at notations.sequoia-pgp.org
	+                             00000000  d8 bd 36 7c ef bd c5 da  85 b8 f7 02 5d 3b 81 28
	+                             00000010  1b b8 e1 68 40 15 89 ec  b5 8b f0 eb d4 bb b0 f4
	+                           Issuer Fingerprint: E582CAEAF7CBA7AA04344A927F4A62820BF463B7
	+                             Nicolas Pitre <nico at fluxnic.net> (UNAUTHENTICATED)
	+                         Digest prefix: 4CA6
	+                         Level: 0 (signature over data)
	+                   Digest prefix: DB75
	+                   Level: 0 (signature over data)


The key 39CB544D6527CF60 is available on the keyservers if you want to
reproduce. (gpg --keyserver-options no-self-sigs-only --keyserver keyserver.ubuntu.com --recv 39CB544D6527CF60)

Best regards
Uwe

-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (750, 'testing-debug'), (750, 'testing'), (700, 'stable-updates'), (700, 'stable-security'), (700, 'stable-debug'), (700, 'stable'), (600, 'unstable'), (500, 'unstable-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 6.12.6-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages hopenpgp-tools depends on:
ii  libbz2-1.0     1.0.8-6
ii  libc6          2.40-4
ii  libffi8        3.4.6-1
ii  libgmp10       2:6.3.0+dfsg-3
ii  libnettle8t64  3.10-1+b1
ii  libnuma1       2.0.18-1+b1
ii  libyaml-0-2    0.2.5-2
ii  zlib1g         1:1.3.dfsg+really1.3.1-1+b1

hopenpgp-tools recommends no packages.

hopenpgp-tools suggests no packages.

-- no debconf information
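
An added example, not part of the original report and not code from hopenpgp-tools or Sequoia: a Python check that turns the before/after `sq inspect --dump-bad-signatures` comparison shown above into a pass/fail regression test for a certificate filter. It assumes the text layout visible in the report's output; `summarize`, `regressions` and the two abridged sample strings are constructed for illustration.

```python
import re
from collections import Counter

SUBKEY_RE = re.compile(r"^\s*Subkey:\s*([0-9A-Fa-f]+)\s*$")

def summarize(text):
    """Parse `sq inspect --dump-bad-signatures` text (layout assumed from the report).
    Returns (subkey fingerprints flagged Invalid, types of dumped bad signatures)."""
    invalid, bad_types = set(), []
    current, in_bad = None, False
    for line in text.splitlines():
        s = line.strip()
        m = SUBKEY_RE.match(line)
        if m:
            current, in_bad = m.group(1).upper(), False
        elif s.startswith("UserID:"):
            current = None
        elif s.startswith("Invalid:") and current:
            invalid.add(current)
        elif s == "Bad Signature:":
            current, in_bad = None, True
        elif in_bad and s.startswith("Type:"):
            # Record only the outer type; an embedded signature's Type is skipped.
            bad_types.append(s.split(":", 1)[1].strip())
            in_bad = False
    return invalid, bad_types

def regressions(before, after):
    """What the filtered certificate lost relative to the unfiltered one."""
    inv_b, bad_b = summarize(before)
    inv_a, bad_a = summarize(after)
    new_bad = sorted((Counter(bad_a) - Counter(bad_b)).elements())
    return inv_a - inv_b, new_bad

# Constructed samples, abridged from the diff in the report.
_SUBKEYS = ("Subkey: E582CAEAF7CBA7AA04344A927F4A62820BF463B7\n{}"
            "Public-key algo: RSA\n\n"
            "Subkey: 41DAFFF1E479BE87915F2E61CB32F57D9BA1D6FF\n"
            "Public-key algo: RSA\n\n"
            "UserID: Nicolas Pitre <npitre at baylibre.com>\n")
BEFORE = _SUBKEYS.format("")
AFTER = (_SUBKEYS.format("Invalid: No binding signature at time 2025-03-14T11:41:09Z\n")
         + "\nBad Signature:\n  Version: 4\n  Type: SubkeyBinding\n"
           "  Embedded signature:  (critical)\n    Type: PrimaryKeyBinding\n")

if __name__ == "__main__":
    lost, bad = regressions(BEFORE, AFTER)
    print("subkeys that lost their binding:", sorted(lost))
    print("new bad signatures:", bad)
```

A filter that preserves signatures yields an empty set and an empty list.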


