[PATCH] Fix a GPG validation bug.

Stuart Prescott stuart at debian.org
Sat Aug 30 14:06:55 UTC 2014


Hi all,

A while back I looked at #695932 and similar bugs and attempted to make some 
progress in addressing them. I was never really happy with what I came up 
with, but I should share some of my conclusions.

The key problem in each of the bugs is that what is signature-checked is 
different to what is parsed. In my reading on this, the gpg people said that 
they weren't intending to offer any sort of functionality to gpgv to give 
the validated data back (#695855 and other upstream threads). While #695932 
is fixed, I don't think dash-escaping is yet fixed in deb822.py and there 
could easily be further bugs hidden away there.

Using gpg rather than gpgv is the nicest way of killing all these bugs in 
one pass because you can ask gpg to give you back the signed data 
(--decrypt) rather than just verify it. That said, I don't really think we can 
start depending on gpg rather than gpgv -- that would drag in gpg and all 
its dependencies into the standard installation.

Since we can't ask gpgv to give us back the data that was signed, the most 
reliable option will be to separate the signature and what python-debian 
believes is the payload and then pass the detached signature to gpgv. That 
way, if the separation of payload from armouring and signature is incorrect 
(such as these bugs), it turns into a signature failure. I suspect this 
means temporary files are needed.

To successfully pull this off, it looked like a bit of refactoring of the 
reading code in deb822.py was required to reduce the number of different 
code paths for reading data into the parser.

I should dust off the work that I've already done and rebase it against the 
current git and then see what it actually achieves and what I was able to 
achieve with gpgv rather than gpg.

cheers
Stuart


-- 
Stuart Prescott    http://www.nanonanonano.net/   stuart at nanonanonano.net
Debian Developer   http://www.debian.org/         stuart at debian.org
GPG fingerprint    90E2 D2C1 AD14 6A1B 7EBB 891D BBC1 7EBB 1396 F2F7
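
Added example, not part of the original message and not python-debian's code: a strict splitter that separates a cleartext-signed block into the payload the parser would read and the signature armor, the two pieces the message proposes handing to gpgv separately. The function name, the error class and the sample input are assumptions made for illustration; the sample signature body is a placeholder, and gpgv is not invoked here.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

class ClearsignError(ValueError):
    """Input is not exactly one well-formed cleartext-signed block."""

def split_clearsigned(text):
    """Return (payload, signature_armor); raise ClearsignError otherwise.

    Strict on purpose: text before or after the block, unknown armor
    headers and unescaped dash lines are errors rather than being skipped,
    so the parser never reads anything the signature could not cover.
    """
    # split("\n"), not splitlines(): the latter also breaks lines on
    # separators such as \x0b, \x0c and \u2028.
    lines = text.split("\n")
    if lines[-1] == "":
        lines.pop()
    if not lines or lines[0] != BEGIN_MSG:
        raise ClearsignError("data before the signed message")
    i = 1
    # RFC 4880 section 7 allows only "Hash:" armor headers here.
    while i < len(lines) and lines[i] != "":
        if not lines[i].startswith("Hash: "):
            raise ClearsignError("unexpected armor header: %r" % lines[i])
        i += 1
    if i == len(lines):
        raise ClearsignError("no blank line after armor headers")
    i += 1
    payload = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        if line.startswith("- "):
            line = line[2:]  # undo dash-escaping
        elif line.startswith("-"):
            raise ClearsignError("unescaped dash line: %r" % line)
        payload.append(line)
        i += 1
    if i == len(lines):
        raise ClearsignError("signature block missing")
    sig = lines[i:]
    if sig[-1] != END_SIG or sig.count(BEGIN_SIG) + sig.count(END_SIG) != 2:
        raise ClearsignError("data after the signature block")
    return "\n".join(payload), "\n".join(sig) + "\n"

# Constructed sample; the armor body is a placeholder, not a real signature.
SAMPLE = "\n".join([BEGIN_MSG, "Hash: SHA256", "", "Package: example",
                    "- -- dash-escaped line", BEGIN_SIG, "",
                    "PLACEHOLDERsignatureBODY", END_SIG, ""])
```
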





