[PATCH] Fix a GPG validation bug.
Stuart Prescott
stuart at debian.org
Sat Aug 30 14:06:55 UTC 2014
Hi all,
A while back I looked at #695932 and similar bugs and attempted to make some
progress in addressing them. I was never really happy with what I came up
with, but I should share some of my conclusions.
The key problem in each of the bugs is that what is signature-checked is
different to what is parsed. In my reading on this, the gpg people said that
they weren't intending to offer any sort of functionality to gpgv to give
the validated data back (#695855 and other upstream threads). While #695932
is fixed, I don't think dash-escaping is yet fixed in deb822.py and there
could easily be further bugs hidden away there.
Using gpg rather than gpgv is the nicest way of killing all these bugs in
one pass because you can ask gpg to give you back the signed data
(--decrypt) rather than just verify it. That said, I don't really think we can
start depending on gpg rather than gpgv -- that would drag in gpg and all
its dependencies into the standard installation.
Since we can't ask gpgv to give us back the data that was signed, the most
reliable option will be to separate the signature and what python-debian
believes is the payload and then pass the detached signature to gpgv. That
way, if the separation of payload from armouring and signature is incorrect
(such as these bugs), it turns into a signature failure. I suspect this
means using temporary files is needed.
To successfully pull this off, it looked like a bit of refactoring of the
reading code in deb822.py was required to reduce the number of different
code paths for reading data into the parser.
I should dust off the work that I've already done and rebase it against the
current git and then see what it actually achieves and what I was able to
achieve with gpgv rather than gpg.
cheers
Stuart
--
Stuart Prescott http://www.nanonanonano.net/ stuart at nanonanonano.net
Debian Developer http://www.debian.org/ stuart at debian.org
GPG fingerprint 90E2 D2C1 AD14 6A1B 7EBB 891D BBC1 7EBB 1396 F2F7
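
The approach described in the message above (split off what the parser treats as payload, then hand gpgv the signature as a detached one), as an added example that is not part of the original post or of python-debian's code. `split_clearsigned` and `verify_with_gpgv` are hypothetical names, and the example assumes gpgv accepts the text-mode signature over the payload written in canonical form (CRLF line ends, trailing whitespace stripped, no final newline).

```python
import os
import subprocess
import tempfile

BEGIN_MSG = b"-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = b"-----BEGIN PGP SIGNATURE-----"
END_SIG = b"-----END PGP SIGNATURE-----"


def split_clearsigned(data):
    """Return (payload, armoured_signature); raise ValueError on any deviation."""
    # Split on LF only, so the parser and gpgv agree on what a line break is.
    lines = [l[:-1] if l.endswith(b"\r") else l for l in data.split(b"\n")]
    if lines[-1] == b"":
        lines.pop()
    if not lines or lines[0] != BEGIN_MSG:
        raise ValueError("no clearsign header on the first line")
    try:
        blank = lines.index(b"", 1)
        sig = lines.index(BEGIN_SIG, blank)
    except ValueError:
        raise ValueError("missing header separator or signature block")
    if any(not h.startswith(b"Hash: ") for h in lines[1:blank]):
        raise ValueError("unexpected armour header")
    if lines[-1] != END_SIG or lines.count(END_SIG) != 1 or lines.count(BEGIN_SIG) != 1:
        raise ValueError("data after or around the signature block")
    body = []
    for line in lines[blank + 1:sig]:
        if line.startswith(b"- "):
            line = line[2:]  # undo dash-escaping (RFC 4880, section 7.1)
        elif line.startswith(b"-"):
            raise ValueError("unescaped dash line inside signed text")
        body.append(line.rstrip(b" \t"))
    return b"\r\n".join(body), b"\n".join(lines[sig:]) + b"\n"


def verify_with_gpgv(data, keyring):
    """Return the payload only if gpgv accepts the detached signature over it."""
    payload, signature = split_clearsigned(data)
    with tempfile.TemporaryDirectory() as tmp:
        # Assumption: gpgv hashes the canonical payload written here the same way.
        paths = [os.path.join(tmp, n) for n in ("payload.asc", "payload")]
        for path, content in zip(paths, (signature, payload)):
            with open(path, "wb") as f:
                f.write(content)
        result = subprocess.run(["gpgv", "--keyring", keyring] + paths, capture_output=True)
    if result.returncode != 0:
        raise ValueError("gpgv rejected the signature over the parsed payload")
    return payload
```

Only the bytes returned by `verify_with_gpgv` should go to the parser, so a wrong split shows up as a signature failure rather than as unsigned fields being accepted.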