[Pkg-rust-maintainers] Bug#1103016: incompatibility with gpg causing FTBFS
Justus Winter
justus at sequoia-pgp.org
Mon Apr 14 09:05:20 BST 2025

Rene Engelhard <rene at debian.org> writes:

> signing.cxx:1259:Assertion
> Test name: testODFGoodGPG::TestBody
> equality assertion failed
> - Expected: 1
> - Actual : 2
> - 2
>
> signing.cxx:1374:Assertion
> Test name: testPreserveMacroTemplateSignature12_ODF::TestBody
> equality assertion failed
> - Expected: 1
> - Actual : 2
> - ./xmlsecurity/qa/unit/signing/signing.cxx:1401
>
> Failures !!!
> Run: 43 Failure total: 2 Failures: 2 Errors: 0
[..]
> key material is
> https://cgit.freedesktop.org/libreoffice/core/tree/test/signing-keys?h=libreoffice-25-2-3

Looking purely at the key material I see:

teythoon at europ /tmp/core/test/signing-keys (git)-[libreoffice-25-2-3] % /bin/gpg --export | sq cert lint
gpg: WARNING: unsafe permissions on homedir '/tmp/core/test/signing-keys'
Certificate C468A04FCA526A9F is not valid under the standard policy: No binding signature at time 2025-04-14T07:40:22Z
Certificate C468A04FCA526A9F contains a User ID (test key - only signing <libreoffice at lists.freedesktop.org>) protected by SHA-1
Certificate 96BDBA932A7D4D05 is not valid under the standard policy: No binding signature at time 2025-04-14T07:40:22Z
Certificate 96BDBA932A7D4D05 contains a User ID (test key - only for encryption <libreoffice at lists.freedesktop.org>) protected by SHA-1
Certificate 96BDBA932A7D4D05, key C914B3CC9B60A3FB uses a SHA-1-protected binding signature.
Examined 3 certificates.
0 certificates are invalid and were not linted. (GOOD)
3 certificates were linted.
2 of the 3 certificates (66%) have at least one issue. (BAD)
0 of the linted certificates were revoked.
0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
0 of the linted certificates were expired.
3 of the non-revoked linted certificates have at least one non-revoked User ID:
2 have at least one User ID protected by SHA-1. (BAD)
2 have all User IDs protected by SHA-1. (BAD)
2 of the non-revoked linted certificates have at least one non-revoked, live subkey:
1 has at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD)
0 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey:
0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD)
Error: 2 certificates have at least one issue

> Is that the explanation or is there some other incompatibility here?

It is not incompatible, just that gpg-from-sq rejects weak hash
algorithms. Note that the signature extracted from
xmlsecurity/qa/unit/signing/data/goodGPG.odt is fine:

% sq packet dump sig
Signature Packet, old CTB, 380 bytes
Version: 4
Type: Binary
Pk algo: RSA
Hash algo: SHA512
Hashed area:
Signature creation time: 2017-12-06 12:04:15 UTC
Notation: issuer-fpr at notations.openpgp.fifthhorseman.net: 93F7584031D9B74A57BB89DFC468A04FCA526A9F
Unhashed area:
Issuer: C468A04FCA526A9F
Digest prefix: EFB3
Level: 0 (signature over data)

Therefore, an easy way to recover is to fix the certificates:

teythoon at europ /tmp/core/test/signing-keys (git)-[libreoffice-25-2-3] % /bin/gpg --export-secret-keys | sq cert lint --fix | /bin/gpg --import
gpg: WARNING: unsafe permissions on homedir '/tmp/core/test/signing-keys'
gpg: WARNING: unsafe permissions on homedir '/tmp/core/test/signing-keys'
Certificate C468A04FCA526A9F is not valid under the standard policy: No binding signature at time 2025-04-14T07:57:29Z
Certificate C468A04FCA526A9F contains a User ID (test key - only signing <libreoffice at lists.freedesktop.org>) protected by SHA-1
Certificate 96BDBA932A7D4D05 is not valid under the standard policy: No binding signature at time 2025-04-14T07:57:29Z
Certificate 96BDBA932A7D4D05 contains a User ID (test key - only for encryption <libreoffice at lists.freedesktop.org>) protected by SHA-1
Certificate 96BDBA932A7D4D05, key C914B3CC9B60A3FB uses a SHA-1-protected binding signature.
Examined 2 certificates.
0 certificates are invalid and were not linted. (GOOD)
2 certificates were linted.
2 of the 2 certificates (100%) have at least one issue. (BAD)
0 of the linted certificates were revoked.
0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
0 of the linted certificates were expired.
2 of the non-revoked linted certificates have at least one non-revoked User ID:
2 have at least one User ID protected by SHA-1. (BAD)
2 have all User IDs protected by SHA-1. (BAD)
1 of the non-revoked linted certificates has at least one non-revoked, live subkey:
1 has at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD)
0 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey:
0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD)
gpg: key C468A04FCA526A9F: "test key - only signing <libreoffice at lists.freedesktop.org>" 1 new signature
gpg: key C468A04FCA526A9F: secret key imported
gpg: key 96BDBA932A7D4D05: "test key - only for encryption <libreoffice at lists.freedesktop.org>" 2 new signatures
gpg: key 96BDBA932A7D4D05: secret key imported
gpg: Total number processed: 2
gpg: new signatures: 3
gpg: secret keys read: 2
gpg: secret keys unchanged: 2
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u

teythoon at europ /tmp/core/test/signing-keys (git)-[libreoffice-25-2-3] % gpg-sq -k
gpg: WARNING: unsafe permissions on homedir '/tmp/core/test/signing-keys'
/tmp/core/test/signing-keys/pubring.cert.d
------------------------------------------
pub rsa2048 2017-05-30 [SC]
237167E1A762AE7096F1F72EAE8850B494DC4F32
uid [ unknown] <foo at bar.de>
sub rsa2048 2017-05-30 [E]
pub rsa2048 2017-12-06 [SC]
93F7584031D9B74A57BB89DFC468A04FCA526A9F
uid [ultimate] test key - only signing <libreoffice at lists.freedesktop.org>
pub rsa2048 2018-01-11 [SC]
BB87453F47FEBF396099210496BDBA932A7D4D05
uid [ultimate] test key - only for encryption <libreoffice at lists.freedesktop.org>
sub rsa2048 2018-01-11 [E]

Please let me know if you have more questions, or what I can do to help!

Best,
Justus
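Added example, not code from the bug report or from the Sequoia project: a pre-build check that parses the findings `sq cert lint` prints (as quoted above) and fails when any certificate in a test keyring has a User ID or binding signature protected only by SHA-1. The sample lint output is constructed from the report; `lint_keyring` assumes gpg and sq are installed and that sq may print its findings on either output stream.

```python
"""Added example: fail a build when `sq cert lint` reports SHA-1-protected test keys."""
import re
import subprocess
import sys
from collections import defaultdict

# Constructed sample, modelled on the lint output quoted in the bug report.
SAMPLE_LINT_OUTPUT = """\
Certificate C468A04FCA526A9F is not valid under the standard policy: No binding signature at time 2025-04-14T07:40:22Z
Certificate C468A04FCA526A9F contains a User ID (test key - only signing <libreoffice@lists.freedesktop.org>) protected by SHA-1
Certificate 96BDBA932A7D4D05 is not valid under the standard policy: No binding signature at time 2025-04-14T07:40:22Z
Certificate 96BDBA932A7D4D05 contains a User ID (test key - only for encryption <libreoffice@lists.freedesktop.org>) protected by SHA-1
Certificate 96BDBA932A7D4D05, key C914B3CC9B60A3FB uses a SHA-1-protected binding signature.
Examined 3 certificates.
"""

# One finding per line: "Certificate <keyid>[, key <subkeyid>] <description>"
FINDING_RE = re.compile(r"^Certificate (?P<cert>[0-9A-F]{16})(?:, key (?P<key>[0-9A-F]{16}))? (?P<what>.+)$")


def parse_lint(output: str) -> dict[str, list[tuple[str, str]]]:
    """Map each certificate key ID to (affected key ID, finding text) pairs."""
    findings: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for line in output.splitlines():
        m = FINDING_RE.match(line)
        if m:  # subkey findings name the subkey; otherwise the primary key is affected
            findings[m["cert"]].append((m["key"] or m["cert"], m["what"]))
    return dict(findings)


def sha1_protected(findings: dict[str, list[tuple[str, str]]]) -> set[str]:
    """Certificates with a User ID or binding signature that is only protected by SHA-1."""
    return {cert for cert, items in findings.items() if any("SHA-1" in what for _, what in items)}


def lint_keyring(homedir: str) -> dict[str, list[tuple[str, str]]]:
    """Run `gpg --export | sq cert lint` on a GnuPG home directory (assumes both tools are
    installed; sq exits non-zero when it finds issues, so its exit status is not checked)."""
    exported = subprocess.run(["gpg", "--homedir", homedir, "--export"],
                              capture_output=True, check=True).stdout
    lint = subprocess.run(["sq", "cert", "lint"], input=exported, capture_output=True)
    # Assumption: findings may be printed on either stream depending on the sq version.
    return parse_lint(lint.stdout.decode() + lint.stderr.decode())


if __name__ == "__main__":
    weak = sha1_protected(lint_keyring(sys.argv[1] if len(sys.argv) > 1 else "test/signing-keys"))
    for cert in sorted(weak):
        print(f"{cert}: SHA-1-protected; repair with `sq cert lint --fix` and re-import")
    sys.exit(1 if weak else 0)
```

Run it with the keyring directory as its only argument; a non-zero exit means the keys still need the `sq cert lint --fix` round trip shown in the reply.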