Update arojas key

Merged Antonio Rojas requested to merge arojas/archlinux-keyring:new-key into master

Blocked by #185 (closed)

Edited by Levente Polyak

Activity

  • mentioned in issue #178 (closed)

  • The CI failure looks more like a bug in keyringctl rather than something wrong with this merge request: It complains about an unexpected packet fingerprint:

    Traceback (most recent call last):
      File "/builds/arojas/archlinux-keyring/./keyringctl", line 8, in <module>
        main()
      File "/builds/arojas/archlinux-keyring/libkeyringctl/cli.py", line 217, in main
        verify(
      File "/builds/arojas/archlinux-keyring/libkeyringctl/verify.py", line 57, in verify
        verify_integrity(certificate=certificate, all_fingerprints=all_fingerprints)
      File "/builds/arojas/archlinux-keyring/libkeyringctl/verify.py", line 207, in verify_integrity
        assert_filename_matches_packet_issuer_fingerprint(path=sig, check=certificate.name)
      File "/builds/arojas/archlinux-keyring/libkeyringctl/verify.py", line 258, in assert_filename_matches_packet_issuer_fingerprint
        raise Exception(f"Unexpected packet fingerprint in file {str(path)}: {fingerprint}")
    Exception: Unexpected packet fingerprint in file /builds/arojas/archlinux-keyring/keyring/packager/arojas/9D74DF6F91B7BDABD5815CA84AC5588F941C2A25/subkey/1519D5ABA65BF6FC2B73C7567A4E76095D8A52E4/certification/9D74DF6F91B7BDABD5815CA84AC5588F941C2A25.asc: 1519D5ABA65BF6FC2B73C7567A4E76095D8A52E4

    The sq packet dump for the objectionable file looks like this:

    Signature Packet, new CTB, 1020 bytes
        Version: 4
        Type: SubkeyBinding
        Pk algo: RSA (Encrypt or Sign)
        Hash algo: SHA256
        Hashed area:
          Signature creation time: 2022-07-09 20:32:24 UTC (critical)
          Issuer: 4AC5588F941C2A25
          Notation: salt@notations.sequoia-pgp.org
            00000000  b0 6a 0c 4d 66 12 b4 c8  cc fd ea 07 e1 a8 5c c1
            00000010  e3 4c 09 64 3a 3d 94 d4  0d 7e d5 a1 46 15 94 f5
          Key flags: S
          Embedded signature:  (critical)
            Signature Packet
              Version: 4
              Type: PrimaryKeyBinding
              Pk algo: RSA (Encrypt or Sign)
              Hash algo: SHA256
              Hashed area:
                Signature creation time: 2022-07-09 20:32:24 UTC (critical)
                Issuer: 7A4E76095D8A52E4
                Notation: salt@notations.sequoia-pgp.org
                  00000000  ff 53 50 36 f9 5e b1 8e  34 13 50 db 46 96 ab cf
                  00000010  e4 97 ac 88 2b 55 3e 18  a3 a8 b2 72 98 85 b6 47
                Issuer Fingerprint: 1519D5ABA65BF6FC2B73C7567A4E76095D8A52E4
              Digest prefix: D3F5
              Level: 0 (signature over data)
            
          Issuer Fingerprint: 9D74DF6F91B7BDABD5815CA84AC5588F941C2A25
        Digest prefix: 97D0
        Level: 0 (signature over data)

    1519D5ABA65BF6FC2B73C7567A4E76095D8A52E4 is the fingerprint of the signing subkey, which seems perfectly reasonable here. In contrast, signing subkeys output by GnuPG seem to have a slightly different, but altogether quite similar structure:

    # sq packet dump keyring/packager/diabonas/FE2E6249201CA54A4FB90D066E80CA1446879D04/subkey/D191A78F1881F384753C967E686B063AC4BC0EC9/certification/FE2E6249201CA54A4FB90D066E80CA1446879D04.asc 
    Signature Packet, new CTB, 1138 bytes
        Version: 4
        Type: SubkeyBinding
        Pk algo: RSA (Encrypt or Sign)
        Hash algo: SHA512
        Hashed area:
          Key flags: S
          Issuer Fingerprint: FE2E6249201CA54A4FB90D066E80CA1446879D04
          Signature creation time: 2022-06-30 13:29:13 UTC
          Key expiration time: P1759DT54210S
        Unhashed area:
          Issuer: 6E80CA1446879D04
          Embedded signature: 
            Signature Packet
              Version: 4
              Type: PrimaryKeyBinding
              Pk algo: RSA (Encrypt or Sign)
              Hash algo: SHA512
              Hashed area:
                Issuer Fingerprint: D191A78F1881F384753C967E686B063AC4BC0EC9
                Signature creation time: 2019-09-04 22:25:43 UTC
              Unhashed area:
                Issuer: 686B063AC4BC0EC9
              Digest prefix: 372E
              Level: 0 (signature over data)
            
        Digest prefix: B50D
        Level: 0 (signature over data)

    Note that there is also an "Issuer Fingerprint" field containing the subkey fingerprint, though it is in the "Unhashed area" this time.

    @anthraxx, @dvzrv, any idea?

  • It's likely that the parser is not handling this correctly. I'll try to have a look at this in the coming days!

  • Ah, this is definitely a bug: assert_filename_matches_packet_issuer_fingerprint uses packet_dump_field to find "Issuer Fingerprint". These files contain two of these fields though, so packet_dump_field simply takes the first one it finds, which is the wrong one in case of this merge request.

    I am a bit unsure how to fix this: we need to somehow select the "least indented" Issuer Fingerprint from the outermost Hashed area.
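
The selection rule proposed in the comment above, as an added Python example (not keyringctl's code or its eventual fix): it contrasts a first-match lookup with one that only accepts the field among the direct children of the shallowest "Hashed area". The function names are hypothetical, and the sample dump is abbreviated from the `sq packet dump` output quoted in this thread.

```python
import re
from pathlib import PurePosixPath

FIELD_RE = re.compile(r"^(?P<indent> *)(?P<key>[^:]+):\s*(?P<value>.*)$")

# Abbreviated from the Sequoia-generated `sq packet dump` quoted in the thread.
SEQUOIA_DUMP = """\
Signature Packet, new CTB, 1020 bytes
    Type: SubkeyBinding
    Hashed area:
      Issuer: 4AC5588F941C2A25
      Embedded signature:  (critical)
        Signature Packet
          Type: PrimaryKeyBinding
          Hashed area:
            Issuer Fingerprint: 1519D5ABA65BF6FC2B73C7567A4E76095D8A52E4
          Digest prefix: D3F5
      Issuer Fingerprint: 9D74DF6F91B7BDABD5815CA84AC5588F941C2A25
    Digest prefix: 97D0
"""
# Tail of the file path from the CI error; the stem is the expected issuer.
SIG_PATH = "certification/9D74DF6F91B7BDABD5815CA84AC5588F941C2A25.asc"

def rows(dump):
    """Yield (indent, key, value) for every 'key: value' line of a dump."""
    for m in filter(None, map(FIELD_RE.match, dump.splitlines())):
        yield len(m["indent"]), m["key"], m["value"].strip()

def first_field(dump, field):
    """First occurrence wins: the lookup behaviour described in the thread."""
    return next((v for _, k, v in rows(dump) if k == field), None)

def outermost_hashed_field(dump, field):
    """Value of `field` among the direct children of the shallowest Hashed area."""
    table = list(rows(dump))
    areas = [(d, i) for i, (d, k, _) in enumerate(table) if k == "Hashed area"]
    if not areas:
        raise ValueError("no hashed area in dump")
    top, start = min(areas)              # shallowest header, earliest on a tie
    child, values = None, []
    for depth, key, value in table[start + 1:]:
        if depth <= top:                 # left the outer hashed area
            break
        child = depth if child is None else child
        if depth == child and key == field:
            values.append(value)
    if len(values) != 1:                 # fail closed on missing or duplicate
        raise ValueError(f"expected one outer {field!r}, found {len(values)}")
    return values[0]

def filename_matches_issuer(path, dump, lookup):
    """Compare the .asc file stem with the issuer fingerprint `lookup` finds."""
    return PurePosixPath(path).stem == lookup(dump, "Issuer Fingerprint")
```

With the first-match lookup the file name check fails on the Sequoia-made signature because the embedded PrimaryKeyBinding's fingerprint is printed first; the scoped lookup returns the primary key fingerprint for both dump layouts shown in the thread.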

  • Jonas Witschel approved this merge request

  • Christian Hesse approved this merge request

  • Jonas Witschel added 1 commit

    • 1334e741 - Add signature from diabonas for arojas

  • I'll put my main key signature for your key here for now. If nobody beats me to it, I will try to figure out over the weekend how to fix keyringctl so that this (otherwise perfectly fine) merge request can be merged.

  • mentioned in issue #185 (closed)

  • Levente Polyak changed the description

  • Jonas Witschel added 52 commits

  • Jonas Witschel approved this merge request

  • David Runge approved this merge request
