Update arojas key
Blocked by #185 (closed)
mentioned in issue #178 (closed)
The CI failure looks more like a bug in keyringctl rather than something wrong with this merge request: It complains about an unexpected packet fingerprint:
Traceback (most recent call last):
  File "/builds/arojas/archlinux-keyring/./keyringctl", line 8, in <module>
    main()
  File "/builds/arojas/archlinux-keyring/libkeyringctl/cli.py", line 217, in main
    verify(
  File "/builds/arojas/archlinux-keyring/libkeyringctl/verify.py", line 57, in verify
    verify_integrity(certificate=certificate, all_fingerprints=all_fingerprints)
  File "/builds/arojas/archlinux-keyring/libkeyringctl/verify.py", line 207, in verify_integrity
    assert_filename_matches_packet_issuer_fingerprint(path=sig, check=certificate.name)
  File "/builds/arojas/archlinux-keyring/libkeyringctl/verify.py", line 258, in assert_filename_matches_packet_issuer_fingerprint
    raise Exception(f"Unexpected packet fingerprint in file {str(path)}: {fingerprint}")
Exception: Unexpected packet fingerprint in file /builds/arojas/archlinux-keyring/keyring/packager/arojas/9D74DF6F91B7BDABD5815CA84AC5588F941C2A25/subkey/1519D5ABA65BF6FC2B73C7567A4E76095D8A52E4/certification/9D74DF6F91B7BDABD5815CA84AC5588F941C2A25.asc: 1519D5ABA65BF6FC2B73C7567A4E76095D8A52E4
The sq packet dump for the objectionable file looks like this:

Signature Packet, new CTB, 1020 bytes
    Version: 4
    Type: SubkeyBinding
    Pk algo: RSA (Encrypt or Sign)
    Hash algo: SHA256
    Hashed area:
      Signature creation time: 2022-07-09 20:32:24 UTC (critical)
      Issuer: 4AC5588F941C2A25
      Notation: salt@notations.sequoia-pgp.org
        00000000 b0 6a 0c 4d 66 12 b4 c8 cc fd ea 07 e1 a8 5c c1
        00000010 e3 4c 09 64 3a 3d 94 d4 0d 7e d5 a1 46 15 94 f5
      Key flags: S
      Embedded signature: (critical)
        Signature Packet
          Version: 4
          Type: PrimaryKeyBinding
          Pk algo: RSA (Encrypt or Sign)
          Hash algo: SHA256
          Hashed area:
            Signature creation time: 2022-07-09 20:32:24 UTC (critical)
            Issuer: 7A4E76095D8A52E4
            Notation: salt@notations.sequoia-pgp.org
              00000000 ff 53 50 36 f9 5e b1 8e 34 13 50 db 46 96 ab cf
              00000010 e4 97 ac 88 2b 55 3e 18 a3 a8 b2 72 98 85 b6 47
            Issuer Fingerprint: 1519D5ABA65BF6FC2B73C7567A4E76095D8A52E4
          Digest prefix: D3F5
          Level: 0 (signature over data)
      Issuer Fingerprint: 9D74DF6F91B7BDABD5815CA84AC5588F941C2A25
    Digest prefix: 97D0
    Level: 0 (signature over data)
1519D5ABA65BF6FC2B73C7567A4E76095D8A52E4 is the fingerprint of the signing subkey, which seems perfectly reasonable here. In contrast, signing subkeys output by GnuPG seem to have a slightly different, but altogether quite similar structure:

# sq packet dump keyring/packager/diabonas/FE2E6249201CA54A4FB90D066E80CA1446879D04/subkey/D191A78F1881F384753C967E686B063AC4BC0EC9/certification/FE2E6249201CA54A4FB90D066E80CA1446879D04.asc
Signature Packet, new CTB, 1138 bytes
    Version: 4
    Type: SubkeyBinding
    Pk algo: RSA (Encrypt or Sign)
    Hash algo: SHA512
    Hashed area:
      Key flags: S
      Issuer Fingerprint: FE2E6249201CA54A4FB90D066E80CA1446879D04
      Signature creation time: 2022-06-30 13:29:13 UTC
      Key expiration time: P1759DT54210S
    Unhashed area:
      Issuer: 6E80CA1446879D04
      Embedded signature:
        Signature Packet
          Version: 4
          Type: PrimaryKeyBinding
          Pk algo: RSA (Encrypt or Sign)
          Hash algo: SHA512
          Hashed area:
            Issuer Fingerprint: D191A78F1881F384753C967E686B063AC4BC0EC9
            Signature creation time: 2019-09-04 22:25:43 UTC
          Unhashed area:
            Issuer: 686B063AC4BC0EC9
          Digest prefix: 372E
          Level: 0 (signature over data)
    Digest prefix: B50D
    Level: 0 (signature over data)
Note that there is also an "Issuer Fingerprint" field containing the subkey fingerprint, though it is in the "Unhashed area" this time.
Ah, this is definitely a bug: assert_filename_matches_packet_issuer_fingerprint uses packet_dump_field to find "Issuer Fingerprint". These files contain two of these fields though, so packet_dump_field simply takes the first one it finds, which is the wrong one in case of this merge request.

I am a bit unsure how to fix this: we need to somehow select the "least indented" Issuer Fingerprint from the outermost Hashed area.

added scopebug scoperegression scopesecurity labels
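The selection rule proposed in the comment above (take the least-indented Issuer Fingerprint from the outermost Hashed area), shown next to a first-match lookup, as an added example that is not keyringctl's code or its eventual fix. The names `fields`, `first_match` and `outermost_hashed_field` are hypothetical, and the sample dump is abridged from the one quoted above with its indentation assumed.

```python
import re

# Abridged from the dump quoted above; the indentation is an assumption about
# how sq nests an embedded signature below its parent subpacket area.
SAMPLE_DUMP = """\
Signature Packet, new CTB, 1020 bytes
    Type: SubkeyBinding
    Hashed area:
      Issuer: 4AC5588F941C2A25
      Embedded signature: (critical)
        Signature Packet
          Type: PrimaryKeyBinding
          Hashed area:
            Issuer Fingerprint: 1519D5ABA65BF6FC2B73C7567A4E76095D8A52E4
          Digest prefix: D3F5
      Issuer Fingerprint: 9D74DF6F91B7BDABD5815CA84AC5588F941C2A25
    Digest prefix: 97D0
"""
FIELD = re.compile(r"^(?P<indent> *)(?P<key>[^:]+):\s*(?P<value>.*)$")


def fields(dump):
    """Yield (indent, key, value) for every 'Key: value' line of the dump."""
    for line in dump.splitlines():
        m = FIELD.match(line)
        if m:
            yield len(m["indent"]), m["key"], m["value"]


def first_match(dump, field):
    """First occurrence wins: the lookup behaviour described in the comment."""
    return next((v for _, k, v in fields(dump) if k == field), None)


def outermost_hashed_field(dump, field):
    """Return field only if it is a direct child of the outermost Hashed area."""
    area = child = None  # indent of the area header / of its direct children
    for indent, key, value in fields(dump):
        if area is None:
            if key == "Hashed area":
                area = indent
            continue
        if indent <= area:
            break  # left the outermost hashed area without finding the field
        child = indent if child is None else child
        if indent == child and key == field:
            return value  # deeper lines (embedded signature) never get here
    return None
```

When the outer hashed area carries no such field, `outermost_hashed_field` returns `None` rather than falling back to the embedded signature's value, so the caller can fail closed.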
mentioned in issue #185 (closed)
Blocked by #185 (closed)
Edited by Levente Polyak
added 52 commits
- 1334e741...099df52a - 50 commits from branch archlinux:master
- 58def932 - Update arojas key
- c34e8cca - Add signature from diabonas for arojas