FS#45085 - {dbscripts}[pacman][devtools] Ensure signatures use binary format

Attached to Project: Arch Linux
Opened by Evangelos Foutras (foutrelis) - Monday, 25 May 2015, 21:22 GMT
Last edited by Eli Schwartz (eschwartz) - Tuesday, 01 August 2017, 22:25 GMT
Task Type Bug Report
Category Arch Projects
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

GnuPG can be configured to generate ASCII-armored signatures by default (by putting "armor" in ~/.gnupg/gpg.conf). In such cases, pacman will refuse to install the package (will print "signature format error") and archweb will display an empty details page. [1]

We need to make sure commitpkg generates binary signatures and that dbscripts (or repo-add?) refuses to add to the repository packages with ASCII-armored signatures. It's possible that the --no-armor option can be used in both cases.

[1] https://bugs.archlinux.org/task/45084

Closed by  Eli Schwartz (eschwartz)
Tuesday, 01 August 2017, 22:25 GMT
Reason for closing:  Fixed
Additional comments about closing:  fixed in commitpkg and repo-add, and fixed in git for pacman-key (which will fix dbscripts)
Comment by Johannes Löthberg (demize) - Monday, 25 May 2015, 22:05 GMT
There are two parts to this, the generation of signatures, and adding them to the DB.

For the former, adding `--no-armor` will solve it, in both commitpkg and repo-add (since it has the option to sign DBs.)

For adding them to the DB, the only option I can think of is having repo-add check if it's an armored signature and error out if it is, like in the attached patch.

Any comments on the patch are welcome.
Comment by Allan McRae (Allan) - Tuesday, 26 May 2015, 01:03 GMT
makepkg uses:
gpg --detach-sign --use-agent ${SIGNWITHKEY} --no-armor "$filename" &>/dev/null || ret=$?
Comment by Allan McRae (Allan) - Tuesday, 26 May 2015, 01:04 GMT
Please send the repo-add patch to the pacman-dev mailing list for review.
Comment by Johannes Löthberg (demize) - Tuesday, 26 May 2015, 09:48 GMT
Devtools signs it on its own, instead of copying the signature from the chroot if there is one.

Patch sent.
Comment by Evangelos Foutras (foutrelis) - Wednesday, 27 May 2015, 19:14 GMT
I looked into dbscripts, and the db-update script uses 'pacman-key -v' to verify the signatures. Since gpg can read armored signatures, the check succeeds.

@Allan: Is pacman supposed to accept armored signatures? If not, should 'pacman-key -v' be changed to pass --no-armor to gpg?
Comment by Johannes Löthberg (demize) - Wednesday, 27 May 2015, 19:36 GMT
Sadly that doesn't work, which is why I opted for grepping and erroring out instead in repo-add.
Comment by Evangelos Foutras (foutrelis) - Wednesday, 27 May 2015, 19:51 GMT
Doing this check in repo-add is fine, but as far as dbscripts is concerned it's too late and it leaves things in an inconsistent state.
Comment by Johannes Löthberg (demize) - Wednesday, 27 May 2015, 21:12 GMT
Yeah, sure, I'm just saying that gpg won't reject it, so the same approach would have to be taken in dbscripts, or for the signature to actually be parsed, but that sounds... yeah..

Newest repo-add patch is at <https://lists.archlinux.org/pipermail/pacman-dev/2015-May/020147.html> so you can see how I did that.
Comment by Allan McRae (Allan) - Wednesday, 27 May 2015, 23:45 GMT
I guess a similar check could be added to "pacman-key -v"
Comment by Allan McRae (Allan) - Sunday, 12 June 2016, 04:28 GMT
Patch submitted for pacman-key.
Comment by Eli Schwartz (eschwartz) - Tuesday, 01 August 2017, 22:21 GMT
This is now fixed in pacman-git (and should be available whenever pacman 5.1 is released) as of commit 1291c04961e6c27e93ef376583d46ec2aa3036a1, which should mean this is fixed everywhere.
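
The comments above note that gpg verifies armored and binary signatures alike, so a repository tool has to inspect the file itself. The following is an added example of such a check, not the repo-add or pacman-key patch: it goes beyond grepping for the armor header by also reading the OpenPGP packet header octet. `sig_format` and `require_binary_sig` are hypothetical names, and the sample files are constructed headers, not valid signatures.

```shell
#!/bin/sh
# Added example: classify a detached signature file without asking gpg.

# Print "binary", "armored" or "unknown" for the file in $1.
sig_format() {
    # First octet as a decimal number; empty for an empty file.
    first=$(od -An -tu1 -N1 < "$1" | tr -d ' \n')
    [ -n "$first" ] || { echo unknown; return 0; }

    if [ "$first" -ge 192 ]; then
        # New-format packet header (bits 7 and 6 set): tag is the low 6 bits.
        tag=$(( first & 63 ))
    elif [ "$first" -ge 128 ]; then
        # Old-format packet header (bit 7 set): tag is bits 5..2.
        tag=$(( (first >> 2) & 15 ))
    else
        tag=-1
    fi

    if [ "$tag" -eq 2 ]; then    # tag 2 = signature packet
        echo binary
    elif grep -q -e '-----BEGIN PGP SIGNATURE-----' "$1"; then
        echo armored
    else
        echo unknown
    fi
}

# Gate for a repository tool: succeed only for a binary signature.
require_binary_sig() {
    fmt=$(sig_format "$1")
    [ "$fmt" = binary ] && return 0
    echo "error: $1: expected binary signature, found $fmt" >&2
    return 1
}

# Constructed sample inputs (realistic headers only, not real signatures).
demo_dir=$(mktemp -d)
printf '\211\002\063\004\000\001\010' > "$demo_dir/pkg-binary.sig"
printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '' 'iQIzBAABCAAdFiEE' \
    '-----END PGP SIGNATURE-----' > "$demo_dir/pkg-armored.sig"
for f in "$demo_dir"/*.sig; do
    printf '%s: %s\n' "${f##*/}" "$(sig_format "$f")"
done
```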
