FS#49241 - [pacman-key] Spurious fail on verifying signatures

Attached to Project: Pacman
Opened by Leonid Isaev (lisaev) - Saturday, 07 May 2016, 01:20 GMT
Last edited by Allan McRae (Allan) - Wednesday, 18 May 2016, 10:14 GMT
Task Type Bug Report
Category Scripts & Tools
Status Closed
Assigned To Allan McRae (Allan)
Architecture All
Severity Medium
Priority Normal
Reported Version 5.0.1
Due in Version 5.0.2
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

gnupg 2.1.12 (currently in [core]) changed the way key trust is displayed. Namely:
----------
$ gpg --status-fd 1 --homedir /etc/pacman.d/gnupg/ --verify /tmp/glibc-2.23-1-x86_64.pkg.tar.xz.sig
gpg: WARNING: unsafe ownership on homedir '/etc/pacman.d/gnupg/'
gpg: assuming signed data in '/tmp/glibc-2.23-1-x86_64.pkg.tar.xz'
[GNUPG:] NEWSIG
gpg: Signature made Fri 19 Feb 2016 05:54:29 PM MST using RSA key ID EAE999BD
[GNUPG:] SIG_ID oU8xcebVo4xViJtX73T2vNKh+Tk 2016-02-20 1455929669
gpg: Note: trustdb not writable
[GNUPG:] GOODSIG F99FFE0FEAE999BD Allan McRae <me@allanmcrae.com>
gpg: Good signature from "Allan McRae <me@allanmcrae.com>" [full]
gpg: aka "Allan McRae (Developer) <allan@archlinux.org>" [full]
[GNUPG:] VALIDSIG 6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD 2016-02-20 1455929669 0 4 0 1 8 00 6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD
[GNUPG:] TRUST_FULLY 0 pgp
----------
The last line now contains "0 pgp" which breaks pacman-key:

----------
$ pacman-key -v /tmp/glibc-2.23-1-x86_64.pkg.tar.xz.sig
==> Checking /tmp/glibc-2.23-1-x86_64.pkg.tar.xz.sig...
gpg: assuming signed data in '/tmp/glibc-2.23-1-x86_64.pkg.tar.xz'
gpg: Signature made Fri 19 Feb 2016 05:54:29 PM MST using RSA key ID EAE999BD
gpg: Note: trustdb not writable
gpg: Good signature from "Allan McRae <me@allanmcrae.com>" [full]
gpg: aka "Allan McRae (Developer) <allan@archlinux.org>" [full]
==> ERROR: The signature identified by /tmp/glibc-2.23-1-x86_64.pkg.tar.xz.sig could not be verified.
$ echo $?
1
----------
This is because in pacman-key:655 the output of gpg is piped to grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)$' which never matches. This can be fixed by changing the regexp to '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE).*$' to avoid future breakages.

Thanks!

Closed by  Allan McRae (Allan)
Wednesday, 18 May 2016, 10:14 GMT
Reason for closing:  Fixed
Additional comments about closing:  git commit 892a1076
Comment by Leonid Isaev (lisaev) - Sunday, 08 May 2016, 00:21 GMT
A trivial patch...
Comment by Allan McRae (Allan) - Sunday, 08 May 2016, 03:43 GMT
What is the point of adding ".*$" at the end of the grep?
Comment by Olivier Brunel (jjacky) - Sunday, 08 May 2016, 09:23 GMT
The dollar sign was already there actually, only ".*" is being added before it.

You could also remove the dollar sign instead, both should match similarly (i.e. regardless of whether or not there's something else on the line).
Comment by Leonid Isaev (lisaev) - Sunday, 08 May 2016, 20:00 GMT
Yeah, good point. It was stupid of me :) However, are there any subtle regexp parsing flaws associated with special characters, which can be triggered by just matching the TRUST_... pattern (without $ or .*)?
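
The pattern comparison discussed in this thread, as an added example that is not part of the original report or of pacman-key: it runs the strict pattern quoted from pacman-key, the relaxed pattern proposed in the report, and a bounded variant against constructed status output. The `BOUNDED` pattern, the placeholder signer and the `TRUST_FULLY_HYPOTHETICAL` keyword are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare trust-line patterns against gpg --status-fd output.

# Pattern quoted in the report from pacman-key: nothing may follow the keyword.
STRICT='^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)$'
# Pattern proposed in the report: anything may follow the keyword.
RELAXED='^\[GNUPG:\] TRUST_(FULLY|ULTIMATE).*$'
# Assumption, not from the report: keyword must end at a space or end of line.
BOUNDED='^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)( |$)'

# Constructed status output (signer and key ID are placeholders).
SIG='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>'
OLD_OUTPUT="$SIG
[GNUPG:] TRUST_FULLY"
NEW_OUTPUT="$SIG
[GNUPG:] TRUST_FULLY 0 pgp"
# Hypothetical keyword, not one gpg is known to emit; used only to probe
# what each pattern accepts after the TRUST_FULLY prefix.
ODD_OUTPUT="$SIG
[GNUPG:] TRUST_FULLY_HYPOTHETICAL 0 pgp"

# trusted PATTERN STATUS_TEXT: exit 0 if some line of STATUS_TEXT matches.
trusted() {
    printf '%s\n' "$2" | grep -qE "$1"
}

# verdict PATTERN STATUS_TEXT: print "accept" or "reject".
verdict() {
    if trusted "$1" "$2"; then echo accept; else echo reject; fi
}

# summary: one line per pattern, verdicts for old / new / hypothetical input.
summary() {
    for name in STRICT RELAXED BOUNDED; do
        eval "pat=\$$name"
        echo "$name $(verdict "$pat" "$OLD_OUTPUT")" \
             "$(verdict "$pat" "$NEW_OUTPUT")" "$(verdict "$pat" "$ODD_OUTPUT")"
    done
}

summary
```

Dropping the `$` instead of adding `.*` gives the same verdicts as `RELAXED`, since both accept any text after the keyword prefix.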
