FS#56194 - GPG - Support new format packet

Attached to Project: Pacman
Opened by Morten Linderud (Foxboron) - Wednesday, 01 November 2017, 11:53 GMT
Last edited by Allan McRae (Allan) - Tuesday, 06 February 2018, 01:19 GMT
Task Type Feature Request
Category Backend/Core
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version 5.0.1
Due in Version 5.1.0
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Summary and Info:
There are two types of packet formats for OpenPGP. pacman only supports the old format packet.

https://tools.ietf.org/html/rfc4880#section-4.2.2

Relevant code section: https://git.archlinux.org/pacman.git/tree/lib/libalpm/signing.c#n1002

New format packet:
$ gpg --list-packets pass-otp-1.0.0-1-any.pkg.tar.xz.sig
# off=0 ctb=c2 tag=2 hlen=3 plen=540 new-ctb
:signature packet: algo 1, keyid 9C02FF419FECBE16
version 4, created 1509025693, md5len 0, sigclass 0x00
digest algo 8, begin of digest 42 2b
hashed subpkt 2 len 4 (sig created 2017-10-26)
hashed subpkt 16 len 8 (issuer key ID 9C02FF419FECBE16)
data: [4094 bits]


Steps to Reproduce:
Add repository http://pkgbuild.com/~foxboron/repos/x86_64/
Attempt to install pass-otp; the signature will fail.

Signature is created with the golang openpgp implementation by this project:
https://github.com/Foxboron/clave

Closed by Allan McRae (Allan)
Tuesday, 06 February 2018, 01:19 GMT
Reason for closing: Implemented
Additional comments about closing: git commit e8462a4f
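The difference between the two header formats from RFC 4880 section 4.2 that this task is about, as an added example that is not part of the original report and is not pacman's code. The names `pgp_hdr` and `pgp_parse_header` are hypothetical, and the sample bytes are constructed from the `ctb=c2`, `hlen=3`, `plen=540` values in the gpg output above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Parsed OpenPGP packet header (RFC 4880, section 4.2). */
struct pgp_hdr { int new_fmt; unsigned tag; size_t hlen; uint32_t plen; };
/* Returns 0, or -1 on malformed, truncated or unsupported (partial/indeterminate length) input. */
int pgp_parse_header(const uint8_t *b, size_t n, struct pgp_hdr *h)
{
    size_t i;
    if (n < 2 || !(b[0] & 0x80))        /* bit 7 of the first octet is always set */
        return -1;
    h->new_fmt = (b[0] & 0x40) != 0;    /* bit 6 selects old or new format */
    h->plen = 0;
    if (!h->new_fmt) {
        unsigned lt = b[0] & 0x03;      /* old: length type in bits 1-0 */
        h->tag = (b[0] >> 2) & 0x0f;    /* old: tag in bits 5-2 */
        h->hlen = 1 + ((size_t)1 << lt);/* 1, 2 or 4 length octets */
        if (lt == 3 || n < h->hlen)
            return -1;
        for (i = 1; i < h->hlen; i++)
            h->plen = (h->plen << 8) | b[i];
        return 0;
    }
    h->tag = b[0] & 0x3f;               /* new: tag in bits 5-0 */
    h->hlen = b[1] < 192 ? 2 : b[1] < 224 ? 3 : b[1] == 255 ? 6 : 0;
    if (h->hlen == 0 || n < h->hlen)    /* 224..254 is a partial body length */
        return -1;
    if (h->hlen == 2)
        h->plen = b[1];
    else if (h->hlen == 3)
        h->plen = ((uint32_t)(b[1] - 192) << 8) + b[2] + 192;
    else
        for (i = 2; i < 6; i++)         /* five-octet form: 0xff + 4-octet length */
            h->plen = (h->plen << 8) | b[i];
    return 0;
}

/* Constructed samples: the header reported above (ctb=c2, hlen=3, plen=540)
 * and the same tag and length re-encoded with an old-format header. */
static const uint8_t SAMPLE_NEW[] = { 0xc2, 0xc1, 0x5c };
static const uint8_t SAMPLE_OLD[] = { 0x89, 0x02, 0x1c };
int main(void)
{
    struct pgp_hdr x, y;
    if (pgp_parse_header(SAMPLE_NEW, 3, &x) || pgp_parse_header(SAMPLE_OLD, 3, &y))
        return 1;
    printf("new: tag=%u plen=%lu  old: tag=%u plen=%lu\n",
           x.tag, (unsigned long)x.plen, y.tag, (unsigned long)y.plen);
    return 0;
}
```

Both samples decode to tag 2 (signature) with a 540-octet body; a parser that reads only the old-format layout would misread the first octet of the new-format header.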
Comment by Morten Linderud (Foxboron) - Wednesday, 01 November 2017, 13:08 GMT
Pacman output:

$ sudo pacman -S foxboron/pass-otp
resolving dependencies...
looking for conflicting packages...

Package (1) New Version Net Change

foxboron/pass-otp 1.0.0-1 0.01 MiB

Total Installed Size: 0.01 MiB

:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring [#############################] 100%
error: pass-otp: unsupported signature format
(0/1) checking package integrity
(1/1) checking package integrity [#############################] 100%
(1/1) loading package files [#############################] 100%
(1/1) checking for file conflicts [#############################] 100%
(1/1) checking available disk space [#############################] 100%
:: Processing package changes...
(1/1) installing pass-otp [#############################] 100%
Optional dependencies for pass-otp
qrencode: for generating QR code images [installed]
Comment by Christian Hesse (eworm) - Monday, 08 January 2018, 07:35 GMT
Is this an issue with pacman or with gpgme? Probably we just have to wait for upstream support, no?
Comment by Christian Hesse (eworm) - Monday, 08 January 2018, 07:44 GMT
Oh, I spoke too early. I will have a look if I find some spare time.
Comment by Allan McRae (Allan) - Wednesday, 10 January 2018, 08:44 GMT
Comment by Allan McRae (Allan) - Tuesday, 06 February 2018, 01:18 GMT
This was implemented in commit e8462a4f. Ideally we will get extracting a key ID from a signature added to gpgme.
