Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#65311 - [mat2] sources lost gpg verification after transition from AUR
Attached to Project:
Community Packages
Opened by Jensen McKenzie (your_doomsday) - Tuesday, 28 January 2020, 23:25 GMT
Last edited by kpcyrd (kpcyrd) - Wednesday, 29 January 2020, 01:37 GMT
Details
Description:
The mat2 package that landed in the community repo verifies its source only through sha512/b2sums [1] (calculated locally, as upstream doesn't provide those, so strong hashes are security theatre here). Upstream provides gpg signatures for tar.gz archives [2] and for git tags. The latter was used for source verification in AUR [3]. I think in general the expectation is that repo packages should have higher standards than AUR packages, not lower. This can be easily fixed (also using modern git instead of old tarballs) with the below additions/changes:

    makedepends=('git')
    source=("git+https://0xacab.org/jvoisin/mat2.git#tag=${pkgver}?signed")
    sha256sums=('SKIP')
    validpgpkeys=('9FCDEE9E1A381F311EA62A7404D041E8171901CC') # Julien (jvoisin) Voisin

I'm setting category to security, similarly to how https://bugs.archlinux.org/task/64114 was assigned.

Other issues:

* python-setuptools should be a makedepend.
* optional kde/dolphin integration file isn't installed (was in AUR) [4]. Can be fixed with:

    install -Dm644 -t "$pkgdir/usr/share/kservices5/ServiceMenus" dolphin/mat2.desktop

* check fails in clean chroot (could be upstream issue):

    ======================================================================
    FAIL: test_all_parametred (tests.test_libmat2.TestCleaning)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/build/mat2/src/mat2-0.10.0/tests/test_libmat2.py", line 489, in test_all_parametred
        self.assertEqual(p2.get_meta(), case['expected_meta'])
    AssertionError: {'MajorBrand': 'MP4 Base Media v1 [IS0 144[457 chars]': 0} != {'CompatibleBrands': ['isom', 'iso2', 'avc1[432 chars]': 0}
      {'CompatibleBrands': ['isom', 'iso2', 'avc1', 'mp41'],
       'CompressorID': 'avc1',
       'GraphicsMode': 'srcCopy',
       'HandlerDescription': 'SoundHandler',
       'HandlerType': 'Metadata',
       'HandlerVendorID': 'Apple',
       'MajorBrand': 'MP4 Base Media v1 [IS0 14496-12:2003]',
    -  'MediaDataOffset': 48,
    -  'MediaDataSize': 379872,
       'MediaHeaderVersion': 0,
       'MinorVersion': '0.2.0',
    +  'MovieDataOffset': 48,
       'MovieHeaderVersion': 0,
       'NextTrackID': 3,
       'PreferredRate': 1,
       'Rotation': 0,
       'TimeScale': 1000,
       'TrackHeaderVersion': 0,
       'TrackID': 1,
       'TrackLayer': 0}

[1] https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/mat2&id=2710c4ea98f62d7c3236d9ba7ba63decbd161242#n18
[2] https://0xacab.org/jvoisin/mat2/uploads/8c62aff50acf08820d5e2bbc30aca64e/mat2-0.10.0.tar.gz.asc
[3] https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=mat2&id=47f9cfbdf06a5ce92605e1411a889b2874ce82b0#n15
[4] https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=mat2&id=47f9cfbdf06a5ce92605e1411a889b2874ce82b0#n27
The original PKGBUILD was lacking this and was therefore vulnerable to targeted attacks if jvoisin and 0xacab.org ever decided to collude. Pinning by hash ensures there's one canonical build input and everybody is looking at the same bytes. Using just a signature ensures that the bytes you've received come from somebody with control over the right private key, but you can't tell if everybody else got the same bytes, since it's impossible to prove that only one signature has ever been created. This assumes the upstream author has never released a v0.10.0 tag in any other project, since the PKGBUILD would also have accepted the tag of any other repo as valid if the tag name matched and was signed by the correct key. There is some research on the limitations of signatures in the binary transparency space if you're interested in this.
Do not use the snippet you posted unless you are also hardcoding the git commit sha1.
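Worked example added by the editor (not code from the report, from the mat2 PKGBUILD, or from the comment above). It shows in runnable shell what "hardcoding the git commit sha1" adds on top of the posted source= line: two constructed local repositories both carry a tag named 0.10.0; a tag-name-only lookup, which is all "#tag=${pkgver}" asserts once the signature has passed, accepts both, while a check that additionally requires the tag to resolve to one hardcoded commit accepts only the canonical repository. The tag name, the repository contents and the function names are assumptions made for the demo; gpg signing of the tags is deliberately left out, since makepkg's "?signed" already handles that step and the point here is the pin.

```shell
#!/usr/bin/env bash
# Editor's added example, not the report's snippet or the mat2 PKGBUILD.
# Demonstrates why a signed tag name is not a pin and what a hardcoded
# commit sha1 adds. Tags are plain annotated tags (no gpg); makepkg's
# "?signed" covers the signature step, this script covers the pin.
set -eu

# git wrapper with a throwaway identity for the constructed demo repos only.
gitdemo() {
  git -c user.name=demo -c user.email=demo@example.invalid \
      -c commit.gpgsign=false -c tag.gpgSign=false "$@"
}

# make_repo DIR CONTENT: constructed sample repository with one commit
# and an annotated tag named 0.10.0 (tag name is an assumption of the demo).
make_repo() {
  local dir=$1 content=$2
  git -c init.defaultBranch=main init -q "$dir"
  printf '%s\n' "$content" > "$dir/README"
  gitdemo -C "$dir" add README
  gitdemo -C "$dir" commit -q -m "release 0.10.0"
  gitdemo -C "$dir" tag -a -m "0.10.0" 0.10.0
}

# resolve_tag_commit DIR TAG: the commit a tag points at. This sha1 is the
# value a PKGBUILD would hardcode next to the tag name.
resolve_tag_commit() {
  git -C "$1" rev-parse "refs/tags/$2^{commit}"
}

# check_tag_only DIR TAG: what "#tag=..." alone asserts after the signature
# check: a tag with that name exists. Any repository with such a tag passes.
check_tag_only() {
  git -C "$1" rev-parse -q --verify "refs/tags/$2" >/dev/null
}

# check_pinned DIR TAG EXPECTED: the tag must exist AND resolve to EXPECTED.
# A same-named tag in a different repository fails because its commit differs.
check_pinned() {
  local actual
  actual=$(resolve_tag_commit "$1" "$2" 2>/dev/null) || return 1
  [ "$actual" = "$3" ]
}

# demo: build a canonical repo and an impostor repo with the same tag name,
# then run both checks against each.
demo() {
  local tmp pin repo
  tmp=$(mktemp -d)
  make_repo "$tmp/canonical" "canonical 0.10.0 release"
  make_repo "$tmp/impostor" "different content, same tag name"
  pin=$(resolve_tag_commit "$tmp/canonical" 0.10.0)
  echo "pinned commit: $pin"
  for repo in canonical impostor; do
    if check_tag_only "$tmp/$repo" 0.10.0; then
      echo "$repo: tag-name check accepted"
    fi
    if check_pinned "$tmp/$repo" 0.10.0 "$pin"; then
      echo "$repo: commit-pin check accepted"
    else
      echo "$repo: commit-pin check rejected"
    fi
  done
  rm -rf "$tmp"
}

demo
```

In a PKGBUILD the equivalent of check_pinned belongs in prepare(): run git rev-parse on the tag inside "$srcdir", compare the result with a hardcoded commit variable, and fail the build on mismatch. The value to hardcode is whatever resolve_tag_commit prints for the canonical repository at the time the package is updated, and it has to be bumped together with pkgver.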
The remaining issues, including the missing signature for the tarball, have been addressed. I've traced the test failure to the perl-image-exiftool update that was released around the same time and patched the test. Thanks for your report.