FS#69459 - Makepkg assumes .asc files are detached signatures
Attached to Project:
Pacman
Opened by Setpill (setpill) - Thursday, 28 January 2021, 14:25 GMT
Last edited by Allan McRae (Allan) - Sunday, 02 January 2022, 15:16 GMT
Details
Summary and Info:
Maintainers of lnd switched their binary signing scheme from a manifest + detached signature to multiple manifests (from different devs) with attached signatures. Makepkg does not understand this, and errors out when you have some_source_file.asc but no some_source_file. I've managed to work around this limitation for now by renaming the signed manifests to .txt (instead of .txt.asc) and performing gpg signature checks in prepare(), but this is an ugly workaround that neuters validpgpkeys.

Steps to Reproduce:
1. In a PKGBUILD, source any .asc file that consists of a signed message with attached signature. E.g. https://github.com/lightningnetwork/lnd/releases/download/v0.12.0-beta/manifest-roasbeef-v0.12.0-beta.txt.asc
2. Try to build it.
Closed by Allan McRae (Allan)
Sunday, 02 January 2022, 15:16 GMT
Reason for closing: Won't implement
The solution would be to fix that function to be able to handle attached signatures.
For detached signatures you *need* `gpg --verify manifest-roasbeef-v0.12.0-beta.txt.asc manifest-roasbeef-v0.12.0-beta.txt`, else you can encounter scenarios where it's not clear what is being authenticated.
- they should be scripting this, at which point the number does not matter
- they should consider a dedicated website listing that lets them use something other than the Github Releases simple file list.
e.g. you could then list lines to reduce cognitive overhead like
Source code:
lnd-source-v0.12.0-beta.tar.gz (GPG)
Windows Binaries:
lnd-windows-386-v0.12.0-beta.zip (GPG)
lnd-windows-amd64-v0.12.0-beta.zip (GPG)
Linux Binaries:
lnd-linux-386-v0.12.0-beta.tar.gz (GPG)
lnd-linux-amd64-v0.12.0-beta.tar.gz (GPG)
lnd-linux-arm64-v0.12.0-beta.tar.gz (GPG)
MacOS Binaries:
lnd-darwin-amd64-v0.12.0-beta.tar.gz (GPG)
Other binaries:
lnd-netbsd-amd64-v0.12.0-beta.tar.gz (GPG)
lnd-openbsd-386-v0.12.0-beta.tar.gz (GPG)
lnd-solaris-amd64-v0.12.0-beta.tar.gz (GPG)
lnd-dragonfly-amd64-v0.12.0-beta.tar.gz (GPG)
Github Pages could do this. Would entail either linking to the chaotic Releases attachments, or checking the files into a github repo "lightningnetwork.github.io" which might grow in size quite fast due to retaining old releases.
I don't think this is accurate. The script already contains the following code:
```
# Pick a decompressor based on the source file's extension ("" means plain cat)
case "$ext" in
    gz) decompress="gzip -c -d -f" ;;
    bz2) decompress="bzip2 -c -d -f" ;;
    xz) decompress="xz -c -d" ;;
    lrz) decompress="lrzip -q -d" ;;
    lzo) decompress="lzop -c -d -q" ;;
    Z) decompress="uncompress -c -f" ;;
    "") decompress="cat" ;;
esac

# Stream the decompressed source into gpg and verify it against the detached signature in $file
$decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null
```
For clearsigned files, "cat" decompression works perfectly fine if the `--verify "$file"` is omitted and `$sourcefile` has the value of `$file`. The only pitfall is that the clearsigned file shouldn't be used directly but rather the output of a `gpg -o` command.
@eschwartz you assert this is how upstream should do things, but it is not clear to me why. Is there anything about that way of doing things that would actually increase security?
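As an added illustration of the two verification paths discussed in this thread (this is example code written for this page, not makepkg's source and not from the lnd project): the script below tells a detached signature apart from a clearsigned message by its first armor header, verifies a detached signature with both arguments (`gpg --verify sig data`), and for a clearsigned manifest writes gpg's verified output to a separate file so later steps never read the raw .asc, where text outside the signed block is not covered by the signature. It assumes gpg is on PATH and the signer's key is already in the keyring (makepkg's validpgpkeys check is out of scope here); the function names `asc_kind` and `verify_asc`, and the sample file built in `demo_asc_kind`, are constructed for the example.

```shell
#!/bin/sh
# Added example, not makepkg's code. Assumes gpg is installed and the
# signing key is already imported (makepkg would additionally check
# validpgpkeys).

# Classify a .asc file by its first armor header:
#   clearsigned -> "-----BEGIN PGP SIGNED MESSAGE-----" (signature attached)
#   detached    -> "-----BEGIN PGP SIGNATURE-----"      (needs the data file)
#   unknown     -> anything else, including "BEGIN PGP MESSAGE", which may
#                  be encrypted rather than signed and is not handled here
asc_kind() {
    first=$(awk '/^-----BEGIN PGP/ { print; exit }' "$1")
    case "$first" in
        '-----BEGIN PGP SIGNED MESSAGE-----') echo clearsigned ;;
        '-----BEGIN PGP SIGNATURE-----')      echo detached ;;
        *)                                    echo unknown ;;
    esac
}

# verify_asc SIGFILE TARGET
#   detached:    TARGET is the data file the signature covers.
#   clearsigned: TARGET is where gpg writes the verified payload; consumers
#                must read that file, never the raw .asc.
# Returns 0 only when gpg reports a valid signature.
verify_asc() {
    asc=$1; target=$2
    case $(asc_kind "$asc") in
        detached)
            gpg --quiet --batch --verify "$asc" "$target" 2>/dev/null || return 1
            ;;
        clearsigned)
            status=$(mktemp)
            rc=0
            gpg --quiet --batch --yes --status-file "$status" \
                --output "$target" --decrypt "$asc" 2>/dev/null || rc=$?
            # Trust the machine-readable status line, not only the exit code.
            if [ "$rc" -ne 0 ] || ! grep -q '^\[GNUPG:\] VALIDSIG ' "$status"; then
                rm -f "$target" "$status"
                return 1
            fi
            rm -f "$status"
            ;;
        *)
            echo "verify_asc: unrecognised armor header in $asc" >&2
            return 2
            ;;
    esac
}

# Demo on a constructed file shaped like a clearsigned manifest (it carries
# no real signature, so only the classification step is exercised).
demo_asc_kind() {
    tmp=$(mktemp)
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' '' \
        'deadbeef  lnd-linux-amd64-v0.12.0-beta.tar.gz' \
        '-----BEGIN PGP SIGNATURE-----' '-----END PGP SIGNATURE-----' > "$tmp"
    asc_kind "$tmp"   # prints: clearsigned
    rm -f "$tmp"
}
demo_asc_kind
```

The `VALIDSIG` check matters because `gpg --decrypt` is also the command that decrypts unsigned encrypted messages; checking the status file is what guarantees a signature was actually verified before the output file is kept.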
We're not implementing all of them, and we're not implementing some of them just to have people protest that theirs was left out.
It's a big fat hassle and has no real advantage if upstream does things correctly. There are only a tiny handful of upstream projects that provide signed manifests but not signed archives. Most projects, if they provide manifests at all, provide UNSIGNED manifests. The last AUR package that was used to justify this feature request no longer needs it because upstream now signs the binary directly.