On Thu 2022-09-15 18:57:59 -0400, Daniel Kahn Gillmor wrote:
> Control: affects 1010955 + src:gnupg2 src:pinentry
>
> On Sat 2022-05-14 07:55:36 +0200, Andreas Metzler wrote:
>> The latest gnutls tarballs have multiple signatures. I would like
>> to have uscan succeed if at least one of signatories is listed in
>> debian/upstream/signing-key.asc. Uscan currently requires all signatures
>> to verify with no way to configure differently afaict.
>
> Andreas is correct here that it only makes sense to require one valid
> signature for uscan's verification to succeed.  Requiring every
> discovered signature to be valid is a mistake.  For example, it means
> that projects that start publishing an OpenPGP v5 signature (when
> rfc4880bis is finally released) alongside their OpenPGP v4 signatures
> will fail to be validated.

fwiw, the problem here is pretty clearly gpgv's own built-in semantics.
from gpgv(1):

> RETURN VALUE
>       The program returns 0 if everything is fine, 1 if at least one
>       signature was bad, and other error codes for fatal errors.

all the code in lib/Devscripts/Verify/Uscan.pm eventually falls back on
gpgv, rather than using semantics like "sop verify", which succeeds when
at least one signature is valid and successful.

Ironically, it's GnuPG's own packages that are failing this verification
right now, because they're publishing multiple signatures.  It's not a
bad thing for them to sign their software with multiple keys, but the
problem is that gpgv is being stricter than it needs to be to verify
them.

So i think to fix this in uscan, we have two choices:

 (a) split out the signatures into separate files, and run gpgv on each
     signature separately

 (b) use an OpenPGP verification tool with a more sensible verification
     policy, like any compliant "sop" implementation (e.g. sqop,
     pgpainless-cli, gosop).

I'm not sure i actually know how to do (a) safely -- i guess we could
use `gpgsplit` (from the gnupg-utils) package into an empty tempdir, and
then repeatedly invoke `gpgv` on each resulting *.sig file, returning
success if any of them verify.  I don't know how it would work for an
inline-signed package ("pgpmode=self").  at any rate, this all sounds
painful to me.

I've proposed
https://salsa.debian.org/debian/devscripts/-/merge_requests/286 as a way
to implement (b).  Happy to hear feedback on it.

   --dkg
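As an added illustration of approach (a), and not code from devscripts, uscan or the merge request above: a POSIX sh sketch that splits a detached multi-signature file with `gpgsplit`, runs `gpgv` once per signature packet, and succeeds as soon as one of them verifies against debian/upstream/signing-key.asc. It assumes `gpg`, `gpgsplit` and `gpgv` are on PATH, handles only detached signatures (not pgpmode=self), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: approach (a) from the mail, for a DETACHED signature file.
# Not code from devscripts/uscan or from the merge request.  Assumes
# `gpg`, `gpgsplit` and `gpgv` (Debian packages gnupg, gnupg-utils) are on
# PATH.  Inline-signed tarballs (pgpmode=self) are not handled.
# Function names are this example's own.
set -u

# gpgv wants a binary keyring, and a keyring path without a slash is taken
# relative to the GnuPG home directory, so callers should pass an absolute
# output path.  $1 = debian/upstream/signing-key.asc, $2 = output keyring.
dearmor_keyring() {
    gpg --batch --yes --output "$2" --dearmor "$1"
}

# Split a signature file into one file per OpenPGP packet.  gpgsplit does
# not undo ASCII armour itself and writes NNNNNN-TAG.ext into the current
# directory; signature packets (tag 2) come out as NNNNNN-002.sig.
# $1 = signature file (.sig or .asc), $2 = empty directory to write into.
split_signatures() {
    if head -c 14 "$1" | grep -q -- '-----BEGIN PGP'; then
        gpg --batch --yes --output "$2/input.bin" --dearmor "$1" || return 1
    else
        cp "$1" "$2/input.bin" || return 1
    fi
    ( cd "$2" && gpgsplit input.bin ) || return 1
}

# The semantics uscan actually wants: run gpgv once per signature packet
# and succeed as soon as ONE of them verifies against the keyring, instead
# of gpgv's own rule that a single bad signature fails the whole file.
# Returns 0 if any signature is good, 1 otherwise.
# $1 = binary keyring (absolute path), $2 = signed file, $3 = split dir.
verify_any_signature() {
    keyring=$1; target=$2; dir=$3
    seen=0
    for s in "$dir"/*-002.sig; do
        [ -e "$s" ] || break            # glob matched nothing
        seen=1
        if gpgv --keyring "$keyring" "$s" "$target" 2>/dev/null; then
            echo "good signature in $(basename "$s")" >&2
            return 0
        fi
    done
    [ "$seen" -eq 1 ] || echo "no signature packets found" >&2
    return 1
}

# Glue: verify TARBALL against SIGFILE using the armoured KEY file.
# $1 = signing-key.asc, $2 = detached signature, $3 = tarball.
verify_detached() {
    tmp=$(mktemp -d) || return 1
    rc=1
    if dearmor_keyring "$1" "$tmp/keyring.gpg" &&
       mkdir "$tmp/split" &&
       split_signatures "$2" "$tmp/split"; then
        verify_any_signature "$tmp/keyring.gpg" "$3" "$tmp/split" && rc=0
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh verify_multisig.sh debian/upstream/signing-key.asc foo.tar.xz.sig foo.tar.xz
if [ "$#" -eq 3 ]; then
    verify_detached "$1" "$2" "$3"
fi
```

Because gpgv is invoked with one packet at a time, a signature from a key that is not in signing-key.asc (or a v5 packet gpgv cannot parse) only costs one failed iteration rather than failing the whole tarball; the exit status of the loop is the "at least one good signature" policy the thread asks for.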
