Source: openssh-known-hosts
Source-Version: 0.6.2-1.1
Severity: wishlist
Tags: patch

Hi!

I've prepared a few patches to improve the OpenPGP support. I think at
least the one fixing the gpgv usage means that part is probably
currently unusable? Attached the patch series.

I'm also attaching a small patch for the packaging.

Thanks,
Guillem
From b32b285019eb749cfc650748fa4a4ce3b4fda736 Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@hadrons.org>
Date: Mon, 30 Sep 2024 01:36:22 +0200
Subject: [PATCH 1/3] Use OpenPGP when referring to the standard or objects

These are OpenPGP signatures that any conforming implementation should
be able to handle. They are not specific to GnuPG, which is one of many
implementations, even though a very prominent one.
---
 examples/curl  | 2 +-
 examples/rsync | 2 +-
 plugins/curl   | 4 ++--
 plugins/rsync  | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/examples/curl b/examples/curl
index 18ed01b..b8f6d96 100644
--- a/examples/curl
+++ b/examples/curl
@@ -6,4 +6,4 @@ URL='https://www.example.com/known_hosts'
 
 # optional:
 SIGURL='http://www.example.com/known_hosts.sig'
-KEYRING='/path/to/gpgv-compatible.keyring'
+KEYRING='/path/to/openpgp-compatible.keyring'
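Review bot: the rename is fine, but the same hunk shows SIGURL still on plain http while URL is https. That is harmless when KEYRING is set, since the detached signature is what gets verified, but using https for both in the example avoids suggesting that the signature channel needs less protection than the data channel.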
diff --git a/examples/rsync b/examples/rsync
index 1d9fd4c..cbb6d64 100644
--- a/examples/rsync
+++ b/examples/rsync
@@ -11,5 +11,5 @@ URL='rsync://rsync.example.com/pub/known_hosts'
 
 # optional:
 SIGURL='rsync://rsync.example.com/pub/known_hosts.sig'
-KEYRING='/path/to/gpgv-compatible.keyring'
+KEYRING='/path/to/openpgp-compatible.keyring'
 
diff --git a/plugins/curl b/plugins/curl
index 9c47601..989891a 100755
--- a/plugins/curl
+++ b/plugins/curl
@@ -5,8 +5,8 @@
 # ENVIRONMENT VARIABLES:
 #	URL		URL to download known_hosts file from
 #	CURL_OPTIONS	options passed to curl
-#	SIGURL		URL of the GnuPG signature
-#	KEYRING		path to the keyring for use by gpgv
+#	SIGURL		URL of the OpenPGP signature
+#	KEYRING		path to the OpenPGP keyring with certificates
 #
 
 set -e
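Review bot: the new KEYRING description ("OpenPGP keyring with certificates") reads as if any certificate file will do, yet the code below still calls gpgv, which has traditionally required a keyring in GnuPG's own binary keyring or keybox format rather than an armored export; state the accepted format on this line so nobody points KEYRING at an `.asc` file and gets an unhelpful gpgv failure.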
diff --git a/plugins/rsync b/plugins/rsync
index 1a57660..2ff5c1a 100755
--- a/plugins/rsync
+++ b/plugins/rsync
@@ -4,8 +4,8 @@
 #
 # ENVIRONMENT VARIABLES:
 #	URL		URL to download known_hosts file from
-#	SIGURL		URL of the GnuPG signature
-#	KEYRING		path to the keyring for use by gpgv
+#	SIGURL		URL of the OpenPGP signature
+#	KEYRING		path to the OpenPGP keyring with certificates
 #
 
 set -e
-- 
2.45.2

From 06ef4f03e5e898faa2e56cca67880960b44b61d8 Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@hadrons.org>
Date: Mon, 30 Sep 2024 02:00:58 +0200
Subject: [PATCH 2/3] Current gpgv requires the datafile for detached
 signatures

Otherwise we get the following error:

  gpgv: no signed data
  gpgv: can't hash datafile: No data
---
 plugins/curl  | 2 +-
 plugins/rsync | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/curl b/plugins/curl
index 989891a..b9dd2cb 100755
--- a/plugins/curl
+++ b/plugins/curl
@@ -14,7 +14,7 @@ set -e
 if [ "${SIGURL}" ]; then
 	curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new.sig "${SIGURL}" -o new "${URL}"
 	[ -e new ] || exit 0
-	gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1
+	gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
 	# return 1 because it's not clear what other codes may used
 else
 	curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new "${URL}"
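Review bot: with `new` passed as the datafile the call now matches gpgv's detached-signature form, but verification still only proves that some certificate in KEYRING signed `new` at some point: nothing checks that `new` is newer than `./current`, so a mirror serving an older but validly signed pair re-verifies and rolls the known_hosts back. If that matters, compare against ./current after verification, or state the limitation in the header comment. Under `set -e` the trailing `|| exit 1` only normalizes the exit status, which is fine.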
diff --git a/plugins/rsync b/plugins/rsync
index 2ff5c1a..1c2cae2 100755
--- a/plugins/rsync
+++ b/plugins/rsync
@@ -15,7 +15,7 @@ rsync -vt --timeout=300 "${URL}" new
 
 if [ "${SIGURL}" ]; then
 	rsync -vt --timeout=300 "${SIGURL}" new.sig
-	gpgv --keyring "${KEYRING}" --status-fd 2 new.sig || exit 1
+	gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
 	# return 1 because it's not clear what other codes may used
 fi	
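Review bot: the datafile fix is right, but the control flow differs from the curl plugin: `new` is fetched unconditionally before the `if`, so when SIGURL is set and either the signature fetch or `gpgv` fails, the script exits 1 with a fresh but unverified `new` already on disk; make sure the caller treats a non-zero exit as "discard new". Unrelated but visible in the context: `fi` carries a trailing tab.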
 
-- 
2.45.2

From b5d88cde1899aa2a0b8b296df70f8ac8ead17e04 Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@hadrons.org>
Date: Mon, 30 Sep 2024 01:39:13 +0200
Subject: [PATCH 3/3] Add sopv support

This is a subset of the Stateless OpenPGP CLI
<https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/>,
that can easily replace the GnuPG usage.

There are multiple implementations providing this interface.
---
 plugins/curl  | 8 ++++++--
 plugins/rsync | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/plugins/curl b/plugins/curl
index b9dd2cb..d4dec08 100755
--- a/plugins/curl
+++ b/plugins/curl
@@ -14,8 +14,12 @@ set -e
 if [ "${SIGURL}" ]; then
 	curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new.sig "${SIGURL}" -o new "${URL}"
 	[ -e new ] || exit 0
-	gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
-	# return 1 because it's not clear what other codes may used
+	if command -v sopv >/dev/null; then
+		sopv verify new.sig "${KEYRING}" <new
+	else
+		gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
+		# return 1 because it's not clear what other codes may used
+	fi
 else
 	curl -fRz "./current" -m 300 ${CURL_OPTIONS} -o new "${URL}"
 fi
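Review bot: the sopv branch drops the `|| exit 1` that the gpgv branch keeps, so on a bad or missing signature the script (under `set -e`) exits with sopv's own status code rather than the normalized 1 the comment promises; add `|| exit 1` to `sopv verify new.sig "${KEYRING}" <new` for the same contract, or document that callers must treat any non-zero status as failure. Also worth a line in the header comment: sopv is preferred whenever it is on PATH and takes OpenPGP certificates (binary or armored), so a KEYRING kept in GnuPG's keybox (.kbx) format that worked with gpgv will stop verifying once a sopv implementation gets installed.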
diff --git a/plugins/rsync b/plugins/rsync
index 1c2cae2..5423d10 100755
--- a/plugins/rsync
+++ b/plugins/rsync
@@ -15,8 +15,12 @@ rsync -vt --timeout=300 "${URL}" new
 
 if [ "${SIGURL}" ]; then
 	rsync -vt --timeout=300 "${SIGURL}" new.sig
-	gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
-	# return 1 because it's not clear what other codes may used
+	if command -v sopv >/dev/null; then
+		sopv verify new.sig "${KEYRING}" <new
+	else
+		gpgv --keyring "${KEYRING}" --status-fd 2 new.sig new || exit 1
+		# return 1 because it's not clear what other codes may used
+	fi
 fi	
 
 # vim:set ft=sh:
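Review bot: same exit-status inconsistency as in the curl plugin (sopv branch has no `|| exit 1`). Additionally, `sopv verify` prints its VERIFICATIONS lines to stdout on success, whereas the gpgv branch sends status to fd 2 (`--status-fd 2`); if the plugin's stdout is consumed by the calling framework, redirect with `sopv verify new.sig "${KEYRING}" <new >&2` so both backends behave alike.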
-- 
2.45.2

From b3de521b92d55f1fae487f45068dd18a81829990 Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@hadrons.org>
Date: Mon, 30 Sep 2024 02:16:12 +0200
Subject: [PATCH] Update metadata for sopv support

Use OpenPGP when referring to the standard or its objects. Add sopv as
the primary alternative dependency to gpgv.
---
 debian/control | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/debian/control b/debian/control
index e112c89..b7458c9 100644
--- a/debian/control
+++ b/debian/control
@@ -12,13 +12,13 @@ Package: openssh-known-hosts
 Architecture: all
 Depends: lockfile-progs, ${misc:Depends}
 Recommends: openssh-client, cron
-Suggests: postgresql-client, rsync, curl, gpgv
+Suggests: postgresql-client, rsync, curl, sopv | gpgv
 Description: download, filter and merge known_hosts for OpenSSH
  This package allows you to download public hostkeys from multiple sources,
  filter the hostnames coming with them and merge them together into one
  file for use by OpenSSH. Plugins included:
-  * curl (optional GnuPG verification)
-  * rsync (optional GnuPG verification)
+  * curl (optional OpenPGP verification)
+  * rsync (optional OpenPGP verification)
   * psql
   * symlink
  New plugins can easily be written.
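Review bot: `sopv | gpgv` matches the plugin's preference order (sopv first), but it only helps if `sopv` resolves to a real or virtual package in the target suite; check with `apt-cache showpkg sopv` before upload. Since these are Suggests, neither verifier is pulled in by default, so the plugin header comments remain the only place a user learns that one must be installed for SIGURL to work.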
-- 
2.45.2
