Package: libmodule-signature-perl
Version: 0.89-1
Severity: serious
Forwarded: https://github.com/audreyt/module-signature/pull/40
Tags: patch

Hi!

As part of the release process for dpkg, there's a CPAN distribution
generated from the source tree to be uploaded, and to sign it, this
module is being used.

When doing so as part of one of the last releases, the release script
got stuck during the CPAN signing. While debugging I tracked it down
to gpg-sq emitting unexpected output on stdout (reported upstream as
<https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupg/-/issues/128>),
which then made the Module::Signature module get into an infinite
loop. I don't think that should really happen (even if gpg-sq is
not mimicking the gpg-g10code behavior here).

I've created a patch for that, which fixes the problematic code, and
submitted upstream, but that has not been merged yet. If there is
concern about its aptness, then a more minimal fix would be to simply
change both «while» keywords into «foreach» (which is what I did
initially on my system to be able to proceed with the release). I can
provide that instead if that would be the preference (this would also
avoid the spurious warning from Module::Signature about not finding the
key in any public keyserver due to gpg-sq not implementing the gpg
--search-keys option and also the warning about that option not being
implemented, see also
<https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupg/-/issues/129>),
which would not seem like a huge loss, given that this code has been
pretty much inert all this time anyway.

Thanks,
Guillem
From b3711c50dbfaee412146561569f94b433c13d494 Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@hadrons.org>
Date: Fri, 7 Mar 2025 03:27:15 +0100
Subject: [PATCH] Fix gpg output parsing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use «foreach» instead of «while» to traverse the GnuPG output array,
otherwise the topic variable never gets initialized, and the «while»
continuously evaluates the array in boolean context and we get into
infinite loops.

With GnuPG the infinite loop currently never triggers because it does
not output anything on stdout. But with the Sequoia GnuPG Chameleon it
outputs the original contents being verified (which is a divergence
that should probably be fixed upstream).

Force the output to stdout instead of stderr so that we can parse it,
and update the parser to match on current output lines. Although ideally
the parser should be switched to try to use one of the machine parseable
outputs such as --with-colons, otherwise there is no guarantee this will
not change again in the future, but this is the simplest minimal change.
---
 lib/Module/Signature.pm | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/lib/Module/Signature.pm b/lib/Module/Signature.pm
index 40b4520..c2d51fb 100644
--- a/lib/Module/Signature.pm
+++ b/lib/Module/Signature.pm
@@ -462,14 +462,11 @@ sub _sign_gpg {
 
     my $key_id;
     my $key_name;
-    # This doesn't work because the output from verify goes to STDERR.
-    # If I try to redirect it using "--logger-fd 1" it just hangs.
-    # WTF?
-    my @verify = `$gpg --batch --verify $SIGNATURE`;
-    while (@verify) {
-        if (/key ID ([0-9A-F]+)$/) {
+    my @verify = `$gpg --batch --logger-fd 1 --verify $SIGNATURE`;
+    foreach (@verify) {
+        if (/key(?: ID)? ([0-9A-F]+)$/) {
             $key_id = $1;
-        } elsif (/signature from "(.+)"$/) {
+        } elsif (/signature from "(.+)"(?: \[[a-z]+\])?$/) {
             $key_name = $1;
         }
     }
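Review bot: the `signature from` pattern accepts any line containing that phrase, so a `BAD signature from "..."` line would populate `$key_name` exactly like a `Good signature` line; and since stdout now also carries whatever the Chameleon echoes of the verified content, both regexes would be safer anchored on the logger prefix (e.g. `/^gpg: .*key(?: ID)? ([0-9A-F]+)$/`) so a content line cannot be mistaken for a logger line. The deleted comment said `--logger-fd 1` "just hangs"; a one-line comment noting that the hang was the `while (@verify)` loop looping over non-empty stdout, not the option itself, would spare the next reader the same doubt.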
@@ -478,7 +475,7 @@ sub _sign_gpg {
     my $found_key;
     if (defined $key_id && defined $key_name) {
         my $keyserver = _keyserver($version);
-        while (`$gpg --batch --keyserver=$keyserver --search-keys '$key_name'`) {
+        foreach (`$gpg --batch --keyserver=$keyserver --search-keys '$key_name'`) {
             if (/^\(\d+\)/) {
                 $found_name = 0;
             } elsif ($found_name) {
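Review bot: with `foreach` this loop body executes for the first time, and the visible context declares `my $found_key;` while the body assigns and tests `$found_name`; confirm `$found_name` is declared (under `use strict` an undeclared variable is a compile error) and that the two names are not meant to be one variable. `$key_name`, taken from gpg's own output, is also interpolated into a shell command line between single quotes, so a name containing a quote would break the command; passing the arguments as a list to `open` or `IPC::Open3` instead of backticks avoids that.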
-- 
2.47.2
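As an added illustration, not part of the bug report or of Module::Signature itself, here is the patched parsing loop lifted into a stand-alone Perl function and run over constructed sample lines in both the older "key ID" style and the current "using RSA key ... [ultimate]" style that the widened regexes target; the sample output is constructed, not captured from a gpg run.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse the human-readable lines that `gpg --batch --logger-fd 1 --verify`
# writes, using the regexes from the patch. Returns (key_id, key_name);
# either is undef when no matching line was seen.
sub parse_gpg_verify {
    my @verify = @_;
    my ($key_id, $key_name);
    # foreach aliases $_ to each element in turn. The original
    # `while (@verify)` tested the array in boolean context without ever
    # shrinking it or setting $_, so any non-empty output looped forever.
    foreach (@verify) {
        if (/key(?: ID)? ([0-9A-F]+)$/) {
            $key_id = $1;
        } elsif (/signature from "(.+)"(?: \[[a-z]+\])?$/) {
            $key_name = $1;
        }
    }
    return ($key_id, $key_name);
}

# Constructed sample outputs (not captured from a real gpg run): an older
# "key ID" style and the current "using ... key" style with a trailing
# trust annotation.
my %samples = (
    old => [
        "gpg: Signature made Fri Mar  7 03:27:15 2025 CET using RSA key ID 89ABCDEF\n",
        "gpg: Good signature from \"Example Signer <signer\@example.org>\"\n",
    ],
    new => [
        "gpg: Signature made Fri Mar  7 03:27:15 2025 CET\n",
        "gpg:                using RSA key 0123456789ABCDEF0123456789ABCDEF01234567\n",
        "gpg: Good signature from \"Example Signer <signer\@example.org>\" [ultimate]\n",
    ],
);

for my $style (sort keys %samples) {
    my ($id, $name) = parse_gpg_verify(@{ $samples{$style} });
    printf "%s: key id=%s name=%s\n", $style, $id // '(none)', $name // '(none)';
}
```

Both styles yield the key id and the quoted name; feeding the function an empty list returns two undefs and terminates, which is the behaviour the `while` version could not guarantee.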
