Your message dated Fri, 14 Mar 2025 18:21:32 +0000
with message-id <e1tt9f2-002srj...@fasolo.debian.org>
and subject line Bug#1100454: fixed in libmodule-signature-perl 0.89-2
has caused the Debian Bug report #1100454,
regarding libmodule-signature-perl: Infinite loop with gpg-sq
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1100454: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100454
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libmodule-signature-perl
Version: 0.89-1
Severity: serious
Forwarded: https://github.com/audreyt/module-signature/pull/40
Tags: patch

Hi!

As part of the release process for dpkg, there's a CPAN distribution
generated from the source tree to be uploaded, and to sign it, this
module is being used.

When doing so as part of one of the last releases, the release script
got stuck during the CPAN signing. While debugging I tracked it down
to gpg-sq emitting unexpected output on stdout (reported upstream as
<https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupg/-/issues/128>),
which then made the Module::Signature module get into an infinite
loop. I don't think that should really happen (even if gpg-sq is
not mimicking the gpg-g10code behavior here).

I've created a patch for that, which fixes the problematic code, and
submitted upstream, but that has not been merged yet. If there is
concern about its aptness, then a more minimal fix would be to simply
change both «while» keywords into «foreach» (which is what I did
initially on my system to be able to proceed with the release). I can
provide that instead if that would be the preference (this would also
avoid the spurious warning from Module::Signature about not finding the
key in any public keyserver due to gpg-sq not implementing the gpg
--search-keys option and also the warning about that option not being
implemented, see also
<https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupg/-/issues/129>),
which would not seem like a huge loss, given that this code has been
pretty much inert all this time anyway.

Thanks,
Guillem
From b3711c50dbfaee412146561569f94b433c13d494 Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@hadrons.org>
Date: Fri, 7 Mar 2025 03:27:15 +0100
Subject: [PATCH] Fix gpg output parsing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use «foreach» instead of «while» to traverse the GnuPG output array,
otherwise the topic variable never gets initialized, and the «while»
continuously evaluates the array in boolean context and we get into
infinite loops.

With GnuPG the infinite loop currently never triggers because it does
not output anything on stdout. But with the Sequoia GnuPG Chameleon it
outputs the original contents being verified (which is a divergence
that should probably be fixed upstream).

Force the output to stdout instead of stderr so that we can parse it,
and update the parser to match on current output lines. Although ideally
the parser should be switched to try to use one of the machine parseable
outputs such as --with-colons, otherwise there is no guarantee this will
not change again in the future, but this is the simplest minimal change.
---
 lib/Module/Signature.pm | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/lib/Module/Signature.pm b/lib/Module/Signature.pm
index 40b4520..c2d51fb 100644
--- a/lib/Module/Signature.pm
+++ b/lib/Module/Signature.pm
@@ -462,14 +462,11 @@ sub _sign_gpg {
 
     my $key_id;
     my $key_name;
-    # This doesn't work because the output from verify goes to STDERR.
-    # If I try to redirect it using "--logger-fd 1" it just hangs.
-    # WTF?
-    my @verify = `$gpg --batch --verify $SIGNATURE`;
-    while (@verify) {
-        if (/key ID ([0-9A-F]+)$/) {
+    my @verify = `$gpg --batch --logger-fd 1 --verify $SIGNATURE`;
+    foreach (@verify) {
+        if (/key(?: ID)? ([0-9A-F]+)$/) {
             $key_id = $1;
-        } elsif (/signature from "(.+)"$/) {
+        } elsif (/signature from "(.+)"(?: \[[a-z]+\])?$/) {
             $key_name = $1;
         }
     }
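Review bot: both replacement regexes (`/key(?: ID)? ([0-9A-F]+)$/` and `/signature from "(.+)"(?: \[[a-z]+\])?$/`) are anchored only at the end of the line, so once `--logger-fd 1` puts gpg's log on stdout alongside whatever else lands there (the report says gpg-sq echoes the verified content on stdout), any content line ending in `key <hex>` or `signature from "..."` is accepted as if it were gpg's own message, and the second pattern also matches `BAD signature from "..."`; gpg localizes these strings as well, so neither pattern matches on a non-C locale unless the caller forces `LC_ALL=C`. Requiring the `^gpg: ` prefix and the word `Good`, or better switching to `--status-fd 1` and matching `^\[GNUPG:\] GOODSIG ([0-9A-F]+) (.+)$`, would decouple the parse from the human-readable wording that the commit message itself says is not guaranteed to stay stable. The deleted comment recorded that `--logger-fd 1` "just hangs"; since that hang was this `while (@verify)` loop spinning on a non-empty array, a one-line comment saying so would keep a future maintainer from reinstating the workaround.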
@@ -478,7 +475,7 @@ sub _sign_gpg {
     my $found_key;
     if (defined $key_id && defined $key_name) {
         my $keyserver = _keyserver($version);
-        while (`$gpg --batch --keyserver=$keyserver --search-keys '$key_name'`) {
+        foreach (`$gpg --batch --keyserver=$keyserver --search-keys '$key_name'`) {
             if (/^\(\d+\)/) {
                 $found_name = 0;
             } elsif ($found_name) {
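Review bot: `$key_name` is interpolated into a shell command inside single quotes, and it is taken from gpg's `signature from "(.+)"` output in the hunk above, so a user ID containing `'` (or a quote in a line echoed by a non-gpg tool) breaks the quoting and lets the rest be interpreted by the shell; running gpg through the list form of `open` or `system` (no shell) or via `IPC::Open3` avoids this. The `foreach` change itself is the same fix as in the previous hunk and is correct: when gpg-sq returns nothing for `--search-keys` (the report notes the option is unimplemented), the body simply never runs instead of looping forever, which matches the report's remark that this code has been inert.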
-- 
2.47.2


--- End Message ---
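The commit message above recommends moving the parser onto one of GnuPG's machine-readable outputs instead of its human-readable log lines. The following Python block is an added example, not code from Module::Signature, from the patch, or from the Debian package: it parses the `--status-fd` stream (`[GNUPG:] GOODSIG`, `VALIDSIG`, `BADSIG` and related records that GnuPG documents in doc/DETAILS) and skips every line without the `[GNUPG:] ` prefix, so a tool that echoes the verified content on stdout, as the report describes gpg-sq doing, cannot confuse it, and a single pass over the lines cannot loop forever. The sample stream below is constructed for the example; the key ID, fingerprint, user ID and file names are made up, and the `verify_detached_via_status_fd` helper is an assumption about how one would wire this to a gpg binary (it is not run here).

```python
import re
import subprocess
from dataclasses import dataclass, field
from typing import Optional

STATUS_PREFIX = "[GNUPG:] "

# Status keywords after which the signature must not be accepted. EXPKEYSIG and
# REVKEYSIG are included on purpose: the signature is cryptographically good,
# but the key is expired or revoked, which a release-signing tool should flag.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NOPUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Long key ID (16 hex), v4 fingerprint (40 hex) or v5 fingerprint (64 hex).
HEX_ID = re.compile(r"[0-9A-F]{16,64}")


@dataclass
class VerifyResult:
    good: bool = False
    key_id: Optional[str] = None
    fingerprint: Optional[str] = None
    user_id: Optional[str] = None
    problems: list[str] = field(default_factory=list)
    ignored: int = 0  # lines on the stream that were not status records


def parse_status_fd(text: str) -> VerifyResult:
    """Parse the stream written by `gpg --status-fd 1 --verify ...`.

    Only lines carrying the "[GNUPG:] " prefix are interpreted. Anything else
    (human-readable log text, or the signed content itself if the gpg
    replacement echoes it on stdout) is counted and skipped, never matched.
    """
    r = VerifyResult()
    saw_goodsig = False
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            r.ignored += 1
            continue
        fields = line[len(STATUS_PREFIX):].split(" ")
        kw = fields[0]
        if kw == "GOODSIG" and len(fields) >= 3 and HEX_ID.fullmatch(fields[1]):
            # GOODSIG <long key id> <user id, which may contain spaces>
            saw_goodsig = True
            r.key_id = fields[1]
            r.user_id = " ".join(fields[2:])
        elif kw == "VALIDSIG" and len(fields) >= 2 and HEX_ID.fullmatch(fields[1]):
            # VALIDSIG <fingerprint> <sig date> <sig timestamp> ... (rest unused here)
            r.fingerprint = fields[1]
        elif kw in FAILURE_KEYWORDS:
            r.problems.append(kw)
        elif kw in ("GOODSIG", "VALIDSIG"):
            # Right keyword, but not the shape GnuPG documents: refuse rather than guess.
            r.problems.append("MALFORMED_" + kw)
        # NEWSIG, KEY_CONSIDERED, SIG_ID, TRUST_* carry nothing this caller needs.
    r.good = saw_goodsig and not r.problems
    return r


def verify_detached_via_status_fd(gpg: str, signature_file: str,
                                  data_file: Optional[str] = None) -> VerifyResult:
    """Assumed wiring to a real gpg (not exercised by the sample below).

    The argument list is passed without a shell, so file names and user IDs
    need no quoting; status records go to stdout, human-readable text to stderr.
    """
    argv = [gpg, "--batch", "--no-tty", "--status-fd", "1", "--verify", signature_file]
    if data_file is not None:
        argv.append(data_file)
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return parse_status_fd(proc.stdout)


# Constructed sample: a gpg replacement that echoes the signed content on
# stdout and also writes its status records there. The first four lines are
# decoys that the human-readable regexes would match; key ID, fingerprint and
# user ID are made up for the example.
SAMPLE_MIXED = """\
SHA256 SUMS FOR THE DISTRIBUTION
lib/Module/Signature.pm 1a2b3c
using RSA key 0123456789ABCDEF
Good signature from "Example Signer <signer@example.org>"
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz0 2025-03-07 1741314435
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-03-07 1741314435 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""

# Constructed sample of a failed verification.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>
"""

if __name__ == "__main__":
    ok = parse_status_fd(SAMPLE_MIXED)
    print(ok.good, ok.key_id, ok.user_id, "ignored:", ok.ignored)
    print(parse_status_fd(SAMPLE_BAD))
```

Because the decision is driven by the `GOODSIG` record and the absence of failure records, rather than by the wording of a log line, it holds across locales and across gpg implementations that honour the status-fd protocol, and the echoed content that triggered the original hang is simply counted as ignored lines.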
--- Begin Message ---
Source: libmodule-signature-perl
Source-Version: 0.89-2
Done: gregor herrmann <gre...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libmodule-signature-perl, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1100...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gre...@debian.org> (supplier of updated 
libmodule-signature-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Mar 2025 18:44:14 +0100
Source: libmodule-signature-perl
Architecture: source
Version: 0.89-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: gregor herrmann <gre...@debian.org>
Closes: 1100454
Changes:
 libmodule-signature-perl (0.89-2) unstable; urgency=medium
 .
   [ Guillem Jover ]
   * Fix gpg output parsing.
     Closes: #1100454
 .
   [ gregor herrmann ]
   * Update years of packaging copyright.
   * Declare compliance with Debian Policy 4.7.2.
Checksums-Sha1:
 b1798386ada0b3a2d028d9297ef0c73c7e042c34 2505 libmodule-signature-perl_0.89-2.dsc
 540417245e39fb27ca7e71524e26962c5ae0208f 7084 libmodule-signature-perl_0.89-2.debian.tar.xz
Checksums-Sha256:
 f69f6b29357f99b17fd969704a91f29a57fc0d32093c2b8c7d582e47acca9e93 2505 libmodule-signature-perl_0.89-2.dsc
 f079e9ebda6dab71e7b6f299428e0a602e117a0067fe08f6c89d0446f15c9cde 7084 libmodule-signature-perl_0.89-2.debian.tar.xz
Files:
 fa62517c805cbc862ff2ca7a3a96c444 2505 perl optional libmodule-signature-perl_0.89-2.dsc
 3b85215bb0d1358e90122ed8e3013f29 7084 perl optional libmodule-signature-perl_0.89-2.debian.tar.xz


-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmfUbKxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgbx9w//beXgX6goatHl3uTwm2tUi5w+I1UoZ8iG2GuOymVxYwngz7vI6a88mizH
xiufsJRMX7xAk7Ujchxl+8JMHoTFmN2nUs8kKZdS9cXU65hz2z0fKjdOgjimLQzW
J/Y3XwNJjlTlhB23vPoLz9aCTx/4ZsdtRgg2W2slkP40SSeHV2NI6d1/+X2fsM2v
+si4CslAxLpwYZBOZOB26YLuS5ZIb3JbJcmmuMVCEzmlRjddjoGpHkSYixlkWsFu
NdqY9FUBjORItfL8pBYUpxeHE53CrZYZoXH1v/DLs33AW/iDFFw6RzAy6+mWnPrT
Txgb1wWhu1Wf2ayT0vUqWU2pmHDqkxS3DZybgITPoI41RwOFn6YQFILxjLJH0uRZ
OfGmcBJdlXXAOIKBBwB37n5Xvw64NlITxKknvYP0/jVBSUu0tzbDC2AgwGgTYfkR
rxa1yQfDkoHqoiq0Qsx7patSCu5Z3J39sW8ERntvRj7j3/Iw5VR9WckWEuQ4LxIf
L9LVB0OsMb+0owRcWZOkukbZsDogDTuk2uwIMs7dDdE89NN83IjPavmf/z20i8b7
VWr9tk79FL1lOyTyK88cS1/+B/SpxNGo1n+lIRl0Jp8M97y/PjLUG7LoRoyg0LBV
EfmHEVen/Uq3somCHyDY5LsA9jrpcELiwLjqdTCTPtduFx6ka98=
=l6qt
-----END PGP SIGNATURE-----



--- End Message ---