All,

I have run into an issue with debsig-verify in combination with GnuPG
v2.1.18+ as seen in Debian 9.

With GnuPG 2.1.18+, the call used in `/src/gpg-parse.c` to parse the
keyring fails (error code 2), resulting in the failure of debsig-verify:

```
root@bc88c35a95a8:~# debsig-verify -v -d --list-policies gitlab-ce_8.1.0+git.3216.1f52045-rc1.ce.0_amd64.deb
debsig: Listing usable policies
debsig:         getSigKeyID: got 66D26543C0207D21 for origin key
debsig: Using policy directory: /etc/debsig/policies/66D26543C0207D21
debsig:   Policies in: /etc/debsig/policies/66D26543C0207D21
debsig:   Parsing policy file: /etc/debsig/policies/66D26543C0207D21/gitlab.pol
debsig:     parsePolicyFile: parsing '/etc/debsig/policies/66D26543C0207D21/gitlab.pol'
debsig:     parsePolicyFile: completed
debsig:     Checking Selection group(s).
debsig:       Processing 'origin' key...
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
debsig: subprocess getKeyID returned error exit status 2
```

Doing some investigation with strace, I located the exact call being
attempted to the keyring in use, and called it manually in an attempt to
more directly replicate the failure:
```
# gpg --no-options --no-default-keyring --batch --no-secmem-warning --no-permission-warning --list-packets -q /usr/share/debsig/keyrings/66D26543C0207D21/gitlab.gpg
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
```

In the event that the keyring was somehow corrupt, I verified that GnuPG
could indeed interpret the keychain, and found no issue:
```
# gpg --no-permission-warning --no-default-keyring --keyring /usr/share/debsig/keyrings/66D26543C0207D21/gitlab.gpg -k
/usr/share/debsig/keyrings/66D26543C0207D21/gitlab.gpg
------------------------------------------------------
pub   rsa4096 2016-08-18 [SC]

     CC9524B59894C4C0A51ACD6266D26543C0207D21

uid           [ unknown] GitLab Inc. <supp...@gitlab.com>

sub   rsa4096 2016-08-18 [E]
```

For informational purposes, the keyring was generated with
```
gpg --no-default-keyring --batch --no-permission-warning --no-options \
    --keyring "$KEYRINGS/$KEYID/gitlab.gpg" \
    --import $KEYFILE
```

This may be an intentional change, or an incidental breakage from GnuPG. I
have not yet derived that, but wanted to bring this to your attention.

-- 
Jason Plum
GitLab
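The probe that fails above feeds the keyring file straight to `gpg --list-packets`, which only parses raw OpenPGP data, while the working `-k` listing goes through GnuPG's own keyring handling. As an added example (not part of the original message), a small POSIX sh check that reports what format a keyring file actually is; it assumes GnuPG 2.1+ may write a keybox-format file (magic `KBXf` at offset 8) when `--import` targets a `--keyring` path that does not yet exist, and the sample files it builds are constructed fixtures, not real keys.

```shell
#!/bin/sh
# Added example, not code from debsig-verify or GnuPG.
# Assumption: a keybox file carries the magic "KBXf" at byte offset 8;
# a binary OpenPGP keyring starts with a public-key packet header
# (tag 6: 0x99/0x98/0x9a old format, 0xc6 new format).

# keyring_format FILE -> prints keybox | openpgp-binary | openpgp-armored | unknown
keyring_format() {
    f=$1
    [ -s "$f" ] || { echo unknown; return 0; }
    magic=$(dd if="$f" bs=1 skip=8 count=4 2>/dev/null)
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$magic" = KBXf ]; then
        echo keybox
    elif [ "$first" = 99 ] || [ "$first" = 98 ] || [ "$first" = 9a ] || [ "$first" = c6 ]; then
        echo openpgp-binary
    elif dd if="$f" bs=1 count=14 2>/dev/null | grep -q '^-----BEGIN PGP'; then
        echo openpgp-armored
    else
        echo unknown
    fi
}

# list_packets_parsable FILE -> exit 0 only when gpg --list-packets could read it
list_packets_parsable() {
    case "$(keyring_format "$1")" in
        openpgp-binary|openpgp-armored) return 0 ;;
        *) return 1 ;;
    esac
}

# make_samples DIR -> write constructed fixtures (not real key material)
make_samples() {
    # keybox header blob: length 32, type 1, version 1, flags 0, magic KBXf
    printf '\000\000\000\040\001\001\000\000KBXf\000\000\000\000' > "$1/keybox.gpg"
    # old-format tag-6 header (0x99) followed by a 2-byte length
    printf '\231\001\015\004' > "$1/binary.gpg"
    printf -- '-----BEGIN PGP PUBLIC KEY BLOCK-----\n' > "$1/armored.asc"
    printf 'hello' > "$1/junk"
}

# Usage: sh keyring-format.sh /usr/share/debsig/keyrings/KEYID/*.gpg
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(keyring_format "$f")"
done
```

A keyring that reports `keybox` explains why `-k` succeeds while `--list-packets` reports "no valid OpenPGP data found"; only the binary or armored forms are usable as `--list-packets` input.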
