Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Dear release team,

Please consider the attached patch for upload to jessie. It is a backport of my patch for bug #847963: keyringer fails to handle OpenPGP keys which have subkeys that do not expire.

I believe this bug qualifies for a patch in stable, given its impact: it makes keyrings that contain such a key unusable, since keyringer errors out on any operation, including reading secrets from the keyring.

I also included a backport of my patch for #847964, fixing a more minor issue which only occurs when GnuPG lists keys multiple times (for instance when using the `keyring /usr/share/keyrings/debian-keyring.gpg` directive).

Best,
nicoo

--
System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git c/debian/changelog w/debian/changelog index cba6437..89fc5d4 100644 --- c/debian/changelog +++ w/debian/changelog @@ -1,3 +1,11 @@ +keyringer (0.3.7-1+deb8u1) jessie-proposed-updates; urgency=medium + + * debian/patches backported from version 0.5.0 + * Handle subkeys without expiration date (Closes: #847963) + * Handle public keys listed multiple times (Closes: #847964) + + -- Nicolas Braud-Santoni <nico...@braud-santoni.eu> Fri, 27 Jan 2017 21:10:30 +0100 + keyringer (0.3.7-1) unstable; urgency=low * Added .gitignore diff --git c/debian/patches/0001-Handle-subkeys-without-expiration-date.patch w/debian/patches/0001-Handle-subkeys-without-expiration-date.patch new file mode 100644 index 0000000..5f62421 --- /dev/null +++ w/debian/patches/0001-Handle-subkeys-without-expiration-date.patch 
@@ -0,0 +1,61 @@ +From: Nicolas Braud-Santoni <nico...@braud-santoni.eu> +Date: Fri, 27 Jan 2017 20:59:43 +0100 +Subject: Handle subkeys without expiration date + +Closes #847963 + +Backported from version 0.5.0, +commit c12b5c6c7eccb8e0922ff034bb3690774e12998c +--- + ChangeLog | 5 +++++ + lib/keyringer/functions | 14 +++++++++++--- + 2 files changed, 16 insertions(+), 3 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 683c853..6b92025 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,8 @@ ++2017-01-27 - 0.3.7+deb8u1 - Nicolas Braud-Santoni <nico...@braud-santoni.eu> ++ ++ Make keyringer_check_expiration not fail on subkeys which do ++ not have an expiration date (Debian BTS #847963) ++ + 2014-08-21 - 0.3.7 - Silvio Rhatto <rha...@riseup.net> + + Init: just set git user/mail if needed +diff --git a/lib/keyringer/functions b/lib/keyringer/functions +index 42c047d..074f68e 100755 +--- a/lib/keyringer/functions ++++ b/lib/keyringer/functions +@@ -715,19 +715,27 @@ function keyringer_check_expiration { + fi + + # Check the subkeys +- expiry="" +- for expiry in `gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub | cut -d : -f 7`; do ++ local subkey="" ++ for subkey in $(gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub); do ++ local expiry=$(cut -d : -f 7 <<< "$subkey") ++ ++ if [[ -z "$expiry" ]]; then ++ not_expired=1 ++ break ++ fi ++ + if [[ "$seconds" -lt "$expiry" ]]; then + not_expired="1" + + if [[ "$ahead" -gt "$expiry" ]] && [ "$BASENAME" == "check" ]; then + echo "Warning: subkey from $recipient will expire soon, on `date --date="@$expiry"`" + fi ++ break + fi + done + + # All subkeys are expired +- if [ ! -z "$expiry" ] && [ "$not_expired" != "1" ]; then ++ if [ ! -z "$subkey" ] && [ "$not_expired" != "1" ]; then + echo "Fatal: key $recipient has no keys suitable for encryption: all subkeys expired." + exit 1 + fi 
diff --git c/debian/patches/0002-Handle-public-keys-listed-multiple-times.patch w/debian/patches/0002-Handle-public-keys-listed-multiple-times.patch new file mode 100644 index 0000000..2574f30 --- /dev/null +++ w/debian/patches/0002-Handle-public-keys-listed-multiple-times.patch @@ -0,0 +1,39 @@ +From: Nicolas Braud-Santoni <nico...@braud-santoni.eu> +Date: Fri, 27 Jan 2017 20:59:50 +0100 +Subject: Handle public keys listed multiple times + +Closes #847964 + +Backported from version 0.5.0, +commit 21ca00d0d8d6e206cb377dc1febe8f66694142d7 +--- + ChangeLog | 3 +++ + lib/keyringer/functions | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ChangeLog b/ChangeLog +index 6b92025..9ec9d7a 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,5 +1,8 @@ + 2017-01-27 - 0.3.7+deb8u1 - Nicolas Braud-Santoni <nico...@braud-santoni.eu> + ++ Fix keyringer_check_expiration failure if a public key is ++ listed multiple times (Debian #847964) ++ + Make keyringer_check_expiration not fail on subkeys which do + not have an expiration date (Debian BTS #847963) + +diff --git a/lib/keyringer/functions b/lib/keyringer/functions +index 074f68e..a5ba7eb 100755 +--- a/lib/keyringer/functions ++++ b/lib/keyringer/functions +@@ -696,7 +696,7 @@ function keyringer_check_expiration { + seconds="`date +%s`" + + # Check the main key +- expiry="`gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^pub | cut -d : -f 7`" ++ expiry="`gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^pub | head -n1 | cut -d : -f 7`" + + # TODO: Time to expire can be configured via repository options. + ahead="$((86400 * 30 + $seconds))" diff --git c/debian/patches/series w/debian/patches/series new file mode 100644 index 0000000..9a8cb87 --- /dev/null +++ w/debian/patches/series @@ -0,0 +1,2 @@ +0001-Handle-subkeys-without-expiration-date.patch +0002-Handle-public-keys-listed-multiple-times.patch
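Review bot: In the lib/keyringer/functions hunk of 0001-Handle-subkeys-without-expiration-date.patch, the subkey loop decides solely on field 7 (expiration) of each `sub` record and never looks at field 2 (validity) or field 12 (key capabilities), so a revoked subkey or a non-expiring signing-only subkey sets `not_expired=1` and the `break` skips the remaining subkeys, while the fatal message still reads "no keys suitable for encryption". Consider skipping records whose field 2 is `r`/`e` and whose field 12 lacks `e` before applying the expiry logic, and reading the records with `while IFS= read -r subkey; do ...; done < <(gpg ... | grep ^sub)` instead of `for subkey in $(...)`, which depends on word splitting of the gpg output. The `break` added to the non-expired branch also means the "will expire soon" warning is printed for at most the first usable subkey.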
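Review bot: In the lib/keyringer/functions hunk of 0002-Handle-public-keys-listed-multiple-times.patch, `head -n1` silently takes the first `pub` record, which is right when the same key is listed twice (the case the changelog describes) but wrong when `$recipient` matches several distinct keys, since the expiry of an unrelated key is then checked. Prefer deduplicating on the key ID in field 5 (`cut -d : -f 5 | sort -u`) and reporting a fatal error when more than one distinct key matches, so the ambiguity is surfaced rather than resolved by list order. Minor: the two ChangeLog entries cite the bugs as "Debian BTS #847963" and "Debian #847964"; pick one form.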