Package: debmirror
Version: 1:2.32
Severity: important

Dear Maintainer,

When debmirror splits InRelease files using split_clearsigned_file, it can
produce text and signature files that gpgv reports as having a "BAD
signature." Yet gpgv reports "Good signature" for the original InRelease
file, by itself. What I found is that most files work but some do not.

Attached is a standalone split command, using the code from debmirror.

This is what I see when I test the debian-archive wheezy-backports InRelease
file:

# md5sum wheezy-inrelease
a3f7caeef19f3e3797ec08748409d413  wheezy-inrelease
# head -n 20 wheezy-inrelease
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: Debian Backports
Label: Debian Backports
Suite: wheezy-backports
Version:
Codename: wheezy-backports
Date: Wed, 24 Jan 2018 08:51:34 UTC
NotAutomatic: yes
ButAutomaticUpgrades: yes
Architectures: amd64 armel armhf i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 s390x sparc
Components: main contrib non-free
Description: Backports for the Wheezy Distribution
MD5Sum:
 21206181d8c101b785f51c82820acef7 118763 contrib/Contents-amd64
 85c8255dffc0437f45d71e2e0d27401b 2704 contrib/Contents-amd64.diff/Index
 01c60695e6465dc1a3f2035d7060de57 10211 contrib/Contents-amd64.gz
 01d265b9bcabbad6969c560a69550890 72100 contrib/Contents-armel
 e03cee735398401fedf5b505fdc0cdbc 1720 contrib/Contents-armel.diff/Index
# gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg --keyring /usr/share/keyrings/debian-archive-removed-keys.gpg -v wheezy-inrelease
gpgv: armor header: Hash: SHA256
gpgv: original file name=''
gpgv: Signature made Wed 24 Jan 2018 03:51:53 AM EST
gpgv:                using RSA key A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
gpgv: Good signature from "Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmas...@debian.org>"
gpgv: textmode signature, digest algorithm SHA256, key algorithm rsa4096
gpgv: Signature made Wed 24 Jan 2018 03:51:53 AM EST
gpgv:                using RSA key 126C0D24BD8A2942CC7DF8AC7638D0442B90D010
gpgv: Good signature from "Debian Archive Automatic Signing Key (8/jessie) <ftpmas...@debian.org>"
gpgv: textmode signature, digest algorithm SHA256, key algorithm rsa4096
# ./split_clearsigned_file wheezy-inrelease
# gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg --keyring /usr/share/keyrings/debian-archive-removed-keys.gpg -v wheezy-inrelease-sig wheezy-inrelease-txt
gpgv: Signature made Wed 24 Jan 2018 03:51:53 AM EST
gpgv:                using RSA key A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
gpgv: BAD signature from "Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmas...@debian.org>"
gpgv: textmode signature, digest algorithm SHA256, key algorithm rsa4096

It does not always fail in this way. The jessie-backports InRelease file
works fine.

Here's the source I used for split_clearsigned_file:

#!/usr/bin/perl -w
# isolate split_clearsigned_file from debmirror
use strict;
use IO::Handle;    # for ->flush on the lexical filehandles

my $infile = $ARGV[0];
open my $sfd, '>', "$infile-sig" or die "$infile-sig: $!\n";
open my $tfd, '>', "$infile-txt" or die "$infile-txt: $!\n";
split_clearsigned_file($infile, $tfd, $sfd) or die "split failed\n";

# Split a clearsigned message into data and signature.
# Based on the similar SplitClearSignedFile in APT.
sub split_clearsigned_file {
    my ($filename, $content_fh, $signature_fh) = @_;
    my $found_message_start = '';
    my $found_message_end = '';
    my $skip_until_empty_line = '';
    my $found_signature = '';
    my $first_line = 1;
    my $signed_message_not_on_first_line = '';
    my $found_garbage = '';
    # $! (not $1) carries the open() error
    open my $handle, "<", $filename or die "can't open $filename: $!";
    while (my $line = <$handle>) {
        $line =~ s/[\n\r]+$//;
        if (not $found_message_start) {
            if ($line eq '-----BEGIN PGP SIGNED MESSAGE-----') {
                $found_message_start = 1;
                $skip_until_empty_line = 1;
            } else {
                $signed_message_not_on_first_line = 1;
                $found_garbage = 1;
            }
        } elsif ($skip_until_empty_line) {
            # armor headers ("Hash: SHA256") end at the first empty line
            if ($line eq '') {
                $skip_until_empty_line = '';
            }
        } elsif (not $found_signature) {
            if ($line eq '-----BEGIN PGP SIGNATURE-----') {
                $found_signature = 1;
                $found_message_end = 1;
                print $signature_fh "$line\n";
            } elsif (not $found_message_end) {
                # we are in the message block
                # We don't have any fields that need to be dash-escaped, but
                # implementations are free to encode all lines.
                $line =~ s/^- //;
                if ($first_line) {
                    # first line does not need a newline
                    $first_line = '';
                } else {
                    print $content_fh "\n";
                }
                print $content_fh $line;
            } else {
                $found_garbage = 1;
            }
        } else {
            print $signature_fh "$line\n";
            if ($line eq '-----END PGP SIGNATURE-----') {
                $found_signature = '';
            }
        }
    }
    $content_fh->flush;
    $signature_fh->flush;
    if ($found_message_start) {
        if ($signed_message_not_on_first_line) {
            die "Clearsigned file '$filename' does not start with a signed message block.\n";
        } elsif ($found_garbage) {
            die "Clearsigned file '$filename' contains unsigned lines or multiple signed message blocks.\n";
        }
    }
    if ($found_signature) {
        die "Signature in file $filename wasn't closed.\n";
    }
    if ($first_line and not $found_message_start and not $found_message_end) {
        # This is an unsigned file, so don't generate an error, but splitting
        # was unsuccessful nonetheless.
        return 0;
    } elsif ($first_line or not $found_message_start or not $found_message_end) {
        # Syntax error.
        die "Splitting of $filename failed as it doesn't contain all expected signature parts.";
    }
    return 1;
}

The system information below is not from the system running debmirror, but
it is running buster.

-- System Information:
Debian Release: 10.1
  APT prefers stable
  APT policy: (750, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debmirror depends on:
ii  bzip2                    1.0.6-9.2~deb10u1
pn  libdigest-md5-perl       <none>
pn  libdigest-sha-perl       <none>
pn  liblockfile-simple-perl  <none>
ii  libwww-perl              6.36-2
ii  perl [libnet-perl]       5.28.1-6
ii  rsync                    3.1.3-6
ii  xz-utils                 5.2.4-1

Versions of packages debmirror recommends:
pn  ed     <none>
ii  gpgv   2.2.12-1+deb10u1
ii  patch  2.7.6-3+deb10u1

Versions of packages debmirror suggests:
ii  gnupg  2.2.12-1+deb10u1
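A check worth running on a file that verifies as a whole but fails after splitting, written here as an added example (it is not part of the bug report and is not debmirror's or APT's code): RFC 4880 section 7.1 says a cleartext signature is computed over the signed text with trailing spaces and tabs removed from every line and line endings canonicalized to CRLF, whereas a text-mode signature checked against a separate data file (section 5.2.1) canonicalizes line endings only. The debmirror splitter copies each text line as written apart from the CR/LF, so the split text file is byte-for-byte what the clearsigned verification hashed only when no signed line carries trailing whitespace. The script below re-implements the split with the same rules (skip armor headers up to the first blank line, undo "- " dash-escaping, copy the signature block verbatim), lists the lines where the two canonical forms differ, and runs on a constructed Release-like sample with a placeholder signature block; pass an InRelease path as the first argument to inspect a real file. Whether the wheezy-backports file has such a line is not established by the report; this is how to find out.

```python
"""Compare what a clearsigned verification hashes with what a detached
text-mode verification of the split text file would hash.

Added example, not code from the bug report, debmirror or APT.  The sample
message is constructed and its signature block is a placeholder; gpgv is not
invoked here.
"""
import sys

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(data):
    """Split a clearsigned message into (text_lines, signature_lines).

    Same rules as the debmirror/APT splitter: skip the armor headers up to
    the first empty line, undo "- " dash-escaping, copy the signature block
    verbatim.  Anything after the END marker is ignored.
    """
    lines = data.splitlines()
    if not lines or lines[0] != BEGIN_MSG:
        raise ValueError("input does not start with a clearsigned message")
    i = 1
    while i < len(lines) and lines[i] != "":
        i += 1                                 # armor headers, e.g. "Hash: SHA256"
    text, sig, in_sig = [], [], False
    for line in lines[i + 1:]:
        if in_sig:
            sig.append(line)
            if line == END_SIG:
                break
        elif line == BEGIN_SIG:                # compared before de-escaping
            in_sig = True
            sig.append(line)
        else:
            text.append(line[2:] if line.startswith("- ") else line)
    if not sig or sig[-1] != END_SIG:
        raise ValueError("signature block missing or not closed")
    return text, sig


def cleartext_canonical(text_lines):
    """Bytes a cleartext signature covers (RFC 4880 s7.1): trailing spaces
    and tabs removed from every line, CRLF line endings."""
    return "\r\n".join(l.rstrip(" \t") for l in text_lines).encode("utf-8", "surrogateescape")


def detached_textmode(text_lines):
    """Bytes a text-mode signature over the split file covers (RFC 4880
    s5.2.1): line endings canonicalized to CRLF, trailing whitespace kept."""
    return "\r\n".join(text_lines).encode("utf-8", "surrogateescape")


def whitespace_mismatches(text_lines):
    """1-based numbers of signed-text lines on which the two canonical forms
    differ, i.e. lines ending in spaces or tabs."""
    return [n for n, l in enumerate(text_lines, 1) if l != l.rstrip(" \t")]


def report(data):
    """Split `data` and return (text_lines, mismatched_line_numbers)."""
    text, _sig = split_clearsigned(data)
    return text, whitespace_mismatches(text)


# Constructed sample in the shape of a Release file.  The "Version: " line
# deliberately carries a trailing space; the signature block is not real.
SAMPLE_LINES = [
    BEGIN_MSG,
    "Hash: SHA256",
    "",
    "Origin: Debian Backports",
    "Suite: wheezy-backports",
    "Version: ",                            # constructed: empty field, trailing space
    "Codename: wheezy-backports",
    "- -----dash-escaped line",             # constructed: dash-escaped by the signer
    "MD5Sum:",
    " 21206181d8c101b785f51c82820acef7 118763 contrib/Contents-amd64",
    BEGIN_SIG,
    "",
    "iQIcBAEBCAAGBQJ-placeholder-not-a-real-signature==",
    "=AbCd",
    END_SIG,
]
SAMPLE = "\n".join(SAMPLE_LINES) + "\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="surrogateescape") as fh:
            src = fh.read()
    else:
        src = SAMPLE
    text, bad = report(src)
    for n in bad:
        print(f"text line {n}: trailing whitespace is stripped for the clearsigned "
              f"hash but kept in the split file: {text[n - 1]!r}")
    if not bad:
        print("no trailing-whitespace lines; both canonical forms are identical")
```

On the constructed sample the script reports text line 3 ("Version: "); on a real InRelease file the same lines can be spotted with `cat -A`, which shows a trailing space as a space before `$`.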