Control: reopen 1010171
Control: reassign 1010171 src:gnupg2 2.2.34-1
Control: affects 1010171 + sbuild
Control: tags 1010171 + patch
Control: forwarded 1010171 https://dev.gnupg.org/T5953

I've tracked this problem down to a change in upstream that was intended
to accommodate non-standards-compliant secret key material.

I'm going to revert that change in Debian (using the attached patch)
until we can figure out how to support both existing,
standards-compliant key material and the "SOS"-formatted secret keys.

The change made to sbuild (supplying --batch for key import) is still
the right change to make, but it was insufficient to resolve the
problem.

            --dkg

From a86a3026218c2d5ac7cd898666b8ef60a5734bb9 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Date: Wed, 27 Apr 2022 16:57:28 -0400
Subject: [PATCH] gpg: import Ed25519 private keys as MPIs

* g10/parse-packet.c (parse_key): Use mpi_read for Ed25519 private
  key.

--

This functionally reverts 14de7b1e5904e78fcbe413a82d0f19b750bd8830,
because it caused breakage with sbuild's continuous integration
testing, which uses gpg via debsign (see
https://bugs.debian.org/1010171)

In particular, it fixes the use of the following two commands with an
unencrypted Ed25519 secret key where the full 256 bits are used in the
secret scalar:

    gpg --allow-secret-key-import --import
    gpg --batch --detach-sign

I guess this also unfortunately breaks importing "SOS"-formatted
secret keys as a byproduct, though I don't fully understand the
mechanism.

The upstream test suite should probably be updated to include samples
of each of these flavors of secret key material, and ensure that they
can be imported and used directly.
---
 g10/parse-packet.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index 6a529707a..7eb2d03b0 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -2805,10 +2805,7 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen,
                   goto leave;
                 }
               n = pktlen;
-              if (algorithm == PUBKEY_ALGO_EDDSA)
-                pk->pkey[i] = sos_read (inp, &n, 0);
-              else
-                pk->pkey[i] = mpi_read (inp, &n, 0);
+              pk->pkey[i] = mpi_read (inp, &n, 0);
               pktlen -= n;
               if (list_mode)
                 {
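Review bot: with the `if (algorithm == PUBKEY_ALGO_EDDSA)` branch removed, every algorithm now goes through `mpi_read`, so the SOS-formatted Ed25519 secret keys that `sos_read` was introduced for will again be parsed as MPIs; the commit message acknowledges this regression, but nothing in the hunk records it. Add a comment above `pk->pkey[i] = mpi_read (inp, &n, 0);` naming the reverted upstream commit (14de7b1e5904e78fcbe413a82d0f19b750bd8830) and bug #1010171 so the next upstream merge does not silently reintroduce the conditional, and pair the revert with the test the message itself proposes (a sample of each flavor of secret key material, imported and used for a detached signature) so both code paths are exercised.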
-- 
2.35.1
