Package: libnews-article-nocem-perl
Version: 0.09-3
Severity: important
Tags: upstream
X-Debbugs-Cc: libpgp-sign-p...@packages.debian.org, debian.a...@manchmal.in-ulm.de
Greetings,

At the moment, NoCeM messages generated using News::Article::NoCeM declare a hard-coded signature hash algorithm SHA1:

| $self->add_body("-----BEGIN PGP SIGNED MESSAGE-----");
| $self->add_body("Hash: SHA1");

[ll.202]

This broke NoCeM processing here as the actual algorithm used was SHA512, and the verification in INN2's perl-nocem fails then (took a while to find out as the only way to debug perl-nocem is strace, and there was only a warning about a hash algorithm mismatch. But changing the above line made the problem go away).

Following the robustness principle, the fix should be here, in News::Article::NoCeM. That however will be a bit delicate as I doubt this will be easy. Some *bad* ideas:

* In my setup, signing is done using gpg (i.e. gpg2). Perhaps enforcing gpg1 resolves the issue - I haven't checked - but that's not the direction we should go.
* Enforcing SHA1 in the signing might be doable (but not easy), still, no. That algorithm should be phased out.
* Hard-coding a different algorithm is a no-go, for bad style to start with.
* News::Article::NoCeM could inspect the generated signature and act accordingly. This adds a lot of code and feels pretty wrong.
* Omitting the hash declaration is not an option either, perl-nocem fails then.

So I guess this will require some co-ordination with PGP::Sign (Cc'd). It seems the latter does not provide an option to define the hash algorithm, unless perhaps via GnuPG's configuration file. That's something News::Article::NoCeM could do by switching to the OO interface of PGP::Sign. But at the same time, this voids a non-outspoken goal of making GPG::Sign backend-agnostic (having more than gpg1 and gpg2 was desirable but that's something for another day).

Another solution I can think of: PGP::Sign could, as an option, already provide the marker lines with a correct pseudo header about the hash algorithm, so News::Article::NoCeM does not have to do this. Or at least signalize the proper value. But there's nothing of that kind as far as I can see.

But these are just thoughts - I'm looking for a robust way to generate NoCeMs and if that goal is met, I care little how this is actually done.

    Christoph

-- System Information:
Debian Release: 12.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (1, 'proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.69 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libnews-article-nocem-perl depends on:
ii  libnews-article-perl  1.27-12
ii  libpgp-sign-perl      1.04-1
ii  perl                  5.36.0-7+deb12u1

libnews-article-nocem-perl recommends no packages.

libnews-article-nocem-perl suggests no packages.

-- no debconf information
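A check for the mismatch this report describes, added here as an example and not code from News::Article::NoCeM, PGP::Sign or perl-nocem: it reads the Hash: armor header of a clearsigned message, decodes the signature block, and pulls the hash algorithm id out of the OpenPGP signature packet (RFC 4880 layout), so a generator or a verifier can tell that the header disagrees with the signature before a downstream tool rejects the message. The sample message and its signature bytes are constructed dummies, not a real signature.

```python
import base64

# OpenPGP hash algorithm ids (RFC 4880, section 9.4), spelled the way the
# "Hash:" armor header of a clearsigned message spells them.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
BEGIN_SIG, END_SIG = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"

def armor_body(block, begin, end):
    """Base64-decode the armor payload between begin and end (armor headers and the =XXXX CRC line skipped)."""
    payload = block.split(begin, 1)[1].split(end, 1)[0]
    data = payload.partition("\n\n")[2]
    return base64.b64decode("".join(t for t in data.split() if not t.startswith("=")))

def signature_hash_id(packet):
    """Hash algorithm id recorded in an OpenPGP signature packet (tag 2); old/new headers, v3/v4 signatures."""
    b0 = packet[0]
    if not b0 & 0x80:
        raise ValueError("not an OpenPGP packet")
    if b0 & 0x40:                                   # new-format packet header
        tag, l1 = b0 & 0x3F, packet[1]
        if l1 >= 224 and l1 != 255:
            raise ValueError("partial body lengths not supported")
        off = 2 if l1 < 192 else 3 if l1 < 224 else 6
    else:                                           # old-format packet header
        tag, off = (b0 >> 2) & 0x0F, 1 + (1, 2, 4, 0)[b0 & 3]
    if tag != 2:
        raise ValueError(f"expected a signature packet, got tag {tag}")
    body = packet[off:]
    # v3: version, hashed len, type, time(4), key id(8), pk alg, hash alg; v4+: version, type, pk alg, hash alg
    return body[16] if body[0] == 3 else body[3]

def check_clearsigned(msg):
    """Return (declared, actual): the Hash: header value and the algorithm
    the signature packet really names. A mismatch is what broke perl-nocem."""
    head = msg.split("-----BEGIN PGP SIGNED MESSAGE-----", 1)[1].split("\n\n", 1)[0]
    declared = next((l.split(":", 1)[1].strip() for l in head.splitlines()
                     if l.startswith("Hash:")), None)
    actual = HASH_NAMES.get(signature_hash_id(armor_body(msg, BEGIN_SIG, END_SIG)), "unknown")
    return declared, actual

def make_sample(declared, hash_id):
    """Constructed clearsigned message whose v4 signature packet records
    hash_id. The signature itself is a dummy, not a real signature."""
    body = bytes([4, 1, 1, hash_id, 0, 0, 0, 0, 0, 0, 0, 8, 0xAB])   # v4, RSA, 1-byte MPI
    packet = bytes([0x88, len(body)]) + body                        # old-format header, tag 2
    return (f"-----BEGIN PGP SIGNED MESSAGE-----\nHash: {declared}\n\n(message body)\n"
            f"{BEGIN_SIG}\n\n{base64.b64encode(packet).decode()}\n=AAAA\n{END_SIG}\n")
```

`check_clearsigned(make_sample("SHA1", 10))` reproduces the report's situation: the header says SHA1 while the signature packet names SHA512.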