Package: libnews-article-nocem-perl Version: 0.09-3 Severity: important Tags: upstream X-Debbugs-Cc: libpgp-sign-p...@packages.debian.org, debian.a...@manchmal.in-ulm.de
Greetings,
At the moment, NoCeM messages generated using News::Article::NoCeM
declare a hard-coded signature hash algorithm SHA1:
| $self->add_body("-----BEGIN PGP SIGNED MESSAGE-----");
| $self->add_body("Hash: SHA1");
[ll.202]
This broke NoCeM processing here as the actual algorithm used was
SHA512, and the verification in INN2's perl-nocem fails then (took a
while to find out as the only way to debug perl-nocem is strace, and
there was only a warning about a hash algorithm mismatch. But changing
the above line made the problem go away).
Following the robustness principle, the fix should be here, in
News::Article::NoCeM. That however will be a bit delicate as I doubt
this will be easy.
Some *bad* ideas:
* In my setup, signing is done using gpg (i.e. gpg2). Perhaps enforcing
gpg1 resolves the issue - I haven't checked - but that's not the
direction we should go.
* Enforcing SHA1 in the signing might be doable (but not easy), still,
no. That algorithm should be phased out.
* Hard-coding a different algorithm is a no-go, for bad style to start
with.
* News::Article::NoCeM could inspect the generated signature and
act accordingly. This adds a lot of code and feels pretty wrong.
* Omitting the hash declaration is not an option either, perl-nocem
fails then.
So I guess this will require some co-ordination with PGP::Sign (Cc'd).
It seems the latter does not provide an option to define the hash
algorithm, unless perhaps via GnuPG's configuration file. That's
somehting News::Article::NoCeM could do by switching to the OO interface
of PGP::Sign. But at the same time, this voids a nonoutspoken goal of
making GPG::Sign backend-agnostic (having more than gpg1 and gpg2 was
desireable but that's something for another day).
Another solution I can think of: PGP::Sign could, as an option, already
provide the marker lines with a correct pseudo header about the hash
algorithm, so News::Article::NoCeM does not have to do this. Or at
least signalize the proper value. But there's nothing of that kind as
far as I can see.
But these are just thoughts - I'm looking for a robust way to generate
NoCeMs and if that goal is met, I care little how this is actually done.
Christoph
-- System Information:
Debian Release: 12.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'stable'), (1, 'proposed-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.69 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libnews-article-nocem-perl depends on:
ii libnews-article-perl 1.27-12
ii libpgp-sign-perl 1.04-1
ii perl 5.36.0-7+deb12u1
libnews-article-nocem-perl recommends no packages.
libnews-article-nocem-perl suggests no packages.
-- no debconf information
signature.asc
Description: PGP signature
