On Thu, Jun 20, 2024 at 12:39:39PM GMT, Julian Andres Klode wrote:
> Control: reassign -1 gpgv-from-sq
> Control: affects -1 apt
> Control: severity -1 serious
> 
> On Wed, Jun 19, 2024 at 09:59:52AM GMT, Pti Zoom wrote:
> > Package: apt
> > Version: 2.9.5
> > Followup-For: Bug #896834
> > 
> > Dear Maintainer,
> > 
> > *** Reporter, please consider answering these questions, where appropriate 
> > ***
> > 
> > *_InRelease files fail signing,
> > 
> > since 17/06/2024,
> > 
> > when upgraded unstable gpgv to  2.2.43-{6,7} !
> > 
> > then the package updates are quite stalled.
> > 
> > oh dear...should have listened to gpgv package maintainer instead of madly 
> > upgrading....
> > 
> > symptoms are also similar to bug...
> > 
> >  #896834  /usr/bin/apt-key: apt-key fails in an lxc environment after 
> > upgrade to stretch
> > 
> > which from ...
> > 
> >  apt -o Debug::Acquire::gpgv=1 update
> > 
> > gives...
> > 
> > "...
> > inside VerifyGetSigners
> > ...
> > Preparing to exec:  /usr/bin/apt-key --quiet --readonly verify --status-fd 
> > 3 /tmp/apt.sig.dQFfP7 /tmp/apt.data.mOm9vr
> > ...
> > 0% [Working]gpgv exited with status 1                                       
> >                                                                             
> >                                                                             
> >                                                     
> > Summary:
> >   Good: 
> >   Valid: 
> >   Bad: 
> >   Worthless: 
> >   SoonWorthless: 
> >   NoPubKey: 
> >   Signed-By: 
> >   NODATA: no
> > Err:3 http://deb.debian.org/debian stable InRelease
> >   At least one invalid signature was encountered.
> > ...
> > Warning: An error occurred during the signature verification. The 
> > repository is not updated and the previous index files will be used. GPG 
> > error: http://deb.debian.org/debian stable InRelease: At least one invalid 
> > signature was encountered.
> > ..."
> > 
> > etc...
> > 
> > maybe I shall downgrade to gpgv 2.2.40-1.1+b3 or is there a better setting 
> > for gpgv ?
> 
> The culprit is gpgv-from-sq as DonKult said, and it is:
> 
> jak@jak-t14-g3:~:master$ apt-key verify --keyring 
> /usr/share/keyrings/ubuntu-archive-keyring.gpg 
> /var/lib/apt/lists/snapshot.ubuntu.com_ubuntu_dists_oracular_InRelease 
> gpgv:   error: While parsing rule "ed448"
> gpgv: because: Invalid argument: Unknown public key algorithm: ed
> 
> So now it claims it accepts the argument but then it complains about
> unknown public key algorithms. You can verify manually with something
> like:
> 
> jak@jak-t14-g3:~:master$ gpgv --assert-pubkey-algo ">=rsa2048,ed25519,ed448" 
> --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg 
> /var/lib/apt/lists/snapshot.ubuntu.com_ubuntu_dists_oracular_InRelease  
> gpgv:   error: While parsing rule "ed448"
> gpgv: because: Invalid argument: Unknown public key algorithm: ed
> 
> (Adjusted for your sources, I'm testing Ubuntu :D)
> 
> There are two bugs here:
> 
> 1. sq strips the numerical bit from ed448, pretending it is a size. Maybe it
>    doesn't support ed448?
> 2. sq fails on unknown algorithms, when it should silently ignore them. These
>    are not safety critical, it is an allow list after all. If it doesn't
>    support ed448 the right place to fail is when it actually encounters an
>    ed448 signature.
> 
I want to reiterate what I said upstream: We strongly need this
feature, we have a _temporary_ workaround in place, but this is
not a long-term solution, but rather a release critical bug - we
should not release trixie with an APT that is not able to enforce
its crypto policy.

Hence we need this implemented in gpgv-from-sq in addition to gpgv
from gnupg2, or we need to declare Conflicts: gpgv-from-sq to make
sure APT keeps working correctly.

We need to talk about gnupg 2.4 too at some point; this or a backport
is necessary for the APT feature to work, and I will raise this as
an RC bug eventually. Alternatively implementing it just in sq's gpgv
implementation and forcing apt to that also would work I suppose and
may be the preferable solution for Debian anyhow.
-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
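To make the two bugs in the thread concrete, here is an added example of a tolerant parser for an `--assert-pubkey-algo` style allow list. It is not code from gpgv, gnupg, sq or gpgv-from-sq; the rule grammar (an optional `<`, `<=`, `=`, `>=` or `>` prefix, a bare entry meaning equality, a fixed table of curve names such as `ed448` whose digits are part of the name, and `rsa`/`dsa`/`elg` as the only size-bearing families) is an assumption modelled on the ">=rsa2048,ed25519,ed448" list quoted above, and the names `parse_policy`, `key_allowed` and `PubKey` are hypothetical. The two behaviours under discussion are handled the way the reply asks for: `ed448` is kept as a whole name rather than split into `ed` plus a size of 448, and an entry the implementation does not recognise is recorded and skipped instead of aborting verification, because an allow list that names something unsupported can only ever admit keys the verifier does recognise.

```rust
// Added example, not gpgv/gnupg/sq code. Grammar and tables are assumptions.

#[derive(Debug, Clone, Copy, PartialEq)]
enum Op { Lt, Le, Eq, Ge, Gt }

#[derive(Debug, Clone, PartialEq)]
enum Rule {
    // Family plus size bound, e.g. ">=rsa2048".
    Sized { family: String, op: Op, bits: u32 },
    // Whole algorithm/curve name, e.g. "ed448"; digits are part of the name.
    Exact(String),
}

#[derive(Debug, Default)]
struct Policy {
    rules: Vec<Rule>,
    // Entries we could not interpret; reported, never fatal.
    ignored: Vec<String>,
}

// The key's algorithm as a key listing would print it ("rsa", "ed25519", ...).
struct PubKey<'a> { algo: &'a str, bits: u32 }

// Assumption: only these families carry a numeric size suffix.
const SIZED_FAMILIES: &[&str] = &["rsa", "dsa", "elg"];
// Assumption: a fixed table of names whose digits are not a size.
const EXACT_NAMES: &[&str] = &[
    "ed25519", "cv25519", "ed448", "cv448",
    "nistp256", "nistp384", "nistp521",
    "brainpoolp256r1", "brainpoolp384r1", "brainpoolp512r1",
];

// Strip a comparison prefix; a bare entry is treated as "=" (assumption).
fn split_op(item: &str) -> (Op, &str) {
    for (prefix, op) in [(">=", Op::Ge), ("<=", Op::Le), (">", Op::Gt), ("<", Op::Lt), ("=", Op::Eq)] {
        if let Some(rest) = item.strip_prefix(prefix) {
            return (op, rest);
        }
    }
    (Op::Eq, item)
}

// Parse one entry; None means "unknown, skip it".
fn parse_rule(item: &str) -> Option<Rule> {
    let (op, body) = split_op(item.trim());
    let body = body.to_ascii_lowercase();
    if body.is_empty() {
        return None;
    }
    // Check curve names first so "ed448" is never split into "ed" + 448.
    if EXACT_NAMES.contains(&body.as_str()) {
        return Some(Rule::Exact(body));
    }
    let cut = body.find(|c: char| c.is_ascii_digit()).unwrap_or(body.len());
    let (family, digits) = body.split_at(cut);
    if SIZED_FAMILIES.contains(&family) {
        // A sized family without a parsable size is treated as unknown.
        let bits = digits.parse::<u32>().ok()?;
        return Some(Rule::Sized { family: family.to_string(), op, bits });
    }
    None
}

// Parse a comma- or space-separated list; unknown entries are collected, not fatal.
fn parse_policy(list: &str) -> Policy {
    let mut policy = Policy::default();
    for item in list.split(|c: char| c == ',' || c == ' ').filter(|s| !s.is_empty()) {
        match parse_rule(item) {
            Some(rule) => policy.rules.push(rule),
            None => policy.ignored.push(item.to_string()),
        }
    }
    policy
}

fn rule_matches(rule: &Rule, key: &PubKey) -> bool {
    match rule {
        Rule::Exact(name) => key.algo.eq_ignore_ascii_case(name),
        Rule::Sized { family, op, bits } => {
            if !key.algo.eq_ignore_ascii_case(family) {
                return false;
            }
            match op {
                Op::Lt => key.bits < *bits,
                Op::Le => key.bits <= *bits,
                Op::Eq => key.bits == *bits,
                Op::Ge => key.bits >= *bits,
                Op::Gt => key.bits > *bits,
            }
        }
    }
}

// Allow-list semantics: the key passes if any rule admits it.
fn key_allowed(policy: &Policy, key: &PubKey) -> bool {
    policy.rules.iter().any(|r| rule_matches(r, key))
}

fn main() {
    let policy = parse_policy(">=rsa2048,ed25519,ed448");
    for entry in &policy.ignored {
        eprintln!("warning: ignoring unknown pubkey algorithm rule {:?}", entry);
    }
    let key = PubKey { algo: "ed448", bits: 0 };
    println!("ed448 key allowed: {}", key_allowed(&policy, &key));
}
```

With the list from the thread, an ed448 or ed25519 signing key and any RSA key of 2048 bits or more pass, a 1024-bit RSA key is rejected, and an entry the parser does not know ends up in `ignored` with the remaining rules still enforced; the one place an unsupported algorithm should still fail is when a signature actually made with it is encountered, which is the verifier's job rather than the parser's.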
