Package: debsig-verify
Version: 0.23+b2
Severity: important
Tags: patch

Hey Guillem,

Updating our derived distro from bullseye to bookworm, we've moved on from 0.23 to 0.28. We're using subkeys for signing our debs, and that no longer works.

I can see that the change you've made to no longer fall back if a fingerprint doesn't match (849d9633ebf809398c848821c603148ae0470278) has broken this.

Here's a patch that I've added locally on top of 0.28 to also attempt to match subkey fingerprints. This passes tests here and makes subkeys work for us again.

Cheers,

Steve

-- System Information:
Debian Release: 11.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldoldstable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-26-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debsig-verify depends on:
ii  gnupg      2.2.27-2+deb11u2
ii  gpg        2.2.27-2+deb11u2
ii  libc6      2.31-13+deb11u7
ii  libexpat1  2.2.10-2+deb11u5

debsig-verify recommends no packages.

Versions of packages debsig-verify suggests:
ii  debian-keyring  2021.09.25
ii  debsigs         0.1.25

-- no debconf information

diff --git a/src/openpgp-gpg.c b/src/openpgp-gpg.c index 4c29b7f..97ec3a4 100644 --- a/src/openpgp-gpg.c +++ b/src/openpgp-gpg.c @@ -115,6 +115,7 @@ enum keyid_state { KEYID_FPR, KEYID_UID, KEYID_SIG, + KEYID_SUB, }; enum colon_fields { @@ -221,7 +222,7 @@ gpg_getKeyID(const char *keyring, const char *match_id) /* Certificate found. */ state = KEYID_PUB; - } else if (state == KEYID_PUB) { + } else if (state == KEYID_PUB || state == KEYID_SUB) { if (!match_prefix(buf, "fpr:")) continue; fpr = get_colon_field(buf, COLON_FIELD_FPR_ID); @@ -241,6 +242,7 @@ gpg_getKeyID(const char *keyring, const char *match_id) continue; if (strcmp(uid, match_id) != 0) { free(uid); + state = KEYID_SUB; continue; } free(uid);
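
Review bot: In the `@@ -221,7 +222,7 @@` hunk of gpg_getKeyID(), the new `state == KEYID_SUB` case shares a branch whose only test is `match_prefix(buf, "fpr:")`, so nothing in the visible lines ties the accepted fingerprint to a `sub:` record of the certificate being examined; an `fpr:` line that follows a later `pub:` record would be taken the same way. Suggest tracking record boundaries explicitly (return to KEYID_PUB on `pub:`, enter KEYID_SUB only on `sub:`), and checking that the previous value of `fpr` is freed before `fpr = get_colon_field(buf, COLON_FIELD_FPR_ID);` runs again, now that this branch can be reached more than once per certificate. Since this decides which key a package signature is checked against, a comment stating which fingerprints are meant to be accepted (primary only, or any subkey under it) would make the intended trust decision reviewable.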
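
Review bot: In the `@@ -241,6 +242,7 @@` hunk, `state = KEYID_SUB;` is set on the first `uid:` value that differs from `match_id`, so any further `uid:` lines of the same certificate are no longer compared: once the state is KEYID_SUB, the earlier `fpr:` branch skips every line that is not `fpr:`. Before the change a mismatch left the state untouched and the next `uid:` line was still checked, so a certificate carrying several user IDs where a later one matches would stop matching. Suggest leaving the state unchanged on a uid mismatch and switching to KEYID_SUB when a `sub:` line is read, and adding a test keyring that has a multi-uid certificate with a subkey so both paths are covered.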