Bug#1010955: uscan: configure multiple signature verification

2022-10-18 Thread Daniel Kahn Gillmor
On Thu 2022-09-15 18:57:59 -0400, Daniel Kahn Gillmor wrote:
> Control: affects 1010955 + src:gnupg2 src:pinentry
>
> On Sat 2022-05-14 07:55:36 +0200, Andreas Metzler wrote:
>> The latest gnutls tarballs have multiple signatures. I would like
>> to have uscan succeed if at least one of signatories is listed in
>> debian/upstream/signing-key.asc. Uscan currently requires all signatures
>> to verify with no way to configure differently afaict.
>
> Andreas is correct here that it only makes sense to require one valid
> signature for uscan's verification to succeed.  Requiring every
> discovered signature to be valid is a mistake.  For example, it means
> that projects that start publishing an OpenPGP v5 signature (when
> rfc4880bis is finally released) alongside their OpenPGP v4 signatures
> will fail to be validated.

fwiw, the problem here is pretty clearly gpgv's own built-in semantics.
from gpgv(1):

> RETURN VALUE
>   The program returns 0 if everything is fine, 1 if at least  one  signa‐
>   ture was bad, and other error codes for fatal errors.


all the code in lib/Devscripts/Verify/Uscan.pm eventually falls back on
gpgv, rather than using semantics like "sop verify", which succeeds when
at least one signature is valid and successful.

Ironically, it's GnuPG's own packages that are failing this verification
right now, because they're publishing multiple signatures.  It's not a
bad thing for them to sign their software with multiple keys, but the
problem is that gpgv is being stricter than it needs to be to verify
them.

So i think to fix this in uscan, we have two choices:

 (a) split out the signatures into separate files, and run gpgv on each
 signature separately

 (b) use an OpenPGP verification tool with a more sensible verification
 policy, like any compliant "sop" implementation (e.g. sqop,
 pgpainless-cli, gosop).

I'm not sure i actually know how to do (a) safely -- i guess we could
use `gpgsplit` (from the gnupg-utils package) into an empty tempdir, and
then repeatedly invoke `gpgv` on each resulting *.sig file, returning
success if any of them verify.  I don't know how it would work for an
inline-signed package ("pgpmode=self").  at any rate, this all sounds
painful to me.

I've proposed
https://salsa.debian.org/debian/devscripts/-/merge_requests/286 as a way
to implement (b).  Happy to hear feedback on it.

   --dkg



Bug#1010955: uscan: configure multiple signature verification

2022-05-13 Thread Andreas Metzler
Package: devscripts
Version: 2.22.1
Severity: wishlist

Hello,

The latest gnutls tarballs have multiple signatures. I would like
to have uscan succeed if at least one of signatories is listed in
debian/upstream/signing-key.asc. Uscan currently requires all signatures
to verify with no way to configure differently afaict.

8X--
ametzler@argenau:/tmp/GNUTLS/gnutls-3.7.4$ uscan --verbose --rename
[...]
uscan info: Requesting URL:
   https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.5.tar.xz.sig
uscan info: Verifying OpenPGP signature ../gnutls-3.7.5.tar.xz.sig for 
../gnutls-3.7.5.tar.xz
gpgv: Signature made Do 12 Mai 2022 15:15:36 CEST
gpgv:using EDDSA key 5D46CB0F763405A7053556F47A75A648B3F9220C
gpgv: Can't check signature: No public key
gpgv: Signature made Do 12 Mai 2022 16:54:05 CEST
gpgv:using RSA key 462225C3B46F34879FC8496CD605848ED7E69871
gpgv: Good signature from "Daiki Ueno "
gpgv: aka "Daiki Ueno "
uscan die: OpenPGP signature did not verify. at 
/usr/share/perl5/Devscripts/Uscan/Output.pm line 60.
ametzler@argenau:/tmp/GNUTLS/gnutls-3.7.4$
8X--

cu Andreas



Bug#1010955: uscan: configure multiple signature verification

2022-09-15 Thread Daniel Kahn Gillmor
Control: affects 1010955 + src:gnupg2 src:pinentry

On Sat 2022-05-14 07:55:36 +0200, Andreas Metzler wrote:
> The latest gnutls tarballs have multiple signatures. I would like
> to have uscan succeed if at least one of signatories is listed in
> debian/upstream/signing-key.asc. Uscan currently requires all signatures
> to verify with no way to configure differently afaict.

Andreas is correct here that it only makes sense to require one valid
signature for uscan's verification to succeed.  Requiring every
discovered signature to be valid is a mistake.  For example, it means
that projects that start publishing an OpenPGP v5 signature (when
rfc4880bis is finally released) alongside their OpenPGP v4 signatures
will fail to be validated.

The same failings happen for GnuPG and related projects like Pinentry,
which typically have multiple signers attesting to each release.

I think Andreas is wrong to argue that this should be configurable.  If
anything, the correct move here is to have uscan be satisfied as long as
it finds *any* valid signature from any key in the keyring located in
debian/upstream/signing-key.asc.

Here's another way of looking at it: consider a malicious network
adversary capable of interposing themselves and tampering with either
the tarball or the signature -- it is trivial (and unavoidable) that the
adversary can make a good signature fail; just fiddle some bits in the
signature or the tarball.  What we critically want to avoid is for them
to be able to make a bad signature appear good.

But note that if we believe every supplied signature must be good when a
multiple signature is supplied, and one signature is from an unknown
party, then a network attacker can simply *remove* the unknown
signature, and the remaining signatures will all pass, converting a
"bad" multi-sig into a "good" single-sig.  The threat model for this
approach is clearly muddled!

By permitting a single signature from any signer to validate, we are not
increasing the capabilities of the attacker at all.  we're simply making
the system more robust, and enabling upstream developers to smoothly
migrate to new keys by signing with both keys for a period of time.

On the off chance that some upstream project wants debian to ensure that
*multiple* signers have indeed endorsed a release, then it's possible
that uscan would want some configurability -- the debian maintainer
would want to indicate that *at least N signatures from distinct signers
in the known keyring* are present in the signature bundle, for example.
But i know of no active projects that take this position at the moment,
so making such a configurable option is entirely gravy at this point.

It's more important that uscan *succeed* when at least one valid
signature is found.

  --dkg
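The policy argued for above (succeed when at least one, or at least N, valid signatures come from keys in the known keyring, whatever else is in the bundle) as an added example that is not part of this thread or of uscan's code. It assumes gpgv was invoked with `--status-fd` and its machine-readable status lines were captured; the sample status output is constructed to mirror the gnutls run in the bug report (one key absent from the keyring, one good signature).

```python
"""Evaluate gpgv status-fd output against an "at least N known signers"
policy instead of relying on gpgv's exit status, which is 1 as soon as
any single signature fails.  Added example, not uscan's own code."""

# Constructed sample, modelled on the gnutls-3.7.5 run in the bug report:
# the EdDSA key is not in the keyring (ERRSIG/NO_PUBKEY), the RSA key is
# (GOODSIG/VALIDSIG).  Field layouts follow gnupg's doc/DETAILS.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 7A75A648B3F9220C 22 10 00 1652361336 9 5D46CB0F763405A7053556F47A75A648B3F9220C
[GNUPG:] NO_PUBKEY 7A75A648B3F9220C
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D605848ED7E69871 Daiki Ueno
[GNUPG:] VALIDSIG 462225C3B46F34879FC8496CD605848ED7E69871 2022-05-12 1652367245 0 4 0 1 10 00 462225C3B46F34879FC8496CD605848ED7E69871
"""


def good_signers(status_lines):
    """Return the set of primary-key fingerprints that produced a valid
    signature.  gpgv emits VALIDSIG only for signatures it could verify
    with a key from its keyring, so NO_PUBKEY and BADSIG never count."""
    signers = set()
    for line in status_lines:
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]" or fields[1] != "VALIDSIG":
            continue
        # Field 11 is the primary key fingerprint; fall back to the signing
        # subkey's fingerprint (field 2) if an old gpgv omits it.
        fpr = fields[11] if len(fields) > 11 else fields[2]
        signers.add(fpr.upper())
    return signers


def verification_ok(status_text, min_signers=1):
    """'sop verify'-style decision: succeed when at least min_signers
    distinct known keys validly signed the artifact.  Extra signatures
    from unknown keys neither help nor hurt, so an attacker stripping
    or corrupting one of them cannot change a failing bundle into a
    passing one."""
    return len(good_signers(status_text.splitlines())) >= min_signers


if __name__ == "__main__":
    print("signers:", sorted(good_signers(SAMPLE_STATUS.splitlines())))
    print("at least one known signer:", verification_ok(SAMPLE_STATUS))
    print("at least two known signers:", verification_ok(SAMPLE_STATUS, 2))
```

The same bundle with the unknown-key signature removed gives the same verdict, which is the property the message above asks for: stripping a signature must not turn a rejected bundle into an accepted one.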
