pkgsrc-Bugs archive
Re: pkg/54048: pkg_admin unable to verify signature
The following reply was made to PR pkg/54048; it has been noted by GNATS.
From: Alistair Crooks <agc%pkgsrc.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: pkg-manager%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, pkgsrc-bugs%netbsd.org@localhost
Subject: Re: pkg/54048: pkg_admin unable to verify signature
Date: Sun, 10 Mar 2019 13:27:30 -0700
See RFC 4880, section 5.2.3.1
https://tools.ietf.org/html/rfc4880
The value of the subpacket type octet may be:
0 = Reserved
1 = Reserved
2 = Signature Creation Time
3 = Signature Expiration Time
4 = Exportable Certification
5 = Trust Signature
6 = Regular Expression
7 = Revocable
8 = Reserved
9 = Key Expiration Time
10 = Placeholder for backward compatibility
11 = Preferred Symmetric Algorithms
12 = Revocation Key
13 = Reserved
14 = Reserved
15 = Reserved
16 = Issuer
17 = Reserved
18 = Reserved
19 = Reserved
20 = Notation Data
21 = Preferred Hash Algorithms
22 = Preferred Compression Algorithms
23 = Key Server Preferences
24 = Preferred Key Server
25 = Primary User ID
26 = Policy URI
27 = Key Flags
28 = Signer's User ID
29 = Reason for Revocation
30 = Features
31 = Signature Target
32 = Embedded Signature
100 To 110 = Private or experimental
so I suspect something has been added to the original spec - which package,
and how was it signed?
Regards,
Alistair
On Fri, 8 Mar 2019 at 22:28, <tiago%seco.ws@localhost> wrote:
> >Number: 54048
> >Category: pkg
> >Synopsis: pkg_admin unable to verify signature
> >Confidential: no
> >Severity: serious
> >Priority: medium
> >Responsible: pkg-manager
> >State: open
> >Class: sw-bug
> >Submitter-Id: net
> >Arrival-Date: Fri Mar 08 19:25:00 +0000 2019
> >Originator: Tiago Seco
> >Release: NetBSD 8.0 (GENERIC)
> >Organization:
> >Environment:
> NetBSD localhost 8.0 NetBSD 8.0 (GENERIC) #0: Tue Jul 17 14:59:51 UTC
> 2018 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC
> amd64
> >Description:
> pkg_admin fetch-pkg-vulnerabilities -s fails when verifying the signature
> with the following:
>
> Ignoring unusual/reserved signature subpacket 33
> Ignoring unusual/reserved signature subpacket 33
> Ignoring unusual/reserved signature subpacket 33
> Ignoring unusual/reserved signature subpacket 33
> Ignoring unusual/reserved signature subpacket 33
> Ignoring unusual/reserved signature subpacket 33
> Ignoring unusual/reserved signature subpacket 33
> Ignoring unusual/reserved signature subpacket 33
> Ignoring unusual/reserved signature subpacket 33
> Ignoring unusual/reserved signature subpacket 33
> Ignoring unusual/reserved signature subpacket 33
> Ignoring unusual/reserved signature subpacket 33
> pkg_admin: unable to verify signature: Signature key id 706b677372632d73
> not found
>
> --
>
> gpg settings and keys:
> localhost# gpg -k
> /root/.gnupg/pubring.gpg
> ------------------------
> pub 4096R/9F80359C 2018-04-19 [expires: 2019-05-14]
> uid pkgsrc Security Team <pkgsrc-security%pkgsrc.org@localhost>
> uid pkgsrc Security Team <pkgsrc-security%NetBSD.org@localhost>
> sub 4096R/FE41A229 2018-04-19 [expires: 2019-05-14]
>
>
> localhost# pkg_admin config-var GPG
> /usr/pkg/bin/gpg
> >How-To-Repeat:
> curl -sS https://pkgsrc.org/pkgsrc-security_pgp_key.asc | gpg --import
> pkg_admin fetch-pkg-vulnerabilities -s
> >Fix:
>
>
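The rule behind the list Alistair quotes, shown as an added example (Python, not pkg_admin or netpgp code): RFC 4880 section 5.2.3.1 reserves bit 7 of the subpacket type octet as a "critical" flag. An implementation may ignore an unknown subpacket whose critical bit is clear, but SHOULD treat the signature as in error when an unknown subpacket is marked critical. The parser below walks a constructed hashed subpacket area, applies that rule, and pulls the issuer key id from subpacket 16. Treating type 33 as the "Issuer Fingerprint" subpacket of the RFC 4880bis draft (version octet followed by the fingerprint, whose low 64 bits are the v4 key id) is an assumption of this example, not something the thread confirms. The sample area, its fingerprint, and the function names are constructed for the example. key_id_as_ascii() is a diagnostic of the example's own: the key id the PR reports, 706b677372632d73, is the ASCII bytes "pkgsrc-s", which is worth noticing before searching a keyring for a key with that id.

```python
"""Parse the hashed subpacket area of an OpenPGP v4 signature and apply the
RFC 4880 section 5.2.3.1 rule for unknown subpacket types.

Added example for this thread; it is not pkg_admin/netpgp code.  Type 33 is
not defined in RFC 4880; reading it as the draft-4880bis "Issuer Fingerprint"
subpacket is an assumption made here.
"""
import struct

# Subpacket types that RFC 4880 section 5.2.3.1 assigns a meaning to.
RFC4880_TYPES = {
    2: "Signature Creation Time", 3: "Signature Expiration Time",
    4: "Exportable Certification", 5: "Trust Signature",
    6: "Regular Expression", 7: "Revocable", 9: "Key Expiration Time",
    10: "Placeholder for backward compatibility",
    11: "Preferred Symmetric Algorithms", 12: "Revocation Key", 16: "Issuer",
    20: "Notation Data", 21: "Preferred Hash Algorithms",
    22: "Preferred Compression Algorithms", 23: "Key Server Preferences",
    24: "Preferred Key Server", 25: "Primary User ID", 26: "Policy URI",
    27: "Key Flags", 28: "Signer's User ID", 29: "Reason for Revocation",
    30: "Features", 31: "Signature Target", 32: "Embedded Signature",
}
# Assumption: type 33 as in the RFC 4880bis draft (version octet + fingerprint).
DRAFT_TYPES = {33: "Issuer Fingerprint"}
CRITICAL_BIT = 0x80


class SignatureError(ValueError):
    """Raised when the subpacket area cannot be accepted."""


def read_length(data, pos):
    """Subpacket length: one octet (<192), two octets (<16320), or 0xFF + four octets."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5


def encode_subpacket(sp_type, body, critical=False):
    """Build one subpacket; bodies here are short, so only the one-octet length form is used."""
    if len(body) + 1 >= 192:
        raise ValueError("example only handles the one-octet length form")
    return bytes([len(body) + 1, sp_type | (CRITICAL_BIT if critical else 0)]) + body


def parse_subpackets(area):
    """Return [(type, critical, body), ...] for every subpacket in the area."""
    out, pos = [], 0
    while pos < len(area):
        length, pos = read_length(area, pos)
        if length == 0 or pos + length > len(area):
            raise SignatureError("truncated or zero-length subpacket")
        out.append((area[pos] & 0x7F, bool(area[pos] & CRITICAL_BIT), area[pos + 1:pos + length]))
        pos += length
    return out


def issuer_key_id(area, accept_draft=True):
    """Find the issuer key id.  Unknown non-critical subpackets are ignored with a
    warning; an unknown critical one rejects the signature.  Returns (hex_id, warnings)."""
    key_id, warnings = None, []
    for sp_type, critical, body in parse_subpackets(area):
        known = sp_type in RFC4880_TYPES or (accept_draft and sp_type in DRAFT_TYPES)
        if not known:
            if critical:
                raise SignatureError(f"critical unknown subpacket {sp_type}")
            warnings.append(f"Ignoring unusual/reserved signature subpacket {sp_type}")
            continue
        if sp_type == 16 and len(body) == 8:
            key_id = body.hex()
        elif sp_type == 33 and key_id is None and len(body) == 21 and body[0] == 4:
            key_id = body[1:][-8:].hex()  # v4 key id = low 64 bits of the fingerprint
    if key_id is None:
        raise SignatureError("no Issuer subpacket; cannot look up a key")
    return key_id, warnings


def verifies_cleanly(area, **kw):
    """True if the area yields an issuer key id without tripping the critical-bit rule."""
    try:
        issuer_key_id(area, **kw)
        return True
    except SignatureError:
        return False


def key_id_as_ascii(hex_key_id):
    """Decode a key id as bytes; a printable result hints the bytes came from a text field."""
    raw = bytes.fromhex(hex_key_id)
    return raw.decode("ascii") if all(32 <= b < 127 for b in raw) else None


# Constructed sample (not the real pkgsrc key): a hashed area as a GnuPG 2.1+ style
# signature might carry it, plus a private/experimental subpacket.
FINGERPRINT = bytes.fromhex("0123456789abcdef0123456789abcdef9f80359c")
SAMPLE_AREA = (
    encode_subpacket(2, struct.pack(">I", 1552012800))  # Signature Creation Time
    + encode_subpacket(33, b"\x04" + FINGERPRINT)        # draft Issuer Fingerprint
    + encode_subpacket(16, FINGERPRINT[-8:])             # Issuer
    + encode_subpacket(100, b"x")                        # private/experimental, non-critical
)
# Same area with an unknown subpacket marked critical: must be rejected.
CRITICAL_AREA = SAMPLE_AREA + encode_subpacket(101, b"y", critical=True)

if __name__ == "__main__":
    print(issuer_key_id(SAMPLE_AREA))
    print(issuer_key_id(SAMPLE_AREA, accept_draft=False))
    print(verifies_cleanly(CRITICAL_AREA))
    print(key_id_as_ascii("706b677372632d73"))
```

Run with accept_draft=False the parser behaves like the verifier in the PR: it warns about subpacket 33 and still finds the key id in subpacket 16, so a well-formed signature verifies even though one subpacket type is unknown. The one behaviour it must not have is skipping an unknown subpacket that has the critical bit set.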