NetBSD-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

PR/59823 CVS commit: pkgsrc/security/netpgpverify

The following reply was made to PR bin/59823; it has been noted by GNATS.

From: "Taylor R Campbell" <riastradh%netbsd.org@localhost>
To: gnats-bugs%gnats.NetBSD.org@localhost
Cc: 
Subject: PR/59823 CVS commit: pkgsrc/security/netpgpverify
Date: Sun, 4 Jan 2026 06:19:40 +0000

 Module Name:	pkgsrc
 Committed By:	riastradh
 Date:		Sun Jan  4 06:19:40 UTC 2026
 
 Modified Files:
 	pkgsrc/security/netpgpverify: Makefile
 	pkgsrc/security/netpgpverify/files: Makefile.in libverify.c
 Added Files:
 	pkgsrc/security/netpgpverify/files: gpg2test gpg2test.gpg2
 	    keypubring.gpg2 keysecring.gpg2
 
 Log Message:
 security/netpgpverify: Handle issuer fingerprint subpackets.
 
 This is an extremely dodgy stop-gap measure to verify signatures
 produced by gpg2.  It does nothing to address pervasive problems in
 netpgpverify, like PR security/57449 or PR bin/59823, or even more
 narrowly scoped problems with using keyids instead of fingerprints.
 I'm a little reluctant to even commit this stop-gap because the
 problems are so bad, and a band-aid won't fix a spurting carotid.
 
 The symptom is:
 
 > ./netpgpverify -k keypubring.gpg2 gpg2test.gpg2
 > Ignoring unusual/reserved signature subpacket 34
 > Signature did not match contents -- Signature key id 38fa6a2833ed1efa does not match onepass keyid
 
 Test case generated by:
 
 mkdir -m 0700 gpghome
 gpg2 --homedir gpghome --batch --passphrase '' \
     --quick-gen-key user%example.com@localhost rsa2048 sign never
 echo hello world >gpg2test
 gpg2 --homedir gpghome --batch --no-comments --no-emit-version \
     --output gpg2test.gpg2 --sign gpg2test
 gpg2 --homedir gpghome --batch --no-comments --no-emit-version \
     --export-secret-keys >keysecring.gpg2
 gpg2 --homedir gpghome --batch --no-comments --no-emit-version \
     --export >keypubring.gpg2
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.22 -r1.23 pkgsrc/security/netpgpverify/Makefile
 cvs rdiff -u -r1.9 -r1.10 pkgsrc/security/netpgpverify/files/Makefile.in
 cvs rdiff -u -r0 -r1.1 pkgsrc/security/netpgpverify/files/gpg2test \
     pkgsrc/security/netpgpverify/files/gpg2test.gpg2 \
     pkgsrc/security/netpgpverify/files/keypubring.gpg2 \
     pkgsrc/security/netpgpverify/files/keysecring.gpg2
 cvs rdiff -u -r1.31 -r1.32 pkgsrc/security/netpgpverify/files/libverify.c
 
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
Home | Main Index | Thread Index | Old Index