NetBSD-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
bin/59936: netpgpverify needs big update
>Number: 59936
>Category: bin
>Synopsis: netpgpverify needs big update
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Jan 23 16:05:00 +0000 2026
>Originator: Thomas Klausner
>Release: NetBSD 11.99.4
>Organization:
>Environment:
Architecture: x86_64
Machine: amd64
>Description:
I wanted to use less ancient software to create the pkgsrc-security
key and tried creating one with gpg2 but had to find out that
netpgpverify doesn't support this. So we still have to create the keys
with gpg1 and also create the signatures with gpg1.
In addition, netpgpverify can not read gpg keyrings any longer, and reports
very weird error messages about this.
I did a couple tests with the current pkgsrc-security key (created by gpg1)
and a to-be-the-new-one (created with gpg2), both RSA 4096 keys.
I then created signed files in the same way that the signed
pkg-vulnerabilities files are created, and verified them with gpg1,
gpg2, netpgpverify from NetBSD 11.99.4 and netpgpverify from
pkgsrc-current.
netpgpverify could not read the default GPG keyring, so I had to
manually export and import the keys into a separate keyring created
with netpgpkeys. The import of the gpg2-created key failed.
>How-To-Repeat:
1. Create signed test files:
$ gpg -sta --clearsign --no-options --output=signed.old.gpg1 -u D90AFC4C78205993C7215B93F485518FD115DA12 test-input
$ gpg -sta --clearsign --no-options --output=signed.new.gpg1 -u 518DD6CC3111CB806B5C0A37185D84F136FDCB2D test-input
$ gpg2 -sta --clearsign --no-options --output=signed.old.gpg2 -u D90AFC4C78205993C7215B93F485518FD115DA12 test-input
$ gpg2 -sta --clearsign --no-options --output=signed.new.gpg2 -u 518DD6CC3111CB806B5C0A37185D84F136FDCB2D test-input
2. Test them with gpg1, gpg2 - success.
$ gpg --verify signed.old.gpg1
gpg: Signature made 23. Jänner 2026 16:21:52 CET using RSA key ID D115DA12
gpg: Good signature from "pkgsrc Security Team <pkgsrc-security%NetBSD.org@localhost>"
gpg: aka "pkgsrc Security Team <pkgsrc-security%pkgsrc.org@localhost>"
$ gpg --verify signed.old.gpg2
gpg: Signature made 23. Jänner 2026 16:20:31 CET using RSA key ID D115DA12
gpg: Good signature from "pkgsrc Security Team <pkgsrc-security%NetBSD.org@localhost>"
gpg: aka "pkgsrc Security Team <pkgsrc-security%pkgsrc.org@localhost>"
$ gpg --verify signed.new.gpg1
gpg: Signature made 23. Jänner 2026 16:22:37 CET using RSA key ID 36FDCB2D
gpg: Good signature from "pkgsrc Security Team <pkgsrc-security%NetBSD.org@localhost>"
gpg: aka "pkgsrc Security Team <pkgsrc-security%pkgsrc.org@localhost>"
$ gpg --verify signed.new.gpg2
gpg: Signature made 23. Jänner 2026 16:19:13 CET using RSA key ID 36FDCB2D
gpg: Good signature from "pkgsrc Security Team <pkgsrc-security%NetBSD.org@localhost>"
gpg: aka "pkgsrc Security Team <pkgsrc-security%pkgsrc.org@localhost>"
$ gpg2 --verify signed.old.gpg1
gpg: Signature made 23. Jänner 2026 16:21:52 CET
gpg: using RSA key F485518FD115DA12
gpg: Good signature from "pkgsrc Security Team <pkgsrc-security%NetBSD.org@localhost>" [full]
gpg: aka "pkgsrc Security Team <pkgsrc-security%pkgsrc.org@localhost>" [full]
$ gpg2 --verify signed.old.gpg2
gpg: Signature made 23. Jänner 2026 16:20:31 CET
gpg: using RSA key D90AFC4C78205993C7215B93F485518FD115DA12
gpg: Good signature from "pkgsrc Security Team <pkgsrc-security%NetBSD.org@localhost>" [full]
gpg: aka "pkgsrc Security Team <pkgsrc-security%pkgsrc.org@localhost>" [full]
$ gpg2 --verify signed.new.gpg1
gpg: Signature made 23. Jänner 2026 16:22:37 CET
gpg: using RSA key 185D84F136FDCB2D
gpg: Good signature from "pkgsrc Security Team <pkgsrc-security%NetBSD.org@localhost>" [ultimate]
gpg: aka "pkgsrc Security Team <pkgsrc-security%pkgsrc.org@localhost>" [ultimate]
$ gpg2 --verify signed.new.gpg2
gpg: Signature made 23. Jänner 2026 16:19:13 CET
gpg: using RSA key 518DD6CC3111CB806B5C0A37185D84F136FDCB2D
gpg: Good signature from "pkgsrc Security Team <pkgsrc-security%NetBSD.org@localhost>" [ultimate]
gpg: aka "pkgsrc Security Team <pkgsrc-security%pkgsrc.org@localhost>" [ultimate]
3. Try using (either) netpgpverify to do the same - FAILS because of
keyring reading problems (it reads /home/wiz/.gnupg/pubring.gpg,
verified using ktrace)
$ /usr/pkg/bin/netpgpverify signed.new.gpg2
Ignoring unusual/reserved signature subpacket 34
Ignoring unusual/reserved signature subpacket 34
weird type of sig! 22
read_sigpkt: can't read sigs, v4
can't read keyring
(doesn't matter which file, doesn't even try verifying them)
4. Create a new keyring for netpgpverify using netpgpkeys - works for
old key, fails for GPG2-create key (both exported with gpg1, just to
be sure that that is not the problem):
$ gpg --export -a D90AFC4C78205993C7215B93F485518FD115DA12 > D90AFC4C78205993C7215B93F485518FD115DA12
$ gpg --export -a 518DD6CC3111CB806B5C0A37185D84F136FDCB2D > 518DD6CC3111CB806B5C0A37185D84F136FDCB2D
$ netpgpkeys --keyring netpgp.keyring --import D90AFC4C78205993C7215B93F485518FD115DA12
1 key
pub 4096/RSA (Encrypt or Sign) f485518fd115da12 2024-12-31 [EXPIRES 2026-01-25]
Key fingerprint: d90a fc4c 7820 5993 c721 5b93 f485 518f d115 da12
uid pkgsrc Security Team <pkgsrc-security%pkgsrc.org@localhost>
uid pkgsrc Security Team <pkgsrc-security%NetBSD.org@localhost>
encryption 4096/RSA (Encrypt or Sign) a6968b63a729b32a 2024-12-31 [EXPIRES 2026-01-25]
$ netpgpkeys --keyring netpgp.keyring --import 518DD6CC3111CB806B5C0A37185D84F136FDCB2D
Can't free 546 (0x222)
Can't free 546 (0x222)
/usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/packet-parse.c:1864: PGP_E_R_UNCONSUMED_DATA, Unconsumed data (5)
/usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/packet-parse.c:1838: PGP_E_PROTO_UNKNOWN_SS, Unknown signature subpacket type (34)
/usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/packet-parse.c:1864: PGP_E_R_UNCONSUMED_DATA, Unconsumed data (5)
/usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/packet-parse.c:1838: PGP_E_PROTO_UNKNOWN_SS, Unknown signature subpacket type (34)
Cannot import key from file 518DD6CC3111CB806B5C0A37185D84F136FDCB2D
$ netpgpkeys --keyring netpgp.keyring --list-keys
1 key found
"pub" 4096/"RSA (Encrypt or Sign)" "f485518fd115da12" 2024-12-31 [EXPIRES 2026-01-25]
Key fingerprint: "d90a fc4c 7820 5993 c721 5b93 f485 518f d115 da12 "
uid "pkgsrc Security Team <pkgsrc-security%pkgsrc.org@localhost>" ""
uid "pkgsrc Security Team <pkgsrc-security%NetBSD.org@localhost>" ""
encryption 4096/"RSA (Encrypt or Sign)" "a6968b63a729b32a" 2024-12-31
encryption 4096/"RSA (Encrypt or Sign)" "a6968b63a729b32a" 2024-12-31
5. Verify signed files using netpgp and the specially created keyring
$ netpgpverify -k netpgp.keyring signed.old.gpg1
Good signature for signed.old.gpg1 made Fri Jan 23 16:21:52 2026
signature 4096/RSA (Encrypt or Sign) f485518fd115da12 2024-12-31
fingerprint d90a fc4c 7820 5993 c721 5b93 f485 518f d115 da12
uid pkgsrc Security Team <pkgsrc-security%pkgsrc.org@localhost>
uid pkgsrc Security Team <pkgsrc-security%NetBSD.org@localhost>
$ netpgpverify -k netpgp.keyring signed.old.gpg2
Signature did not match contents -- Signature key id 93c7215b93f48551 not found
$ netpgpverify -k netpgp.keyring signed.new.gpg1
Signature did not match contents -- Signature key id 185d84f136fdcb2d not found
$ netpgpverify -k netpgp.keyring signed.new.gpg2
Signature did not match contents -- Signature key id 806b5c0a37185d84 not found
Please note that the lines for the gpg2-created files show a different
key ID - comparing it to the output from gpg1/2 above you can see that
this is an earlier part of the hex string of the GPG key, so
netpgpverify seems to be parsing the wrong location for the key
"fingerprint" (last hex digits).
>Fix:
I think the following fixes are needed:
- support keys created by gpg2
- support signatures created by gpg2
- support GPG(2?) keyrings
>Unformatted:
Home |
Main Index |
Thread Index |
Old Index