NetBSD-Bugs archive


PR/59823 CVS commit: [pkgsrc-2025Q4] pkgsrc/security/netpgpverify



The following reply was made to PR bin/59823; it has been noted by GNATS.

From: "Maya Rashish" <maya%netbsd.org@localhost>
To: gnats-bugs%gnats.NetBSD.org@localhost
Cc: 
Subject: PR/59823 CVS commit: [pkgsrc-2025Q4] pkgsrc/security/netpgpverify
Date: Sat, 24 Jan 2026 03:06:29 +0000

 Module Name:	pkgsrc
 Committed By:	maya
 Date:		Sat Jan 24 03:06:29 UTC 2026
 
 Modified Files:
 	pkgsrc/security/netpgpverify [pkgsrc-2025Q4]: Makefile
 	pkgsrc/security/netpgpverify/files [pkgsrc-2025Q4]: Makefile.in
 	    libverify.c
 Added Files:
 	pkgsrc/security/netpgpverify/files [pkgsrc-2025Q4]: gpg2test
 	    gpg2test.gpg2 keypubring.gpg2 keysecring.gpg2
 
 Log Message:
 Pullup ticket #7047 - requested by wiz
 security/netpgpverify: Bug fix
 
 Revisions pulled up:
 - security/netpgpverify/Makefile                                1.23
 - security/netpgpverify/files/Makefile.in                       1.10
 - security/netpgpverify/files/gpg2test                          1.1
 - security/netpgpverify/files/gpg2test.gpg2                     1.1
 - security/netpgpverify/files/keypubring.gpg2                   1.1
 - security/netpgpverify/files/keysecring.gpg2                   1.1
 - security/netpgpverify/files/libverify.c                       1.32
 
 ---
    Module Name:	pkgsrc
    Committed By:	riastradh
    Date:		Sun Jan  4 06:19:40 UTC 2026
 
    Modified Files:
    	pkgsrc/security/netpgpverify: Makefile
    	pkgsrc/security/netpgpverify/files: Makefile.in libverify.c
    Added Files:
    	pkgsrc/security/netpgpverify/files: gpg2test gpg2test.gpg2
    	    keypubring.gpg2 keysecring.gpg2
 
    Log Message:
    security/netpgpverify: Handle issuer fingerprint subpackets.
 
    This is an extremely dodgy stop-gap measure to verify signatures
    produced by gpg2.  It does nothing to address pervasive problems in
    netpgpverify, like PR security/57449 or PR bin/59823, or even more
    narrowly scoped problems with using keyids instead of fingerprints.
    I'm a little reluctant to even commit this stop-gap because the
    problems are so bad, and a band-aid won't fix a spurting carotid.
 
    The symptom is:
 
    > ./netpgpverify -k keypubring.gpg2 gpg2test.gpg2
    > Ignoring unusual/reserved signature subpacket 34
    > Signature did not match contents -- Signature key id 38fa6a2833ed1efa does not match onepass keyid
 
    Test case generated by:
 
    mkdir -m 0700 gpghome
    gpg2 --homedir gpghome --batch --passphrase '' \
        --quick-gen-key user%example.com@localhost rsa2048 sign never
    echo hello world >gpg2test
    gpg2 --homedir gpghome --batch --no-comments --no-emit-version \
        --output gpg2test.gpg2 --sign gpg2test
    gpg2 --homedir gpghome --batch --no-comments --no-emit-version \
        --export-secret-keys >keysecring.gpg2
    gpg2 --homedir gpghome --batch --no-comments --no-emit-version \
        --export >keypubring.gpg2
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.22 -r1.22.42.1 pkgsrc/security/netpgpverify/Makefile
 cvs rdiff -u -r1.9 -r1.9.42.1 pkgsrc/security/netpgpverify/files/Makefile.in
 cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/security/netpgpverify/files/gpg2test \
     pkgsrc/security/netpgpverify/files/gpg2test.gpg2 \
     pkgsrc/security/netpgpverify/files/keypubring.gpg2 \
     pkgsrc/security/netpgpverify/files/keysecring.gpg2
 cvs rdiff -u -r1.31 -r1.31.42.1 \
     pkgsrc/security/netpgpverify/files/libverify.c
 
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
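
Added example, not part of the commit or of netpgpverify's source: a minimal C walker for an OpenPGP signature subpacket area that extracts the issuer key ID (type 16, RFC 4880) and the issuer fingerprint (type 33, RFC 9580) and checks that, for a v4 key, the key ID is the low 64 bits of the fingerprint. The name issuer_check and the sample bytes are constructed for illustration; all other subpacket types, including critical ones, are skipped here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SUBPKT_ISSUER     16	/* RFC 4880: 8-octet key ID */
#define SUBPKT_ISSUER_FPR 33	/* RFC 9580: key version octet + fingerprint */

/* Constructed sample subpacket area; not taken from gpg2test.gpg2. */
static const uint8_t sample_area[] = {
	22, SUBPKT_ISSUER_FPR, 4,	/* length, type, key version 4 */
	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
	0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
	9, SUBPKT_ISSUER, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
};

/* Walk one subpacket area.  Returns 1 if the issuer key ID equals the low
 * 64 bits of a v4 issuer fingerprint, 0 if they differ, -1 if either is
 * absent or the fingerprint is not v4, -2 if the area is malformed. */
int issuer_check(const uint8_t *p, size_t n)
{
	const uint8_t *keyid = NULL, *fpr = NULL;
	size_t hdr, len, fprlen = 0;
	while (n > 0) {
		if (p[0] < 192) {			/* one-octet length */
			hdr = 1; len = p[0];
		} else if (p[0] < 255 && n >= 2) {	/* two-octet length */
			hdr = 2; len = ((size_t)(p[0] - 192) << 8) + p[1] + 192;
		} else if (p[0] == 255 && n >= 5) {	/* five-octet length */
			hdr = 5; len = ((size_t)p[1] << 24) | ((size_t)p[2] << 16) |
			    ((size_t)p[3] << 8) | p[4];
		} else
			return -2;
		if (len == 0 || len > n - hdr)	/* type octet and body must fit */
			return -2;
		int type = p[hdr] & 0x7f;	/* bit 7 is the critical flag */
		if (type == SUBPKT_ISSUER && len == 1 + 8)
			keyid = p + hdr + 1;
		else if (type == SUBPKT_ISSUER_FPR && len >= 1 + 1) {
			fpr = p + hdr + 1;	/* fpr[0] is the key version */
			fprlen = len - 2;
		} else if (type == SUBPKT_ISSUER || type == SUBPKT_ISSUER_FPR)
			return -2;		/* known type, wrong size */
		p += hdr + len; n -= hdr + len;
	}
	if (keyid == NULL || fpr == NULL || fpr[0] != 4 || fprlen != 20)
		return -1;
	return memcmp(keyid, fpr + 1 + 12, 8) == 0;
}

int main(void) { return issuer_check(sample_area, sizeof(sample_area)) != 1; }
```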
 

