

CVS commit: [pkgsrc-2025Q4] pkgsrc/security/netpgpverify



Module Name:    pkgsrc
Committed By:   maya
Date:           Sat Jan 24 03:06:29 UTC 2026

Modified Files:
        pkgsrc/security/netpgpverify [pkgsrc-2025Q4]: Makefile
        pkgsrc/security/netpgpverify/files [pkgsrc-2025Q4]: Makefile.in
            libverify.c
Added Files:
        pkgsrc/security/netpgpverify/files [pkgsrc-2025Q4]: gpg2test
            gpg2test.gpg2 keypubring.gpg2 keysecring.gpg2

Log Message:
Pullup ticket #7047 - requested by wiz
security/netpgpverify: Bug fix

Revisions pulled up:
- security/netpgpverify/Makefile                                1.23
- security/netpgpverify/files/Makefile.in                       1.10
- security/netpgpverify/files/gpg2test                          1.1
- security/netpgpverify/files/gpg2test.gpg2                     1.1
- security/netpgpverify/files/keypubring.gpg2                   1.1
- security/netpgpverify/files/keysecring.gpg2                   1.1
- security/netpgpverify/files/libverify.c                       1.32

---
   Module Name: pkgsrc
   Committed By:        riastradh
   Date:                Sun Jan  4 06:19:40 UTC 2026

   Modified Files:
        pkgsrc/security/netpgpverify: Makefile
        pkgsrc/security/netpgpverify/files: Makefile.in libverify.c
   Added Files:
        pkgsrc/security/netpgpverify/files: gpg2test gpg2test.gpg2
            keypubring.gpg2 keysecring.gpg2

   Log Message:
   security/netpgpverify: Handle issuer fingerprint subpackets.

   This is an extremely dodgy stop-gap measure to verify signatures
   produced by gpg2.  It does nothing to address pervasive problems in
   netpgpverify, like PR security/57449 or PR bin/59823, or even more
   narrowly scoped problems with using keyids instead of fingerprints.
   I'm a little reluctant to even commit this stop-gap because the
   problems are so bad, and a band-aid won't fix a spurting carotid.

   The symptom is:

   > ./netpgpverify -k keypubring.gpg2 gpg2test.gpg2
   > Ignoring unusual/reserved signature subpacket 34
   > Signature did not match contents -- Signature key id 38fa6a2833ed1efa does not match onepass keyid

   Test case generated by:

   mkdir -m 0700 gpghome
   gpg2 --homedir gpghome --batch --passphrase '' \
       --quick-gen-key user%example.com@localhost rsa2048 sign never
   echo hello world >gpg2test
   gpg2 --homedir gpghome --batch --no-comments --no-emit-version \
       --output gpg2test.gpg2 --sign gpg2test
   gpg2 --homedir gpghome --batch --no-comments --no-emit-version \
       --export-secret-keys >keysecring.gpg2
   gpg2 --homedir gpghome --batch --no-comments --no-emit-version \
       --export >keypubring.gpg2


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.22.42.1 pkgsrc/security/netpgpverify/Makefile
cvs rdiff -u -r1.9 -r1.9.42.1 pkgsrc/security/netpgpverify/files/Makefile.in
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/security/netpgpverify/files/gpg2test \
    pkgsrc/security/netpgpverify/files/gpg2test.gpg2 \
    pkgsrc/security/netpgpverify/files/keypubring.gpg2 \
    pkgsrc/security/netpgpverify/files/keysecring.gpg2
cvs rdiff -u -r1.31 -r1.31.42.1 \
    pkgsrc/security/netpgpverify/files/libverify.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/netpgpverify/Makefile
diff -u pkgsrc/security/netpgpverify/Makefile:1.22 pkgsrc/security/netpgpverify/Makefile:1.22.42.1
--- pkgsrc/security/netpgpverify/Makefile:1.22  Sun Nov  1 11:28:35 2020
+++ pkgsrc/security/netpgpverify/Makefile       Sat Jan 24 03:06:28 2026
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.22 2020/11/01 11:28:35 wiz Exp $
+# $NetBSD: Makefile,v 1.22.42.1 2026/01/24 03:06:28 maya Exp $
 
 DISTNAME=              netpgpverify-${VERSION}
+PKGREVISION=           1
 CATEGORIES=            security
 MASTER_SITES=          # empty
 DISTFILES=             # empty

Index: pkgsrc/security/netpgpverify/files/Makefile.in
diff -u pkgsrc/security/netpgpverify/files/Makefile.in:1.9 pkgsrc/security/netpgpverify/files/Makefile.in:1.9.42.1
--- pkgsrc/security/netpgpverify/files/Makefile.in:1.9  Sun Nov  1 11:28:35 2020
+++ pkgsrc/security/netpgpverify/files/Makefile.in      Sat Jan 24 03:06:29 2026
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.in,v 1.9 2020/11/01 11:28:35 wiz Exp $
+# $NetBSD: Makefile.in,v 1.9.42.1 2026/01/24 03:06:29 maya Exp $
 
 PROG=netpgpverify
 
@@ -49,6 +49,8 @@ tst:
        ./${PROG} -k pubring.gpg noversion.asc
        @echo "testing dash-escaped text"
        ./${PROG} -k pubring.gpg dash-escaped-text.asc
+       @echo "testing gpg2-generated signature"
+       ./${PROG} -k keypubring.gpg2 gpg2test.gpg2
 
 clean:
        rm -rf *.core ${OBJS} ${PROG}
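Review bot: The new tst line only exercises the accepting path, so a regression that makes the issuer-fingerprint code accept any input would still pass the suite; pairing it with a case that must be rejected, e.g. `! ./${PROG} -k pubring.gpg gpg2test.gpg2` (the gpg2 signature checked against the older keyring that does not hold that key), would pin the negative side too. Whether that line fails the target as intended depends on netpgpverify returning non-zero on a mismatch, which this hunk does not show. The added keysecring.gpg2 is not referenced by any tst line; if it is only there to let someone regenerate the fixtures, a comment in the target saying so would save the next reader from looking for its use.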

Index: pkgsrc/security/netpgpverify/files/libverify.c
diff -u pkgsrc/security/netpgpverify/files/libverify.c:1.31 pkgsrc/security/netpgpverify/files/libverify.c:1.31.42.1
--- pkgsrc/security/netpgpverify/files/libverify.c:1.31 Sun Nov  1 11:28:35 2020
+++ pkgsrc/security/netpgpverify/files/libverify.c      Sat Jan 24 03:06:29 2026
@@ -1183,10 +1183,29 @@ read_sig_subpackets(pgpv_t *pgp, pgpv_si
                        sigpkt->sig.revoked = *p++ + 1;
                        sigpkt->sig.why_revoked = (char *)(void *)p;
                        break;
-               case SUBPKT_ISSUER_FINGERPRINT:
+               case SUBPKT_ISSUER_FINGERPRINT: {
+                       /* RFC 9580, Sec. 5.2.3.35 Issuer Fingerprint */
+                       unsigned N;
+
                        sigpkt->sig.ifver = *p;
+                       switch (sigpkt->sig.ifver) {
+                       case 4:
+                               N = 20;
+                               break;
+                       case 6:
+                               N = 32;
+                               break;
+                       default:
+                               printf("unknown issuer fpr version %d\n",
+                                   sigpkt->sig.ifver);
+                               return 0;
+                       }
                        sigpkt->sig.issuer_fingerprint = &p[1];
+                       memcpy(sigpkt->sig.signer,
+                           &p[1 + N - sizeof(sigpkt->sig.signer)],
+                           sizeof(sigpkt->sig.signer));
                        break;
+               }
                default:
                        printf("Ignoring unusual/reserved signature subpacket %d\n", subpkt.tag);
                        break;
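Review bot: The added memcpy reads N octets from p[1] without first checking that the subpacket actually contains them, so a signature whose issuer-fingerprint subpacket is shorter than 1+N octets makes read_sig_subpackets read past the subpacket; the hunk only shows `subpkt.tag`, so if that struct also carries the decoded subpacket length, add `if (<subpacket length> != 1 + N) { printf("bad issuer fpr subpacket length\n"); return 0; }` before `sigpkt->sig.issuer_fingerprint = &p[1];` with whatever that field is named. The key-ID derivation is also only right for v4: RFC 9580 Sec. 5.5.4 defines the v4 Key ID as the low-order 64 bits of the fingerprint but the v6 Key ID as the high-order 64 bits, so for `sigpkt->sig.ifver == 6` the source of the copy should be `&p[1]` rather than `&p[1 + N - sizeof(sigpkt->sig.signer)]` — assuming `sig.signer` holds the 8-octet key ID that the "Signature key id ... does not match" message in the log message refers to. A comment on the copy, `/* v4: key ID is the low 64 bits of the fingerprint; v6: the high 64 bits (RFC 9580, Sec. 5.5.4) */`, would keep that distinction from being lost again. read_sig_subpackets begins and ends outside this hunk.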

Added files:

Index: pkgsrc/security/netpgpverify/files/gpg2test
diff -u /dev/null pkgsrc/security/netpgpverify/files/gpg2test:1.1.2.2
--- /dev/null   Sat Jan 24 03:06:29 2026
+++ pkgsrc/security/netpgpverify/files/gpg2test Sat Jan 24 03:06:29 2026
@@ -0,0 +1 @@
+hello world
Index: pkgsrc/security/netpgpverify/files/gpg2test.gpg2
Binary files are different
Index: pkgsrc/security/netpgpverify/files/keypubring.gpg2
Binary files are different
Index: pkgsrc/security/netpgpverify/files/keysecring.gpg2
Binary files are different


