NetBSD Problem Report #54048
From www@NetBSD.org Fri Mar 8 19:20:51 2019
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id F36147A1AB
for <gnats-bugs@gnats.NetBSD.org>; Fri, 8 Mar 2019 19:20:50 +0000 (UTC)
Message-Id: <20190308192049.DD9127A1D2@mollari.NetBSD.org>
Date: Fri, 8 Mar 2019 19:20:49 +0000 (UTC)
From: tiago@seco.ws
Reply-To: tiago@seco.ws
To: gnats-bugs@NetBSD.org
Subject: pkg_admin unable to verify signature
X-Send-Pr-Version: www-1.0
>Number: 54048
>Category: pkg
>Synopsis: pkg_admin unable to verify signature
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Mar 08 19:25:00 +0000 2019
>Last-Modified: Mon Oct 19 14:55:00 +0000 2020
>Originator: Tiago Seco
>Release: NetBSD 8.0 (GENERIC)
>Organization:
>Environment:
NetBSD localhost 8.0 NetBSD 8.0 (GENERIC) #0: Tue Jul 17 14:59:51 UTC 2018 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
pkg_admin fetch-pkg-vulnerabilities -s fails when verifying the signature with the following:
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
pkg_admin: unable to verify signature: Signature key id 706b677372632d73 not found
--
gpg settings and keys:
localhost# gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/9F80359C 2018-04-19 [expires: 2019-05-14]
uid pkgsrc Security Team <pkgsrc-security@pkgsrc.org>
uid pkgsrc Security Team <pkgsrc-security@NetBSD.org>
sub 4096R/FE41A229 2018-04-19 [expires: 2019-05-14]
localhost# pkg_admin config-var GPG
/usr/pkg/bin/gpg
>How-To-Repeat:
curl -sS https://pkgsrc.org/pkgsrc-security_pgp_key.asc | gpg --import
pkg_admin fetch-pkg-vulnerabilities -s
>Fix:
>Release-Note:
>Audit-Trail:
From: Alistair Crooks <agc@pkgsrc.org>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/54048: pkg_admin unable to verify signature
Date: Sun, 10 Mar 2019 13:27:30 -0700
See RFC 4880, section 5.2.3.1
https://tools.ietf.org/html/rfc4880
The value of the subpacket type octet may be:
0 = Reserved
1 = Reserved
2 = Signature Creation Time
3 = Signature Expiration Time
4 = Exportable Certification
5 = Trust Signature
6 = Regular Expression
7 = Revocable
8 = Reserved
9 = Key Expiration Time
10 = Placeholder for backward compatibility
11 = Preferred Symmetric Algorithms
12 = Revocation Key
13 = Reserved
14 = Reserved
15 = Reserved
16 = Issuer
17 = Reserved
18 = Reserved
19 = Reserved
20 = Notation Data
21 = Preferred Hash Algorithms
22 = Preferred Compression Algorithms
23 = Key Server Preferences
24 = Preferred Key Server
25 = Primary User ID
26 = Policy URI
27 = Key Flags
28 = Signer's User ID
29 = Reason for Revocation
30 = Features
31 = Signature Target
32 = Embedded Signature
100 To 110 = Private or experimental
so I suspect something has been added to the original spec - which package,
and how was it signed?
Regards,
Alistair
From: tiago@seco.ws
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/54048
Date: Mon, 11 Mar 2019 15:11:59 -0400
> so I suspect something has added to the original spec
That may have been the case, but if so I do not know when / where.
> - which package, and how was it signed?
I am not sure I understand the question. As far as I can tell the signature
verification fails when checking the vulnerability list file, not when
installing a package per se.
Following is the list of packages I assume might be related to this issue:
pkg_install-20180425 Package management and administration tools for pkgsrc
pkgin-0.11.6nb1 Apt / yum like tool for managing pkgsrc binary packages
libgpg-error-1.33 Definitions of common error values for all GnuPG components
gnupg-1.4.23nb2 GNU Privacy Guard, public-Key encryption and digital signatures
# echo $PKG_PATH
http://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/amd64/8.0_STABLE/All/
# which pkg_admin
/usr/pkg/sbin/pkg_admin
Apologies if this is not what you asked.
For completeness' sake, the output of
ktruss -id pkg_admin fetch-pkg-vulnerabilities -s 2>&1 can be found here:
https://termbin.com/0osw
/ts
From: reed@reedmedia.net
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/54048
Date: Sat, 28 Dec 2019 10:49:10 -0600 (CST)
Today I saw on NetBSD IRC that someone hit this same issue.
So I tried it on NetBSD 8.0:
pkg_admin fetch-pkg-vulnerabilities -s
which resulted in:
pkg_admin: unable to verify signature: Signature key id 706b677372632d73 not found
Ignoring unusual/reserved signature subpacket 104
Ignoring unusual/reserved signature subpacket 105
Ignoring unusual/reserved signature subpacket 104
Ignoring unusual/reserved signature subpacket 105
Ignoring unusual/reserved signature subpacket 18
Ignoring unusual/reserved signature subpacket 18
Ignoring unusual/reserved signature subpacket 18
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
recog_userid: not 13
recog_primary_key: not userid
short pubring recognition???
Ignoring unusual/reserved signature subpacket 33
From: Thomas Klausner <wiz@NetBSD.org>
To: NetBSD bugtracking <gnats-bugs@NetBSD.org>
Cc:
Subject: Re: pkg/54048
Date: Fri, 2 Oct 2020 12:00:37 +0200
I tried sending this before, but I didn't see it in GNATS now, so here
it goes again.
Subpacket types 33-38 are defined in the draft for the next RFC
available here:
https://datatracker.ietf.org/doc/draft-ietf-openpgp-rfc4880bis/?include_text=1
| 33 | Issuer Fingerprint |
| 34 | Preferred AEAD Algorithms |
| 35 | Intended Recipient Fingerprint |
| 37 | Attested Certifications |
| 38 | Key Block |
For 33 in particular:
5.2.3.28. Issuer Fingerprint
(1 octet key version number, N octets of fingerprint)
The OpenPGP Key fingerprint of the key issuing the signature. This
subpacket SHOULD be included in all signatures. If the version of
the issuing key is 4 and an Issuer subpacket is also included in the
signature, the key ID of the Issuer subpacket MUST match the low 64
bits of the fingerprint.
Note that the length N of the fingerprint for a version 4 key is 20
octets; for a version 5 key N is 32.
Thomas
(18 is reserved and 100-110 are private/experimental)
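The subpacket layout quoted above, as an added example that is not code from the PR or from pkg_install/netpgp: a small Python parser for a v4 signature's subpacket area (RFC 4880 section 5.2.3.1 length encoding and critical bit) that applies the type 33 rule, deriving the v4 key ID from the low 64 bits of the Issuer Fingerprint and rejecting a signature whose Issuer subpacket (type 16) contradicts it. Unknown non-critical subpackets are reported with the same wording pkg_admin printed; an unknown critical one rejects the signature, as RFC 4880 requires. The fingerprint, timestamp and subpacket bodies are constructed for the demonstration. One side observation the example also checks: the key ID pkg_admin reported as missing, 706b677372632d73, decodes to the ASCII text "pkgsrc-s", which suggests (my inference, not something the thread states) that the verifier had lost its position in the packet stream rather than looked up a genuine key ID.

```python
"""Added example (not part of the PR or of pkg_install/netpgp): parse an
OpenPGP v4 signature subpacket area per RFC 4880 section 5.2.3.1 and apply
the Issuer Fingerprint (type 33) rule quoted from rfc4880bis 5.2.3.28.
All sample subpacket data below is constructed for the demonstration."""
import struct

KNOWN = {2: "Signature Creation Time", 16: "Issuer", 33: "Issuer Fingerprint"}
FINGERPRINT_LEN = {4: 20, 5: 32}   # octets of fingerprint per key version


def encode_length(n):
    """Subpacket length encoding (RFC 4880 5.2.3.1); n counts the type octet."""
    if n < 192:
        return bytes([n])
    if n < 16320:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def decode_length(buf, pos):
    """Inverse of encode_length; returns (length, position after the length)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def subpacket(sp_type, body, critical=False):
    """Serialise one subpacket; bit 7 of the type octet is the critical flag."""
    octet = sp_type | (0x80 if critical else 0)
    return encode_length(1 + len(body)) + bytes([octet]) + body


def parse_subpackets(area):
    """Return [(type, critical, body), ...]. Unknown non-critical subpackets
    are returned for the caller to ignore; an unknown *critical* subpacket
    makes the signature invalid (RFC 4880 5.2.3.1), so it raises."""
    out, pos = [], 0
    while pos < len(area):
        length, pos = decode_length(area, pos)
        if length < 1 or pos + length > len(area):
            raise ValueError("truncated subpacket at offset %d" % pos)
        octet, body = area[pos], area[pos + 1:pos + length]
        pos += length
        sp_type, critical = octet & 0x7F, bool(octet & 0x80)
        if critical and sp_type not in KNOWN:
            raise ValueError("unknown critical subpacket %d" % sp_type)
        out.append((sp_type, critical, body))
    return out


def resolve_issuer(subpackets):
    """Work out which key ID to look up in the keyring.
    Returns {"key_id": hex or None, "fingerprint": hex or None, "warnings": [...]}."""
    fingerprint = key_id = None
    warnings = []
    for sp_type, _critical, body in subpackets:
        if sp_type == 33:
            version, fp = body[0], body[1:]
            if len(fp) != FINGERPRINT_LEN.get(version):
                raise ValueError("fingerprint length %d wrong for v%d key" % (len(fp), version))
            fingerprint = (version, fp)
        elif sp_type == 16:
            if len(body) != 8:
                raise ValueError("Issuer subpacket must be 8 octets")
            key_id = body
        elif sp_type not in KNOWN:
            # The wording pkg_admin printed in the report; harmless for non-critical types.
            warnings.append("Ignoring unusual/reserved signature subpacket %d" % sp_type)
    if fingerprint and fingerprint[0] == 4:
        low64 = fingerprint[1][-8:]          # v4 key ID = low 64 bits of the fingerprint
        if key_id is not None and key_id != low64:
            raise ValueError("Issuer key ID does not match Issuer Fingerprint")
        key_id = low64
    if fingerprint is None and key_id is None:
        raise ValueError("signature carries no issuer information")
    return {"key_id": key_id.hex() if key_id else None,
            "fingerprint": fingerprint[1].hex() if fingerprint else None,
            "warnings": warnings}


# --- constructed sample: a v4 key whose fingerprint is the octets 0x10..0x23 ---
SAMPLE_FP = bytes(range(0x10, 0x24))                     # 20 octets
SAMPLE_AREA = (
    subpacket(2, struct.pack(">I", 1552000000))          # creation time
    + subpacket(33, b"\x04" + SAMPLE_FP)                 # Issuer Fingerprint, v4 key
    + subpacket(34, b"\x01")                             # Preferred AEAD (rfc4880bis), unknown here
    + subpacket(100, b"\x00" * 200)                      # private/experimental, 2-octet length
    + subpacket(16, SAMPLE_FP[-8:])                      # Issuer, consistent with the fingerprint
)
# Same area, but the trailing Issuer subpacket (10 octets) contradicts the fingerprint.
TAMPERED_AREA = SAMPLE_AREA[:-10] + subpacket(16, b"\xaa" * 8)


def key_id_as_ascii(key_id_hex):
    """The ID pkg_admin failed to find, 706b677372632d73, is plain ASCII text."""
    return bytes.fromhex(key_id_hex).decode("ascii", errors="replace")


if __name__ == "__main__":
    info = resolve_issuer(parse_subpackets(SAMPLE_AREA))
    print("issuer key id:", info["key_id"])
    for w in info["warnings"]:
        print(w)
    print(repr(key_id_as_ascii("706b677372632d73")))
```

Running the block resolves the sample signature to key ID 1c1d1e1f20212223 and prints two "Ignoring unusual/reserved signature subpacket" lines for types 34 and 100; feeding it TAMPERED_AREA raises, because a type 16 key ID that disagrees with the type 33 fingerprint violates the MUST in 5.2.3.28 and should never be used to pick a keyring entry.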
From: Jonathan Perkin <jperkin@joyent.com>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org,
tiago@seco.ws
Subject: Re: pkg/54048
Date: Mon, 19 Oct 2020 15:52:49 +0100
The pkgsrc-security key has been updated, which will no longer cause
failures, but you will still see warnings due to the key being signed
by newer GnuPG keys (as far as we're aware).
For now I'm using this quick hack in my SmartOS/illumos and macOS
package sets to just ignore the warning:
https://github.com/joyent/pkgsrc/commit/1a171bc4c27a22eceb284af2e221fbef66282a4c
and "pkg_admin check-pkg-vulnerabilities -s" works again.
The NetBSD netpgp has been correctly patched to handle the subpacket,
and I'm hoping netpgpverify will also have a proper fix in due course.
--
Jonathan Perkin - Joyent, Inc. - www.joyent.com
>Unformatted:
Copyright © 1994-2020
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.