NetBSD Problem Report #54048

From www@NetBSD.org  Fri Mar  8 19:20:51 2019
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id F36147A1AB
	for <gnats-bugs@gnats.NetBSD.org>; Fri,  8 Mar 2019 19:20:50 +0000 (UTC)
Message-Id: <20190308192049.DD9127A1D2@mollari.NetBSD.org>
Date: Fri,  8 Mar 2019 19:20:49 +0000 (UTC)
From: tiago@seco.ws
Reply-To: tiago@seco.ws
To: gnats-bugs@NetBSD.org
Subject: pkg_admin unable to verify signature
X-Send-Pr-Version: www-1.0

>Number:         54048
>Category:       pkg
>Synopsis:       pkg_admin unable to verify signature
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Mar 08 19:25:00 +0000 2019
>Last-Modified:  Mon Oct 19 14:55:00 +0000 2020
>Originator:     Tiago Seco
>Release:        NetBSD 8.0 (GENERIC)
>Organization:
>Environment:
NetBSD localhost 8.0 NetBSD 8.0 (GENERIC) #0: Tue Jul 17 14:59:51 UTC 2018  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
pkg_admin fetch-pkg-vulnerabilities -s fails when verifying the signature with the following:

Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
Ignoring unusual/reserved signature subpacket 33
pkg_admin: unable to verify signature: Signature key id 706b677372632d73 not found

--

gpg settings and keys:
localhost# gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub   4096R/9F80359C 2018-04-19 [expires: 2019-05-14]
uid                  pkgsrc Security Team <pkgsrc-security@pkgsrc.org>
uid                  pkgsrc Security Team <pkgsrc-security@NetBSD.org>
sub   4096R/FE41A229 2018-04-19 [expires: 2019-05-14]


localhost#  pkg_admin  config-var GPG
/usr/pkg/bin/gpg
>How-To-Repeat:
curl -sS https://pkgsrc.org/pkgsrc-security_pgp_key.asc | gpg --import
pkg_admin fetch-pkg-vulnerabilities -s
>Fix:

>Release-Note:

>Audit-Trail:
From: Alistair Crooks <agc@pkgsrc.org>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/54048: pkg_admin unable to verify signature
Date: Sun, 10 Mar 2019 13:27:30 -0700


 See RFC 4880, section 5.2.3.1

 https://tools.ietf.org/html/rfc4880

 The value of the subpacket type octet may be:

             0 = Reserved
             1 = Reserved
             2 = Signature Creation Time
             3 = Signature Expiration Time
             4 = Exportable Certification
             5 = Trust Signature
             6 = Regular Expression
             7 = Revocable
             8 = Reserved
             9 = Key Expiration Time
            10 = Placeholder for backward compatibility
            11 = Preferred Symmetric Algorithms
            12 = Revocation Key
            13 = Reserved
            14 = Reserved
            15 = Reserved
            16 = Issuer
            17 = Reserved
            18 = Reserved
            19 = Reserved
            20 = Notation Data
            21 = Preferred Hash Algorithms
            22 = Preferred Compression Algorithms
            23 = Key Server Preferences
            24 = Preferred Key Server
            25 = Primary User ID
            26 = Policy URI
            27 = Key Flags
            28 = Signer's User ID
            29 = Reason for Revocation
            30 = Features
            31 = Signature Target
            32 = Embedded Signature
    100 To 110 = Private or experimental


 so I suspect something has been added to the original spec - which package,
 and how was it signed?


 Regards,

 Alistair




From: tiago@seco.ws
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/54048
Date: Mon, 11 Mar 2019 15:11:59 -0400

 >  so I suspect something has been added to the original spec
 That may have been the case,  but if so I do not know when / where.

 > - which package, and how was it signed?
 I am not sure I understand the question. As far as I can tell the signature
 verification fails when checking the vulnerability list file, not when
 installing a package per se.

 Following is the list of packages I assume might be related to this issue:

 pkg_install-20180425 Package management and administration tools for pkgsrc
 pkgin-0.11.6nb1     Apt / yum like tool for managing pkgsrc binary packages
 libgpg-error-1.33   Definitions of common error values for all GnuPG components
 gnupg-1.4.23nb2     GNU Privacy Guard, public-Key encryption and digital signatures

 # echo $PKG_PATH
 http://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/amd64/8.0_STABLE/All/

 # which pkg_admin
 /usr/pkg/sbin/pkg_admin

 Apologies if this is not what you asked.


 For completeness' sake, the output of
 ktruss -id pkg_admin fetch-pkg-vulnerabilities -s 2>&1 can be found here:

 https://termbin.com/0osw

 /ts

From: reed@reedmedia.net
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/54048
Date: Sat, 28 Dec 2019 10:49:10 -0600 (CST)

 Today I saw on netbsd irc about someone hitting this same issue.
 So I tried it on NetBSD 8.0:

 pkg_admin fetch-pkg-vulnerabilities -s

 which resulted in:

 pkg_admin: unable to verify signature: Signature key id 706b677372632d73 not found 
 Ignoring unusual/reserved signature subpacket 104
 Ignoring unusual/reserved signature subpacket 105
 Ignoring unusual/reserved signature subpacket 104
 Ignoring unusual/reserved signature subpacket 105
 Ignoring unusual/reserved signature subpacket 18
 Ignoring unusual/reserved signature subpacket 18
 Ignoring unusual/reserved signature subpacket 18
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 Ignoring unusual/reserved signature subpacket 33
 recog_userid: not 13
 recog_primary_key: not userid
 short pubring recognition???
 Ignoring unusual/reserved signature subpacket 33

From: Thomas Klausner <wiz@NetBSD.org>
To: NetBSD bugtracking <gnats-bugs@NetBSD.org>
Cc: 
Subject: Re: pkg/54048
Date: Fri, 2 Oct 2020 12:00:37 +0200

 I tried sending this before, but I didn't see it in GNATS now, so here
 it goes again.


 Subpacket types 33-38 are defined in the draft for the next RFC
 available here:

 https://datatracker.ietf.org/doc/draft-ietf-openpgp-rfc4880bis/?include_text=1

  | 33 | Issuer Fingerprint             |
  | 34 | Preferred AEAD Algorithms      |
  | 35 | Intended Recipient Fingerprint |
  | 37 | Attested Certifications        |
  | 38 | Key Block                      |

 For 33 in particular:

 5.2.3.28.  Issuer Fingerprint

    (1 octet key version number, N octets of fingerprint)

    The OpenPGP Key fingerprint of the key issuing the signature.  This
    subpacket SHOULD be included in all signatures.  If the version of
    the issuing key is 4 and an Issuer subpacket is also included in the
    signature, the key ID of the Issuer subpacket MUST match the low 64
    bits of the fingerprint.

    Note that the length N of the fingerprint for a version 4 key is 20
    octets; for a version 5 key N is 32.


  Thomas

 (18 is reserved and 100-110 are private/experimental)
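The subpacket layout from RFC 4880 5.2.3.1 quoted earlier in the thread and the type 33 Issuer Fingerprint rule quoted just above, as an added worked example that is not code from netpgp, pkg_install or anyone on this thread: it walks a signature subpacket area, ignores unknown non-critical types the way the "Ignoring" message does, rejects unknown critical ones, and checks that a v4 Issuer key id equals the low 64 bits of the Issuer Fingerprint. The subpacket area, the fingerprint and the set of "known" types are constructed assumptions; the key id printed by pkg_admin in the report is reused only as a deliberately mismatching Issuer value.

```python
"""Parse an OpenPGP signature subpacket area (RFC 4880 sec. 5.2.3.1) and apply
the type 33 Issuer Fingerprint rule quoted above. Added example, not netpgp or
pkg_install code; the subpacket area and fingerprint below are constructed."""
import struct
ISSUER, ISSUER_FINGERPRINT, CRITICAL = 16, 33, 0x80
FPR_LEN = {4: 20, 5: 32}        # fingerprint length by key version (5.2.3.28)
KNOWN = {2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 16, 20, 21, 22, 23, 24, 25, 26, 27,
         28, 29, 30, 31, 32, 33}  # non-reserved types from the RFC list, + 33

def encode_subpacket(sp_type, body, critical=False):
    """Serialize one subpacket (1-octet length form; enough for these sizes)."""
    length = len(body) + 1                   # the length counts the type octet
    assert length < 192, "2/5-octet length forms not needed here"
    return bytes([length, sp_type | (CRITICAL if critical else 0)]) + body

def parse_subpackets(area):
    """Yield (type, critical_flag, body); handles all three length forms."""
    i, n = 0, len(area)
    while i < n:
        first, i = area[i], i + 1
        if first < 192:
            length = first
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i] + 192, i + 1
        else:
            length, i = struct.unpack(">I", area[i:i + 4])[0], i + 4
        if length == 0 or i + length > n:
            raise ValueError("truncated or malformed subpacket")
        type_octet, body, i = area[i], area[i + 1:i + length], i + length
        yield type_octet & 0x7F, bool(type_octet & CRITICAL), body

def check_signer_ids(area):
    """Return (issuer_keyid_hex, fingerprint_hex, problems). Unknown types are
    skipped, like the 'Ignoring' message in the report, unless their critical
    bit is set, in which case RFC 4880 says to treat the signature as in error."""
    issuer, fpr, problems = None, None, []
    for sp_type, critical, body in parse_subpackets(area):
        if sp_type == ISSUER and len(body) == 8:
            issuer = body
        elif sp_type == ISSUER_FINGERPRINT:
            version, fp = (body[0], body[1:]) if body else (0, b"")
            if len(fp) != FPR_LEN.get(version):
                problems.append(f"bad fingerprint length for v{version} key")
            else:
                fpr = (version, fp)
        elif critical and sp_type not in KNOWN:
            problems.append(f"unknown critical subpacket {sp_type}")
    if issuer and fpr and fpr[0] == 4 and fpr[1][-8:] != issuer:
        problems.append("Issuer key id != low 64 bits of Issuer Fingerprint")
    return (issuer.hex() if issuer else None, fpr[1].hex() if fpr else None, problems)

FINGERPRINT = bytes(range(0x10, 0x24))           # constructed v4 fingerprint
GOOD_AREA = (encode_subpacket(2, b"\x5c\x82\x9d\x00")      # creation time
             + encode_subpacket(ISSUER_FINGERPRINT, b"\x04" + FINGERPRINT)
             + encode_subpacket(ISSUER, FINGERPRINT[-8:])
             + encode_subpacket(100, b"x"))          # private/experimental
# Issuer holding the key id from the report (a mismatch); unknown critical type.
BAD_AREA = (encode_subpacket(ISSUER_FINGERPRINT, b"\x04" + FINGERPRINT)
            + encode_subpacket(ISSUER, bytes.fromhex("706b677372632d73")))
CRIT_AREA = encode_subpacket(37, b"", critical=True)
```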

From: Jonathan Perkin <jperkin@joyent.com>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org,
	tiago@seco.ws
Subject: Re: pkg/54048
Date: Mon, 19 Oct 2020 15:52:49 +0100

 The pkgsrc-security key has been updated, which will no longer cause
 failures, but you will still see warnings due to the key being signed
 by newer GnuPG keys (as far as we're aware).

 For now I'm using this quick hack in my SmartOS/illumos and macOS
 package sets to just ignore the warning:

   https://github.com/joyent/pkgsrc/commit/1a171bc4c27a22eceb284af2e221fbef66282a4c

 and "pkg_admin check-pkg-vulnerabilities -s" works again.

 The NetBSD netpgp has been correctly patched to handle the subpacket,
 and I'm hoping netpgpverify will also have a proper fix in due course.

 -- 
 Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com

>Unformatted:
