[arch-general] Package are signed... but pacman doesn't like them...?
Good morning, some days ago I found a nice service called "Open Build Service", which allows all kinds of packagers, including also Arch ones, to have different repos of their packages, having them built online. This is awesome for me, as some of them require heavy building time.

I fought a bit against the service, in order to get the GPG public key uploaded to a key server, in order to allow users to add it properly to pacman-key.

Now, I am facing a really strange issue: I've added the key to the pacman keyring, using:

sudo pacman-key -r 05E0A765C649DE23
sudo pacman-key --lsign-key 05E0A765C649DE23

Database syncing works properly and the signature is verified... But for packages it is not. Every time it gives an error like this:

$pkgname-$pkgver $pkgsize $dw_speed 00:00 [--------------------] 100%
(1/1) checking keys in keyring [--------------------] 100%
error: $pkgname: unsupported signature format
(0/1) checking package integrity
(1/1) checking package integrity [--------------------] 100%
error: GPGME error: No data

I tried to download the public key and add it to my personal GPG keyring. Verifying the package signatures works perfectly. To try this, I fetched the .sig file online and used the GPG --verify command. Any hints?

Now, the needed data. My personal repo configuration for pacman:

[home_ItachiSan_archlinux_Arch_Extra]
Server = http://download.opensuse.org/repositories/home:/ItachiSan:/archlinux/Arch_Ex...

The public key mentioned above:
http://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x05E0A765C649DE23
or
http://keyserver.ubuntu.com/pks/lookup?op=vindex&search=home%3AItachiSan&fingerprint=on

Sorry to be so verbose. :< Thanks in advance!
-- Giovanni Santini My blog: http://giovannisantini.tk My code: https://github.com/ItachiSan My code, again: https://gitlab.com/u/ItachiSan My Twitter: https://twitter.com/santini__gio My Facebook: https://www.facebook.com/giovanni.santini My Google+: https://plus.google.com/+GiovanniSantini/ My GPG: 2FADEBF5
I don't know whether it makes sense, but do you create the signature with "makepkg --sign"?

On Sun, Jul 3, 2016 at 10:09 AM, Giovanni 'ItachiSan' Santini via arch-general <arch-general@archlinux.org> wrote:
On 07/03/16 at 02:45pm, Ilya Boka via arch-general wrote:
I don't know whether it makes sense, but do you create the signature with "makepkg --sign"?
Nope, he is using openSUSE's Build Service, which creates a private key per repository. This key is used to sign the packages and surprisingly also the repo database.

I could reproduce the problem but I have no clue why pacman says the signature is invalid.
-- Jelle van der Waa
Il 03/07/2016 18:03, Jelle van der Waa ha scritto:
On 07/03/16 at 02:45pm, Ilya Boka via arch-general wrote:
I don't know whether it makes sense, but do you create the signature with "makepkg --sign"?
Nope,
He is using OpenSuse's Build Service, which creates a private key per repository. This key is used to sign the packages and surprisingly also the repo database.
I could reproduce the problem but I have no clue why pacman says the signature is invalid.
Exactly. Additionally, the strangest thing is that:
- the repository information is signed with the same key and its signature works
- using "gpg --verify" over the package signature (to be clear, the file named "$pkgname-$pkgver.pkg.tar.xz.sig") works properly, after importing the key and locally signing it.

I tried to remove, re-add and re-sign locally the key but no success, even changing the remote keyserver for fetching the key.
Giovanni 'ItachiSan' Santini via arch-general <arch-general@archlinux.org> on Sun, 2016/07/03 10:09:
Looks like the build service produces invalid db files, home_ItachiSan_archlinux_Arch_Extra.db in your case.

The db file is just a simple tar archive, compressed with gzip. Unzip it and you will find a directory for every package. Every directory contains the file 'desc' at least. Within the file you should find a line '%PGPSIG%', followed by a single line containing the signature. Looks like the build service breaks this line, which confuses pacman.

To verify you can extract the db file, make your changes and create a new one. Do not forget to remove the db signature (or resign).

BTW, it's pretty simple why the db signature is valid: it is used as-is. The package signatures in your repository are useless, though. The signatures are stored within the db file, as seen above.

--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
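An added checker (not code from the thread, from pacman or from the build service) that inspects a sync db the way Christian describes: open the gzip-compressed tar, read every <pkg>/desc, and confirm that %PGPSIG% is followed by exactly one base64 line. The extra test that the decoded bytes begin with an OpenPGP signature-packet header is my own sanity check on top of that, since pacman base64-decodes the line and hands the bytes to GPGME; the sample db in build_sample_db is constructed, and the function names are mine.

```python
import base64
import io
import tarfile

def parse_desc(text):
    """Parse a sync-db 'desc' file into {FIELD: [lines]}."""
    fields, current = {}, None
    for line in text.splitlines():
        if line.startswith("%") and line.endswith("%"):
            current = line.strip("%")
            fields[current] = []
        elif current is not None and line:
            fields[current].append(line)
    return fields

def check_pgpsig(fields):
    """(ok, reason): pacman takes exactly one base64 line after %PGPSIG% and
    hands the decoded bytes to GPGME, so they must look like a signature packet."""
    lines = fields.get("PGPSIG", [])
    if len(lines) != 1:
        return False, f"expected 1 signature line, got {len(lines)}"
    try:
        raw = base64.b64decode(lines[0], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "signature line is not valid base64"
    if not raw or not raw[0] & 0x80:
        return False, "decoded data is not an OpenPGP packet"
    # Old-format header keeps the tag in bits 5..2, new-format in bits 5..0.
    tag = raw[0] & 0x3F if raw[0] & 0x40 else (raw[0] >> 2) & 0x0F
    if tag != 2:
        return False, f"OpenPGP packet tag {tag}, expected 2 (signature)"
    return True, "ok"

def check_db(db_bytes):
    """Check every <pkg>/desc inside a gzip-compressed sync db; {pkgdir: (ok, reason)}."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("/desc"):
                text = tar.extractfile(member).read().decode()
                results[member.name.rsplit("/", 1)[0]] = check_pgpsig(parse_desc(text))
    return results

def build_sample_db():
    """Constructed sample db: one intact entry, one whose signature line was wrapped."""
    # Constructed bytes that only start like an old-format signature packet (0x89).
    sig = base64.b64encode(bytes([0x89, 0x01, 0x1C, 0x04, 0x00, 0x01]) + b"\x00" * 12).decode()
    good = f"%NAME%\ngood\n\n%VERSION%\n1.0-1\n\n%PGPSIG%\n{sig}\n\n"
    bad = f"%NAME%\nbad\n\n%VERSION%\n1.0-1\n\n%PGPSIG%\n{sig[:12]}\n{sig[12:]}\n\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in (("good-1.0-1/desc", good), ("bad-1.0-1/desc", bad)):
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()
```

Run check_db on a real downloaded .db file to list which entries pacman will reject; a wrapped line reports as two signature lines, which is the breakage discussed here.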
Il 03/07/2016 23:50, Christian Hesse ha scritto:
Looks like the build service produces invalid db files, home_ItachiSan_archlinux_Arch_Extra.db in your case.
The db file is just a simple tar archive, compressed with gzip. Unzip it and you will find a directory for every package. Every directory contains the file 'desc' at least. Within the file you should find a line '%PGPSIG%', followed by a single line containing the signature. Looks like the build service breaks this line, which confuses pacman.
To verify you can extract the db file, make your changes and create a new one. Do not forget to remove the db signature (or resign).
BTW, It's pretty simple why the db signature is valid: It is used as-is. The package signatures in your repository are useless, though. The signatures are stored withing the db file, as seen above.
I just checked it, you're totally right. I will report this to the Open Build Service team. I hope they will get it fixed soon :-)

Thanks a lot! Will report any update here.
Il 03/07/2016 23:50, Christian Hesse ha scritto:
The db file is just a simple tar archive, compressed with gzip. Unzip it and you will find a directory for every package. Every directory contains the file 'desc' at least. Within the file you should find a line '%PGPSIG%', followed by a single line containing the signature. Looks like the build service breaks this line, which confuses pacman.
I've opened an issue and created a pull request, as I made some experiments with perl in order to have the script working; the issue (now closed) is here: https://github.com/openSUSE/open-build-service/issues/1907

Now, pacman recognises the key and accepts the package, but it still complains a little, saying that the signature format is unsupported:

--- Terminal output starts here
$ LANG=C sudo pacman -Sy dpkg
:: Synchronizing package databases...
... sync stuff here ...
resolving dependencies...
looking for conflicting packages...

Packages (1) dpkg-1.17.25-1

Total Download Size:   1.46 MiB
Total Installed Size:  9.20 MiB

:: Proceed with installation? [Y/n]
:: Retrieving packages...
 dpkg-1.17.25-1-x86_64  1492.1 KiB  $speed 00:00 [--------------] 100%
(1/1) checking keys in keyring [--------------] 100%
error: dpkg: unsupported signature format
(0/1) checking package integrity [co o o o o o
(1/1) checking package integrity [--------------] 100%
(1/1) loading package files [--------------] 100%
... installation stuff here ...
--- Terminal output ends here

Why does pacman give that error? It marks it as an error, but it installs the package anyway...!
Giovanni 'ItachiSan' Santini <itachi.sama.amaterasu@gmail.com> on Mon, 2016/07/04 11:58:
We have three places where this can come from...

https://git.archlinux.org/pacman.git/tree/lib/libalpm/signing.c#n1008
https://git.archlinux.org/pacman.git/tree/lib/libalpm/signing.c#n1038
https://git.archlinux.org/pacman.git/tree/lib/libalpm/signing.c#n1045

Not sure what goes wrong here. Is the source of the build service available? How do they sign the packages?
Il 04/07/2016 18:35, Christian Hesse ha scritto:
We have three places where this can come from...
https://git.archlinux.org/pacman.git/tree/lib/libalpm/signing.c#n1008 https://git.archlinux.org/pacman.git/tree/lib/libalpm/signing.c#n1038 https://git.archlinux.org/pacman.git/tree/lib/libalpm/signing.c#n1045
Not sure what goes wrong here. Is the source of the build service available? How do they sign the packages?
The build service source code is available here:
https://github.com/openSUSE/open-build-service/
and I suppose that the signer is this one:
https://github.com/openSUSE/open-build-service/blob/master/src/backend/bs_si...

From what I've understood, the signer creates a signature file (.sig) and the signature from that file is included in the repo creation here:
https://github.com/openSUSE/open-build-service/blob/master/src/backend/bs_mk...
(up to line 94).