Fails to verify GPG signature of a package

Bug #1156988 reported by Krzysztof Wilczynski
This bug affects 9 people
Affects: dpkg-sig (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned

Bug Description

The dpkg-sig script is unable to verify a signature of a Debian package when GNU ar is used to assemble the package. This also renders dpkg-sig not capable of adding new signature when one already exists.

The problem lies in the difference in how GNU ar terminates a file name to indicate where it ends: it adds a trailing slash "/" (forward slash), unlike BSD ar, which does not follow this practice[1].

For example:

* File content:

krzysztof@b1:~$ ar vt zookeeper-cli_1.4.1-1_all.deb
rw-rw-r-- 0/0 4 Mar 18 21:16 2013 debian-binary
rw-rw-r-- 0/0 636 Mar 18 21:16 2013 control.tar.gz
rw-rw-r-- 0/0 9108275 Mar 18 21:16 2013 data.tar.gz

krzysztof@b1:~$ egrep -a 'debian-binary' zookeeper-cli_1.4.1-1_all.deb | tr -dc '[:alnum:][:space:][:punct:]'
debian-binary/ 1363641418 0 0 100664 4 `

A trailing slash is visible in the example above.

* Signing:

krzysztof@v1:~$ dpkg-sig -k 83F709E3 --sign builder zookeeper-cli_1.4.1-1_all.deb
Processing zookeeper-cli_1.4.1-1_all.deb...
Signed deb zookeeper-cli_1.4.1-1_all.deb

* Verifying:

krzysztof@b1:~$ dpkg-sig -k 83F709E3 --verify zookeeper-cli_1.4.1-1_all.deb
Processing zookeeper-cli_1.4.1-1_all.deb...
BADSIG _gpgbuilder

* Actual signature (as per the content of added _gpgbuilder file):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Version: 4
Signer: Ooyala, Inc.
Date: Tue Mar 19 04:58:02 2013
Role: builder
Files:
  3cf918272ffa5de195752d73f3da3e5e 7959c969e092f2a5a8604e2287807ac5b1b384ad 4 debian-binary/
  3a15c94b05829d12483b84fab6c499bd 6b25fa2067a801fefb64e499a258e0489c837127 636 control.tar.gz/
  f97656d8cbd740867628d219363ac06c 51b960d4f77d980e44594337b88508e1e6890ef0 9108275 data.tar.gz/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----

Please note the trailing slash in the lines where checksums were added.

As per the "deb" file format guide a trailing slash is valid and Debian package may contain it[2].

This can be reproduced on both Lucid and Precise, and current Debian - pretty much every version of the "dpkg-sig" package is affected. In this particular case it was the following:

krzysztof@b1:~$ apt-cache show dpkg-sig
Package: dpkg-sig
Priority: optional
Section: universe/devel
Installed-Size: 236
Maintainer: Ubuntu MOTU Developers <email address hidden>
Original-Maintainer: Marc 'HE' Brockschmidt <email address hidden>
Architecture: all
Version: 0.13.1
Depends: perl, gnupg, libdigest-md5-perl, libconfig-file-perl
Suggests: ssh, libterm-readkey-perl
Filename: pool/universe/d/dpkg-sig/dpkg-sig_0.13.1_all.deb
Size: 37714
MD5sum: 72677be8cfd4f8d8cc3d2722ddcf5ee2
SHA1: a23950a4b29f36cd4c2b3a88f618926ca772852d
SHA256: 10911f3ae268d2e5bffc7d4ed5e043a5c0c8bf1151918ed4cab15c0d4c0db310
Description-en: create and verify signatures on .deb-files
 dpkg-sig is a low-level tool for creation and verification of
 signature on Debian binary packages (.deb-files).
 .
 The created signed packages are strict compatible with dpkg and the
 apt-utils.
 .
 Website is http://dpkg-sig.turmzimmer.net/
Description-md5: af8f9217fe0119840369e775a3c5bc7c
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu

Installed on the following release:

krzysztof@b1:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.1 LTS
Release: 12.04
Codename: precise

There is an existing bug open against it with Debian:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356509

I am attaching a small (and probably incorrect) patch that was used by me to fix the issue with GPG verification and creation. I use automated package building facility (comprised of both FPM and dpkg-buildpackage et al) and was relying on the "dpkg-sig" script when it goes to adding and verifying files.

1. http://en.wikipedia.org/wiki/Ar_%28Unix%29#BSD_variant
2. http://manpages.ubuntu.com/manpages/lucid/man5/deb.5.html

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Possible solution to the dpkg-sig issue." seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dpkg-sig (Ubuntu):
status: New → Confirmed
Mike Nolte (obiwanmikenolte) wrote :

I had the same problem, also with a package created using FPM. The 2-line patch that Krzysztof added to strip the trailing slashes worked around the issue.

Krzysztof Wilczynski (kwilczynski) wrote :

I am attaching a fix against version 0.13.1+nmu1; it will also take care of the bug mentioned in these two:

- https://bugs.launchpad.net/ubuntu/+source/dpkg-sig/+bug/1342938
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703437

Krzysztof Wilczynski (kwilczynski) wrote :

Also, the following:

https://launchpad.net/ubuntu/+source/dpkg-sig/0.13.1+nmu2

does not fix the issue with the trailing slash.

Nick Griffiths (nicobrevin) wrote :

Just a note that the https://launchpadlibrarian.net/190142754/dpkg-sig_0.13.1+nmu1.diff patch fixed the issue for me - I am also using fpm to build packages and was hoping to use dpkg-sig.

gerbier (eric-gerbier) wrote :

I have the same problem on Ubuntu 23.04, because the default dpkg compression is zst and the Perl code only handles gz, xz, bz2 and lzma compression (lines 646-647):

645 return "FORCE_BAD" unless ($seen_files{'debian-binary'} &&
646     ($seen_files{'control.tar'} || $seen_files{'control.tar.gz'} || $seen_files{'control.tar.xz'}) &&
647     ($seen_files{'data.tar'} || $seen_files{'data.tar.gz'} || $seen_files{'data.tar.xz'} || $seen_files{'data.tar.bz2'} || $seen_files{'data.tar.lzma'}));

The attached patch adds support for zst files.
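As an added example (not the page's or dpkg-sig's own code), a Python sketch of the two checks this report and the zst comment above touch: parsing ar member headers so that GNU ar's trailing "/" and BSD ar's space padding yield the same bare name, accepting the control/data member names with zst included, and matching a dpkg-sig-style "Files:" manifest whose names may carry the slash. The archive builder and its contents are constructed test input, and the exact zst name set is an assumption since the attached patch text is not shown on the page.

```python
import hashlib

# Members a .deb verifier must see, keyed by bare name (no trailing "/").
# Assumption: zst added to the sets dpkg-sig 0.13.1 checks; the page's patch text is not shown.
CONTROL_OK = {"control.tar", "control.tar.gz", "control.tar.xz", "control.tar.zst"}
DATA_OK = {"data.tar", "data.tar.gz", "data.tar.xz", "data.tar.bz2", "data.tar.lzma", "data.tar.zst"}

def ar_members(blob):
    """Yield (name, data) per member of a common ar archive. GNU ar ends names
    with "/", BSD ar pads with spaces; both normalise to the bare name."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]        # name[16] mtime[12] uid[6] gid[6] mode[8] size[10] fmag[2]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        size = int(hdr[48:58])
        yield hdr[:16].decode().rstrip(" ").rstrip("/"), blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)   # member data is padded to an even offset

def check_layout(blob):  # the structural test made before any signature is examined
    seen = {name for name, _ in ar_members(blob)}
    return "debian-binary" in seen and bool(seen & CONTROL_OK) and bool(seen & DATA_OK)

def manifest_lines(blob, suffix=""):
    """'Files:' entries as a signer writes them: md5 sha1 size name (suffix="/" mimics GNU ar)."""
    return ["%s %s %d %s%s" % (hashlib.md5(d).hexdigest(), hashlib.sha1(d).hexdigest(), len(d), n, suffix)
            for n, d in ar_members(blob)]

def verify_manifest(blob, files_lines):
    """True only if every member is listed with matching digests and size; names
    match with or without the trailing "/" seen in the bug report."""
    members = dict(ar_members(blob))
    listed = {}
    for line in files_lines:
        md5, sha1, size, name = line.split()
        listed[name.rstrip("/")] = (md5, sha1, int(size))
    if set(listed) != set(members):
        return False
    return all((hashlib.md5(d).hexdigest(), hashlib.sha1(d).hexdigest(), len(d)) == listed[n]
               for n, d in members.items())

def make_ar(members, gnu=True):
    """Constructed test input: a minimal archive in GNU or BSD naming style."""
    out = b"!<arch>\n"
    for name, data in members:
        n = name + "/" if gnu else name
        out += ("%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (n, 0, 0, 0, "100644", len(data))).encode()
        out += data + (b"\n" if len(data) & 1 else b"")
    return out
```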
