Fails to verify GPG signature of a package
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
dpkg-sig (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
The dpkg-sig script is unable to verify the signature of a Debian package when GNU ar is used to assemble the package. This also renders dpkg-sig incapable of adding a new signature when one already exists.
The problem lies in how GNU ar terminates a file name in the archive member header to indicate where it ends: it appends a trailing slash "/" (forward slash), whereas BSD ar does not follow that practice[1].
For example:
* File content:
krzysztof@b1:~$ ar vt zookeeper-
rw-rw-r-- 0/0 4 Mar 18 21:16 2013 debian-binary
rw-rw-r-- 0/0 636 Mar 18 21:16 2013 control.tar.gz
rw-rw-r-- 0/0 9108275 Mar 18 21:16 2013 data.tar.gz
krzysztof@b1:~$ egrep -a 'debian-binary' zookeeper-
debian-binary/ 1363641418 0 0 100664 4 `
A trailing slash is visible in the example above.
* Signing:
krzysztof@v1:~$ dpkg-sig -k 83F709E3 --sign builder zookeeper-
Processing zookeeper-
Signed deb zookeeper-
* Verifying:
krzysztof@b1:~$ dpkg-sig -k 83F709E3 --verify zookeeper-
Processing zookeeper-
BADSIG _gpgbuilder
* Actual signature (as per the content of the added _gpgbuilder file):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Version: 4
Signer: Ooyala, Inc.
Date: Tue Mar 19 04:58:02 2013
Role: builder
Files:
3cf918272ffa5
3a15c94b05829
f97656d8cbd74
Please note the trailing slash in the lines where checksums were added.
As per the "deb" file format guide, a trailing slash is valid and a Debian package may contain it[2].
This can be reproduced on both Lucid and Precise, and on current Debian - pretty much every version of the "dpkg-sig" package is affected. In this particular case it was the following:
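As an added illustration of the header difference described above (example code written for this page, not part of dpkg-sig or of the reporter's patch), the following Python parser reads ar member headers and strips the GNU-style trailing slash before hashing, so the same members produce the same checksum lines whichever ar assembled the package. The archive contents are constructed inline; the member data and timestamp are placeholders.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"


def build_ar(members, gnu_style):
    """Assemble a minimal ar archive from (name, bytes) pairs.
    gnu_style=True mimics GNU ar's trailing '/' name terminator;
    False mimics BSD ar, which pads the bare name with spaces."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        ident = name + ("/" if gnu_style else "")
        if len(ident) > 16:
            raise ValueError("long names need the GNU extension table")
        # 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) "`\n"
        hdr = f"{ident:<16}{1363641418:<12}{0:<6}{0:<6}{'100664':<8}{len(data):<10}`\n"
        out += hdr.encode("ascii") + data
        if len(data) % 2:
            out += b"\n"  # member data is padded to an even offset
    return bytes(out)


def normalise_name(raw):
    """Drop GNU ar's '/' terminator but keep the special '/' and '//' tables."""
    name = raw.rstrip()
    if name.endswith("/") and len(name) > 1 and name != "//":
        name = name[:-1]
    return name


def parse_ar(blob):
    """Return [(normalised name, data)] or raise on a malformed archive."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos, members = 8, []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:] != b"`\n":
            raise ValueError(f"bad member header at offset {pos}")
        size = int(hdr[48:58].decode("ascii").strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member")
        members.append((normalise_name(hdr[:16].decode("ascii")), data))
        pos += 60 + size + (size % 2)  # skip the padding byte if present
    return members


def digest_lines(blob):
    """Per-member SHA1 lines in the spirit of dpkg-sig's Files: section."""
    return [f"{hashlib.sha1(d).hexdigest()} {n}" for n, d in parse_ar(blob)]


# Constructed sample members; the payloads are stand-ins, not real tarballs.
MEMBERS = [("debian-binary", b"2.0\n"),
           ("control.tar.gz", b"constructed control payload"),
           ("data.tar.gz", b"constructed data payload!!")]
```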
krzysztof@b1:~$ apt-cache show dpkg-sig
Package: dpkg-sig
Priority: optional
Section: universe/devel
Installed-Size: 236
Maintainer: Ubuntu MOTU Developers <email address hidden>
Original-
Architecture: all
Version: 0.13.1
Depends: perl, gnupg, libdigest-md5-perl, libconfig-file-perl
Suggests: ssh, libterm-
Filename: pool/universe/
Size: 37714
MD5sum: 72677be8cfd4f8d
SHA1: a23950a4b29f36c
SHA256: 10911f3ae268d2e
Description-en: create and verify signatures on .deb-files
dpkg-sig is a low-level tool for creation and verification of
signature on Debian binary packages (.deb-files).
.
The created signed packages are strict compatible with dpkg and the
apt-utils.
.
Website is http://
Description-md5: af8f9217fe01198
Bugs: https:/
Origin: Ubuntu
Installed on the following release:
krzysztof@b1:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.1 LTS
Release: 12.04
Codename: precise
There is an existing bug open against it with Debian:
http://
I am attaching a small (and probably incorrect) patch that was used by me to fix the issue with GPG verification and creation. I use automated package building facility (comprised of both FPM and dpkg-buildpackage et al) and was relying on the "dpkg-sig" script when it goes to adding and verifying files.
1. http://
2. http://
The attachment "Possible solution to the dpkg-sig issue." seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]