-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Redhat's file signatures fail to verify (because they use OpenPGP signatures with the old signature package V3) #358
Comments
@tschmidtb51 we shall investigate, I assume. @bernhard-herzog can you add your code, to getare more verbose error message from the failed signature |
I checked out main and upgraded the 3rdparty libs with |
Further digging with a debugger reveals that the signature check fails because the signature (I used The code there even produces an error with that information, but detail is then lost in the |
It still doesn't work for me. The code in question that rejects packet |
Argh! I used the checker and not the downloader. I can confirm that updating the libs does not help. |
@s-l-teichmann does signature validation work with the checker, though? ;) |
Seems to be ProtonMail/go-crypto#164 which is biting a few people already. gpg -vv --verify rhsa-2005_586.json.ascgpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: GnuPG v1
# off=0 ctb=89 tag=2 hlen=3 plen=533
:signature packet: algo 1, keyid DCE3823597F5EAC4
version 3, created 1678391835, md5len 5, sigclass 0x00
digest algo 8, begin of digest 5a d6
data: [4095 bits]
gpg: assuming signed data in 'rhsa-2005_586.json'
gpg: Signature made Do 09 Mär 2023 20:57:15 CET
gpg: using RSA key DCE3823597F5EAC4
[..] |
Note that https://www.rfc-editor.org/rfc/rfc4880#section-5.2 reads
(Note that Implementation in the quote refers to implementing OpenPGP itself, not our implementation of the downloader.) The SHOULD means that Redhat would need to have |
@bernhard-herzog can you put in better diagnostic reporting and then assign it to @tschmidtb51 ? |
Obviously not. But the failure is noted in the report and not on STDERR where i had looked for the message. |
Yes. Go ahead. |
PR #363 added a flag |
There is a soft fork of go-crypto at https://github.com/pgpkeys-eu/go-crypto that restores V3 support. Add the following to go.mod to try it out:
|
@andrewgdotcom thanks for the hint. (We are not sure yet, if it wouldn't be better to mandate v4 or higher signatures in the CSAF standard directly. At least V4 SHOULD already be used unless we know the reasoning of Redhat.) |
RedHat didn't have any reasoning, they just forgot about it: |
That is packaging, I mean fresh CSAF publications (see beginning of this issue). :) |
I've just send an email to Redhat, asking if they could change the signature. Got the contact address from https://www.redhat.com/en/blog/csaf-vex-documents-now-generally-available , the CSAF providermetadata file and https://access.redhat.com/security/team/contact/ . |
There is a new issue https://issues.redhat.com/browse/SECDATA-300 which will lead to new signatures on the files. However, so far it does not say something about the signature packet format, which is the problem here. We shall stop working on the issue, until we see what Redhat does here. (We have |
I'll asked Redhat about it. |
Redhat has responded and gave me a new issue, they will address: |
Redhat has made some improvements, so there are now files which have an OpenPGP signature format version 4, which is fine. However not all files have been resigned yet. A file that works: Some that do not: https://access.redhat.com/security/data/csaf/v2/advisories/2002/rhsa-2002_251.json https://access.redhat.com/security/data/csaf/v2/advisories/2002/rhsa-2002_259.json https://access.redhat.com/security/data/csaf/v2/advisories/2002/rhsa-2002_270.json |
https://issues.redhat.com/browse/SECDATA-304 has been closed, but curl -O https://access.redhat.com/security/data/csaf/v2/advisories/2002/rhsa-2002_290.json
curl -O https://access.redhat.com/security/data/csaf/v2/advisories/2002/rhsa-2002_290.json.asc
gpg -vv --verify rhsa-2002_290.json.asc
So it is still broken (which can be seen from the |
Using csaf_distribution-v2.1.0-gnulinux-amd64: when downloading from redhat.com
the signatures do not verify.
Manual checking shows that GnuPG believes in the signature, e.g.:
The text was updated successfully, but these errors were encountered: