
Broken ArchLinux packages signatures #2801

Open
ItachiSan opened this issue Mar 10, 2017 · 11 comments
Labels
Backend Things regarding the OBS backend Bug

Comments

@ItachiSan

Issue/Feature description

ArchLinux is a distro with the KISS principle and this works in all its components.
This works also on the packaging system; makepkg allows people to create packages really easily.
Packages can also be signed by setting the proper GPG key ID in the makepkg configuration file.
OBS offers ArchLinux packages support; however, signatures for them are broken.
The signature produced by OBS gives errors when read by pacman, which considers the package 'unsigned'.
More details are available in my first e-mail sent to the OBS mailing list, see here.
makepkg expects a signature similar to the one generated by the command:
gpg --detach-sign --use-agent -u ${GPGKEY} --no-armor "$filename" &>/dev/null
so I suppose that OBS is using a different approach for package signatures.
After no reply in the mailing list (here), I decided to open an issue here.
I can provide as much data as possible, though I am not an official Arch developer working on
pacman nor makepkg.

Expected result

The signatures produced by OBS are properly loaded from pacman.

How to Reproduce

Given such a repo

[home_ItachiSan_archlinux]
SigLevel = DatabaseRequired PackageOptional
Server = http://download.opensuse.org/repositories/home:/ItachiSan:/archlinux/standard/$arch

I tried to install a package

$ pacman -S telegram-desktop
[sudo] password for me: 
warning: telegram-desktop-0.10.20-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) telegram-desktop-0.10.20-1

Total Installed Size:  35.32 MiB
Net Upgrade Size:       0.00 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                                                             [-----------------------------------------------------] 100%
error: telegram-desktop: unsupported signature format
(1/1) checking package integrity                                                           [-----------------------------------------------------] 100%
(1/1) loading package files                                                                [-----------------------------------------------------] 100%
(1/1) checking for file conflicts                                                          [-----------------------------------------------------] 100%
(1/1) checking available disk space                                                        [-----------------------------------------------------] 100%
:: Processing package changes...
(1/1) reinstalling telegram-desktop                                                        [-----------------------------------------------------] 100%
:: Running post-transaction hooks...
(1/2) Updating icon theme caches...
(2/2) Updating the desktop file MIME type cache...

The error lies within the unsupported signature format.

Further information

@hennevogel hennevogel added Backend Things regarding the OBS backend Reference Server 🖥️ Things related to build.opensuse.org labels Mar 24, 2017
@elman22
elman22 commented Nov 23, 2017

I get the same error with QOwnNotes. Installed as described on http://www.qownnotes.org/installation "Install on Arch Linux"

Packages (1) qownnotes-17.11.3-1

Total Installed Size:  7,63 MiB
Net Upgrade Size:      0,00 MiB

:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring                                           [########################################] 100%
error: qownnotes: unsupported signature format
(1/1) checking package integrity                                         [########################################] 100%
(1/1) loading package files                                              [########################################] 100%
(1/1) checking for file conflicts                                        [########################################] 100%
(1/1) checking available disk space                                      [########################################] 100%
:: Processing package changes...
(1/1) reinstalling qownnotes                                             [########################################] 100%
:: Running post-transaction hooks...
(1/3) Updating icon theme caches...
(2/3) Arming ConditionNeedsUpdate...
(3/3) Updating the desktop file MIME type cache...

@hennevogel hennevogel added Bug and removed Reference Server 🖥️ Things related to build.opensuse.org labels Nov 29, 2017
@ItachiSan
Author

Any progress on this?

@nicki-krizek

I've also stumbled upon this issue. Interestingly enough, the incorrect signature doesn't happen in all my repositories, but when it does, it tends to be reproducible for the given repo.

I've also encountered various other issues with packages for Arch, such as incorrect pkg size in metadata or broken checksum, which break the package installation even when signature checking is turned off in pacman.conf.

@ItachiSan
Author

@tomaskrizek how do you reproduce the issue? Which repos are affected and which not?

@hv15
hv15 commented Feb 13, 2020

@ItachiSan here's one repo I know of that has this problem: https://download.opensuse.org/repositories/home:/justkidding:/arch/standard/x86_64/

@debnath-d

@ItachiSan I'm facing this issue with ungoogled-chromium: https://download.opensuse.org/repositories/home:/ungoogled_chromium/Arch/

@felmey
felmey commented Jan 10, 2022

@ItachiSan I'm facing this issue with ungoogled-chromium: https://download.opensuse.org/repositories/home:/ungoogled_chromium/Arch/

Same for me as well.

error: ungoogled-chromium: unsupported signature format

@njhanley

The issue appears to be that OBS creates v3 signatures[1][2] but pacman requires v4[3]. I've confirmed this is the case for the OBS build of ungoogled_chromium.

$ wget https://download.opensuse.org/repositories/home:/ungoogled_chromium/Arch/x86_64/ungoogled-chromium-97.0.4692.71-2-x86_64.pkg.tar.zst{,.sig}
...
$ sudo pacman -U ungoogled-chromium-97.0.4692.71-2-x86_64.pkg.tar.zst
loading packages...
error: ungoogled-chromium-97.0.4692.71-2-x86_64.pkg.tar.zst: unsupported signature format
error: 'ungoogled-chromium-97.0.4692.71-2-x86_64.pkg.tar.zst': invalid or corrupted package (PGP signature)
$ gpg --list-packets ungoogled-chromium-97.0.4692.71-2-x86_64.pkg.tar.zst.sig | grep version
	version 3, created 1641750733, md5len 5, sigclass 0x00

Curiously, GnuPG 2.1 (released 2014-10-03) dropped all support for v3[4]. I'm not sure why --force-v3-sigs is being honored as it should be a no-op, unless OBS uses an ancient release.

Footnotes

  1. https://github.com/openSUSE/obs-sign/issues/32#issuecomment-977181414

  2. https://github.com/openSUSE/obs-sign/blob/5c320501dc048bbcf56480dfc5780fb43dd20de5/signd#L866

  3. https://gitlab.archlinux.org/pacman/pacman/-/blob/master/lib/libalpm/signing.c#L1170

  4. https://gnupg.org/faq/whats-new-in-2.1.html#nopgp2
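The diagnosis above (v3 signature packet where pacman wants v4) can be checked without GnuPG by reading the OpenPGP packet header and the version octet of the signature body directly, which is what `gpg --list-packets` printed for the `.sig` file. The following is an added example, not code from this thread, from obs-sign or from pacman. It follows the RFC 4880 packet and subpacket layout; the two sample signatures are constructed byte strings with dummy key IDs, hash prefixes and MPIs (they parse correctly but are not valid signatures), and the `pacman_accepts` flag only encodes the version requirement stated in this thread, not a cryptographic verification.

```python
"""Report the version of the first signature packet in a detached .sig file.

Added example for the OBS v3-vs-v4 signature issue; not project code.
Layout per RFC 4880. The samples below are constructed, not real signatures.
"""
import struct

SIGNATURE_PACKET_TAG = 2

# Constructed v3 signature: old-format header 0x88 (tag 2, 1-octet length 0x16),
# then version 3, hashed-material length 5, sigclass 0x00, creation time
# 0x61DB20CD (= 1641750733, the timestamp shown in the thread), an 8-byte dummy
# key ID, pubkey algo 1 (RSA), hash algo 8 (SHA-256), 2-byte hash prefix, one
# dummy MPI.
SAMPLE_V3_SIG = bytes.fromhex(
    "8816" "03" "05" "00" "61db20cd" "0123456789abcdef" "01" "08" "abcd" "0008ff"
)

# Constructed v4 signature: new-format header 0xC2 (tag 2) with length 0x13,
# then version 4, sigclass, algos, a 6-byte hashed area holding one type-2
# (creation time) subpacket, an empty unhashed area, hash prefix, dummy MPI.
SAMPLE_V4_SIG = bytes.fromhex(
    "c213" "04" "00" "01" "08" "0006" "05" "02" "61db20cd" "0000" "abcd" "0008ff"
)


def _read_packet_header(data):
    """Return (tag, body_offset, body_length) of the first OpenPGP packet."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 of first octet is clear)")
    if first & 0x40:  # new-format header: tag in the low 6 bits
        tag, o1 = first & 0x3F, data[1]
        if o1 < 192:
            return tag, 2, o1
        if o1 < 224:
            return tag, 3, ((o1 - 192) << 8) + data[2] + 192
        if o1 == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths are not valid for a signature")
    # old-format header: tag in bits 5..2, length type in bits 1..0
    tag, length_type = (first >> 2) & 0x0F, first & 0x03
    if length_type == 0:
        return tag, 2, data[1]
    if length_type == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if length_type == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate-length packet is not a valid signature")


def _subpackets(buf):
    """Yield (type, payload) for each subpacket in a v4 subpacket area."""
    pos = 0
    while pos < len(buf):
        o1 = buf[pos]
        if o1 < 192:
            length, pos = o1, pos + 1
        elif o1 < 255:
            length, pos = ((o1 - 192) << 8) + buf[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
        yield buf[pos] & 0x7F, buf[pos + 1:pos + length]  # bit 7 = critical flag
        pos += length


def inspect_signature(data):
    """Parse the first signature packet and return its header fields."""
    tag, offset, length = _read_packet_header(data)
    if tag != SIGNATURE_PACKET_TAG:
        raise ValueError("first packet has tag %d, not a signature" % tag)
    body = data[offset:offset + length]
    if len(body) < length:
        raise ValueError("truncated signature packet")
    version = body[0]
    info = {"version": version}
    if version == 3:
        if body[1] != 5:
            raise ValueError("v3 hashed-material length must be 5")
        info["sigclass"] = body[2]
        info["created"] = struct.unpack(">I", body[3:7])[0]
        info["keyid"] = body[7:15].hex()
        info["pubkey_algo"], info["hash_algo"] = body[15], body[16]
    elif version == 4:
        info["sigclass"], info["pubkey_algo"], info["hash_algo"] = body[1], body[2], body[3]
        hashed_len = struct.unpack(">H", body[4:6])[0]
        hashed = body[6:6 + hashed_len]
        unhashed_len = struct.unpack(">H", body[6 + hashed_len:8 + hashed_len])[0]
        unhashed = body[8 + hashed_len:8 + hashed_len + unhashed_len]
        for sub_type, payload in list(_subpackets(hashed)) + list(_subpackets(unhashed)):
            if sub_type == 2:     # signature creation time
                info["created"] = struct.unpack(">I", payload[:4])[0]
            elif sub_type == 16:  # issuer key ID
                info["keyid"] = payload[:8].hex()
    else:
        raise ValueError("unsupported signature version %d" % version)
    # Per this thread, pacman only accepts v4 signatures; flag anything else.
    info["pacman_accepts"] = version == 4
    return info


def inspect_signature_file(path):
    with open(path, "rb") as fh:
        return inspect_signature(fh.read())


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or []:
        print(target, inspect_signature_file(target))
    if not sys.argv[1:]:
        print("v3 sample:", inspect_signature(SAMPLE_V3_SIG))
        print("v4 sample:", inspect_signature(SAMPLE_V4_SIG))
```

Run it with one or more `.sig` paths to print each file's version, sigclass, creation time and key ID; with no arguments it parses the two constructed samples. A publishing pipeline can call `inspect_signature_file` on every `.pkg.tar.zst.sig` before the repo database is regenerated and refuse the upload when `pacman_accepts` is false, which catches the `unsupported signature format` failure on the server side instead of on every client.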

@adrianschroeter
Member
adrianschroeter commented Jan 11, 2022 via email

@njhanley

it should still be able to verify it though.

I'm not sure what "it" you're referring to.

Regardless, #12065 appears to work on my development instance. Thanks!

FYI pacman has supported v4 signatures ever since GPG verification was added[1]; they became required in 2012[2]. PGP 2 is ancient, after all.

Footnotes

  1. https://gitlab.archlinux.org/pacman/pacman/-/commit/39c75c70001eac9362d70141372f3e26c254680b

  2. https://gitlab.archlinux.org/pacman/pacman/-/commit/05745089ac7009e5de84d676dd0823acd8c4d1fc#d8bd8da6cfdb400a43988dfde532d4ee158df5bb_953_1010

@antermin

Since #12065 has been merged, I tried this:

[home_ungoogled_chromium_Arch]
SigLevel = DatabaseRequired PackageOptional
Server = https://downloadcontent.opensuse.org/repositories/home:/ungoogled_chromium/Arch/$arch

This appears to be okay.
