Only verify the first GPG signature #569
To prepare for more general parsing of GPG key and signature files, implement a new function, parse_gpg_packets(), and start using it where appropriate. Signed-off-by: Patrick McCarty <[email protected]>
The only package in Clear Linux OS that (occasionally) has its source archive signed by multiple keys is `gnupg`, so to unblock updates for it, only verify the first signature from the .sig file. When only one signature is present in the sig file (the common case), pass the entire sig file to `gpg --verify ...`, keeping the existing behavior. Signed-off-by: Patrick McCarty <[email protected]>
Signed-off-by: Patrick McCarty <[email protected]>
If this approach looks okay, I will look at adding an additional test for verification of the first GPG signature when multiple signatures are encountered.
Hmm, I'm seeing test errors for the travis CI in my fork... Interesting that those errors do not happen on Clear.
The reason for test failure on Ubuntu is that "packet separator" lines (beginning with
Well hopefully the separator you are using isn't something they change too often.
There are only two GPG packet types that autospec needs to know about for now ("signature" and "user ID"), so update `parse_gpg_packets` to only add those packets for tracking. Also, update unit tests to account for packets that are now skipped, thus reducing the size of the packets list. Signed-off-by: Patrick McCarty <[email protected]>
Older versions of gnupg do not print the "packet separator" lines in `gpg --list-packets` output, so the length information is not parsed by autospec and thus verification must be skipped for now. Signed-off-by: Patrick McCarty <[email protected]>
b40e251 to 52057dc
In this function, returning `None` indicates success, so instead, a GPGCliStatus instance should be returned for the new error cases. Signed-off-by: Patrick McCarty <[email protected]>
Signed-off-by: Patrick McCarty <[email protected]>
52057dc to ce700c3
This series is ready for review again. I added two new tests for the multi-signature scenarios and fixed some error propagation issues in the
The only package in Clear Linux OS that (occasionally) has its source archive signed by multiple keys is `gnupg`, so to unblock updates for it, only verify the first signature from the .sig file. When only one signature is present in the sig file (the common case), pass the entire sig file to `gpg --verify ...`, keeping the existing behavior. For the implementation, I refactored `parse_key` into a more generic `parse_gpg_packets` function, and also updated tests. Note that supporting verification of multiple signatures is much more involved, so I opened an enhancement request yesterday for that (#567).
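The approach described in this PR (parse `gpg --list-packets` output, keep only the "signature" and "user ID" packets, use the packet separator lines to locate the first signature, and bail out when an older gnupg prints no separators) can be shown end to end with a small parser. The code below is an added illustration written for this page; it is not autospec's `parse_gpg_packets` and does not shell out to gpg. It assumes the separator line format printed by gnupg 2.1 and later (`# off=N ctb=XX tag=N hlen=N plen=N`); the listings, key IDs and signature bytes are constructed sample data, and `first_signature_bytes` is a hypothetical helper name.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Packet separator line as printed by `gpg --list-packets` in gnupg >= 2.1
# (assumed format). Older gnupg omits these lines entirely.
SEPARATOR_RE = re.compile(
    r"^# off=(?P<off>\d+) ctb=(?P<ctb>[0-9a-f]+) tag=(?P<tag>\d+) "
    r"hlen=(?P<hlen>\d+) plen=(?P<plen>\d+)"
)
# First line of every packet, e.g. ":signature packet: algo 1, keyid ..."
PACKET_HEADER_RE = re.compile(r"^:(?P<kind>[^:]+):")

# The only packet kinds the PR tracks; everything else is skipped.
TRACKED_KINDS = {"signature packet", "user ID packet"}


@dataclass
class GpgPacket:
    kind: str
    offset: Optional[int]       # None when gpg printed no separator line
    header_len: Optional[int]
    body_len: Optional[int]
    lines: List[str] = field(default_factory=list)

    @property
    def total_len(self) -> Optional[int]:
        """Bytes the packet occupies on disk: header plus body."""
        if self.header_len is None or self.body_len is None:
            return None
        return self.header_len + self.body_len


def parse_gpg_packets(listing: str) -> List[GpgPacket]:
    """Parse `gpg --list-packets` text into tracked packets with byte ranges."""
    packets: List[GpgPacket] = []
    pending = None   # (off, hlen, plen) from the separator preceding a packet
    current = None   # packet whose indented detail lines we are collecting
    for line in listing.splitlines():
        sep = SEPARATOR_RE.match(line)
        if sep:
            pending = (int(sep["off"]), int(sep["hlen"]), int(sep["plen"]))
            current = None
            continue
        hdr = PACKET_HEADER_RE.match(line)
        if hdr:
            off, hlen, plen = pending if pending else (None, None, None)
            pending = None
            if hdr["kind"] in TRACKED_KINDS:
                current = GpgPacket(hdr["kind"], off, hlen, plen, [line.strip()])
                packets.append(current)
            else:
                current = None   # e.g. public key packets are not tracked
            continue
        if current is not None and line.startswith(("\t", " ")):
            current.lines.append(line.strip())
    return packets


def first_signature_bytes(sig_data: bytes, packets: List[GpgPacket]) -> Optional[bytes]:
    """Return the bytes to hand to `gpg --verify`, or None if that is unsafe.

    One signature: the whole .sig file (existing behaviour).
    Several signatures: only the first packet, sliced by offset and length.
    No usable length information (older gnupg): None, so the caller skips.
    """
    sigs = [p for p in packets if p.kind == "signature packet"]
    if not sigs:
        return None
    if len(sigs) == 1:
        return sig_data
    first = sigs[0]
    if first.offset is None or first.total_len is None:
        return None
    end = first.offset + first.total_len
    if end > len(sig_data):
        return None   # listing and file disagree; refuse to guess
    return sig_data[first.offset:end]


# Constructed sample listings (key IDs and lengths are made up).
LISTING_TWO_SIGS = """\
# off=0 ctb=89 tag=2 hlen=3 plen=307
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1600000000, md5len 0, sigclass 0x00
# off=310 ctb=89 tag=2 hlen=3 plen=307
:signature packet: algo 1, keyid FEDCBA9876543210
\tversion 4, created 1600000000, md5len 0, sigclass 0x00
"""
LISTING_ONE_SIG = LISTING_TWO_SIGS.split("# off=310")[0]
LISTING_OLD_GNUPG = "\n".join(l for l in LISTING_TWO_SIGS.splitlines()
                              if not l.startswith("# off="))
LISTING_KEY = """\
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
\tversion 4, algo 1, created 1500000000, expires 0
# off=528 ctb=b4 tag=13 hlen=2 plen=26
:user ID packet: "Example Person <[email protected]>"
# off=556 ctb=89 tag=2 hlen=3 plen=590
:signature packet: algo 1, keyid 0123456789ABCDEF
"""
# Constructed .sig contents matching LISTING_TWO_SIGS: two 310-byte packets.
SIG_TWO = b"A" * 310 + b"B" * 310

if __name__ == "__main__":
    first = first_signature_bytes(SIG_TWO, parse_gpg_packets(LISTING_TWO_SIGS))
    print("first signature packet:", len(first), "bytes")
    print("older gnupg:", first_signature_bytes(SIG_TWO, parse_gpg_packets(LISTING_OLD_GNUPG)))
```

The slice returned for the multi-signature case is what would be written to a temporary file and passed to `gpg --verify`; the `None` return in the older-gnupg case is the "skip verification" path the later commit in this PR describes, and it is deliberately not turned into a best-effort guess.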