Debian Bug report logs - #612462
gnupg: Please provide a win32 port of gpgv

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Didier Raboud <odyx@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: gnupg: Please provide a win32 port of gpgv

Date: Tue, 08 Feb 2011 17:06:37 +0100

[Message part 1 (text/plain, inline)]

Package: gnupg
Version: 1.4.10-4
Severity: wishlist
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, 

a current flaw of the standalone version of win32-loader (source and binary
package in Debian) is that it downloads the d-i kernel and initrds through
Internet without any form of checking that those are authenticated binaries
from the Debian project (see #442180 for details).

In order to solve this, the Windows executable needs to check the signature on
the downloaded Release{,.gpg} file and then check the md5sums of various
files. The md5sum checksum verification is already implemented (although not
uploaded yet) with a md5sum implementation internal to NSIS. There are still
missing pieces on FTP-Master side (see #611087, which will get solved in their
upcoming meeting, I heard), but I would also need a gpgv.exe that could run on
the target Windows host, to check the downloaded Release{,.gpg} files.

Hence this wishlist bug. A tested patch is attached.

I limited the patch to a gpgv win32 port, but gpg.exe also gets built. You
might want to rename the package "gpg-win32" and put all executables built
inside, but I don't need that.

(I also "needed" to fix an imprecision in the code: 

 ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
- -CONFARGS += --host=$(DEB_HOST_GNU_TYPE)
+HOSTARG += --host=$(DEB_HOST_GNU_TYPE)
 endif

)

Thanks in advance for considering, cheers,

OdyX

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (750, 'unstable'), (700, 'testing-proposed-updates'), (700, 'testing'), (101, 'testing-proposed-updates'), (101, 'experimental'), (101, 'unstable'), (101, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnupg depends on:
ii  dpkg                    1.15.8.10        Debian package management system
ii  gpgv                    1.4.10-4         GNU privacy guard - signature veri
ii  install-info            4.13a.dfsg.1-6   Manage installed documentation in 
ii  libbz2-1.0              1.0.5-6          high-quality block-sorting file co
ii  libc6                   2.11.2-11        Embedded GNU C Library: Shared lib
ii  libreadline6            6.1-3            GNU readline and history libraries
ii  libusb-0.1-4            2:0.1.12-17      userspace USB programming library
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages gnupg recommends:
ii  gnupg-curl                    1.4.10-4   GNU privacy guard - a free PGP rep
ii  libldap-2.4-2                 2.4.23-7   OpenLDAP libraries

Versions of packages gnupg suggests:
pn  gnupg-doc                    <none>      (no description available)
ii  imagemagick                  8:6.6.0.4-3 image manipulation programs
ii  libpcsclite1                 1.5.5-4     Middleware to access a smart card 

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iJwEAQECAAYFAk1RagoACgkQKA1Vt+jBwDhDpwP8DL4XJE1FeUTCeLcWc76lVAqn
tNf8u7diL4QvyOIt1D39+KuKwIM/jinwyc+7rvh5Drfv7ZpjVtQq/UQxFlAHOsVr
7Z17WeyoO5e+glueeGRJkFiXH5t86LXQE8+7znCBtwPub8kT6CifZe5tBoFKpp9J
OwO9/MPN0uDjPzo7sOk=
=XIm3
-----END PGP SIGNATURE-----

[gpgv-win32.patch (text/x-diff, attachment)]

Message #12 received at 612462@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: Didier Raboud <odyx@debian.org>

Cc: 612462@bugs.debian.org

Subject: Re: [Pkg-gnupg-maint] Bug#612462: gnupg: Please provide a win32 port of gpgv

Date: Tue, 8 Feb 2011 20:36:37 +0100

[Message part 1 (text/plain, inline)]

Hi Didier,

On Tuesday 08 February 2011 17:06:37 Didier Raboud wrote:
> a current flaw of the standalone version of win32-loader (source and binary
> package in Debian) is that it downloads the d-i kernel and initrds through
> Internet without any form of checking that those are authenticated binaries
> from the Debian project (see #442180 for details).
> 
> In order to solve this, the Windows executable needs to check the signature
> on the downloaded Release{,.gpg} file and then check the md5sums of
> various files. The md5sum checksum verification is already implemented
> (although not uploaded yet) with a md5sum implementation internal to NSIS.
> There are still missing pieces on FTP-Master side (see #611087, which will
> get solved in their upcoming meeting, I heard), but I would also need a
> gpgv.exe that could run on the target Windows host, to check the
> downloaded Release{,.gpg} files.

I'm not aversive to this plan but I do not completely understand it. You need 
gpgv.exe on the Windows platform, but you cannot install debs there, right? So 
what would the role of this deb be exactly?

Also I cannot test it. Would you assume responsibility for dealing with 
potential bug reports for this?


Cheers,
Thijs

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 612462@bugs.debian.org (full text, mbox, reply):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>

To: Thijs Kinkhorst <thijs@debian.org>

Cc: 612462@bugs.debian.org

Subject: Re: [Pkg-gnupg-maint] Bug#612462: gnupg: Please provide a win32 port of gpgv

Date: Wed, 9 Feb 2011 11:35:15 +0100

[Message part 1 (text/plain, inline)]

Le Tuesday 8 February 2011 20:36:37 Thijs Kinkhorst, vous avez écrit :
> On Tuesday 08 February 2011 17:06:37 Didier Raboud wrote:
> > a current flaw of the standalone version of win32-loader (source and
> > binary package in Debian) is that it downloads the d-i kernel and
> > initrds through Internet without any form of checking that those are
> > authenticated binaries from the Debian project (see #442180 for
> > details).
> > 
> > In order to solve this, the Windows executable needs to check the
> > signature on the downloaded Release{,.gpg} file and then check the
> > md5sums of various files. The md5sum checksum verification is already
> > implemented (although not uploaded yet) with a md5sum implementation
> > internal to NSIS. There are still missing pieces on FTP-Master side (see
> > #611087, which will get solved in their upcoming meeting, I heard), but
> > I would also need a gpgv.exe that could run on the target Windows host,
> > to check the downloaded Release{,.gpg} files.
> 
> I'm not aversive to this plan but I do not completely understand it. You
> need gpgv.exe on the Windows platform, but you cannot install debs there,
> right? So what would the role of this deb be exactly?

Hi Thijs,

thanks for your rapid answer.

This new binary package would serve the same purpose (and is designed likewise) 
as cpio-win32 or gzip-win32: they are Build-Depends of win32-loader.

During the win32-loader build, they get "embedded" in the win32-loader.exe 
Windows executable. When launched, this executable collects some informations 
from the running Windows host and then uses cpio.exe and gzip.exe to repack a 
new initrd with embedded preseeding.

(The executables are embedded in the win32-loader.exe using the
  File /oname=$INSTDIR\cpio.exe /usr/share/win32/cpio.exe
  File /oname=$INSTDIR\gzip.exe /usr/share/win32/gzip.exe
commands (in s_install.nsi in current win32-loader git). First argument being 
the path in Windows, second being the (build-)source of said executables.)

Hence I would like to bundle gpgv.exe similarly, in order to unpack it in the
C:\win32-loader path ($INSTDIR above), to be able to check Release file 
signatures, on the Windows host.

Is that clearer ? I can develop furthermore if needed.

> Also I cannot test it. Would you assume responsibility for dealing with
> potential bug reports for this?

If your Debian can run wine, gpgv.exe runs correctly under wine (although with 
glitches around path handling in the --keyring option; which are 
workaround'able).

But yes, I can handle this, and I'll make sure to be subscribed to gnupg's 
bugreports if my patch gets accepted.

Cheers,

OdyX

-- 
Didier Raboud, proud Debian Developer.
CH-1020 Renens
odyx@debian.org

[signature.asc (application/pgp-signature, inline)]

Message #22 received at 612462@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: "Didier 'OdyX' Raboud" <odyx@debian.org>

Cc: 612462@bugs.debian.org

Subject: Re: [Pkg-gnupg-maint] Bug#612462: gnupg: Please provide a win32 port of gpgv

Date: Tue, 15 Feb 2011 22:11:03 +0100

[Message part 1 (text/plain, inline)]

On Wednesday 09 February 2011 11:35:15 Didier 'OdyX' Raboud wrote:
> If your Debian can run wine, gpgv.exe runs correctly under wine (although
> with  glitches around path handling in the --keyring option; which are
> workaround'able).
> 
> But yes, I can handle this, and I'll make sure to be subscribed to gnupg's 
> bugreports if my patch gets accepted.

Good. I've applied your patch now. Could it be that the debian/gpgv-
win32.install file was missing? After I added it, the package seems to build 
fine.

Perhaps you can confirm that indeed this is the way you need it:
http://loeki.tv/~thijs/gpgv-win32_1.4.11-3_all.deb
just to double-check before I send it all off to the ftpmasters.


Cheers,
Thijs

[signature.asc (application/pgp-signature, inline)]

Message #27 received at 612462@bugs.debian.org (full text, mbox, reply):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>

To: Thijs Kinkhorst <thijs@debian.org>

Cc: 612462@bugs.debian.org

Subject: Re: [Pkg-gnupg-maint] Bug#612462: gnupg: Please provide a win32 port of gpgv

Date: Wed, 16 Feb 2011 11:07:31 +0100

[Message part 1 (text/plain, inline)]

Le Tuesday 15 February 2011 22:11:03 Thijs Kinkhorst, vous avez écrit :
> Good. I've applied your patch now. Could it be that the debian/gpgv-
> win32.install file was missing? After I added it, the package seems to
> build fine.

Nice, thanks. Yeah, the install file was missing.

> Perhaps you can confirm that indeed this is the way you need it:
> http://loeki.tv/~thijs/gpgv-win32_1.4.11-3_all.deb
> just to double-check before I send it all off to the ftpmasters.

… and I should have made sure it was included:

> build-win32/g10/gpgv.exe usr/share/win32

IMHO, you should put gpgv.exe under usr/share/win32 . There is no policy for 
such stuff, but gzip-win32 and cpio-win32 both put their *.exe there, so having 
gpgv.exe there gives more consistency.

Regards,
OdyX

-- 
Didier Raboud, proud Debian Developer.
CH-1020 Renens
odyx@debian.org

[signature.asc (application/pgp-signature, inline)]

Message #32 received at 612462@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: "Didier 'OdyX' Raboud" <odyx@debian.org>

Cc: 612462@bugs.debian.org

Subject: Re: [Pkg-gnupg-maint] Bug#612462: gnupg: Please provide a win32 port of gpgv

Date: Wed, 16 Feb 2011 11:28:58 +0100

[Message part 1 (text/plain, inline)]

On Wednesday 16 February 2011 11:07:31 Didier 'OdyX' Raboud wrote:
> > build-win32/g10/gpgv.exe usr/share/win32
> 
> IMHO, you should put gpgv.exe under usr/share/win32 . There is no policy
> for  such stuff, but gzip-win32 and cpio-win32 both put their *.exe there,
> so having gpgv.exe there gives more consistency.

OK, those precedents make a good case for placing it there, indeed.

Just to confirm, besides the path, would it be what you need?


Thanks,
Thijs

[signature.asc (application/pgp-signature, inline)]

Message #37 received at 612462@bugs.debian.org (full text, mbox, reply):

From: "Didier 'OdyX' Raboud" <odyx@debian.org>

To: Thijs Kinkhorst <thijs@debian.org>

Cc: 612462@bugs.debian.org

Subject: Re: [Pkg-gnupg-maint] Bug#612462: gnupg: Please provide a win32 port of gpgv

Date: Wed, 16 Feb 2011 13:09:23 +0100

[Message part 1 (text/plain, inline)]

Le Wednesday 16 February 2011 11:28:58 Thijs Kinkhorst, vous avez écrit :
> On Wednesday 16 February 2011 11:07:31 Didier 'OdyX' Raboud wrote:
> > > build-win32/g10/gpgv.exe usr/share/win32
> > 
> > IMHO, you should put gpgv.exe under usr/share/win32 . There is no policy
> > for  such stuff, but gzip-win32 and cpio-win32 both put their *.exe
> > there, so having gpgv.exe there gives more consistency.
> 
> OK, those precedents make a good case for placing it there, indeed.
> 
> Just to confirm, besides the path, would it be what you need?

I just tested within win32-loader and it "Just Works™". So yes, having that in 
the archive would be just nice.

-- 
Didier Raboud, proud Debian Developer.
CH-1020 Renens
odyx@debian.org

[signature.asc (application/pgp-signature, inline)]

Message #44 received at 612462-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: 612462-close@bugs.debian.org

Subject: Bug#612462: fixed in gnupg 1.4.11-3

Date: Fri, 18 Feb 2011 22:47:36 +0000

Source: gnupg
Source-Version: 1.4.11-3

We believe that the bug you reported is fixed in the latest version of
gnupg, which is due to be installed in the Debian FTP archive:

gnupg-curl_1.4.11-3_i386.deb
  to main/g/gnupg/gnupg-curl_1.4.11-3_i386.deb
gnupg-udeb_1.4.11-3_i386.udeb
  to main/g/gnupg/gnupg-udeb_1.4.11-3_i386.udeb
gnupg_1.4.11-3.diff.gz
  to main/g/gnupg/gnupg_1.4.11-3.diff.gz
gnupg_1.4.11-3.dsc
  to main/g/gnupg/gnupg_1.4.11-3.dsc
gnupg_1.4.11-3_i386.deb
  to main/g/gnupg/gnupg_1.4.11-3_i386.deb
gpgv-udeb_1.4.11-3_i386.udeb
  to main/g/gnupg/gpgv-udeb_1.4.11-3_i386.udeb
gpgv-win32_1.4.11-3_all.deb
  to main/g/gnupg/gpgv-win32_1.4.11-3_all.deb
gpgv_1.4.11-3_i386.deb
  to main/g/gnupg/gpgv_1.4.11-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 612462@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated gnupg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 15 Feb 2011 19:49:51 +0100
Source: gnupg
Binary: gnupg gnupg-curl gpgv gnupg-udeb gpgv-udeb gpgv-win32
Architecture: source all i386
Version: 1.4.11-3
Distribution: unstable
Urgency: low
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-curl - GNU privacy guard - a free PGP replacement (cURL)
 gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb)
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-udeb  - minimal signature verification tool (udeb)
 gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
Closes: 598471 612462
Changes: 
 gnupg (1.4.11-3) unstable; urgency=low
 .
   * Install gpg setuid root again on kFreeBSD. We dropped this
     bit earlier because it's not necessary anymore on Linux, but
     the kFreeBSD kernel still requires it for secure memory.
     Thanks Robert Millan for the patch. (Closes: 598471)
   * Add a gpgv-win32 package, to be used by win32-loader. Patch
     from Didier Raboud (Closes: #612462).
Checksums-Sha1: 
 8bd5c3a3af3aec8cc165d474b7543f52a97e6b8c 1742 gnupg_1.4.11-3.dsc
 d886e31aae6cd46d1c69a51cbc63c06566320090 26544 gnupg_1.4.11-3.diff.gz
 190233cb08f637c2d03cc79c7304a41830cc6613 528518 gpgv-win32_1.4.11-3_all.deb
 699eaf6ff3e39ddeec80d202fde6e1ec36b3f89a 2063402 gnupg_1.4.11-3_i386.deb
 2bd31c417038da2b269f639380a2f5e41f6ae209 72572 gnupg-curl_1.4.11-3_i386.deb
 8a9d7e53aa4646f38d65adc03e0bbb49ed2f7f56 202560 gpgv_1.4.11-3_i386.deb
 694b99aef21de02572f95a94c2d0f5afcc9507b8 378786 gnupg-udeb_1.4.11-3_i386.udeb
 6f12f1b998566ff5ccecf886885a50e54f322d57 132170 gpgv-udeb_1.4.11-3_i386.udeb
Checksums-Sha256: 
 9c9074302b76b94d24d100d35c43c54c3cd1c24d037bb40c387750b722b6a380 1742 gnupg_1.4.11-3.dsc
 666c144c2186003651d069aec9000861720a1e0701c4cb597ed9b75db7dcd3e0 26544 gnupg_1.4.11-3.diff.gz
 bf8e6c8c4d589436d3d188ab25b6ee299cd94993d105a68da2141ad9cd8104ad 528518 gpgv-win32_1.4.11-3_all.deb
 2bdfb1a8ad2cba4cbb0cc59e738a20b77109a7cc1bb279797403cce3262f9649 2063402 gnupg_1.4.11-3_i386.deb
 6e62819716b55864a13ab6c9a2b65b5d24e638da70faaf51168bf6c1de7ac19b 72572 gnupg-curl_1.4.11-3_i386.deb
 a212def6e95afdceee6c2dac6062922a78785f3147d28527ddc310fcc96c44ef 202560 gpgv_1.4.11-3_i386.deb
 3beb381b18635f3ff518daf1d944e227c0807845a9cf7f093a23b5c397987412 378786 gnupg-udeb_1.4.11-3_i386.udeb
 95b883b34bf8f65c1f31cfe63047c2b0ce6c8388d1b467f448b2778dd4d1173f 132170 gpgv-udeb_1.4.11-3_i386.udeb
Files: 
 8dac1357760c0732942a6ae9f827f5f5 1742 utils important gnupg_1.4.11-3.dsc
 951eacb06d7cfc81119e1a9cd8681f7b 26544 utils important gnupg_1.4.11-3.diff.gz
 ec89ceca3cff10579953d2e1ea3024f1 528518 utils extra gpgv-win32_1.4.11-3_all.deb
 0b641deef62250bcfc4d0a912ad37f06 2063402 utils important gnupg_1.4.11-3_i386.deb
 241ecbc3ae5e5d555804adcd3abdf0c1 72572 utils optional gnupg-curl_1.4.11-3_i386.deb
 b17f200298bfd6a77023d6ba3f2493ed 202560 utils important gpgv_1.4.11-3_i386.deb
 bc077af6947abab81e19b9458ca864cc 378786 debian-installer extra gnupg-udeb_1.4.11-3_i386.udeb
 3530666676e1b8d5bb7f2b98d308c111 132170 debian-installer extra gpgv-udeb_1.4.11-3_i386.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJNW7UEAAoJEOxfUAG2iX57h7UH/2R8q3co22xUKeMkhKVIG0mV
fwH9Fe0LveLfavNOq2pTT5GXp/pxhwYeD3mMuIwE6SfsoK4wuBaijA8O+6WH75gs
6l1+qH5b+5o82pkw5SBq2xBlOvjCRw2PSAJ7X4rIm30h4dK/U2H9Q4onJwB//CJF
VE3D/AQDRBcVS0z/nBgpYYCTMwPxRex/bHJMVDvKVhBJ1hJOklYmX+TnabEsPCAs
5bLA+5smibvNJgvKm7Bfa9Z12o/zo8jHDVPryuPkotloFmJaOmuylzZHFDac+kpw
fwjcQcZcrn7Vhl3YFG2a3tWSmGbSND0N70PatTV+gkBg+5LZdhOuWUDZv1fB2M8=
=jHHn
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.