Debian Bug report logs - #753985
gpgv-udeb: fails to validate Release files (missing sha256 support)


Package: gpgv-udeb; Maintainer for gpgv-udeb is Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>;

Affects: win32-loader

Reported by: Cyril Brulebois <kibi@debian.org>

Date: Sun, 6 Jul 2014 19:51:01 UTC

Severity: grave

Tags: patch

Found in version gnupg/1.4.18-1

Fixed in version gnupg/1.4.18-2

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, kibi@debian.org, stu@actusa.net, Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#753985; Package gpgv-udeb. (Sun, 06 Jul 2014 19:51:06 GMT).


Acknowledgement sent to Cyril Brulebois <kibi@debian.org>:
New Bug report received and forwarded. Copy sent to kibi@debian.org, stu@actusa.net, Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Sun, 06 Jul 2014 19:51:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Cyril Brulebois <kibi@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gpgv-udeb: fails to validate Release files (missing sha256 support)
Date: Sun, 06 Jul 2014 21:47:29 +0200
Package: gpgv-udeb
Version: 1.4.18-1
Severity: grave
Tags: patch
Justification: renders package unusable

Hi folks,

I'm really sorry for:
 - having failed to reply to your request in time[1];
 - having failed to deliver any testing, which led to lost user time[2]
   and is going to cost another gnupg upload.

 1. https://lists.debian.org/debian-boot/2014/01/msg00129.html
 2. https://lists.debian.org/debian-boot/2014/07/msg00007.html

I've finally spent some time on this, and checked the following things:

 a) A trivial removal of the --enable-minimal flag would need to go
    together with disabling bzip2 support; resulting udebs would be
    uninstallable due to a libbz2 dependency. d-i would then be bigger
    but functional again.

 b) Thankfully we don't need to consider the backup plan mentioned in a)
    since all we need is enabling sha256 support. Currently, Release
    files include MD5+SHA1+SHA256. You'll find a tested patch attached.
    (This means a whole installation using a netboot-gtk image.)

I also noticed "make check" isn't run for the udeb build; I don't think
it would hurt to do so (the testsuite is smart enough to notice support
for some bits wasn't enabled, see output below my signature), that's why
I'm including an extra patch adding that.

Sorry again…

Mraw,
KiBi.


Testsuite output for the udeb check:
| make[2]: Entering directory '/home/kibi/hack/gnupg.git/build-udeb/checks'
| gpg (GnuPG) 1.4.18
| Copyright (C) 2014 Free Software Foundation, Inc.
| License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
| This is free software: you are free to change and redistribute it.
| There is NO WARRANTY, to the extent permitted by law.
| 
| Home: .
| Supported algorithms:
| Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
| Cipher: 3DES
| Hash: MD5, SHA1, RIPEMD160, SHA256, SHA224
| Compression: Uncompressed, ZIP, ZLIB
| PASS: version.test
| Hash algorithm SHA-384 is not installed (not an error)
| Hash algorithm SHA-512 is not installed (not an error)
| PASS: mds.test
| PASS: decrypt.test
| PASS: decrypt-dsa.test
| MD5 SHA1 RIPEMD160 SHA256 SHA224 | PASS: sigs.test
| PASS: sigs-dsa.test
| 3DES | PASS: encrypt.test
| 3DES | PASS: encrypt-dsa.test
| PASS: seat.test
| PASS: clearsig.test
| PASS: encryptp.test
| PASS: detach.test
| PASS: armsigs.test
| PASS: armencrypt.test
| PASS: armencryptp.test
| PASS: signencrypt.test
| PASS: signencrypt-dsa.test
| PASS: armsignencrypt.test
| PASS: armdetach.test
| PASS: armdetachm.test
| PASS: detachm.test
| PASS: genkey1024.test
| 3DES | PASS: conventional.test
| 3DES | PASS: conventional-mdc.test
| PASS: multisig.test
| PASS: verify.test
| PASS: armor.test
| ===================
| All 27 tests passed
| ===================
| make[2]: Leaving directory '/home/kibi/hack/gnupg.git/build-udeb/checks'
[0001-Fix-gpgv-udeb-by-adding-enable-sha256-which-is-neede.patch (text/x-diff, attachment)]
[0002-Run-the-check-target-in-the-udeb-build-directory.patch (text/x-diff, attachment)]
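
An added example (not part of the original report or of the gnupg packaging): a build-time sanity check that compares the `Hash:` list a build advertises, in the format of the testsuite output above, with the digest named in a clearsigned file's `Hash:` armor header. The function names and all sample text are constructed for illustration, and it assumes the file to be verified is clearsigned.

```sh
#!/bin/sh
# Added example; function names and sample text are constructed for illustration.

# Hash algorithms advertised in `gpg --version`-style text on stdin, one per line.
supported_hashes() {
    sed -n 's/^Hash:[[:space:]]*//p' | tr ',' '\n' | tr -d ' \t' |
        tr 'a-z' 'A-Z' | sed '/^$/d'
}

# Digests named in the armor header of a clearsigned file on stdin. Reading
# stops at the blank line ending the header, so body lines are never consulted.
clearsig_hashes() {
    awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----/ { hdr = 1; next }
        hdr && /^[ \t\r]*$/ { exit }
        hdr && /^Hash:/ {
            sub(/^Hash:[ \t]*/, "")
            n = split($0, a, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t\r]/, "", a[i])
                if (a[i] != "") print toupper(a[i])
            }
        }'
}

# can_verify VERSION_TEXT SIGNED_TEXT: 0 if all digests are supported,
# 1 (and prints the missing ones) if not, 2 if no Hash: header was found.
can_verify() {
    have=$(printf '%s\n' "$1" | supported_hashes)
    need=$(printf '%s\n' "$2" | clearsig_hashes)
    [ -n "$need" ] || return 2
    missing=""
    for h in $need; do
        printf '%s\n' "$have" | grep -qxF "$h" || missing="$missing $h"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

FIXED_BUILD='Hash: MD5, SHA1, RIPEMD160, SHA256, SHA224'   # as in the output above
MINIMAL_BUILD='Hash: MD5, SHA1, RIPEMD160'                 # constructed
SAMPLE_SIGNED='-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: Example
Hash: MD5
-----BEGIN PGP SIGNATURE-----'                              # constructed

can_verify "$MINIMAL_BUILD" "$SAMPLE_SIGNED" || echo "minimal build: cannot verify"
can_verify "$FIXED_BUILD" "$SAMPLE_SIGNED" && echo "fixed build: ok"
```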

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#753985; Package gpgv-udeb. (Mon, 07 Jul 2014 09:39:04 GMT).


Acknowledgement sent to "Didier 'OdyX' Raboud" <odyx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Mon, 07 Jul 2014 09:39:04 GMT).


Message #10 received at 753985@bugs.debian.org:

From: "Didier 'OdyX' Raboud" <odyx@debian.org>
To: 753985@bugs.debian.org
Cc: Cyril Brulebois <kibi@debian.org>
Subject: Re: Bug#753985: gpgv-udeb: fails to validate Release files (missing sha256 support)
Date: Mon, 07 Jul 2014 11:36:49 +0200
Control: affects -1 +win32-loader

Folks,

On Sunday, 6 July 2014 21.47:29, you wrote:
> I'm really sorry for:
>  - having failed to reply to your request in time[1];
>  - having failed to deliver any testing, which led to lost user
> time[2] and is going to cost another gnupg upload.

Same here, btw.

This bug hits gpgv-win32 (which is functional per se, but not sufficient 
for checking the Release files) and therefore win32-loader.

>  b) Thankfully we don't need to consider the backup plan mentioned in
> a) since all we need is enabling sha256 support. Currently, Release
> files include MD5+SHA1+SHA256. You'll find a tested patch attached.
> (This means a whole installation using a netboot-gtk image.)

I can confirm that Cyril's patch fixes gpgv.exe usage within win32-
loader.

Cheers,

OdyX



Added indication that 753985 affects win32-loader. Request was from "Didier 'OdyX' Raboud" <odyx@debian.org> to 753985-submit@bugs.debian.org. (Mon, 07 Jul 2014 09:39:04 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#753985; Package gpgv-udeb. (Mon, 07 Jul 2014 18:48:04 GMT).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Mon, 07 Jul 2014 18:48:04 GMT).


Message #17 received at 753985@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 753985@bugs.debian.org
Cc: "Didier 'OdyX' Raboud" <odyx@debian.org>, Cyril Brulebois <kibi@debian.org>
Subject: Re: [Pkg-gnupg-maint] Bug#753985: gpgv-udeb: fails to validate Release files (missing sha256 support)
Date: Mon, 7 Jul 2014 20:45:51 +0200
On Monday 7 July 2014 11:36:49, Didier 'OdyX' Raboud wrote:
> >  b) Thankfully we don't need to consider the backup plan mentioned in
> >
> > a) since all we need is enabling sha256 support. Currently, Release
> > files include MD5+SHA1+SHA256. You'll find a tested patch attached.
> > (This means a whole installation using a netboot-gtk image.)
> 
> I can confirm that Cyril's patch fixes gpgv.exe usage within win32-
> loader.

Thank you both very much for your excellent help in this case! I have just
uploaded a new version of gnupg.


Kind regards,
Thijs

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Mon, 07 Jul 2014 18:51:05 GMT).


Notification sent to Cyril Brulebois <kibi@debian.org>:
Bug acknowledged by developer. (Mon, 07 Jul 2014 18:51:06 GMT).


Message #22 received at 753985-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 753985-close@bugs.debian.org
Subject: Bug#753985: fixed in gnupg 1.4.18-2
Date: Mon, 07 Jul 2014 18:48:41 +0000
Source: gnupg
Source-Version: 1.4.18-2

We believe that the bug you reported is fixed in the latest version of
gnupg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 753985@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated gnupg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 07 Jul 2014 19:55:02 +0200
Source: gnupg
Binary: gnupg gnupg-curl gpgv gnupg-udeb gpgv-udeb gpgv-win32
Architecture: source all amd64
Version: 1.4.18-2
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-curl - GNU privacy guard - a free PGP replacement (cURL)
 gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb)
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-udeb  - minimal signature verification tool (udeb)
 gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
Closes: 753985
Changes:
 gnupg (1.4.18-2) unstable; urgency=medium
 .
   [ Cyril Brulebois ]
   * Fix gpgv-udeb by adding --enable-sha256, which is needed to validate
     Release files. (Closes: 753985).
   * Run the check target in the udeb build directory.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Aug 2014 07:37:24 GMT).

