Debian Bug report logs - #906545
gnupg 2.1 (in stretch) fails to fetch some ECC keys

Package: gnupg; Maintainer for gnupg is Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>; Source for gnupg is src:gnupg2.

Reported by: Roger Shimizu <rogershimizu@gmail.com>

Date: Sat, 18 Aug 2018 09:33:04 UTC

Severity: normal

Found in version gnupg2/2.1.18-8~deb9u2

Fixed in version gnupg2/2.1.18-8~deb9u3

Done: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, rogershimizu@gmail.com, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#906545; Package gnupg. (Sat, 18 Aug 2018 09:33:06 GMT)


Acknowledgement sent to Roger Shimizu <rogershimizu@gmail.com>:
New Bug report received and forwarded. Copy sent to rogershimizu@gmail.com, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Sat, 18 Aug 2018 09:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Roger Shimizu <rogershimizu@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnupg 2.1 (in stretch) fails to fetch some ECC keys
Date: Sat, 18 Aug 2018 17:27:34 +0800

Package: gnupg
Version: 2.1.18-8~deb9u2
Severity: normal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear Maintainer,

I'm trying to use my stretch box to caff sign the keys from DebConf18.
But I find that almost all ECC keys failed, except Niibe-san's one.

I dug a bit and found the reason is that caff fails to fetch those
ECC keys.

In order to avoid importing keys to the keyring, the following samples
use caff's gnupghome directory.

Bad case:
$ GNUPGHOME=~/.caff/gnupghome gpg -v --recv-keys 0x86B2250DBAC0ABC0
gpg: data source: https://176.9.147.41:443
gpg: armor header: Version: SKS 1.1.6
gpg: armor header: Comment: Hostname: keyserver.ntzwrk.org
gpg: pub  ed25519/0x86B2250DBAC0ABC0 2016-08-23  Shen-Ta Hsieh (謝昇達) <sthsieh@synology.com>
gpg: key 0x86B2250DBAC0ABC0: no subkey for subkey binding signature
gpg: key 0x86B2250DBAC0ABC0: no subkey for key binding
gpg: key 0x86B2250DBAC0ABC0: no subkey for subkey binding signature
gpg: key 0x86B2250DBAC0ABC0: no subkey for key binding
gpg: key 0x86B2250DBAC0ABC0: no user ID for key signature packet of class 13
gpg: key 0x86B2250DBAC0ABC0: no user ID for signature
gpg: Total number processed: 1

Good case:
$ GNUPGHOME=~/.caff/gnupghome gpg -v --recv-keys 0xE267B052364F028D
gpg: data source: https://176.9.147.41:443
gpg: armor header: Version: SKS 1.1.6
gpg: armor header: Comment: Hostname: keyserver.ntzwrk.org
gpg: pub  ed25519/0xE267B052364F028D 2015-08-12  NIIBE Yutaka <gniibe@fsij.org>
gpg: key 0xE267B052364F028D: invalid subkey binding
gpg: key 0xE267B052364F028D: "NIIBE Yutaka <gniibe@fsij.org>"
gpg: Total number processed: 1

And I confirm the above issue cannot be reproduced under gnupg 2.2
(sid version).
So maybe this can be fixed for the stretch/stable version?
Thanks!

Cheers,
Roger

- -- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.16.0-0.bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnupg depends on:
ii  gnupg-agent    2.1.18-8~deb9u2
ii  libassuan0     2.4.3-2
ii  libbz2-1.0     1.0.6-8.1
ii  libc6          2.24-11+deb9u3
ii  libgcrypt20    1.7.6-2+deb9u3
ii  libgpg-error0  1.26-2
ii  libksba8       1.3.5-2
ii  libreadline7   7.0-3
ii  libsqlite3-0   3.16.2-5+deb9u1
ii  zlib1g         1:1.2.8.dfsg-5

Versions of packages gnupg recommends:
ii  dirmngr     2.1.18-8~deb9u2
pn  gnupg-l10n  <none>

Versions of packages gnupg suggests:
pn  parcimonie  <none>
pn  xloadimage  <none>

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
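A triage helper for a caff-style batch, added here as an example and not part of the original report or of GnuPG: it scans `gpg -v --recv-keys` output and lists keys that were received but never reported with their user ID. The function names are hypothetical, and treating the quoted-user-ID line as the success marker is an assumption drawn only from the two transcripts in the report above.

```python
import re

# Constructed input: the two gpg -v transcripts from the report, mail line-wrapping undone.
SAMPLE = """\
gpg: pub  ed25519/0x86B2250DBAC0ABC0 2016-08-23  Shen-Ta Hsieh (謝昇達) <sthsieh@synology.com>
gpg: key 0x86B2250DBAC0ABC0: no subkey for subkey binding signature
gpg: key 0x86B2250DBAC0ABC0: no subkey for key binding
gpg: key 0x86B2250DBAC0ABC0: no subkey for subkey binding signature
gpg: key 0x86B2250DBAC0ABC0: no subkey for key binding
gpg: key 0x86B2250DBAC0ABC0: no user ID for key signature packet of class 13
gpg: key 0x86B2250DBAC0ABC0: no user ID for signature
gpg: Total number processed: 1
gpg: pub  ed25519/0xE267B052364F028D 2015-08-12  NIIBE Yutaka <gniibe@fsij.org>
gpg: key 0xE267B052364F028D: invalid subkey binding
gpg: key 0xE267B052364F028D: "NIIBE Yutaka <gniibe@fsij.org>"
gpg: Total number processed: 1
"""

PUB_RE = re.compile(r"^gpg: pub\s+\S+/(0x[0-9A-Fa-f]+)\s")
KEY_RE = re.compile(r"^gpg: key (0x[0-9A-Fa-f]+): (.*)$")


def classify(transcript):
    """Map each key ID seen in `gpg -v --recv-keys` output to its outcome."""
    keys = {}
    for line in transcript.splitlines():
        pub = PUB_RE.match(line)
        if pub:
            # A "pub" line means the keyserver returned this key.
            keys.setdefault(pub.group(1), {"accepted": False, "warnings": []})
            continue
        key = KEY_RE.match(line)
        if not key:
            continue
        entry = keys.setdefault(key.group(1), {"accepted": False, "warnings": []})
        message = key.group(2)
        if message.startswith('"'):
            # Heuristic (assumption): a quoted user ID means gpg kept the key.
            entry["accepted"] = True
        elif message not in entry["warnings"]:
            entry["warnings"].append(message)
    return keys


def dropped_keys(transcript):
    """Key IDs that were received from the keyserver but never accepted."""
    return sorted(k for k, v in classify(transcript).items() if not v["accepted"])


if __name__ == "__main__":
    for key_id, info in classify(SAMPLE).items():
        state = "ok" if info["accepted"] else "DROPPED"
        print(key_id, state, "; ".join(info["warnings"]))
```
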

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#906545; Package gnupg. (Mon, 20 Aug 2018 09:51:02 GMT)


Acknowledgement sent to NIIBE Yutaka <gniibe@fsij.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Mon, 20 Aug 2018 09:51:02 GMT)


Message #10 received at 906545@bugs.debian.org:

From: NIIBE Yutaka <gniibe@fsij.org>
To: Roger Shimizu <rogershimizu@gmail.com>
Cc: 906545@bugs.debian.org
Subject: Re: [pkg-gnupg-maint] Bug#906545: gnupg 2.1 (in stretch) fails to fetch some ECC keys
Date: Mon, 20 Aug 2018 18:04:48 +0900

Hello,

Thanks for your report.

Roger Shimizu <rogershimizu@gmail.com> wrote:
> Package: gnupg
> Version: 2.1.18-8~deb9u2
> Severity: normal
[...]
> And I confirm the above issue cannot be reproduced under gnupg 2.2
> (sid version).
> So maybe this can be fixed for the stretch/stable version?

In the upstream, it was fixed by the commit:

    commit 9b12b45aa5e67d4d422bf75a3879df1d52dbe67f
    Author: Justus Winter <justus@g10code.com>
    Date:   Tue Jun 13 15:35:01 2017 +0200

        gpg: Check and fix keys on import.
        
        * doc/gpg.texi: Document the new import option.
        * g10/gpg.c (main): Make the new option default to yes.
        * g10/import.c (parse_import_options): Parse the new option.
        (import_one): Act on the new option.
        * g10/options.h (IMPORT_REPAIR_KEYS): New macro.
        
        GnuPG-bug-id: 2236
        Signed-off-by: Justus Winter <justus@g10code.com>

and in the release of 2.1.22.
-- 



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#906545; Package gnupg. (Tue, 21 Aug 2018 15:30:03 GMT)


Acknowledgement sent to Roger Shimizu <rogershimizu@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Tue, 21 Aug 2018 15:30:03 GMT)


Message #15 received at 906545@bugs.debian.org:

From: Roger Shimizu <rogershimizu@gmail.com>
To: NIIBE Yutaka <gniibe@fsij.org>
Cc: 906545@bugs.debian.org
Subject: Re: [pkg-gnupg-maint] Bug#906545: gnupg 2.1 (in stretch) fails to fetch some ECC keys
Date: Wed, 22 Aug 2018 00:26:23 +0900

Dear Niibe-san,

Thanks for checking!

On Mon, Aug 20, 2018 at 6:04 PM, NIIBE Yutaka <gniibe@fsij.org> wrote:
>
> In the upstream, it was fixed by the commit:
>
>     commit 9b12b45aa5e67d4d422bf75a3879df1d52dbe67f
>     Author: Justus Winter <justus@g10code.com>
>     Date:   Tue Jun 13 15:35:01 2017 +0200
>
>         gpg: Check and fix keys on import.
>
>         * doc/gpg.texi: Document the new import option.
>         * g10/gpg.c (main): Make the new option default to yes.
>         * g10/import.c (parse_import_options): Parse the new option.
>         (import_one): Act on the new option.
>         * g10/options.h (IMPORT_REPAIR_KEYS): New macro.
>
>         GnuPG-bug-id: 2236
>         Signed-off-by: Justus Winter <justus@g10code.com>

The above commit seems to depend on 404fa8211b6188a0abe83ef43a4b44d528c0b035.
I cherry-picked both commits and pushed them to salsa, branch rosh/Bug906545:
- https://salsa.debian.org/debian/gnupg2/tree/rosh/Bug906545

But the build failed, enclosed is the error log:

gcc -DHAVE_CONFIG_H -I. -I../../g10 -I..  -I../../common -DLOCALEDIR=\"/usr/share/locale\" -DGNUPG_BINDIR="\"/usr/bin\"" -DGNUPG_LIBEXECDIR="\"/usr/lib/x86_64-linux-gnu\"" -DGNUPG_LIBDIR="\"/usr/lib/x86_64-linux-gnu/gnupg\"" -DGNUPG_DATADIR="\"/usr/share/gnupg\"" -DGNUPG_SYSCONFDIR="\"/etc/gnupg\"" -DGNUPG_LOCALSTATEDIR="\"/var\""     -Wdate-time -D_FORTIFY_SOURCE=2     -Wall -Wno-pointer-sign -Wpointer-arith  -g -O2 -fdebug-prefix-map=/data/rosh/working/gnupg2=. -fstack-protector-strong -Wformat -Werror=format-security -c -o keyedit.o ../../g10/keyedit.c
../../g10/keyedit.c: In function ‘fix_keyblock’:
../../g10/keyedit.c:1176:30: error: ‘ctrl’ undeclared (first use in this function)
   if (key_check_all_keysigs (ctrl, *keyblockp, 0, 1))
                              ^~~~
../../g10/keyedit.c:1176:30: note: each undeclared identifier is reported only once for each function it appears in
Makefile:889: recipe for target 'keyedit.o' failed

I'd like to leave this to the pkg maintainer, whether to backport those
patches, or release the latest 2.1.x for stretch.

Cheers,
-- 
Roger Shimizu, GMT +9 Tokyo
PGP/GPG: 4096R/6C6ACD6417B3ACB1



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#906545; Package gnupg. (Wed, 22 Aug 2018 23:42:02 GMT)


Acknowledgement sent to NIIBE Yutaka <gniibe@fsij.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Wed, 22 Aug 2018 23:42:02 GMT)


Message #20 received at 906545@bugs.debian.org:

From: NIIBE Yutaka <gniibe@fsij.org>
To: Roger Shimizu <rogershimizu@gmail.com>
Cc: 906545@bugs.debian.org
Subject: Re: [pkg-gnupg-maint] Bug#906545: gnupg 2.1 (in stretch) fails to fetch some ECC keys
Date: Thu, 23 Aug 2018 08:38:55 +0900

Roger Shimizu <rogershimizu@gmail.com> wrote:
> I'd like to leave this to the pkg maintainer, whether to backport those
> patches, or release the latest 2.1.x for stretch.

For Debian, I think that packaging 2.2.x for stable-bpo would be easier
than cherry picking patches.
-- 



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#906545; Package gnupg. (Thu, 23 Aug 2018 15:36:02 GMT)


Acknowledgement sent to Roger Shimizu <rogershimizu@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Thu, 23 Aug 2018 15:36:02 GMT)


Message #25 received at 906545@bugs.debian.org:

From: Roger Shimizu <rogershimizu@gmail.com>
To: NIIBE Yutaka <gniibe@fsij.org>
Cc: 906545@bugs.debian.org
Subject: Re: [pkg-gnupg-maint] Bug#906545: gnupg 2.1 (in stretch) fails to fetch some ECC keys
Date: Fri, 24 Aug 2018 00:32:26 +0900

On Thu, Aug 23, 2018 at 8:38 AM, NIIBE Yutaka <gniibe@fsij.org> wrote:
> Roger Shimizu <rogershimizu@gmail.com> wrote:
>> I'd like to leave this to the pkg maintainer, whether to backport those
>> patches, or release the latest 2.1.x for stretch.
>
> For Debian, I think that packaging 2.2.x for stable-bpo would be easier
> than cherry picking patches.

I agree with you.
So I uploaded src:libassuan and src:gnupg2 to stretch-backports, with DELAYED/5.

Since both packages need to pass NEW queue, it actually requires more
than 5 days.
So if anyone objects to this upload, there's still plenty of time to cancel.

Cheers,
-- 
Roger Shimizu, GMT +9 Tokyo
PGP/GPG: 4096R/6C6ACD6417B3ACB1



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#906545; Package gnupg. (Sat, 25 Aug 2018 15:15:03 GMT)


Acknowledgement sent to Roger Shimizu <rogershimizu@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Sat, 25 Aug 2018 15:15:03 GMT)


Message #30 received at 906545@bugs.debian.org:

From: Roger Shimizu <rogershimizu@gmail.com>
To: 906545@bugs.debian.org
Cc: NIIBE Yutaka <gniibe@fsij.org>
Subject: Re: [pkg-gnupg-maint] Bug#906545: gnupg 2.1 (in stretch) fails to fetch some ECC keys
Date: Sun, 26 Aug 2018 00:09:55 +0900

On Fri, Aug 24, 2018 at 12:32 AM, Roger Shimizu <rogershimizu@gmail.com> wrote:
> So I uploaded src:libassuan and src:gnupg2 to stretch-backports, with DELAYED/5.

I canceled the previous two uploads, and did two new uploads:
- src:libassuan
  I mistakenly backported debian/master, which contains two commits
not released yet.
  So the new upload fixed that.

- src:gnupg2
  There's a new version in unstable now. Since it's passed
autopkgtest, it will hit testing in 2 days.
  So I updated the backports version based on latest.

The two uploads proceed with DELAYED/5, which is almost the same as
the original plan.
Thanks for your understanding!

Cheers,
--
Roger Shimizu, GMT +9 Tokyo
PGP/GPG: 4096R/6C6ACD6417B3ACB1



Reply sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
You have taken responsibility. (Fri, 02 Nov 2018 22:06:11 GMT)


Notification sent to Roger Shimizu <rogershimizu@gmail.com>:
Bug acknowledged by developer. (Fri, 02 Nov 2018 22:06:11 GMT)


Message #35 received at 906545-close@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: 906545-close@bugs.debian.org
Subject: Bug#906545: fixed in gnupg2 2.1.18-8~deb9u3
Date: Fri, 02 Nov 2018 22:02:08 +0000

Source: gnupg2
Source-Version: 2.1.18-8~deb9u3

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 906545@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <dkg@fifthhorseman.net> (supplier of updated gnupg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 Oct 2018 15:43:38 -0500
Source: gnupg2
Binary: gnupg-agent scdaemon gpgsm gnupg gnupg2 gpgv gpgv2 dirmngr gpgv-udeb gpgv-static gpgv-win32 gnupg-l10n
Architecture: source
Version: 2.1.18-8~deb9u3
Distribution: stretch
Urgency: medium
Maintainer: Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Description:
 dirmngr    - GNU privacy guard - network certificate management service
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-agent - GNU privacy guard - cryptographic agent
 gnupg-l10n - GNU privacy guard - localization files
 gnupg2     - GNU privacy guard - a free PGP replacement (dummy transitional pa
 gpgsm      - GNU privacy guard - S/MIME version
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-static - minimal signature verification tool (static build)
 gpgv-udeb  - minimal signature verification tool (udeb)
 gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
 gpgv2      - GNU privacy guard - signature verification tool (dummy transition
 scdaemon   - GNU privacy guard - smart card support
Closes: 862682 878952 906545
Changes:
 gnupg2 (2.1.18-8~deb9u3) stretch; urgency=medium
 .
   * block trivial access to scdaemon memory (Closes: #878952)
   * Update crypto defaults for 2018 (new keys are RSA 3072, prefer AES256)
   * d/control: move Vcs*: to salsa
   * dirmngr: implement querying nameservers over IPv6 (Closes: #862682)
   * use DEP-14 branch naming
   * refresh patches
   * backport --no-symkey-cache
   * backport improved import and export filtering
   * backport display of revocation certificates
   * backport stripping unusable subkey material during export-minimal
   * backport fix to make --dry-run work when listing secret keys
   * backport fix showing secret keys when listing keys
   * backport fix to clean keys before importing (Closes: #906545)

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTTaP514aqS9uSbmdJsHx7ezFD6UwUCW9Z1vwAKCRBsHx7ezFD6
U6xcAP9+/KiRlHoWQaegRiesleaRLAEKJo4QSv7VPClatHW3uAD+KS2VjT/j0pkB
wWau8iOW+BdTKdxkzNDgXQtpNQ7YkAE=
=nkaZ
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 01 Dec 2018 07:28:04 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 09:22:33 2023; Machine Name: buxtehude
