Re: debsig-verify test data contains signatures w/o debian-binary included in the signed data!

On Wed, May 5, 2021 at 9:33 PM Guillem Jover <guillem@debian.org> wrote:
> On Wed, 2021-05-05 at 12:51:18 -0500, Charles Duffy wrote:
> > This came up in the context of having borrowed the test data from
> > debsig-verify to use in a Go reimplementation at
> > https://github.com/paultag/go-debian/blob/master/deb/sigcheck.go to ensure
> > compatibility; it turns out that using this test data ensured that the
> > result would _not_ be compatible with the modern format!
>
> Hmm, it seems though that implementation is not compliant, as it
> hardcodes several types, and does not use the defined policies.

I'm sorry -- by using the word "reimplementation" I may have implied a goal to be feature-complete or configuration-compatible or otherwise to eventually serve as a replacement for the original project, and this is not the case.

Whereas upstream debsig-verify has policy-based configuration, my goal in writing the extension for Paul's Go library referenced above was purely to implement the actual signature checking itself against a keyring provided by the library user, leaving policies used to decide which keys should be in the keyring used when validating a given package out-of-scope and to be implemented by users of that library. Implementing parsing of the policy format used by debsig-verify doesn't strike me as an utterly inappropriate addition to go-debian (though of course Paul has final authority on that) -- but it is something where, were I implementing it myself, I'd want it to be a separate module, not tightly coupled to the code that does the actual validation of each package, with each component usable on its own; this would make it easy to implement additional or alternate policy engines independent of alternate package-level signature formats.

Within the limited scope that the current Go implementation aims for, I'm very interested in knowing where it could be improved, if you'd be willing to go into more detail.

> In any case I'm not sure how useful it is to reimplement this now, as
> the debsigs infra needs to be revamped to be able to integrate it
> properly into dpkg and DAK, mainly how the signatures are stored in
> the .deb. I've also started pondering about switching the policy
> from XML to JSON, and started some code in that direction.

I look forward to extending the Go library to cover new format versions as appropriate in the future. 
