
Bug#852849: jessie-pu: package keyringer/0.3.7-1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear release team,

Please consider the attached patch for upload to jessie.

It is a backport of my patch for bug #847963: keyringer fails to handle
OpenPGP keys which have subkeys that do not expire.

I believe this bug qualifies for a patch in stable, given its impact:
it makes keyrings that contain such a key unusable, since keyringer
errors out on any operation, including reading secrets from the keyring.


I also included a backport of my patch for #847964, fixing a more minor
issue which only occurs when GnuPG lists keys multiple times (for
instance when using the `keyring /usr/share/keyrings/debian-keyring.gpg`
directive).


Best,

  nicoo

- -- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
diff --git c/debian/changelog w/debian/changelog
index cba6437..89fc5d4 100644
--- c/debian/changelog
+++ w/debian/changelog
@@ -1,3 +1,11 @@
+keyringer (0.3.7-1+deb8u1) jessie-proposed-updates; urgency=medium
+
+  * debian/patches backported from version 0.5.0
+    * Handle subkeys without expiration date (Closes: #847963)
+    * Handle public keys listed multiple times (Closes: #847964)
+
+ -- Nicolas Braud-Santoni <nicolas@braud-santoni.eu>  Fri, 27 Jan 2017 21:10:30 +0100
+
 keyringer (0.3.7-1) unstable; urgency=low
 
   * Added .gitignore
diff --git c/debian/patches/0001-Handle-subkeys-without-expiration-date.patch w/debian/patches/0001-Handle-subkeys-without-expiration-date.patch
new file mode 100644
index 0000000..5f62421
--- /dev/null
+++ w/debian/patches/0001-Handle-subkeys-without-expiration-date.patch
@@ -0,0 +1,61 @@
+From: Nicolas Braud-Santoni <nicolas@braud-santoni.eu>
+Date: Fri, 27 Jan 2017 20:59:43 +0100
+Subject: Handle subkeys without expiration date
+
+Closes #847963
+
+Backported from version 0.5.0,
+commit c12b5c6c7eccb8e0922ff034bb3690774e12998c
+---
+ ChangeLog               |  5 +++++
+ lib/keyringer/functions | 14 +++++++++++---
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 683c853..6b92025 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,8 @@
++2017-01-27 - 0.3.7+deb8u1 - Nicolas Braud-Santoni <nicolas@braud-santoni.eu>
++
++	Make keyringer_check_expiration not fail on subkeys which do
++	not have an expiration date (Debian BTS #847963)
++
+ 2014-08-21 - 0.3.7 - Silvio Rhatto <rhatto@riseup.net>
+ 
+ 	Init: just set git user/mail if needed
+diff --git a/lib/keyringer/functions b/lib/keyringer/functions
+index 42c047d..074f68e 100755
+--- a/lib/keyringer/functions
++++ b/lib/keyringer/functions
+@@ -715,19 +715,27 @@ function keyringer_check_expiration {
+   fi
+ 
+   # Check the subkeys
+-  expiry=""
+-  for expiry in `gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub | cut -d : -f 7`; do
++  local subkey=""
++  for subkey in $(gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^sub); do
++    local expiry=$(cut -d : -f 7 <<< "$subkey")
++
++    if [[ -z "$expiry" ]]; then
++      not_expired=1
++      break
++    fi
++
+     if [[ "$seconds" -lt "$expiry" ]]; then
+       not_expired="1"
+ 
+       if [[ "$ahead" -gt "$expiry" ]] && [ "$BASENAME" == "check" ]; then
+         echo "Warning: subkey from $recipient will expire soon, on `date --date="@$expiry"`"
+       fi
++      break
+     fi
+   done
+ 
+   # All subkeys are expired
+-  if [ ! -z "$expiry" ] && [ "$not_expired" != "1" ]; then
++  if [ ! -z "$subkey" ] && [ "$not_expired" != "1" ]; then
+     echo "Fatal: key $recipient has no keys suitable for encryption: all subkeys expired."
+     exit 1
+   fi
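Review bot: In the new subkey loop of keyringer_check_expiration, the `[[ -z "$expiry" ]]` branch sets not_expired=1 and breaks on the first `sub` record whose field 7 is empty, without reading anything else from that record. A subkey with no expiration date that is revoked, or that has no encryption capability, therefore passes a check whose failure message is about "keys suitable for encryption". Consider also reading the validity field (field 2) and the capabilities field (field 12) of the colon listing before accepting a subkey. Separately, `for subkey in $(... | grep ^sub)` depends on word splitting of the gpg output; a `while IFS= read -r subkey` loop would iterate per line explicitly, and `not_expired=1` could be quoted to match the `not_expired="1"` a few lines below.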
diff --git c/debian/patches/0002-Handle-public-keys-listed-multiple-times.patch w/debian/patches/0002-Handle-public-keys-listed-multiple-times.patch
new file mode 100644
index 0000000..2574f30
--- /dev/null
+++ w/debian/patches/0002-Handle-public-keys-listed-multiple-times.patch
@@ -0,0 +1,39 @@
+From: Nicolas Braud-Santoni <nicolas@braud-santoni.eu>
+Date: Fri, 27 Jan 2017 20:59:50 +0100
+Subject: Handle public keys listed multiple times
+
+Closes #847964
+
+Backported from version 0.5.0,
+commit 21ca00d0d8d6e206cb377dc1febe8f66694142d7
+---
+ ChangeLog               | 3 +++
+ lib/keyringer/functions | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 6b92025..9ec9d7a 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,5 +1,8 @@
+ 2017-01-27 - 0.3.7+deb8u1 - Nicolas Braud-Santoni <nicolas@braud-santoni.eu>
+ 
++	Fix keyringer_check_expiration failure if a public key is
++	listed multiple times (Debian #847964)
++
+ 	Make keyringer_check_expiration not fail on subkeys which do
+ 	not have an expiration date (Debian BTS #847963)
+ 
+diff --git a/lib/keyringer/functions b/lib/keyringer/functions
+index 074f68e..a5ba7eb 100755
+--- a/lib/keyringer/functions
++++ b/lib/keyringer/functions
+@@ -696,7 +696,7 @@ function keyringer_check_expiration {
+   seconds="`date +%s`"
+ 
+   # Check the main key
+-  expiry="`gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^pub | cut -d : -f 7`"
++  expiry="`gpg --with-colons --fixed-list-mode --list-keys "$recipient" | grep ^pub | head -n1 | cut -d : -f 7`"
+ 
+   # TODO: Time to expire can be configured via repository options.
+   ahead="$((86400 * 30 + $seconds))"
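Review bot: `head -n1` on the `grep ^pub` pipeline keeps the first `pub` record whether the extra records are the same key listed twice or different keys that match `$recipient`, so the second case is now accepted silently. The subkey loop in the same function still reads every `sub` line of the same listing, so the main-key expiry and the subkey expiries can end up coming from different keys. Suggest either deduplicating on the key ID field before taking the first record, or documenting that `$recipient` is expected to be a full fingerprint.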
diff --git c/debian/patches/series w/debian/patches/series
new file mode 100644
index 0000000..9a8cb87
--- /dev/null
+++ w/debian/patches/series
@@ -0,0 +1,2 @@
+0001-Handle-subkeys-without-expiration-date.patch
+0002-Handle-public-keys-listed-multiple-times.patch
