
Bug#928776: marked as done (unblock: monkeysphere/0.43-3)



Your message dated Sat, 11 May 2019 09:34:00 +0000
with message-id <509b8731-16f6-68a4-a4a7-bb5c28cefec3@thykier.net>
and subject line Re: Bug#928776: unblock: monkeysphere/0.43-3
has caused the Debian Bug report #928776,
regarding unblock: monkeysphere/0.43-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
928776: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928776
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Control: affects -1 src:monkeysphere

Please unblock package monkeysphere

monkeysphere 0.43-3 resolves a grave bug in monkeysphere, which causes
the monkeysphere-host import-key subcommand to fail in newly-installed
buster systems (#909700, merged with #928684).

The initial monkeysphere "solution" for #909700 in 0.42-1 actually just
worked around the test suite failure, and failed to fix the underlying
problem, which was a mistake.

#928684 pointed out that the standard use of monkeysphere-host
import-key on a new install of debian buster would fail.  These imported
patches from the upstream development branch solve the problem correctly
(and revert the test suite workaround, so that it is properly tested).

The debdiff is attached.

unblock monkeysphere/0.43-3

Thanks for your work on fine-tuning the debian Buster release!

            --dkg

diff --git monkeysphere_0.43-2/debian/changelog monkeysphere_0.43-3/debian/changelog
index 2948c8b..f57df6d 100644
--- monkeysphere_0.43-2/debian/changelog
+++ monkeysphere_0.43-3/debian/changelog
@@ -1,3 +1,10 @@
+monkeysphere (0.43-3) unstable; urgency=medium
+
+  * fix monkeysphere-host import-key (Closes: #909700)
+  * update GnuPG dependency
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 10 May 2019 16:55:04 -0400
+
 monkeysphere (0.43-2) unstable; urgency=medium
 
   * Autopkgtest should cover Ed25519 as well
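Review bot: the changelog entry is thinner than the change it describes; "update GnuPG dependency" gives no reason for the bump to 2.1.17 (patch 0005 needs the --quick-add-uid/--quick-revoke-uid interface that stabilized in that release), and nothing records that the 0.42-1 test-suite workaround for #909700 is reverted (patch 0004). Closing only #909700 is fine since #928684 is merged with it, but a reader of the changelog should not have to open the three patches to learn what changed; suggest something like "* fix monkeysphere-host import-key by loading the key via ssh-add into gpg-agent; revert the -m PEM test workaround (Closes: #909700)" and "* require gnupg >= 2.1.17 for --quick-add-uid/--quick-revoke-uid".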
diff --git monkeysphere_0.43-2/debian/control monkeysphere_0.43-3/debian/control
index 120cca6..6db41c0 100644
--- monkeysphere_0.43-2/debian/control
+++ monkeysphere_0.43-3/debian/control
@@ -11,7 +11,7 @@ Build-Depends:
  cpio,
  debhelper-compat (= 12),
  dpkg-dev (>= 1.17.14),
- gnupg (>= 2.1.11) <!nocheck>,
+ gnupg (>= 2.1.17) <!nocheck>,
  gnupg-agent <!nocheck>,
  libassuan-dev,
  libcrypt-openssl-rsa-perl <!nocheck>,
@@ -31,7 +31,7 @@ Package: monkeysphere
 Architecture: all
 Depends:
  adduser,
- gnupg (>= 2.1.11),
+ gnupg (>= 2.1.17),
  libcrypt-openssl-rsa-perl,
  libdigest-sha-perl,
  lockfile-progs | procmail,
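Review bot: the runtime dependency set needs a second look beyond the gnupg bump: patch 0006 makes monkeysphere-host import-key call ssh-keygen -y and ssh-add at runtime (plus gpgconf --launch gpg-agent and gpgconf --list-dirs agent-ssh-socket), so openssh-client must be in Depends, and this hunk only shows a few lines of the field. If it is not already listed further down, import-key on a minimal install fails with a command-not-found before the fallback to pem2openpgp is even reached. The gnupg metapackage covers gpg-agent and gpgconf, so 2.1.17 on gnupg is sufficient for the gpg side.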
diff --git monkeysphere_0.43-2/debian/patches/0004-tests-basic-ensure-functionality-with-output-of-stan.patch monkeysphere_0.43-3/debian/patches/0004-tests-basic-ensure-functionality-with-output-of-stan.patch
new file mode 100644
index 0000000..a8ecd8d
--- /dev/null
+++ monkeysphere_0.43-3/debian/patches/0004-tests-basic-ensure-functionality-with-output-of-stan.patch
@@ -0,0 +1,32 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 10 May 2019 12:15:00 -0400
+Subject: tests/basic: ensure functionality with output of standard OpenSSH
+ keygen
+
+Our "fix" to https://bugs.debian.org/909700 in
+d8fc9f284fc9a128a174b16ad19e866f1c00bc27 just avoided testing the
+actual typical default output of ssh-keygen.
+
+While this was fair to do in tests/keytrans, where it is exercised on
+pem2openpgp (which is explicitly defined as only accepting PEM input),
+this is inappropriate for testing monkeysphere in general.
+
+So now, the test suite breaks again, but we need to provide a proper
+fix.
+---
+ tests/basic | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/basic b/tests/basic
+index d5c4692..72a79a6 100755
+--- a/tests/basic
++++ b/tests/basic
+@@ -275,7 +275,7 @@ fi
+ echo
+ echo "##################################################"
+ echo "### import host key..."
+-ssh-keygen -m PEM -b 3072 -t rsa -N '' -f "$TEMPDIR"/ssh_host_rsa_key
++ssh-keygen -b 3072 -t rsa -N '' -f "$TEMPDIR"/ssh_host_rsa_key
+ monkeysphere-host import-key "$TEMPDIR"/ssh_host_rsa_key ssh://testhost.example
+ 
+ echo
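Review bot: this patch deliberately turns tests/basic red on its own (the commit message says so), which means the series is not bisectable at this point; that is acceptable only because 0006 follows it in debian/patches/series, so the two must never be separated or reordered. The change itself is the right one: dropping -m PEM makes the test feed monkeysphere-host the format ssh-keygen emits by default, which is exactly the case #928684 reported, whereas the previous line only proved that a hand-converted PEM key imports.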
diff --git monkeysphere_0.43-2/debian/patches/0005-Use-gpg-s-reworked-quick-interface-for-adding-revoki.patch monkeysphere_0.43-3/debian/patches/0005-Use-gpg-s-reworked-quick-interface-for-adding-revoki.patch
new file mode 100644
index 0000000..201d410
--- /dev/null
+++ monkeysphere_0.43-3/debian/patches/0005-Use-gpg-s-reworked-quick-interface-for-adding-revoki.patch
@@ -0,0 +1,62 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 10 May 2019 16:18:28 -0400
+Subject: Use gpg's reworked --quick-* interface for adding/revoking uids
+
+This interface stabilized in GnuPG 2.1.17, so we increase our
+versioned dependency.
+---
+ README                   |  2 +-
+ src/share/mh/add_name    |  5 +----
+ src/share/mh/revoke_name | 10 +---------
+ 3 files changed, 3 insertions(+), 14 deletions(-)
+
+diff --git a/README b/README
+index b47a9bf..33f5a0d 100644
+--- a/README
++++ b/README
+@@ -19,7 +19,7 @@ Dependencies
+ 
+ Monkeysphere depends on:
+ 
+- * GnuPG >= 2.1.11
++ * GnuPG >= 2.1.17
+  * Perl
+  * Perl's Crypt::OpenSSL::RSA module
+  * lockfile-progs or procmail's lockfile
+diff --git a/src/share/mh/add_name b/src/share/mh/add_name
+index f37d9df..6357284 100644
+--- a/src/share/mh/add_name
++++ b/src/share/mh/add_name
+@@ -50,10 +50,7 @@ else
+ fi
+ 
+ # execute edit-key script
+-if gpg_host --export-secret-keys "$keyID" | \
+-    PEM2OPENPGP_USAGE_FLAGS=authenticate \
+-    "$SYSSHAREDIR/keytrans" adduserid "$keyID" "$serviceName" \
+-    | gpg_host --import ; then
++if gpg_host --quick-add-uid "$keyID" "$serviceName" ; then
+ 
+     gpg_host --check-trustdb
+ 
+diff --git a/src/share/mh/revoke_name b/src/share/mh/revoke_name
+index d807ac1..4e8d666 100644
+--- a/src/share/mh/revoke_name
++++ b/src/share/mh/revoke_name
+@@ -46,15 +46,7 @@ else
+ fi
+ 
+ # actually revoke:
+-
+-# the gpg secring might not contain the host key we are trying to
+-# revoke (let alone any selfsig over that host key), but the plain
+-# --export won't contain the secret key.  "keytrans revokeuserid"
+-# needs access to both pieces, so we feed it both of them.
+-
+-if gpg_host --export-secret-keys "$keyID" \
+-    | "$SYSSHAREDIR/keytrans" revokeuserid "$keyID" "$serviceName" \
+-    | gpg_host --import ; then
++if gpg_host --quick-revoke-uid "$keyID" "$serviceName" ; then
+ 
+     gpg_host --check-trustdb
+ 
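Review bot: the removed add_name pipeline passed PEM2OPENPGP_USAGE_FLAGS=authenticate explicitly when it produced the new user ID's self-signature; the replacement "gpg_host --quick-add-uid" line passes nothing, so the auth key flag on the new self-sig now depends on gpg copying the key usage from the key's existing self-signature. That is what gpg does, but since monkeysphere's whole purpose for these keys is authentication, it is worth an assertion in the test suite (e.g. checking the usage column of --with-colons --list-keys after a name is added) rather than an assumption. Two smaller points in the same hunk: the surviving context comment "# execute edit-key script" in add_name no longer describes what follows and should be updated, and the revoke_name hunk drops the explanatory comment about needing both the secret and public halves, which is correct since --quick-revoke-uid works on the keyring directly.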
diff --git monkeysphere_0.43-2/debian/patches/0006-mh-import-key-use-ssh-add-and-gpg-agent-for-import-C.patch monkeysphere_0.43-3/debian/patches/0006-mh-import-key-use-ssh-add-and-gpg-agent-for-import-C.patch
new file mode 100644
index 0000000..ac353ba
--- /dev/null
+++ monkeysphere_0.43-3/debian/patches/0006-mh-import-key-use-ssh-add-and-gpg-agent-for-import-C.patch
@@ -0,0 +1,146 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 10 May 2019 16:30:11 -0400
+Subject: mh import-key: use ssh-add and gpg-agent for import (Closes:
+ #909700)
+
+This directly fixes the problem that monkeysphere-host was failing to
+import the style of SSH host key that was generated by default by
+ssh-keygen.
+
+As a side effect, we can now support all the host key algorithms that
+are supported by both gpg-agent (in its ssh-agent implementation) and
+ssh-add.
+
+The lockfile and the dancing around the gpg-agent run in
+$GNUPGHOME_HOST is a bit awkward.  It would be nicer to use an
+ephemeral GnuPG homedir as recommended in the "Unattended Usage"
+section of the gnupg info pages, but to do that we'd need to be able
+to extract the secret key, which is blocked by
+https://dev.gnupg.org/T4490
+---
+ man/man8/monkeysphere-host.8 |  7 ++--
+ src/share/mh/import_key      | 82 ++++++++++++++++++++++++++++++++++++++++----
+ 2 files changed, 79 insertions(+), 10 deletions(-)
+
+diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8
+index 3e37057..6ae30ed 100644
+--- a/man/man8/monkeysphere-host.8
++++ b/man/man8/monkeysphere-host.8
+@@ -27,9 +27,10 @@ be omitted, and \fBmonkeysphere\-host\fP will operate on it.
+ \fBmonkeysphere\-host\fP takes various subcommands:
+ .TP
+ .B import\-key FILE SCHEME://HOSTNAME[:PORT]
+-Import a PEM\-encoded host secret key from file FILE.  If FILE is
+-`\-', then the key will be imported from stdin.  Only RSA keys are
+-supported at the moment.  SCHEME://HOSTNAME[:PORT] is used to specify
++Import an SSH host secret key from file FILE.  If FILE is
++`\-', then the key will be imported from stdin, and must be an
++RSA key in PEM\-encoded format.
++SCHEME://HOSTNAME[:PORT] is used to specify
+ the scheme (e.g. ssh or https), fully\-qualified hostname (and port)
+ used in the user ID of the new OpenPGP key (e.g. ssh://example.net or
+ https://www.example.net).  If PORT is not specified, then no port is
+diff --git a/src/share/mh/import_key b/src/share/mh/import_key
+index 0f362b8..ebe2cc3 100644
+--- a/src/share/mh/import_key
++++ b/src/share/mh/import_key
+@@ -18,7 +18,7 @@ local serviceName="$2"
+ 
+ # check that key file specified
+ if [ -z "$keyFile" ] ; then
+-    failure "Must specify PEM-encoded key file to import, or specify '-' for stdin."
++    failure "Must specify key file to import, or specify '-' for PEM-encoded RSA key on stdin."
+ fi
+ 
+ # fail if hostname not specified
+@@ -37,16 +37,84 @@ mkdir -p "${MHDATADIR}"
+ mkdir -p "${GNUPGHOME_HOST}"
+ chmod 700 "${GNUPGHOME_HOST}"
+ 
+-# import pem-encoded key to an OpenPGP private key
++key_type_from_file() {
++    # translates from OpenSSH's pubkey format string to GnuPG's
++    # Key-Type parameter:
++    local keyType
++    if keyType=$(ssh-keygen -y -f "$keyFile" | awk '{ print $1 }'); then
++        case "$keyType" in
++            ssh-dss)
++                echo DSA
++                ;;
++            ecdsa-sha2-nistp256)
++                echo ECDSA
++                ;;
++            ssh-ed25519)
++                echo EDDSA
++                ;;
++            ssh-rsa)
++                echo RSA
++                ;;
++            *)
++                log error "unknown key type '$keyType' from file '$keyFile'"
++                return 1
++                ;;
++        esac
++    else
++        log error "ssh-keygen could not interpret '$keyFile'"
++        return 1
++    fi
++    return 0
++}
++
++
+ if [ "$keyFile" = '-' ] ; then
+-    log verbose "importing key from stdin..."
++    # import PEM-encoded RSA stdin to an OpenPGP private key
++    log verbose "importing PEM-encoded RSA key from stdin..."
+     PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
+ 	| gpg_host --import
+ else
+-    log verbose "importing key from file '$keyFile'..."
+-    PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
+-	<"$keyFile" \
+-	| gpg_host --import
++    # import some sort of file that OpenSSH's keygen can handle
++    if keyType=$(key_type_from_file "$keyFile"); then
++        # we lock to avoid concurrent interactions with gpg-agent and
++        # the sshcontrol file would be dubious
++        lock create "$GNUPGHOME_HOST/importlock"
++        if test -e "$GNUPGHOME_HOST/sshcontrol" && grep -q '^[0-9A-F]' "$GNUPGHOME_HOST/sshcontrol"; then
++            backupSshControl=$(mktemp "$GNUPGHOME_HOST/sshcontrol.XXXXXXXX")
++            log error "$GNUPGHOME_HOST/sshcontrol already contained a key, backing up to $backupSshControl"
++            mv -f "$GNUPGHOME_HOST/sshcontrol" "$backupSshControl"
++        fi
++        
++        log verbose "importing $keyType key from file '$keyFile'..."
++        if ! { test -e "$GNUPGHOME_HOST/gpg-agent.conf" && grep -Fxq batch "$GNUPGHOME_HOST/gpg-agent.conf" ; }; then
++            echo batch >> "$GNUPGHOME_HOST/gpg-agent.conf"
++            GNUPGHOME="$GNUPGHOME_HOST" gpgconf --reload gpg-agent
++            GNUPGHOME="$GNUPGHOME_HOST" gpgconf --launch gpg-agent
++        fi
++        SSH_AUTH_SOCK=$(GNUPGHOME="$GNUPGHOME_HOST" gpgconf --list-dirs agent-ssh-socket) ssh-add "$keyFile"
++        if keyGrip=$(awk '/^[0-9A-F]/{print $1}' < "$GNUPGHOME_HOST/sshcontrol") &&
++           test -n "$keyGrip" && [ $(wc -l <<<"$keyGrip") -eq 1 ] ; then
++            gpg_host --batch --full-generate-key <<EOF
++Key-Type: $keyType
++Key-Grip: $keyGrip
++Key-Usage: auth
++Name-Real: $serviceName
++%no-protection
++%commit
++EOF
++        else
++            rm -f "$GNUPGHOME_HOST/sshcontrol"
++            lock remove "$GNUPGHOME_HOST/importlock"
++            failure "did not find a single keygrip in $GNUPGHOME_HOST/sshcontrol during import"
++        fi
++        rm -f "$GNUPGHOME_HOST/sshcontrol"
++        lock remove "$GNUPGHOME_HOST/importlock"
++    else
++        log error "falling back to pem2openpgp (which will probably still fail)..."
++        PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
++	                       <"$keyFile" \
++	    | gpg_host --import
++    fi
+ fi
+ 
+ # export to OpenPGP public key to file
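Review bot: the two commands that do the real work in import_key have unchecked exit statuses. "SSH_AUTH_SOCK=$(...) ssh-add "$keyFile"" is a bare statement, so when ssh-add fails (passphrase-protected key, unreadable file, agent socket not reachable) execution continues and the only diagnosis the user gets is the later "did not find a single keygrip in $GNUPGHOME_HOST/sshcontrol during import", which points at the wrong thing; suggest "if ! SSH_AUTH_SOCK=... ssh-add "$keyFile"; then rm -f "$GNUPGHOME_HOST/sshcontrol"; lock remove "$GNUPGHOME_HOST/importlock"; failure "ssh-add could not load '$keyFile'"; fi". Likewise "gpg_host --batch --full-generate-key <<EOF" is not checked: on failure the script removes the lock and proceeds to the export step with no OpenPGP key, while the secret key ssh-add loaded already sits in the host agent's private-keys-v1.d with nothing referring to it. Second, the commit message and man page claim support for every algorithm gpg-agent and ssh-add share, but key_type_from_file maps only ecdsa-sha2-nistp256; nistp384 and nistp521 keys hit the unknown-key-type branch and fall into the pem2openpgp fallback that the log line itself says "will probably still fail", so either add those two curves or narrow the wording. Third, "echo batch >> $GNUPGHOME_HOST/gpg-agent.conf" is a permanent change to the host agent's configuration that the script never reverts; that deserves a comment in the code and a sentence in the man page, and the same goes for the fact that a pre-existing sshcontrol is moved aside (logged as an error although the import continues). Minor: the fallback branch mixes tabs and spaces in its continuation lines.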
diff --git monkeysphere_0.43-2/debian/patches/series monkeysphere_0.43-3/debian/patches/series
index 4b3e5c2..4a94dc6 100644
--- monkeysphere_0.43-2/debian/patches/series
+++ monkeysphere_0.43-3/debian/patches/series
@@ -1,3 +1,6 @@
 0001-Expose-sshd-logs-when-ssh-test-fails.patch
 0002-Ensure-that-make-test-ed25519-works-when-no-tty-is-p.patch
 0003-Dump-remaining-jobs-during-test-cleanup.patch
+0004-tests-basic-ensure-functionality-with-output-of-stan.patch
+0005-Use-gpg-s-reworked-quick-interface-for-adding-revoki.patch
+0006-mh-import-key-use-ssh-add-and-gpg-agent-for-import-C.patch
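Review bot: the ordering here is load-bearing, not cosmetic: 0004 alone makes tests/basic fail by design and only 0006 makes it pass again, so a short comment in series (or in the changelog) noting that 0004 and 0006 belong together would save the next person who cherry-picks or drops a patch from an unexplained test failure.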

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Daniel Kahn Gillmor:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> Control: affects -1 src:monkeysphere
> 
> Please unblock package monkeysphere
> 
> monkeysphere 0.43-3 resolves a grave bug in monkeysphere, which causes
> the monkeysphere-host import-key subcommand to fail in newly-installed
> buster systems (#909700, merged with #928684).
> 
> The initial monkeysphere "solution" for #909700 in 0.42-1 actually just
> worked around the test suite failure, and failed to fix the underlying
> problem, which was a mistake.
> 
> #928684 pointed out that the standard use of monkeysphere-host
> import-key on a new install of debian buster would fail.  These imported
> patches from the upstream development branch solve the problem correctly
> (and revert the test suite workaround, so that it is properly tested).
> 
> The debdiff is attached.
> 
> unblock monkeysphere/0.43-3
> 
> Thanks for your work on fine-tuning the debian Buster release!
> 
>             --dkg
> 

Unblocked, thanks.
~Niels

--- End Message ---