
Bug#921685: 1.8.0~rc2 breaks using Release.gpg instead of InRelease



Hi,

On Thu, Feb 07, 2019 at 04:54:01PM -0500, Anthony DeRobertis wrote:
> We have a local repository here which is generated with an (ancient!)
> version of mini-dinstall. This worked fine until rc2. The problem
> appears to be that it uses Release and Release.gpg instead of InRelease.

~rc1 adds verification of the contents of the "Release.gpg" file to
ensure the file can't be used to sneak additional data to the disk gpgv
ignores but could later be used in exploits – this was part of the
exploit for CVE-2019-3462.


>     Get:3 http://haruhi.metrics.net/deb buster/ Release.gpg [88 B]

That is some very small file given that ~60 B of the file are
boilerplate due to ASCII armored headers and such… So, is that file
actually an ASCII armored detached signature?  Could you attach it?

apt-secure(8) always documented "gpg -abs -o Release.gpg Release" as the
call to generate a Release.gpg file, but if you omit the "a" you still
get a Release.gpg file gpgv happily accepts – in a binary format.


The new verification code expects the documented ASCII armored detached
signature here and as it can't find any valid part of it assumes bad
data was sent by something like a web portal from a hotel wifi – hence
the message about NODATA and net-auth.


That could be considered a regression, but I don't think we should add
support in the file-content verification for the binary format as that
is just additional code and risks with very minimal benefit attached.
I am inclined to declare this a user error due to not following
documentation. It is also resolvable with literally one additional
character on repository-creator side…

So if nobody has a strong opinion to the contrary I will look at using
a different (untranslated) message if a binary signature is encountered
at most to resolve this bug report – assuming my conclusion holds that
this is indeed due to a binary signature and that they can reasonably be
detected.

Disclaimer: I wrote the code refusing the file, so I might be biased.


Best regards

David Kalnischkies

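The mail distinguishes three things a Release.gpg fetched over HTTP can turn out to be: the documented ASCII armored detached signature (`gpg -abs`), a binary OpenPGP signature packet (`gpg -bs`, the missing `-a`), and arbitrary non-signature bytes such as a captive portal's login page or data appended after the armor. The script below is an added example written for this page, not apt's own verification code; it classifies a file into those three cases using only the OpenPGP framing rules from RFC 4880 (a packet header byte always has bit 7 set, bit 6 selects the new header format, and tag 2 is a Signature packet) and the armor layout (BEGIN line, optional headers, base64 body, optional `=XXXX` CRC line, END line, nothing else). All sample inputs are constructed and none of them is a real signature.

```python
"""Classify the content of an APT Release.gpg file (constructed example, not apt's code).

Returns one of:
  "armored" - a well-formed ASCII armored detached signature and nothing else
  "binary"  - a binary OpenPGP Signature packet (gpg -bs without -a)
  "nodata"  - anything else, including valid armor followed by extra bytes
"""
import base64
import binascii
import re

ARMOR_BEGIN = "-----BEGIN PGP SIGNATURE-----"
ARMOR_END = "-----END PGP SIGNATURE-----"
BASE64_LINE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def _is_binary_signature(data: bytes) -> bool:
    """True if the first byte is an OpenPGP packet header for a Signature packet."""
    # RFC 4880 section 4.2: bit 7 of a packet header byte is always set.
    if not data or not data[0] & 0x80:
        return False
    if data[0] & 0x40:                  # new-format header: tag in the low 6 bits
        tag = data[0] & 0x3F
    else:                               # old-format header: tag in bits 2..5
        tag = (data[0] >> 2) & 0x0F
    return tag == 2                     # tag 2 = Signature packet


def _is_armored_signature(text: str) -> bool:
    """True if the whole text is exactly one ASCII armored PGP SIGNATURE block."""
    lines = text.splitlines()
    # Blank lines around the armor are tolerated; any other data outside it is not.
    while lines and not lines[0].strip():
        lines.pop(0)
    while lines and not lines[-1].strip():
        lines.pop()
    if len(lines) < 3 or lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        return False
    body = lines[1:-1]
    # Optional armor headers ("Version: ...") are terminated by the first blank line.
    if "" in body:
        idx = body.index("")
        headers, body = body[:idx], body[idx + 1:]
        if any(":" not in h for h in headers):
            return False
    # Optional CRC-24 line "=XXXX" is the last line before END.
    if body and body[-1].startswith("="):
        crc = body.pop()
        if len(crc) != 5 or not BASE64_LINE.match(crc[1:]):
            return False
    if not body or not all(BASE64_LINE.match(line) for line in body):
        return False
    try:
        base64.b64decode("".join(body), validate=True)
    except binascii.Error:
        return False
    return True


def classify_release_gpg(data: bytes) -> str:
    """Classify raw Release.gpg bytes as 'armored', 'binary' or 'nodata'."""
    if _is_binary_signature(data):
        return "binary"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "nodata"
    return "armored" if _is_armored_signature(text) else "nodata"


# Constructed samples; none of them is a real OpenPGP signature.
FAKE_SIG_BODY = base64.b64encode(b"constructed payload, not a real OpenPGP signature").decode()
ARMORED = f"{ARMOR_BEGIN}\n\n{FAKE_SIG_BODY}\n=AbCd\n{ARMOR_END}\n".encode()
# Old-format header byte 0x89: tag 2 with a two-byte length field, as gpg -bs emits.
BINARY = bytes([0x89, 0x01, 0x33, 0x04, 0x00]) + b"\x00" * 16
# A captive portal answering every URL with its login page.
PORTAL = b"<html><body>Welcome to the hotel Wi-Fi, please log in.</body></html>\n"
# Valid armor followed by extra bytes that gpgv would ignore but apt must refuse.
TRAILING = ARMORED + b"extra bytes smuggled after the armor\n"

if __name__ == "__main__":
    for name, blob in [("armored", ARMORED), ("binary", BINARY),
                       ("portal", PORTAL), ("trailing", TRAILING)]:
        print(f"{name:9s} -> {classify_release_gpg(blob)}")
```

A repository tool that reports "binary" here is the one-character fix the mail refers to (add `-a` to the gpg call); "nodata" is the case apt answers with its NODATA / net-auth hint, and the trailing-bytes sample shows why the check has to refuse anything outside the armor rather than just searching for a signature inside the file.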