Hi,

On Thu, Feb 07, 2019 at 04:54:01PM -0500, Anthony DeRobertis wrote:
> We have a local repository here which is generated with an (ancient!)
> version of mini-dinstall. This worked fine until rc2. The problem
> appears to be that it uses Release and Release.gpg instead of InRelease.

~rc1 adds verification of the contents of the "Release.gpg" file to ensure the file can't be used to sneak additional data to the disk gpgv ignores but could later be used in exploits – this was part of the exploit for CVE-2019-3462.

> Get:3 http://haruhi.metrics.net/deb buster/ Release.gpg [88 B]

That is some very small file given that ~60 B of the file are boilerplate due to ascii armored headers and such… So, is that file actually an ascii armored detached signature? Could you attach it?

apt-secure(8) always documented "gpg -abs -o Release.gpg Release" as the call to generate a Release.gpg file, but if you omit the "a" you still get a Release.gpg file gpgv happily accepts – in a binary format. The new verification code expects the documented ascii armored detached signature here and as it can't find any valid part of it assumes bad data was sent by something like a web portal from a hotel wifi – hence the message about NODATA and net-auth.

That could be considered a regression, but I don't think we should add support in the file-content verification for the binary format as that is just additional code and risks with very minimal benefit attached. I am inclined to declare this a user error due to not following documentation. It is also resolvable with literally one additional character on the repository-creator side…

So if nobody has a strong opinion to the contrary I will look at using a different (untranslated) message if a binary signature is encountered at most to resolve this bug report – assuming my conclusion holds that this is indeed due to a binary signature and that they can reasonably be detected.

Disclaimer: I wrote the code refusing the file, so I might be biased.
Best regards,
David Kalnischkies
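A repository-side check for the failure mode discussed in this thread, as an added example that is neither apt's code nor anything posted by the participants: it tells an ASCII-armored detached signature (the documented `gpg -abs` output) apart from a binary one (`gpg -bs`) and from non-signature data, so a repository generator can catch the missing "a" before clients refuse the file. The `armor()` helper and the `FAKE_SIGNATURE_PACKET` bytes are constructed here for illustration and are not real signatures.

```python
import base64
ARMOR_BEGIN = b"-----BEGIN PGP SIGNATURE-----"
ARMOR_END = b"-----END PGP SIGNATURE-----"

def crc24(data: bytes) -> int:
    """CRC-24 of OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def packet_tag(first_byte: int) -> int:
    """OpenPGP packet tag from a header byte; -1 if bit 7 is clear. Tag 2 = signature."""
    if not first_byte & 0x80:
        return -1
    return first_byte & 0x3F if first_byte & 0x40 else (first_byte >> 2) & 0x0F

def classify_release_gpg(data: bytes) -> str:
    """'armored': documented gpg -abs output. 'binary': gpg -bs output, which the
    new apt check refuses. 'invalid': anything else, e.g. a captive-portal page."""
    lines = data.strip().splitlines()
    if not lines:
        return "invalid"
    if lines[0] != ARMOR_BEGIN:
        return "binary" if packet_tag(lines[0][0]) == 2 else "invalid"
    if lines[-1] != ARMOR_END or b"" not in lines:
        return "invalid"
    body = lines[lines.index(b"") + 1:-1]  # base64 lines, then the "=CRC" line
    if len(body) < 2 or not body[-1].startswith(b"="):
        return "invalid"
    try:
        raw = base64.b64decode(b"".join(body[:-1]), validate=True)
        crc = base64.b64decode(body[-1][1:], validate=True)
    except ValueError:
        return "invalid"
    if not raw or packet_tag(raw[0]) != 2 or crc != crc24(raw).to_bytes(3, "big"):
        return "invalid"
    return "armored"

def armor(packet: bytes) -> bytes:
    """Wrap a raw packet in a detached-signature armor block (builds test input)."""
    crc_line = b"=" + base64.b64encode(crc24(packet).to_bytes(3, "big"))
    return b"\n".join([ARMOR_BEGIN, b"", base64.b64encode(packet), crc_line, ARMOR_END, b""])

# Constructed sample: old-format header byte 0x88 (tag 2) plus a 5-byte dummy body; not a real signature.
FAKE_SIGNATURE_PACKET = b"\x88\x05\x04\x00\x01\x02\x03"
```

Run `classify_release_gpg(open("Release.gpg", "rb").read())` after generating the repository; anything but "armored" means clients on the new verification code will reject the file.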