Re: Bug#943970: debmirror: Debmirror fails to verify valid, signed InRelease files
Control: clone -1 -2
Control: reassign -2 apt
Control: retitle -2 apt: SplitClearSignedFile mishandles lines with trailing whitespace
On Fri, Nov 01, 2019 at 05:58:06PM -0400, John Bazik wrote:
> When debmirror splits InRelease files using split_clearsigned_file, it
> can produce text and signature files that gpgv reports as having a
> "BAD signature." Yet gpgv reports "Good signature" for the original
> InRelease file, by itself. What I found is that most files work but
> some do not. Attached is a standalone split command, using the code
> from debmirror. This is what I see when I test the debian-archive
> wheezy-backports InRelease file:
Very interesting. It's due to the "Version: " line, with a trailing
space, in the InRelease file for wheezy-backports.
RFC 4880 section 7.1 says:
    Also, any trailing whitespace -- spaces (0x20) and tabs (0x09) -- at
    the end of any line is removed when the cleartext signature is
    generated.
Remarkable; but we have to cope with it. Apparently the clearsigning
process is not intended to be reversible.
As the comment notes, I translated the split_clearsigned_file function
from similar code in APT, and as far as I can see by code inspection it
has the same bug. APT maintainers: I think you need to remove any
trailing space or tab characters from buf before writing it to
ContentFile. There should be a message posted to #943970 shortly with a
link to my fix in debmirror.
Thanks,
--
Colin Watson [cjwatson@debian.org]
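An added illustration of the splitting rule described above; this is example code written for this page, not debmirror's split_clearsigned_file or APT's SplitClearSignedFile. It applies the RFC 4880 section 7.1 rules when separating a cleartext-signed file into the signed text and the detached signature (undo the "- " dash-escape, drop trailing spaces and tabs, and leave out the line ending before the signature block), and it reports which lines a verbatim split would have copied wrongly. The InRelease-like sample is constructed, its signature block is placeholder text rather than a real signature, and the function names are this example's own.

```python
"""Split an OpenPGP cleartext-signed message (RFC 4880 section 7.1).

The signed text returned here is what a detached-signature verifier such as
`gpgv InRelease.sig InRelease.txt` has to be given.  It differs from the raw
lines between the armor headers whenever a line carried trailing whitespace
(the "Version: " case from the bug report) or a leading dash-escape.

Example code for this bug thread; not debmirror's or APT's implementation.
"""
from __future__ import annotations

BEGIN_SIGNED = b"-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = b"-----BEGIN PGP SIGNATURE-----"
END_SIG = b"-----END PGP SIGNATURE-----"


def _sections(data: bytes) -> tuple[list[bytes], list[bytes]]:
    """Return (raw signed-text lines, armored signature lines).

    Line endings are normalised to LF so CRLF input is accepted.  The text
    cannot contain a literal BEGIN PGP SIGNATURE line, because the signer
    dash-escapes any line starting with "-", so a plain search is safe.
    """
    lines = [line.rstrip(b"\r") for line in data.split(b"\n")]
    try:
        start = lines.index(BEGIN_SIGNED)
        blank = lines.index(b"", start + 1)          # end of "Hash:" headers
        sig_begin = lines.index(BEGIN_SIG, blank + 1)
        sig_end = lines.index(END_SIG, sig_begin + 1)
    except ValueError:
        raise ValueError("not a complete clearsigned message") from None
    return lines[blank + 1:sig_begin], lines[sig_begin:sig_end + 1]


def canonical_line(line: bytes) -> bytes:
    """Apply the RFC 4880 7.1 transformations the signer applied to a line.

    "- " at the start of a line is a dash-escape and is removed; trailing
    spaces (0x20) and tabs (0x09) were stripped before signing, so they are
    stripped here too.  Without the second step the Version: line with a
    trailing space yields a text that no longer matches the signature.
    """
    if line.startswith(b"- "):
        line = line[2:]
    return line.rstrip(b" \t")


def split_clearsigned(data: bytes) -> tuple[bytes, bytes]:
    """Return (signed_text, armored_signature) ready for gpgv.

    The line ending before BEGIN PGP SIGNATURE is not part of the signed
    text, so the last content line is joined without a trailing newline.
    """
    text, sig = _sections(data)
    return b"\n".join(canonical_line(l) for l in text), b"\n".join(sig) + b"\n"


def changed_lines(data: bytes) -> list[tuple[int, bytes]]:
    """List (1-based line number, raw line) for lines a verbatim split copies wrongly.

    A file with no such lines verifies even with the naive split, which is
    why most InRelease files work and only some fail.
    """
    text, _ = _sections(data)
    return [(n, l) for n, l in enumerate(text, 1) if canonical_line(l) != l]


# Constructed sample resembling an InRelease file.  The signature block is
# placeholder text, not a real signature; it only exercises the splitting.
SAMPLE = (
    b"-----BEGIN PGP SIGNED MESSAGE-----\n"
    b"Hash: SHA256\n"
    b"\n"
    b"Origin: Debian\n"
    b"Suite: wheezy-backports\n"
    b"Version: \n"                                   # trailing space
    b"- -- a line that the signer dash-escaped\n"    # dash-escape
    b"Date: Sat, 01 Jan 2000 00:00:00 UTC\t\n"       # trailing tab
    b"-----BEGIN PGP SIGNATURE-----\n"
    b"\n"
    b"iQEzBAEBCAAdFiEEAAAAAAAAAAAAAAAAAAAAAAAAAAAFAl4AAAAACgkQAAAAAAAA\n"
    b"=AbCd\n"
    b"-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    for number, raw in changed_lines(SAMPLE):
        print(f"line {number} would be copied wrongly by a verbatim split: {raw!r}")
    text, sig = split_clearsigned(SAMPLE)
    print(text.decode())
    print(sig.decode(), end="")
```

Run against a real InRelease file, `changed_lines()` is a quick way to tell whether a "BAD signature" from gpgv on the split output is this whitespace problem or something else: if it returns nothing, the split was not what changed the bytes.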