
List:       rpmorg-maint
Subject:    [Rpm-maint] rpm-sequoia 1.4.0
From:       "Neal H. Walfield" <neal () walfield ! org>
Date:       2023-04-13 22:59:13
Message-ID: 87pm87ie2m.wl-neal () walfield ! org


Hi everyone,

I'm pleased to announce v1.4.0 of the RPM Sequoia crate.

I have published rpm-sequoia on crates.io:

  https://crates.io/crates/rpm-sequoia

You can also fetch version 1.4.0 using the v1.4.0 tag:

  https://github.com/rpm-software-management/rpm-sequoia/releases/tag/v1.4.0

which I signed:

  $ git verify-tag v1.4.0
  gpg: Signature made Thu Apr 13 23:10:27 2023 +02:00
  gpg:                using RSA key C03FA6411B03AE12576461187223B56678E02528
  gpg: Good signature from "Neal H. Walfield <neal@walfield.org>" [ultimate]
  gpg:                     "Neal H. Walfield <neal@gnupg.org>"
  gpg:                     "Neal H. Walfield <neal@pep-project.org>"
  gpg:                     "Neal H. Walfield <neal@pep.foundation>"
  gpg:                     "Neal H. Walfield <neal@sequoia-pgp.org>"

The most notable change in this release is better error reporting.
Based on feedback from users of rpm on Fedora 38 beta, we learned that
many certificates, and many packages use outdated cryptography, or are
generated from broken OpenPGP implementations.  As sequoia-openpgp is
more strict in what it accepts than rpm's deprecated internal OpenPGP
implementation, installing these packages now results in an error.

Although rpm-sequoia often knows in detail why a certificate or
signature is invalid, rpm did not have a way to return this
information.  As such, rpm could only print out that the package could
not be installed, like this:

```
$ rpm -i google-chrome-stable-109.0.5414.119-1.x86_64.rpm
warning: google-chrome-stable-109.0.5414.119-1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOTTRUSTED
package google-chrome-stable-109.0.5414.119-1.x86_64 does not verify: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOTTRUSTED
```

This release introduces two new functions, which are identical to
existing functions in their functionality, but also return rich error
messages, which will hopefully help users more easily diagnose the
underlying problem.  For instance, using a patched version of rpm,
which uses these new interfaces, here's what happens when trying to
install a package whose signature can't be verified:

```
$ rpm -i google-chrome-stable-109.0.5414.119-1.x86_64.rpm
error: Verifying a signature using certificate 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>):
  1. Signature 02b3 created at Mon Jan 23 21:23:32 2023 invalid: signature relies on legacy cryptography
      because: Policy rejected non-revocation signature (Binary) requiring collision resistance
      because: SHA1 is not considered secure since 1970-01-01T00:00:00Z
  2. Certificate A040830F7FAC5991 invalid: policy violation
      because: No binding signature at time 2023-01-23T21:23:32Z
      because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
      because: SHA1 is not considered secure since 1970-01-01T00:00:00Z
warning: google-chrome-stable-109.0.5414.119-1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOTTRUSTED
error: Failed dependencies:
	rpmlib(PayloadIsXz) <= 5.2-1 is needed by google-chrome-stable-109.0.5414.119-1.x86_64

$ rpm -i anydesk-6.1.1-1.el7.x86_64.rpm
error: Verifying a signature using certificate D56311E5FF3B6F39D5A16ABE18DF3741CDFFDE29 (philandro Software GmbH <info@philandro.com>):
  1. Signature 9b8f created at Tue Apr 13 11:08:37 2021 invalid: signature relies on legacy cryptography
      because: Policy rejected non-revocation signature (Binary) requiring collision resistance
      because: SHA1 is not considered secure since 1970-01-01T00:00:00Z
  2. Certificate 18DF3741CDFFDE29 invalid: policy violation
      because: No binding signature at time 2021-04-13T11:08:37Z
error: anydesk-6.1.1-1.el7.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID cdffde29: BAD
error: anydesk-6.1.1-1.el7.x86_64.rpm cannot be installed
```

And here's what rpm emits when trying to install a package with an
incorrectly generated signature:

```
$ rpm -i intel-oneapi-common-licensing-2023.1.0-2023.1.0-43473.noarch.rpm
error: intel-oneapi-common-licensing-2023.1.0-2023.1.0-43473.noarch.rpm: Header RSA signature: BAD (package tag 268: invalid OpenPGP signature: Parsing an OpenPGP packet: Failed to parse Signature Packet
      because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.
      because: Malformed MPI: leading bit is not set: expected bit 8 to be set in 101 (5))
error: intel-oneapi-common-licensing-2023.1.0-2023.1.0-43473.noarch.rpm cannot be installed
```

Neal on behalf of the whole Sequoia PGP team
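As an added example that is not part of Neal's message or the rpm-sequoia project: a POSIX shell helper for finding packages whose signatures rely on SHA1 (the "legacy cryptography" case above) before moving to an rpm built on rpm-sequoia. It classifies the string printed by rpm's `%{<TAG>:pgpsig}` query format, assumed to look like `RSA/SHA1, <date>, Key ID <id>`; the sample strings used for checking are constructed.

```shell
#!/bin/sh
# Added example, not from the announcement. Classify an rpm ":pgpsig"-formatted
# signature string by hash algorithm so packages that will be rejected by
# sequoia-openpgp's policy (SHA1, MD5) can be found ahead of time.
# Assumed input shape: "RSA/SHA1, Tue 13 Apr 2021 11:08:37 AM CEST, Key ID 18df3741cdffde29"
# Output: legacy | modern | unsigned | unknown
classify_pgpsig() {
    sig=$1
    case "$sig" in
        ''|'(none)')                                       echo unsigned ;;
        *'/SHA1,'*|*'/MD5,'*)                              echo legacy ;;
        *'/SHA224,'*|*'/SHA256,'*|*'/SHA384,'*|*'/SHA512,'*) echo modern ;;
        *)                                                 echo unknown ;;
    esac
}

# Query the header signature tags (RSAHEADER/DSAHEADER) and the older V3
# payload signature tags (SIGPGP/SIGGPG) of an .rpm file and report the worst
# classification found. Needs rpm installed; not exercised by the checks below.
check_rpm_file() {
    f=$1
    worst=unsigned
    for tag in RSAHEADER DSAHEADER SIGPGP SIGGPG; do
        sig=$(rpm -qp --qf "%{${tag}:pgpsig}" "$f" 2>/dev/null)
        cls=$(classify_pgpsig "$sig")
        case "$cls" in
            legacy)  worst=legacy ;;
            unknown) [ "$worst" = legacy ] || worst=unknown ;;
            modern)  [ "$worst" = legacy ] || [ "$worst" = unknown ] || worst=modern ;;
        esac
    done
    echo "$f: $worst"
}
```

Run `check_rpm_file foo.rpm` over a download directory (or feed `rpm -qa --qf '%{NAME} %{RSAHEADER:pgpsig}\n'` lines through `classify_pgpsig`) to list what will stop installing once the stricter policy is in place.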

