GPG verification in SPECs

Konstantin Ryabitsev icon at fedoraproject.org
Fri Oct 11 13:55:30 UTC 2013


On Fri, Oct 11, 2013 at 7:02 AM, Björn Persson
<bjorn at xn--rombobjrn-67a.se> wrote:
> Konstantin Ryabitsev wrote:
>>gpg --verify (and gpgv) will return 0 even if the key is revoked or
>>expired, so you can't really rely on exit code alone. The following is
>>the right approach:
>>
>>gpgv --homedir /tmp --keyring %{SOURCE2} --status-fd=1 %{SOURCE1}
>>%{SOURCE0} | grep -q '^\[GNUPG:\] GOODSIG'
>
> Will that check start to fail when the key expires? Do we want packages
> to start failing to build just because a certain date has passed?
>
> Or does the check fail only if the key had already expired when the
> signature was made?

Looks like gpg verify doesn't take that into consideration. E.g.,
here's a signature check for a tarball signed a year ago with a key
that expired 6 months later:

# gpgv --homedir=/tmp --keyring=/var/lib/kup/pgp/mcgrof.gpg --status-fd=1 \
    /pub/pub/linux/kernel/projects/backports/2012/12/19/compat-drivers-2012-12-19-u.tar.sign \
    compat-drivers-2012-12-19-u.tar
gpgv: Signature made Thu 20 Dec 2012 04:11:59 AM UTC using RSA key ID 0A286BA2
[GNUPG:] KEYEXPIRED 1375474838
[GNUPG:] SIGEXPIRED
[GNUPG:] KEYEXPIRED 1375474838
[GNUPG:] SIGEXPIRED
[GNUPG:] SIG_ID CnG8MpelL0KA+rXPtnnpr8hYBKQ 2012-12-20 1355976719
[GNUPG:] KEYEXPIRED 1375474838
[GNUPG:] SIGEXPIRED
[GNUPG:] EXPKEYSIG 05C1321D0A286BA2 Luis R. Rodriguez <mcgrof at do-not-panic.com>
gpgv: Good signature from "Luis R. Rodriguez <mcgrof at do-not-panic.com>"
gpgv:                 aka "Luis R. Rodriguez <mcgrof at gmail.com>"
gpgv:                 aka "Luis R. Rodriguez <mcgrof at frijolero.org>"
gpgv:                 aka "Luis R. Rodriguez <mcgrof at qca.qualcomm.com>"
gpgv:                 aka "Luis R. Rodriguez <mcgrof at winlab.rutgers.edu>"
gpgv:                 aka "[invalid image]"
[GNUPG:] VALIDSIG 11D2BF2E7B1F71AE7C3ED8D605C1321D0A286BA2 2012-12-20 1355976719 0 4 0 1 2 00 11D2BF2E7B1F71AE7C3ED8D605C1321D0A286BA2

Gpg doesn't mark it with "GOODSIG", even though the KEYEXPIRED timestamp
(Aug 2013) is much larger than the one in SIG_ID (Dec 2012) --
meaning that at the time of signing the key was valid. So, yes, if gpg
verify is used to check signatures, a package will start failing once
the key used to sign the package has expired. Which is not necessarily
a bad thing -- an FTBFS bug would be a perfectly fine way of notifying
someone that they need to review the pubkey used to verify their
packages.

(This, of course, can be worked around by checking for KEYEXPIRED and
then doing some basic math, but of course, that would dramatically
complicate the handy one-liner.)

Regards,
-- 
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec
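The "basic math" workaround mentioned above, as an added example that is not part of the post or of any Fedora packaging tooling: a small parser for captured gpgv --status-fd output that accepts GOODSIG, accepts EXPKEYSIG only when the VALIDSIG signature timestamp precedes the KEYEXPIRED timestamp, and rejects everything else (BADSIG, REVKEYSIG, ERRSIG, missing VALIDSIG). It assumes the VALIDSIG field layout documented in GnuPG's doc/DETAILS (fingerprint, date, signature timestamp, ...); the sample input is the status lines from the post.

```python
import re

# gpgv status lines look like "[GNUPG:] KEYWORD args..."; human-readable
# "gpgv:" lines on the same fd are ignored by this regex.
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(status_text):
    """Map each [GNUPG:] keyword to the list of argument strings seen for it."""
    found = {}
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2) or "")
    return found


def verify_status(status_text):
    """Return (accepted, reason) for captured gpgv --status-fd output."""
    kw = parse_status(status_text)
    for bad in ("BADSIG", "REVKEYSIG", "ERRSIG", "NODATA", "NO_PUBKEY"):
        if bad in kw:                      # hard failures: never accept
            return False, bad
    if "VALIDSIG" not in kw:
        return False, "no VALIDSIG"
    if "GOODSIG" in kw:                    # key unexpired: the grep case
        return True, "GOODSIG"
    if "EXPKEYSIG" in kw:
        # VALIDSIG <fpr> <date> <sig-timestamp> <expire-ts> <ver> ... ; the
        # third field is when the signature was made (epoch seconds).
        sig_ts = int(kw["VALIDSIG"][0].split()[2])
        if not kw.get("KEYEXPIRED"):
            return False, "EXPKEYSIG without KEYEXPIRED timestamp"
        key_exp_ts = min(int(a.split()[0]) for a in kw["KEYEXPIRED"])
        if sig_ts < key_exp_ts:
            return True, "EXPKEYSIG, key still valid when signature was made"
        return False, "EXPKEYSIG, signature postdates key expiry"
    return False, "neither GOODSIG nor EXPKEYSIG"


# Constructed sample input: the status lines from the post above.
SAMPLE_EXPIRED_AFTER_SIGNING = """\
[GNUPG:] KEYEXPIRED 1375474838
[GNUPG:] SIGEXPIRED
[GNUPG:] SIG_ID CnG8MpelL0KA+rXPtnnpr8hYBKQ 2012-12-20 1355976719
[GNUPG:] EXPKEYSIG 05C1321D0A286BA2 Luis R. Rodriguez <mcgrof at do-not-panic.com>
[GNUPG:] VALIDSIG 11D2BF2E7B1F71AE7C3ED8D605C1321D0A286BA2 2012-12-20 1355976719 0 4 0 1 2 00 11D2BF2E7B1F71AE7C3ED8D605C1321D0A286BA2
"""
```

In a SPEC the input would be the stdout of the same `gpgv --homedir ... --keyring %{SOURCE2} --status-fd=1 %{SOURCE1} %{SOURCE0}` command; the exit status of gpgv is still ignored on purpose, since it is 0 for expired and revoked keys.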