BunsenLabs / bunsen-netinstall

Script and associated files to install BunsenLabs into a core Debian system.
GNU General Public License v3.0

Bunsen repo signing key fails to validate #8

Closed ghost closed 8 years ago

ghost commented 9 years ago

See: http://crunchbang.org/forums/viewtopic.php?id=40362 @johnraff Any idea what's going on here?

johnraff commented 9 years ago

It's mysterious. I've rerun that section of the code, copied from GitHub, and the key downloads and passes the fingerprint test OK. Could it be some subtle thing about strings on a Spanish locale? The regular expression I used to pull the fingerprint from the output of `gpg --with-fingerprint` looks solid enough to me:

BUNSEN_APT_FINGERPRINT='3172 4784 0522 7490 BBB7  43E6 A067 3F72 FE62 D9C5'
wget http://pkg.bunsenlabs.org/BunsenLabs-RELEASE.asc
KEY_FINGERPRINT=$(gpg --with-fingerprint BunsenLabs-RELEASE.asc | sed -rn 's/^\s*Key fingerprint = (([0-9A-Z]{4}\s*)+).*$/\1/p')
[[ $KEY_FINGERPRINT = $BUNSEN_APT_FINGERPRINT ]] || echo 'fingerprints do not match'

However, it occurs to me, if we are having the key fingerprint hard-coded in the script then the test will be broken if the key changes online, so there's no advantage in downloading it. Maybe it would be OK to just put a copy of BunsenLabs-RELEASE.asc in the netinstall script tarball?

ghost commented 9 years ago

The result of the sed trimming had a single space while the string the result was compared to had a double space. I rewrote everything to be more simple.

Unless you put the signing key into the tarball you might want to confirm and merge #9. I would however prefer putting the key file into the repo too. The netinstall method is so clunky anyway that it doesn't matter for security reasons.

johnraff commented 9 years ago

I would however prefer putting the key file into the repo too.

OK let's do that. It is simpler.


I see that your way of eliminating all the spaces made the string comparison easier, but I still don't see why my code wasn't working. The netinstall script as-is works with no errors for me, and if you copy/paste the commands into a terminal the fingerprint test goes OK. sed -rn 's/^\s*Key fingerprint = (([0-9A-Z]{4}\s*)+).*$/\1/p' allows for arbitrary amounts of space after each group of 4 digits, and saves the whole string as-is. The double space in the middle is preserved:

john@raffles4:~/test$ BUNSEN_APT_FINGERPRINT='3172 4784 0522 7490 BBB7  43E6 A067 3F72 FE62 D9C5'
john@raffles4:~/test$ wget http://pkg.bunsenlabs.org/BunsenLabs-RELEASE.asc
2015-08-27 12:38:28 (222 MB/s) - `BunsenLabs-RELEASE.asc' saved [3140/3140]
john@raffles4:~/test$ KEY_FINGERPRINT=$(gpg --with-fingerprint BunsenLabs-RELEASE.asc | sed -rn 's/^\s*Key fingerprint = (([0-9A-Z]{4}\s*)+).*$/\1/p')
john@raffles4:~/test$ echo "${KEY_FINGERPRINT}" 
3172 4784 0522 7490 BBB7  43E6 A067 3F72 FE62 D9C5
john@raffles4:~/test$ echo "${BUNSEN_APT_FINGERPRINT}"
3172 4784 0522 7490 BBB7  43E6 A067 3F72 FE62 D9C5
john@raffles4:~/test$ [[ $KEY_FINGERPRINT = $BUNSEN_APT_FINGERPRINT ]] && echo OK || echo bad
OK

So I still don't understand why those two users got that error. But, anyway, let's just add the key to the tarball. As you say, it really doesn't have any security implications.
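The comparison in the thread is sensitive to exactly how gpg lays out the fingerprint (double space in the middle, any trailing space, and the fact that the "Key fingerprint =" label is itself translated by gpg according to the locale). The following is an added example, not code from the bunsen-netinstall repository: it normalises both sides before comparing, and also shows the locale-independent route of parsing `gpg --with-colons` output, where the `fpr` record's tenth field carries the bare 40-hex-digit fingerprint. The gpg output lines are constructed samples embedded inline so the script runs without gpg or network access.

```shell
#!/bin/sh
# Added example (not from bunsen-netinstall): whitespace- and locale-tolerant
# fingerprint check. The expected value is the BunsenLabs key from the thread.
BUNSEN_APT_FINGERPRINT='3172 4784 0522 7490 BBB7  43E6 A067 3F72 FE62 D9C5'

# Canonical form: drop every whitespace character and uppercase the hex digits,
# so "double space", trailing space or lowercase output cannot cause a mismatch.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Pull the fingerprint out of human-readable gpg output on stdin.
# Note: this label is translated by gpg in non-English locales; run gpg with
# LC_ALL=C if you must parse this form at all.
fpr_from_human() {
    sed -n 's/^[[:space:]]*Key fingerprint = //p' | head -n 1
}

# Pull the fingerprint out of `gpg --with-colons` output on stdin: the "fpr"
# record's 10th colon-separated field is the bare fingerprint, never localised.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# $1 = extracted fingerprint, $2 = expected; exit status 0 on match.
check_fpr() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Constructed sample of human-readable output. TRAILING_SPACE reproduces the
# stray space at end of line that the thread suspects some users were getting.
TRAILING_SPACE=' '
SAMPLE_HUMAN="pub   rsa4096 2015-01-01 [SC]
      Key fingerprint = 3172 4784 0522 7490 BBB7  43E6 A067 3F72 FE62 D9C5${TRAILING_SPACE}
uid   BunsenLabs (constructed sample)"

# Constructed sample of --with-colons output for the same key (long key id is
# the last 16 hex digits of the fingerprint).
SAMPLE_COLONS='pub:-:4096:1:A0673F72FE62D9C5:::::::::
fpr:::::::::3172478405227490BBB743E6A0673F72FE62D9C5:'

# Demonstration: naive equality fails on the trailing space, normalised passes.
human=$(printf '%s\n' "$SAMPLE_HUMAN" | fpr_from_human)
colons=$(printf '%s\n' "$SAMPLE_COLONS" | fpr_from_colons)
[ "$human" = "$BUNSEN_APT_FINGERPRINT" ] && echo 'naive: match' || echo 'naive: mismatch'
check_fpr "$human" "$BUNSEN_APT_FINGERPRINT" && echo 'normalised (human): match' || echo 'normalised (human): mismatch'
check_fpr "$colons" "$BUNSEN_APT_FINGERPRINT" && echo 'normalised (colons): match' || echo 'normalised (colons): mismatch'
```

With a real key file the two extractors would be fed by `gpg --with-fingerprint BunsenLabs-RELEASE.asc` and `gpg --with-colons --with-fingerprint BunsenLabs-RELEASE.asc` respectively; the colon format is the one to prefer in a script, since its layout is documented as machine-readable and does not change with the user's language settings.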

johnraff commented 9 years ago

One thing occurs to me - maybe some people are getting space added at the end of KEY_FINGERPRINT? Why that would happen for some and not for others would still be a mystery though.

johnraff commented 9 years ago

Apt-key file added and scripts amended.

ghost commented 9 years ago

Thanks. Let's keep this open until we can be sure that there are no more issues cropping up. Might indeed be related to locales and an extra space in a .po file translation key used by gpg to print the message in question (I'm using en_GB on all machines), but I'd rather not go down that rabbit hole.

johnraff commented 9 years ago

It would in theory have been possible to eliminate any final space in the fingerprint string, but since the issue seems to be resolved anyway there's no need (beyond curiosity) to go into it any more.

johnraff commented 8 years ago

No further issues.