ProtonMail / go-crypto

Fork of go/x/crypto, providing an up-to-date OpenPGP implementation
https://pkg.go.dev/github.com/ProtonMail/go-crypto
BSD 3-Clause "New" or "Revised" License

Generated GPG Keys are no longer useable with rpm #134

Closed bb-Ricardo closed 1 year ago

bb-Ricardo commented 1 year ago

Hi,

Due to a change in rpm "https://github.com/rpm-software-management/rpm/commit/f22499a05d0a01e35dd10d7644f8d74391ba4222#diff-b4eac15fda646a3b73f5cd251f33387979eadc71ba52f769bd64b10bd877365cR496" it is no longer possible to use GPG keys generated by this library to sign rpm packages or metadata.

https://github.com/ProtonMail/go-crypto/blob/364a5788960db142e05c61fb7acd56b2a7e1d493/openpgp/packet/signature.go#L845 This sets the critical bit to true and will cause rpm to refuse the key.

Would it be possible to add a key generate option to manipulate the subpackages critical bits?

twiss commented 1 year ago

Hello,

Are you sure it's the Issuer Key ID subpacket that's causing the issue? From the linked PR it seems it's supported, and it would be quite strange if it wasn't. To figure out which one is causing the issue, you could try locally modifying go-crypto to make subpackets non-critical until rpm accepts the key (but make sure to revert those changes / not use the key, as those changes may have security implications).

Depending on which subpacket is causing the issue, they might be willing to implement support for it, perhaps. In general, we don't want to add options to control whether specific subpackets are critical or not; those are very low-level and security-sensitive details that the application normally shouldn't control.

bb-Ricardo commented 1 year ago

Hi,

I just tested it with forked repos and a key generation and can confirm the finding.

Line changed: https://github.com/bb-Ricardo/go-crypto/commit/ea522e3384c04a78611752845c84e697fd197608

then generated a key using https://github.com/ProtonMail/go-crypto


then generated a second one using: https://github.com/bb-Ricardo/go-crypto


then started a docker container with opensuse/leap

docker run -it  opensuse/leap:15.4 /bin/bash

pasted both keys to key1 and key2

2b318b439d41:/ # rpm --import key1
error: key1: key 1 import failed.
2b318b439d41:/ # rpm --import key2
warning: Rebuilding outdated index databases
warning: Generating 18 missing index(es), please wait...
2b318b439d41:/ #

and just dumping the key content and searching for critical shows this.

2b318b439d41:/ # gpg -vv key1 2>&1| grep critical
    critical hashed subpkt 16 len 8 (issuer key ID 0C0BB7218C68D764)
    critical hashed subpkt 16 len 8 (issuer key ID 0C0BB7218C68D764)
2b318b439d41:/ # gpg -vv key2 2>&1| grep critical
2b318b439d41:/ #
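The check gpg performs above, written out as an added Go example that is not part of go-crypto or this thread: it parses an OpenPGP signature subpacket area per RFC 4880 (1-, 2- and 5-octet lengths) and records which subpackets carry the critical bit (bit 7 of the type octet). The subpacket area is constructed for the example; only the key ID is taken from the gpg output above.

```go
package main

import (
	"encoding/hex"
	"errors"
)

// Subpacket is one OpenPGP signature subpacket (RFC 4880 section 5.2.3.1).
type Subpacket struct {
	Type     byte   // subpacket type with bit 7 (the critical flag) cleared
	Critical bool   // true when bit 7 of the type octet was set
	Body     []byte
}

// ParseSubpackets walks a hashed or unhashed subpacket area and records,
// for each subpacket, whether its critical bit is set.
func ParseSubpackets(area []byte) ([]Subpacket, error) {
	var out []Subpacket
	for len(area) > 0 {
		var n int // length is 1, 2 or 5 octets, encoded like new-format packet lengths
		switch first := int(area[0]); {
		case first < 192:
			n, area = first, area[1:]
		case first < 255 && len(area) >= 2:
			n, area = (first-192)<<8+int(area[1])+192, area[2:]
		case first == 255 && len(area) >= 5:
			n, area = int(area[1])<<24|int(area[2])<<16|int(area[3])<<8|int(area[4]), area[5:]
		default:
			return nil, errors.New("truncated subpacket length")
		}
		if n < 1 || n > len(area) {
			return nil, errors.New("subpacket length exceeds area")
		}
		typ := area[0]
		out = append(out, Subpacket{Type: typ & 0x7f, Critical: typ&0x80 != 0, Body: area[1:n]})
		area = area[n:]
	}
	return out, nil
}

// Constructed hashed area (not taken from the keys in the thread): creation time
// (type 2), issuer key ID with the critical bit set (0x90 = 0x80|16) holding the
// key ID from the gpg output, and key flags (type 27).
var sampleArea, _ = hex.DecodeString("050263975727" + "09900C0BB7218C68D764" + "021b03")
```

Running ParseSubpackets over the hashed area of key1's self-signature would list type 16 with Critical set, which is what the gpg grep above shows; key2 would list it without the flag.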

twiss commented 1 year ago

OK, that's strange. Could you report this on their side? Since the subpacket is supported, it shouldn't be rejected even if marked as critical, so I assume the linked patch probably isn't working as intended.

bb-Ricardo commented 1 year ago

Thank you again. Found that the issue was introduced in SuSE Linux between 15.1 and 15.2