openSUSE / open-build-service

Build and distribute Linux packages from sources in an automatic, consistent and reproducible way #obs
https://openbuildservice.org
GNU General Public License v2.0

Broken ArchLinux packages signatures #2801

Open ItachiSan opened 7 years ago

ItachiSan commented 7 years ago

Issue/Feature description

ArchLinux is a distro with the KISS principle, and this works in all its components. This works also on the packaging system; makepkg allows people to create packages really easily. Packages can also be signed by setting the proper GPG key ID in the makepkg configuration file. OBS offers ArchLinux packages support; however, signatures for them are broken. The signature produced by OBS gives errors when read by pacman and is considered 'unsigned'. More details are available in my first e-mail sent to the OBS mailing list, see here. makepkg expects a signature similar to the one generated by the command: gpg --detach-sign --use-agent -u ${GPGKEY} --no-armor "$filename" &>/dev/null so I suppose that OBS is using a different approach for package signatures. After no reply in the mailing list (here), I decided to open an issue here. I can provide as much data as possible, though I am not an official Arch developer working on pacman or makepkg.

Expected result

The signatures produced by OBS are properly loaded from pacman.

How to Reproduce

Given a repo such as

[home_ItachiSan_archlinux]
SigLevel = DatabaseRequired PackageOptional
Server = http://download.opensuse.org/repositories/home:/ItachiSan:/archlinux/standard/$arch

I tried to install a package

$ pacman -S telegram-desktop
[sudo] password for me: 
warning: telegram-desktop-0.10.20-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) telegram-desktop-0.10.20-1

Total Installed Size:  35.32 MiB
Net Upgrade Size:       0.00 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                                                             [-----------------------------------------------------] 100%
error: telegram-desktop: unsupported signature format
(1/1) checking package integrity                                                           [-----------------------------------------------------] 100%
(1/1) loading package files                                                                [-----------------------------------------------------] 100%
(1/1) checking for file conflicts                                                          [-----------------------------------------------------] 100%
(1/1) checking available disk space                                                        [-----------------------------------------------------] 100%
:: Processing package changes...
(1/1) reinstalling telegram-desktop                                                        [-----------------------------------------------------] 100%
:: Running post-transaction hooks...
(1/2) Updating icon theme caches...
(2/2) Updating the desktop file MIME type cache...

The error lies within the unsupported signature format.

Further information

elman22 commented 6 years ago

I get the same error with QOwnNotes. Installed as described on http://www.qownnotes.org/installation "Install on Arch Linux"

Packages (1) qownnotes-17.11.3-1

Total Installed Size:  7,63 MiB
Net Upgrade Size:      0,00 MiB

:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring                                           [########################################] 100%
error: qownnotes: unsupported signature format
(1/1) checking package integrity                                         [########################################] 100%
(1/1) loading package files                                              [########################################] 100%
(1/1) checking for file conflicts                                        [########################################] 100%
(1/1) checking available disk space                                      [########################################] 100%
:: Processing package changes...
(1/1) reinstalling qownnotes                                             [########################################] 100%
:: Running post-transaction hooks...
(1/3) Updating icon theme caches...
(2/3) Arming ConditionNeedsUpdate...
(3/3) Updating the desktop file MIME type cache...

ItachiSan commented 5 years ago

Any progress on this?

nicki-krizek commented 5 years ago

I've also stumbled upon this issue. Interestingly enough, the incorrect signature doesn't happen in all my repositories, but when it does, it tends to be reproducible for the given repo.

I've also encountered various other issues with packages for Arch, such as incorrect pkg size in metadata or broken checksum, which break the package installation even when signature checking is turned off in pacman.conf.

ItachiSan commented 5 years ago

@tomaskrizek how do you reproduce the issue? Which repos are affected and which not?

hv15 commented 4 years ago

@ItachiSan here's one repo I know of that has this problem: https://download.opensuse.org/repositories/home:/justkidding:/arch/standard/x86_64/

debnath-d commented 2 years ago

@ItachiSan I'm facing this issue with ungoogled-chromium: https://download.opensuse.org/repositories/home:/ungoogled_chromium/Arch/

felmey commented 2 years ago

@ItachiSan I'm facing this issue with ungoogled-chromium: https://download.opensuse.org/repositories/home:/ungoogled_chromium/Arch/

Same for me as well.

error: ungoogled-chromium: unsupported signature format

njhanley commented 2 years ago

The issue appears to be that OBS creates v3 signatures[^1][^2] but pacman requires v4[^3]. I've confirmed this is the case for the OBS build of ungoogled_chromium.

$ wget https://download.opensuse.org/repositories/home:/ungoogled_chromium/Arch/x86_64/ungoogled-chromium-97.0.4692.71-2-x86_64.pkg.tar.zst{,.sig}
...
$ sudo pacman -U ungoogled-chromium-97.0.4692.71-2-x86_64.pkg.tar.zst
loading packages...
error: ungoogled-chromium-97.0.4692.71-2-x86_64.pkg.tar.zst: unsupported signature format
error: 'ungoogled-chromium-97.0.4692.71-2-x86_64.pkg.tar.zst': invalid or corrupted package (PGP signature)
$ gpg --list-packets ungoogled-chromium-97.0.4692.71-2-x86_64.pkg.tar.zst.sig | grep version
    version 3, created 1641750733, md5len 5, sigclass 0x00

Curiously, GnuPG 2.1 (released 2014-10-03) dropped all support for v3[^4]. I'm not sure why --force-v3-sigs is being honored as it should be a no-op, unless OBS uses an ancient release.
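
The diagnosis above rests on one field: the version octet of the signature packet. As an added example (not code from this thread, from OBS or from pacman), here is a small Python checker that decodes the first packet of a detached .sig file following the RFC 4880 header layout and reports whether pacman will accept it. The two embedded signatures are constructed byte strings that only carry valid header fields (they are not cryptographically valid); the key id in them is made up, while the creation timestamp is the one shown in the gpg output above.

```python
"""Report the version of a detached OpenPGP signature before handing it to pacman.

Packet framing follows RFC 4880 section 4.2, signature bodies section 5.2.
Only header fields are decoded; nothing here verifies the signature itself.
"""
import struct

SIGNATURE_TAG = 2
PK_ALGS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}


def parse_packet_header(data):
    """Return (tag, body_offset, body_length) for the first OpenPGP packet in data."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet (CTB high bit missing)")
    ctb = data[0]
    if ctb & 0x40:  # new-format header: tag in the low six bits
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths are not supported here")
    # old-format header: tag in bits 2-5, length type in bits 0-1
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    return tag, 1, len(data) - 1  # indeterminate length: body runs to the end


def parse_hashed_subpackets(area):
    """Extract creation time (type 2) and issuer key id (type 16) from a v4 subpacket area."""
    created, keyid, i = None, None, 0
    while i < len(area):
        first = area[i]
        if first < 192:
            sub_len, i = first, i + 1
        elif first < 255:
            sub_len, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            sub_len, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        sub_type, payload = area[i] & 0x7F, area[i + 1:i + sub_len]
        if sub_type == 2:
            created = struct.unpack(">I", payload[:4])[0]
        elif sub_type == 16:
            keyid = payload[:8].hex().upper()
        i += sub_len
    return created, keyid


def inspect_signature(data):
    """Decode the non-cryptographic fields of a signature packet (the ones gpg --list-packets shows)."""
    tag, off, length = parse_packet_header(data)
    if tag != SIGNATURE_TAG:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = data[off:off + length]
    version = body[0]
    if version == 3:
        # v3: version, 0x05 (the 'md5len 5' in gpg output), sig class, 4-byte time, 8-byte key id, pk alg, hash alg
        if body[1] != 5:
            raise ValueError("malformed v3 signature: hashed material length is not 5")
        sigclass, created = body[2], struct.unpack(">I", body[3:7])[0]
        keyid, pk_alg, hash_alg = body[7:15].hex().upper(), body[15], body[16]
    elif version == 4:
        # v4: version, sig class, pk alg, hash alg, 2-byte hashed subpacket length, subpackets
        sigclass, pk_alg, hash_alg = body[1], body[2], body[3]
        hashed_len = struct.unpack(">H", body[4:6])[0]
        created, keyid = parse_hashed_subpackets(body[6:6 + hashed_len])
    else:
        raise ValueError(f"unsupported signature version {version}")
    return {"version": version, "sigclass": sigclass, "created": created, "keyid": keyid,
            "pk_alg": PK_ALGS.get(pk_alg, str(pk_alg)), "hash_alg": HASH_ALGS.get(hash_alg, str(hash_alg))}


def pacman_accepts(info):
    """pacman reports 'unsupported signature format' for anything older than v4."""
    return info["version"] >= 4


# Constructed samples (headers only, not real signatures). Key id is made up; the
# timestamp is the 'created 1641750733' value from the gpg output in this thread.
_KEYID = bytes.fromhex("0123456789ABCDEF")
_TIME = struct.pack(">I", 1641750733)
_TAIL = b"\xab\xcd" + b"\x00\x08\x42"  # left 16 bits of the hash, then a one-byte MPI
_v3_body = bytes([3, 5, 0x00]) + _TIME + _KEYID + bytes([1, 8]) + _TAIL
V3_SIG = bytes([0x88, len(_v3_body)]) + _v3_body  # old-format CTB, tag 2, 1-byte length
_hashed = bytes([5, 2]) + _TIME + bytes([9, 16]) + _KEYID
_v4_body = bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(_hashed)) + _hashed + b"\x00\x00" + _TAIL
V4_SIG = bytes([0xC2, len(_v4_body)]) + _v4_body  # new-format CTB, tag 2, 1-byte length

if __name__ == "__main__":
    import sys
    for name, blob in (("constructed v3", V3_SIG), ("constructed v4", V4_SIG)):
        info = inspect_signature(blob)
        print(f"{name}: version {info['version']}, created {info['created']}, "
              f"{info['pk_alg']}/{info['hash_alg']}, pacman accepts: {pacman_accepts(info)}")
    for path in sys.argv[1:]:  # pass real .sig files to inspect them the same way
        with open(path, "rb") as fh:
            info = inspect_signature(fh.read())
        print(f"{path}: version {info['version']}, pacman accepts: {pacman_accepts(info)}")
```

Run it with the .sig files downloaded next to a package to see the same `version 3` that gpg --list-packets reports, and a `pacman accepts: False` verdict, before the package ever reaches pacman's keyring check.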

adrianschroeter commented 2 years ago

On Dienstag, 11. Januar 2022, 07:14:26 CET Nick Hanley wrote:

The issue appears to be that OBS creates v3 signatures[^1][^2] but pacman requires v4[^3]. I've confirmed this is the case for the OBS build of ungoogled_chromium.

$ wget https://download.opensuse.org/repositories/home:/ungoogled_chromium/Arch/x86_64/ungoogled-chromium-97.0.4692.71-2-x86_64.pkg.tar.zst{,.sig}
...
$ sudo pacman -U ungoogled-chromium-97.0.4692.71-2-x86_64.pkg.tar.zst
loading packages...
error: ungoogled-chromium-97.0.4692.71-2-x86_64.pkg.tar.zst: unsupported signature format
error: 'ungoogled-chromium-97.0.4692.71-2-x86_64.pkg.tar.zst': invalid or corrupted package (PGP signature)
$ gpg --list-packets ungoogled-chromium-97.0.4692.71-2-x86_64.pkg.tar.zst.sig | grep version
  version 3, created 1641750733, md5len 5, sigclass 0x00

Curiously, GnuPG 2.1 (released 2014-10-03) dropped all support for v3[^4]. I'm not sure why --force-v3-sigs is being honored as it should be a no-op, unless OBS uses an ancient release.

It should still be able to verify it though.

However, https://github.com/openSUSE/open-build-service/pull/12065

--

Adrian Schroeter @.***> Build Infrastructure Project Manager

SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany (HRB 36809, AG Nürnberg) Geschäftsführer: Ivo Totev

njhanley commented 2 years ago

it should still be able to verify it though.

I'm not sure what "it" you're referring to.

Regardless, #12065 appears to work on my development instance. Thanks!

FYI pacman has supported v4 signatures ever since GPG verification was added[^1]; they became required in 2012[^2]. PGP 2 is ancient, after all.

antermin commented 2 years ago

Since #12065 has been merged, I tried this:

[home_ungoogled_chromium_Arch]
SigLevel = DatabaseRequired PackageOptional
Server = https://downloadcontent.opensuse.org/repositories/home:/ungoogled_chromium/Arch/$arch

This appears to be okay.