Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
>>> import gnupg
>>> g = gnupg.GPG()
>>> fh = open('/tmp/t.sig', 'rb')
>>> v = g.verify_file(fh, '/tmp/t')
>>> v.trust_level
5
$ gpg --verify t.sig t
gpg: Signature made Tue 02 Jul 2024 05:47:19 PM EDT
gpg: using RSA key 748231EBCBD808A14F5E85D28C004C2F93481F6B
gpg: Good signature from "Brent Timothy Saner <brent.saner@gmail.com>" [ultimate]
gpg: aka "Brent S. (http://www.square-r00t.net) <bts@square-r00t.net>" [ultimate]
gpg: aka "keybase.io/squarer00t <squarer00t@keybase.io>" [ultimate]
gpg: aka "[jpeg image of size 23396]" [ultimate]
gpg: aka "r00t^2 (https://sysadministrivia.com) <r00t@sysadministrivia.com>" [ultimate]
$ cat t.sig | gpg --list-packets
# off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid 8C004C2F93481F6B
version 4, created 1719956839, md5len 0, sigclass 0x00
digest algo 10, begin of digest dd c6
hashed subpkt 33 len 21 (issuer fpr v4 748231EBCBD808A14F5E85D28C004C2F93481F6B)
hashed subpkt 2 len 4 (sig created 2024-07-02)
subpkt 16 len 8 (issuer key ID 8C004C2F93481F6B)
data: [4093 bits]
Because of this, any signature created with an ultimately trusted key will always fail catastrophically:
Comment: An exception occurred in this state: Traceback (most recent call last):
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/state.py", line 2428, in call
ret = self.states[cdata["full"]](
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 160, in __call__
ret = self.loader.run(run_func, *args, **kwargs)
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1269, in run
return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1284, in _run_as
return _func_or_method(*args, **kwargs)
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1317, in wrapper
return f(*args, **kwargs)
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/states/archive.py", line 1101, in extracted
source_sum = __salt__["file.get_source_sum"](
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 160, in __call__
ret = self.loader.run(run_func, *args, **kwargs)
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1269, in run
return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1284, in _run_as
return _func_or_method(*args, **kwargs)
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/file.py", line 888, in get_source_sum
_check_sig(
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/file.py", line 1051, in _check_sig
res = verify(
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 160, in __call__
ret = self.loader.run(run_func, *args, **kwargs)
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1269, in run
return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1284, in _run_as
return _func_or_method(*args, **kwargs)
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/gpg.py", line 1399, in verify
signatures = [
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/gpg.py", line 1405, in <listcomp>
VERIFY_TRUST_LEVELS[str(sig["trust_level"])]
File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/immutabletypes.py", line 30, in __getitem__
return freeze(self.__obj[key])
KeyError: '5'
Started: 21:39:22.093953
Duration: 60.658 ms
Changes:
Setup
(N/A; library error)
Please be as specific as possible and give set-up details.
[X] on-prem machine
[X] VM (Virtualbox, KVM, etc. please specify)
[ ] VM running on a cloud service, please be explicit and add details
[ ] container (Kubernetes, Docker, containerd, etc. please specify)
[ ] or a combination, please be explicit
[ ] jails if it is FreeBSD
[ ] classic packaging
[X] onedir packaging
[X] used bootstrap to install
Steps to Reproduce the behavior
(See description)
Expected behaviorUNKNOWN verification trust level must be defined in VERIFY_TRUST_LEVELS as 0 and all existing levels' integers must be increased by 1.
Screenshots
(N/A)
Versions Report
salt --versions-report
```yaml
Salt Version:
Salt: 3007.1
Python Version:
Python: 3.10.14 (main, Apr 3 2024, 21:30:09) [GCC 11.2.0]
Dependency Versions:
cffi: 1.16.0
cherrypy: 18.8.0
dateutil: 2.8.2
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
Jinja2: 3.1.4
libgit2: Not Installed
looseversion: 1.3.0
M2Crypto: Not Installed
Mako: Not Installed
msgpack: 1.0.7
msgpack-pure: Not Installed
mysql-python: Not Installed
packaging: 23.1
pycparser: 2.21
pycrypto: Not Installed
pycryptodome: 3.19.1
pygit2: Not Installed
python-gnupg: 0.5.2
PyYAML: 6.0.1
PyZMQ: 25.1.2
relenv: 0.16.0
smmap: Not Installed
timelib: 0.3.0
Tornado: 6.3.3
ZMQ: 4.3.4
Salt Package Information:
Package Type: onedir
System Versions:
dist: almalinux 9.4 Seafoam Ocelot
locale: utf-8
machine: x86_64
release: 5.14.0-427.20.1.el9_4.x86_64
system: Linux
version: AlmaLinux 9.4 Seafoam Ocelot
```
Description The file
/opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/gpg.pycontains the following:But it is missing
UNKNOWNand thus every single trust level is shifted lower by one from its true value.For reference, in GPG, sig verifications return a
gpgme_validity_tin the C API, which of course is what python-gnupg passes directly from the CLI tool, which defines5asULTIMATE, not4:Because of this, any signature created with an ultimately trusted key will always fail catastrophically:
Setup (N/A; library error)
Please be as specific as possible and give set-up details.
Steps to Reproduce the behavior (See description)
Expected behavior
UNKNOWNverification trust level must be defined inVERIFY_TRUST_LEVELSas0and all existing levels' integers must be increased by1.Screenshots (N/A)
Versions Report
salt --versions-report
```yaml Salt Version: Salt: 3007.1 Python Version: Python: 3.10.14 (main, Apr 3 2024, 21:30:09) [GCC 11.2.0] Dependency Versions: cffi: 1.16.0 cherrypy: 18.8.0 dateutil: 2.8.2 docker-py: Not Installed gitdb: Not Installed gitpython: Not Installed Jinja2: 3.1.4 libgit2: Not Installed looseversion: 1.3.0 M2Crypto: Not Installed Mako: Not Installed msgpack: 1.0.7 msgpack-pure: Not Installed mysql-python: Not Installed packaging: 23.1 pycparser: 2.21 pycrypto: Not Installed pycryptodome: 3.19.1 pygit2: Not Installed python-gnupg: 0.5.2 PyYAML: 6.0.1 PyZMQ: 25.1.2 relenv: 0.16.0 smmap: Not Installed timelib: 0.3.0 Tornado: 6.3.3 ZMQ: 4.3.4 Salt Package Information: Package Type: onedir System Versions: dist: almalinux 9.4 Seafoam Ocelot locale: utf-8 machine: x86_64 release: 5.14.0-427.20.1.el9_4.x86_64 system: Linux version: AlmaLinux 9.4 Seafoam Ocelot ```Additional context (N/A)