veracrypt / VeraCrypt

Disk encryption with strong security based on TrueCrypt
https://www.veracrypt.fr

`.rpm` package header not signed. #1101

Closed RokeJulianLockhart closed 1 year ago

RokeJulianLockhart commented 1 year ago

Expected behaviour

The https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-1.25.9-openSUSE-15-x86_64.rpm.sig should automatically verify.

Observed behaviour

Although the package installs correctly, signature verification fails:

  1. sudo zypper install 'https://launchpadlibrarian.net/587065938/veracrypt-1.25.9-openSUSE-15-x86_64.rpm'
  2. Output:

```log
Script started, output log file is 'typescript'.
[sudo] password for root:
Retrieving repository 'KDE:Unstable:Applications' metadata .............................................[done]
Building repository 'KDE:Unstable:Applications' cache ..................................................[done]
Retrieving repository 'home:ecsos' metadata ............................................................[done]
Building repository 'home:ecsos' cache .................................................................[done]
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW package is going to be installed:
  veracrypt

1 new package to install.
Overall download size: 5.0 MiB. Already cached: 0 B. After the operation, additional 23.1 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
Retrieving: veracrypt-1.25.9-1.x86_64 (Plain RPM files cache) (1/1), 5.0 MiB
veracrypt-1.25.9-openSUSE-15-x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 821acd02680d16de: NOKEY
    V4 RSA/SHA256 Signature, key ID 821acd02680d16de: NOKEY
warning: /var/tmp/zypp.KiuwWc/zypper/_tmpRPMcache_/%CLI%/veracrypt-1.25.9-openSUSE-15-x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 680d16de: NOKEY
Looking for gpg key ID 680D16DE in cache /var/cache/zypp/pubkeys.
Repository Plain RPM files cache does not define additional 'gpgkey=' URLs.
veracrypt-1.25.9-1.x86_64 (Plain RPM files cache): Signature verification failed [4-Signatures public key is not available]
Abort, retry, ignore? [a/r/i] (a): i
Checking for file conflicts: .....................................................................................................................................................[done]
warning: /var/cache/zypper/RPMS/veracrypt-1.25.9-openSUSE-15-x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 680d16de: NOKEY
(1/1) Installing: veracrypt-1.25.9-1.x86_64 ......................................................................................................................................[done]
Script done.
PS /home/rokejulianlockhart>
```

This is problematic because it prevents plasma-discover installing the package, per https://discuss.kde.org/t/progress-console-in-discover/14195/7?u=rokejulianlockhart.

Steps to reproduce

  1. sudo zypper install 'https://launchpadlibrarian.net/587065938/veracrypt-1.25.9-openSUSE-15-x86_64.rpm'
  2. y

Your Environment

Operating System: openSUSE Tumbleweed 20230605
KDE Plasma Version: 5.27.5
KDE Frameworks Version: 5.107.0
Qt Version: 5.15.9
Kernel Version: 6.3.4-1-default (64-bit)
Graphics Platform: Wayland
Processors: 12 × AMD Ryzen 5 3600 6-Core Processor
Memory: 31.2 GiB of RAM
Graphics Processor: AMD Radeon RX 5700

VeraCrypt version

```log
PS /home/rokejulianlockhart> zypper info veracrypt
Loading repository data...
Reading installed packages...

Information for package veracrypt:
----------------------------------
Repository     : @System
Name           : veracrypt
Version        : 1.25.9-1
Arch           : x86_64
Vendor         : IDRIX
Installed Size : 23.1 MiB
Installed      : Yes
Status         : up-to-date
Source package : veracrypt-1.25.9-1.src
Summary        : Disk encryption with strong security based on TrueCrypt.
Description    :
    This package contains binaries for VeraCrypt, a disk encryption with strong security based on TrueCrypt.
PS /home/rokejulianlockhart>
```

Operating system and version

```log
PS /home/rokejulianlockhart> uname -a
Linux RQN6C6 6.3.4-1-default #1 SMP PREEMPT_DYNAMIC Mon May 29 06:22:29 UTC 2023 (2c66b1f) x86_64 x86_64 x86_64 GNU/Linux
PS /home/rokejulianlockhart>
```

System type

64-bit

idrassi commented 1 year ago

Did you import VeraCrypt GPG public key? Without this, your system cannot trust the GPG signature embedded into the rpm package. The simplest way to do this is to run the command: sudo rpm --import https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc

and check that the fingerprint displayed matches the fingerprint of the official key (ID=0x680D16DE, Fingerprint=5069A233D55A0EEB174A5FC3821ACD02680D16DE)
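As an added example (not code from the thread or from the VeraCrypt project), a POSIX shell script that automates the check idrassi describes: it fetches the key, refuses to import it unless its fingerprint equals the official one quoted above, and only then lets rpm verify the package signature before zypper installs it. It assumes curl, gpg (2.1.23 or newer, for `--show-keys`) and rpm are installed; the key URL and fingerprint are the ones from the comment above.

```shell
#!/bin/sh
# Added example: import the VeraCrypt signing key only after its fingerprint
# matches the one published by the project, then verify the .rpm signature.
# Assumes curl, gpg (2.1.23+ for --show-keys) and rpm are available.
KEY_URL="https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc"
EXPECTED_FPR="5069A233D55A0EEB174A5FC3821ACD02680D16DE"   # from idrassi's comment

# normalize_fpr: drop spaces/tabs and a leading 0x, uppercase hex digits, so
# "5069 A233 ..." or "0x5069a233..." compare equal to EXPECTED_FPR.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF'
}

# fpr_from_colons: read `gpg --show-keys --with-colons` output on stdin and
# print the primary key's fingerprint (field 10 of the first "fpr" record).
fpr_from_colons() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# fingerprint_matches KEYFILE EXPECTED: exit 0 only when the file's primary key
# fingerprint equals EXPECTED. A file gpg cannot parse yields no fpr record and
# therefore fails closed.
fingerprint_matches() {
  actual=$(gpg --show-keys --with-colons "$1" 2>/dev/null | fpr_from_colons)
  [ -n "$actual" ] && [ "$(normalize_fpr "$actual")" = "$(normalize_fpr "$2")" ]
}

# install_verified RPM_URL: fetch key, check fingerprint, import it, download
# the package, and require `rpm -K` to succeed (it exits non-zero on NOKEY or a
# bad signature) before handing the file to zypper.
install_verified() {
  pkg_url="$1"
  tmp=$(mktemp -d) || return 1
  curl -fsSL "$KEY_URL" -o "$tmp/key.asc" || { rm -rf "$tmp"; return 1; }
  if ! fingerprint_matches "$tmp/key.asc" "$EXPECTED_FPR"; then
    echo "refusing to import: key fingerprint does not match $EXPECTED_FPR" >&2
    rm -rf "$tmp"; return 2
  fi
  sudo rpm --import "$tmp/key.asc" || { rm -rf "$tmp"; return 1; }
  curl -fsSL "$pkg_url" -o "$tmp/pkg.rpm" || { rm -rf "$tmp"; return 1; }
  rpm -K "$tmp/pkg.rpm" || { echo "signature check failed" >&2; rm -rf "$tmp"; return 3; }
  sudo zypper install -y "$tmp/pkg.rpm"; rc=$?
  rm -rf "$tmp"; return $rc
}

# The network/install path runs only when invoked as: sh verify.sh --run <rpm-url>
if [ "${1:-}" = "--run" ]; then install_verified "$2"; fi
```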

RokeJulianLockhart commented 1 year ago

@idrassi, shouldn't/can't that key be embedded into the package? I've installed many packages before now from external URIs, and they didn't warn me of this problem.

Did they just not have a signature counterpart?

idrassi commented 1 year ago

VeraCrypt uses the standard rpm signing procedure, which is the same for all rpm packages. Let me give some key points:

I hope this gives you some clarity about the situation.

RokeJulianLockhart commented 1 year ago

Thanks, @idrassi. That's sensical.

Because of

Why Not Embed Keys in Packages?: Including the public key within the package could undermine the purpose of signing. If we did this, a malicious actor could tamper with the package, alter its contents, and provide a new key. This is why keys are separately imported from a trusted, secure source.

for the OpenSUSE section of https://www.veracrypt.fr/en/Downloads.html, could you consider adding

```shell
sudo rpm --import https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc
sudo zypper install -y https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-1.25.9-openSUSE-15-x86_64.rpm
sudo zypper install -y https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-console-1.25.9-openSUSE-15-x86_64.rpm
```

for the less technical? I expect it would make installation much less scary.

I do ultimately think embedding the key in the package is a better solution though, since anyone technical will verify the signature, and a bad actor can still MITM to add the signature, thereby meaning that only the real package shows the unsigned error text.

This also ultimately does prevent any graphical marketplace installer installing the package currently.

idrassi commented 1 year ago

Thank you for your proposal. I have updated the downloads page https://www.veracrypt.fr/en/Downloads.html, as follows:

(two screenshots of the updated Downloads page)