debsig-verify fails with gpg: no valid OpenPGP data found while gpg decrypt can verify the detached signature - gnupg

Why does debsig-verify fail to verify when the _gpgorigin detached signature matches the combined debian-binary control.tar.gz data.tar.gz file?
Is it because of this WARNING: This key is not certified with a trusted signature!?
In a debian:7 Docker container package signing worked well, and in debian:9.8 it fails with
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
debsig: subprocess getKeyID returned error exit status 2
Signing Process
# Unpack
ar x unsigned.deb
# Generate combine file
cat debian-binary control.tar.gz data.tar.gz > combined
# Create detached signature for combined
gpg -abs -o _gpgorigin combined
# Repack
ar rc signed.deb _gpgorigin debian-binary control.tar.gz data.tar.gz
Verify detached signature (seems successful)
gpg --output doc --decrypt _gpgorigin
Detached signature.
Please enter name of data file: combined
gpg: Signature made Thu Apr 25 22:43:37 2019 UTC
gpg: using RSA key AAAABBBBCCCCDDDD996FCC98FFFFFFFFFFFFFFFF
gpg: Good signature from "mygroup Testing <testing@mygroup.net>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: AAAA BBBB CCCC DDDD 996F CC98 FFFF FFFF FFFF FFFF
Verify signed package (fails)
debsig-verify -v -d signed.deb
debsig: Starting verification for: signed.deb
debsig: getSigKeyID: got FFFFFFFFFFFFFFFF for origin key
debsig: Using policy directory: /etc/debsig/policies/FFFFFFFFFFFFFFFF
debsig: Parsing policy file: /etc/debsig/policies/FFFFFFFFFFFFFFFF/mygroup-test.pol
debsig: parsePolicyFile: parsing '/etc/debsig/policies/FFFFFFFFFFFFFFFF/mygroup-test.pol'
debsig: parsePolicyFile: completed
debsig: Checking Selection group(s).
debsig: Processing 'origin' key...
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
debsig: subprocess getKeyID returned error exit status 2
Key Listing for the policy's keyring
gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/FFFFFFFFFFFFFFFF/pubring.gpg --list-sigs
/usr/share/debsig/keyrings/FFFFFFFFFFFFFFFF/pubring.gpg
-------------------------------------------------------
pub rsa2048 2017-06-19 [SC]
AAAABBBBCCCCDDDD996FCC98FFFFFFFFFFFFFFFF
uid [ unknown] MyGroup Testing <testing@mygroup.net>
sig 3 FFFFFFFFFFFFFFFF 2017-06-19 MyGroup Testing <testing@mygroup.net>
sub rsa2048 2017-06-19 [E]
sig FFFFFFFFFFFFFFFF 2017-06-19 MyGroup Testing <testing@mygroup.net>

I've just had a similar problem, and found a number of things that I was doing wrong, that aren't obvious from the documentation/examples:
make sure that the policy file has the XML namespace using https (not http as the few examples use) i.e. <Policy xmlns="https://www.debian.org/debsig/1.0/">
the 'keyring' file isn't a keyring, it's just a (public) key.
the 'keyring' file must NOT be ASCII-armoured.
With the above changes, package verification succeeded (Ubuntu 18.04)

I had the same error.
To clarify Anthony's answer, the key file cannot be imported to the keyring.
It has to be a public key that is copied to the keyring folder.
(Example using DDDF2F4CE732A79A)
This will cause the error
$ gpg --no-default-keyring \
--keyring /usr/share/debsig/keyrings/DDDF2F4CE732A79A/debsig.gpg \
--import <public key>
This will work
$ cp <public key> /usr/share/debsig/keyrings/DDDF2F4CE732A79A/debsig.gpg
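Putting the two answers together: the script below is an added example, not code from the original question or answers. It lays out the policy directory and the "keyring" for one signing key while avoiding the three pitfalls named above (http namespace, a keybox written by --import instead of a single key, an ASCII-armoured key), and then signs a .deb over the same data the question signs. It assumes gpg, ar and debsig-verify are installed, that KEYID is the 16-hex-digit long key id debsig-verify prints as "got ... for origin key", and that the policy skeleton follows the example in the debsig-verify documentation; FFFFFFFFFFFFFFFF and mygroup in the usage line are the placeholders from the question.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Lays out the debsig-verify policy directory and "keyring" for one signing key,
# avoiding the three pitfalls from the answers (http namespace, keybox instead of a
# key, ASCII-armoured key), and signs a .deb the way the question does.
# Assumptions: gpg, ar and debsig-verify installed; KEYID is the 16-hex-digit long
# key id debsig-verify prints as "got ... for origin key"; the policy skeleton follows
# the example in the debsig-verify documentation.
set -eu

POLICY_ROOT=${POLICY_ROOT:-/etc/debsig/policies}
KEYRING_ROOT=${KEYRING_ROOT:-/usr/share/debsig/keyrings}

# write_policy KEYID NAME OUTFILE: minimal policy; note the https namespace.
write_policy() {
    keyid=$1 name=$2 out=$3
    cat > "$out" <<EOF
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="https://www.debian.org/debsig/1.0/">
  <Origin Name="$name" id="$keyid" Description="$name package signing key"/>
  <Selection>
    <Required Type="origin" File="debsig.gpg" id="$keyid"/>
  </Selection>
  <Verification MinOptional="0">
    <Required Type="origin" File="debsig.gpg" id="$keyid"/>
  </Verification>
</Policy>
EOF
}

# install_keyring PUBKEY OUTFILE: the "keyring" is a single public key in binary
# OpenPGP form. A GnuPG keybox (what `gpg --import` writes; magic "KBXf" at byte 8)
# is rejected, an armoured export is dearmoured, a binary export is copied unchanged.
install_keyring() {
    src=$1 out=$2
    if od -An -c -N 16 "$src" | grep -q 'K *B *X *f'; then
        echo "error: $src is a GnuPG keybox; use 'gpg --export KEYID > file' instead" >&2
        return 1
    fi
    if head -n 1 "$src" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        gpg --dearmor < "$src" > "$out"
    else
        cp "$src" "$out"
    fi
    chmod 0644 "$out"
}

# setup_policy KEYID NAME PUBKEY: create both directories debsig-verify looks in.
setup_policy() {
    keyid=$1 name=$2 pubkey=$3
    mkdir -p "$POLICY_ROOT/$keyid" "$KEYRING_ROOT/$keyid"
    write_policy "$keyid" "$name" "$POLICY_ROOT/$keyid/$name.pol"
    install_keyring "$pubkey" "$KEYRING_ROOT/$keyid/debsig.gpg"
}

# sign_deb IN OUT: detached signature over debian-binary + control + data, the
# same data the question signs; members stay in dpkg's order (debian-binary first)
# with _gpgorigin appended last, the order dpkg-sig uses.
sign_deb() {
    case $1 in /*) in=$1 ;; *) in=$PWD/$1 ;; esac
    case $2 in /*) out=$2 ;; *) out=$PWD/$2 ;; esac
    work=$(mktemp -d)
    ( cd "$work" \
      && ar x "$in" \
      && cat debian-binary control.tar.* data.tar.* > combined \
      && gpg -abs -o _gpgorigin combined \
      && ar rc "$out" debian-binary control.tar.* data.tar.* _gpgorigin )
    rm -rf "$work"
}

case ${1:-} in
    setup)  setup_policy "$2" "$3" "$4" ;;
    sign)   sign_deb "$2" "$3" ;;
    verify) debsig-verify -v -d "$2" ;;
esac
```

Usage (script name is hypothetical): `sh debsig-setup.sh setup FFFFFFFFFFFFFFFF mygroup pubkey.asc`, then `sh debsig-setup.sh sign unsigned.deb signed.deb` and `sh debsig-setup.sh verify signed.deb`. The keyring step is the one that produces "no valid OpenPGP data found" when it goes wrong: a keybox or an armoured file in /usr/share/debsig/keyrings/KEYID/ is exactly what the getKeyID subprocess cannot read.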

Related

Github actions gpg decrypt results in an error (gpg: no valid OpenPGP data found.)

I'm building an Android APK using GitHub Actions, and I need to use the Android signing key in order to sign it before releasing it.
To do so I'm using the technique described here with GPG to encrypt the release key as a base64 string, and use it as a secret in GitHub Actions.
Then, inside my workflow, I use GPG to decrypt it back into the key file.
However, this process, which works fine on my Mac, is failing in GitHub Actions.
Running this
- name: Decode keystore file
run: |
echo "${{ secrets.KEY_STORE }}" > release.keystore.asc
gpg -d --passphrase "${{ secrets.KEY_STORE_PASSPHRASE }}" --batch release.keystore.asc > signing-key.jks
results in this
gpg: directory '/home/runner/.gnupg' created
gpg: keybox '/home/runner/.gnupg/pubring.kbx' created
gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: Unknown system error
##[error]Process completed with exit code 2.
Running sudo apt-get install ca-certificates before using GPG is of no help either, since it says that it's already installed.
Any ideas?
It seems release.keystore.asc contains invalid PGP data or no data at all. First, I would check the content of a release.keystore.asc. You can upload the file as an artifact then download it to examine its contents. Modify the workflow by adding the upload-artifact action step after Decode keystore file step
- name: Decode keystore file
run: |
echo "${{ secrets.KEY_STORE }}" > release.keystore.asc
gpg -d --passphrase "${{ secrets.KEY_STORE_PASSPHRASE }}" --batch release.keystore.asc > signing-key.jks
- uses: actions/upload-artifact@v2
if: failure()
with:
name: release.keystore.asc
path: release.keystore.asc
Now you can download the release.keystore.asc artifact (it will be zipped so you have to unzip it) and check if the file contains valid PGP data (the file should start with -----BEGIN PGP MESSAGE----- and end with -----END PGP MESSAGE----- and contain valid encrypted PGP content between). If it does not then it means KEY_STORE secret contains invalid data.
I was getting the same error. I made a silly mistake; not sure if you also made the same one.
While copying the base64 key store string to the GitHub secret, I was only copying the base64 string and not the whole file, i.e.
whole .asc file is like this:
-----BEGIN PGP MESSAGE-----
**base64 string here**
-----END PGP MESSAGE-----
You need to copy the whole file content (including the BEGIN PGP MESSAGE and END PGP MESSAGE lines). This solved my problem.
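The two answers describe different ways the secret can be broken (empty, body pasted without the armour lines, or truncated). The following script is an added example, not code from the original question or answers: it classifies the file before gpg sees it, so the "no valid OpenPGP data found" message is replaced by a verdict that says which mistake was made. It assumes the workflow step has already written the secret to a file; release.keystore.asc and signing-key.jks are the names from the question, and the base64 text in the usage note is a constructed dummy.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Preflight check for the armoured secret before gpg sees it, telling apart the
# failure modes the answers describe: empty file (secret unset in this step),
# body pasted without the BEGIN/END lines, or a truncated paste.
# Assumptions: the workflow step has already written the secret to a file;
# release.keystore.asc / signing-key.jks are the names from the question.
set -eu

# classify_armor FILE: prints one word and returns 0 only for "ok".
#   empty      no content at all
#   no-header  first non-blank line is not "-----BEGIN PGP MESSAGE-----"
#              (only the base64 body was copied into the secret)
#   no-footer  header present but no "-----END PGP MESSAGE-----" line
#   no-body    header and footer present with nothing between them
#   ok         complete armour block
classify_armor() {
    f=$1
    if [ ! -s "$f" ]; then echo empty; return 1; fi
    # first non-blank line, with any CR from a Windows paste stripped
    first=$(sed -n '/[^[:space:]]/{p;q;}' "$f" | tr -d '\r')
    if [ "$first" != "-----BEGIN PGP MESSAGE-----" ]; then echo no-header; return 1; fi
    if ! grep -q '^-----END PGP MESSAGE-----' "$f"; then echo no-footer; return 1; fi
    # count base64-looking lines strictly between the header and footer
    lines=$(sed -n '/^-----BEGIN PGP MESSAGE-----/,/^-----END PGP MESSAGE-----/p' "$f" \
            | sed '1d;$d' | grep -c '[A-Za-z0-9+/=]' || true)
    if [ "$lines" -eq 0 ]; then echo no-body; return 1; fi
    echo ok
}

# decrypt_keystore ASC OUT PASSPHRASE: the question's gpg call, run only after the
# check passes. --pinentry-mode loopback is what GnuPG 2.1+ needs for --passphrase
# to be honoured together with --batch.
decrypt_keystore() {
    verdict=$(classify_armor "$1") || {
        echo "refusing to decrypt $1: $verdict" >&2
        return 1
    }
    gpg --batch --yes --pinentry-mode loopback --passphrase "$3" -d "$1" > "$2"
}

case ${1:-} in
    check)   classify_armor "$2" ;;
    decrypt) decrypt_keystore release.keystore.asc signing-key.jks "$2" ;;
esac
```

In the workflow step, pass the secret through `env:` and write it with `printf '%s\n' "$KEY_STORE" > release.keystore.asc` rather than interpolating `${{ secrets.KEY_STORE }}` into the `run:` script; `printf` does not reinterpret backslashes the way some `echo` implementations do, and the secret never becomes part of the shell text. Then `sh check-armor.sh check release.keystore.asc` (script name hypothetical) prints `no-header` for a secret that holds only the base64 body and `ok` for a complete block.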

gpg: clear-sign failed: Permission denied

I'm trying to build a Debian package from a very simple "hithere"/helloworld C program. I'm getting this error:
$ DEBNAME="Maintainer" DEBEMAIL=user@buildserver.org debmake -a hithere-0.8.1.tar.gz -T -i debuild
...
W: hithere: copyright-without-copyright-notice
W: hithere: readme-debian-contains-invalid-email-address bogus@localhost
W: hithere: extended-description-line-too-long
E: hithere: maintainer-name-missing <bogus@localhost>
E: hithere: maintainer-address-malformed <bogus@localhost>
E: hithere: maintainer-address-is-on-localhost <bogus@localhost>
W: hithere: unknown-section local
Finished running lintian.
Now signing changes and any dsc files...
signfile dsc hithere_0.8.1-1.dsc <bogus@localhost>
gpg --local-user "<bogus@localhost>" --clearsign --list-options no-show-policy-urls --armor --textmode --output "/tmp/debsign.XYoWdyn7/hithere_0.8.1-1.dsc.asc" "/tmp/debsign.XYoWdyn7/hithere_0.8.1-1.dsc"
gpg: signing failed: Permission denied
gpg: /tmp/debsign.XYoWdyn7/hithere_0.8.1-1.dsc: clear-sign failed: Permission denied
debsign: gpg error occurred! Aborting....
debuild: fatal error at line 1045:
running debsign failed
E: failed to build Debian package(s).
Isolating the command, I get the same:
$ gpg --local-user "<bogus@localhost>" --clearsign --list-options no-show-policy-urls --armor --textmode test
gpg: signing failed: Permission denied
gpg: test: clear-sign failed: Permission denied
No luck with strace:
$ strace gpg --local-user "<bogus@localhost>" --clearsign --list-options no-show-policy-urls --armor --textmode test
strace: ptrace(PTRACE_TRACEME, ...): Operation not permitted
+++ exited with 1 +++
This is my gnupg directory:
$ ls ~/.gnupg/
openpgp-revocs.d private-keys-v1.d pubring.kbx pubring.kbx~ S.gpg-agent S.gpg-agent.browser S.gpg-agent.extra S.gpg-agent.ssh trustdb.gpg
Thanks for any help

I am trying to decrypt a .pgp file given the .asc file

I have a file.txt.pgp which I want to decrypt on Solaris. I have a key.asc file as well.
I imported the key using
gpg --import key.asc
When I try to decrypt the file using
gpg --decrypt file.txt.pgp
I get the below error:
gpg: no valid OpenPGP data found.
gpg: decrypt message failed: eof
Also there is no secret/private key corresponding to the public key I imported. How can I fix this?

gpg2: Where's Linus' key?

I'm trying to build a linux kernel for my Arch install. I'd like to verify the signatures but find I can't get the keys needed to do that:
[joemadeus@<host>]$ gpg2 -vvv --locate-keys torvalds@kernel.org gregkh@kernel.org
gpg: using character set 'iso-8859-1'
gpg: using pgp trust model
gpg: key <HEX CHARS HERE> accepted as trusted key
gpg: error retrieving 'gregkh@kernel.org' via Local: No public key
gpg: error retrieving 'gregkh@kernel.org' via WKD: No data
gpg: error reading key: No data
gpg: error retrieving 'torvalds@kernel.org' via Local: No public key
gpg: error retrieving 'torvalds@kernel.org' via WKD: No data
gpg: error reading key: No data
Obviously these keys are there and something is wrong with the way I'm going after them. Unfortunately there's nothing here that gives me any hints, even with verbose turned on. And, searching about I find... nothing.
I do have connectivity to the outside world and can get to kernel.org via http without any trouble. In fact, that's where I found out how to get the keys: https://www.kernel.org/category/signatures.html I've tried several times over the last couple of days, so I don't think kernel.org is having problems (unless they're very long-lived ones.)
I have created a key for myself with this login on the local system. I haven't pushed it out anywhere. I don't know if any of that matters.
Any hints?
The solution comes from this post, found by a friend of mine, which answers a similar question (but with a different error message): https://askubuntu.com/a/1027703
The default gpg config on Arch does not include:
auto-key-locate cert,pka,dane,wkd,keyserver
...and I did not supply it on the command line (didn't know it existed.) Once this option was specified it found the keys.
The easiest way of importing the keys of Linus and Greg is by fetching them directly by fingerprint, as found at your link.
Fetch Linus Torvalds' key:
gpg --search-keys ABAF11C65A2970B130ABE3C479BE3E4300411886
Fetch Greg Kroah-Hartman's key:
gpg --search-keys 647F28654894E3BD457199BE38DBBDC86092693E
This approach also makes it easier to ensure you fetch the correct keys and not just any key published with those email addresses.
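The point of the answer above is that the fingerprint, not the e-mail address, identifies the key. The script below is an added example, not code from the original question or answers: it receives the two keys by full fingerprint (the non-interactive form of the --search-keys step) and then re-reads the keyring in `--with-colons` form to confirm that the primary keys now present carry exactly those fingerprints. It assumes gpg 2.x with a reachable keyserver or WKD; the two fingerprints are the ones quoted in the answer, and SAMPLE_COLONS is a constructed listing for the parser, with dummy subkey values.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Receives the kernel signing keys by full fingerprint (the non-interactive form
# of the --search-keys step in the answer) and then checks that the keys now in
# the keyring carry exactly those fingerprints, so a look-alike key published
# under the same e-mail address cannot be picked up by mistake.
# Assumptions: gpg 2.x with a reachable keyserver or WKD; the two fingerprints
# are the ones quoted in the answer; SAMPLE_COLONS is a constructed listing.
set -eu

LINUS=ABAF11C65A2970B130ABE3C479BE3E4300411886
GREG=647F28654894E3BD457199BE38DBBDC86092693E

# normalize_fpr FPR: strip spaces and upper-case, so a fingerprint copied from a
# web page ("ABAF 11C6 ...") compares equal to gpg's compact form; fails unless
# the result is a 40-hex-digit v4 fingerprint.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case $f in
        *[!0-9A-F]*|"") return 1 ;;
    esac
    [ ${#f} -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# primary_fprs_from_colons: read `gpg --with-colons --fingerprint` output on stdin
# and print the fingerprint of each primary key (the fpr record after a pub record;
# fpr records after sub records belong to subkeys and are skipped). Field 10 of an
# fpr record holds the fingerprint.
primary_fprs_from_colons() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# key_present FPR: 0 if a primary key with exactly this fingerprint is in the keyring.
key_present() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | primary_fprs_from_colons | grep -qx "$1"
}

# fetch_pinned FPR...: receive each key by fingerprint, then verify it landed.
fetch_pinned() {
    for raw in "$@"; do
        fpr=$(normalize_fpr "$raw") || { echo "bad fingerprint: $raw" >&2; return 1; }
        gpg --batch --recv-keys "$fpr"
        key_present "$fpr" || { echo "key $fpr not in keyring after fetch" >&2; return 1; }
        echo "pinned: $fpr"
    done
}

# Constructed sample of --with-colons output for the parser demo: the pub key id and
# fingerprint are Linus's from the answer; timestamps and subkey values are dummies.
SAMPLE_COLONS='pub:-:2048:1:79BE3E4300411886:0:::-:::scESC::::::23::0:
fpr:::::::::ABAF11C65A2970B130ABE3C479BE3E4300411886:
uid:-::::::::Linus Torvalds <torvalds@kernel.org>::::::::::0:
sub:-:2048:1:0000000000000000:0::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'

case ${1:-} in
    fetch) fetch_pinned "$LINUS" "$GREG" ;;
    demo)  printf '%s\n' "$SAMPLE_COLONS" | primary_fprs_from_colons ;;
esac
```

`sh pin-kernel-keys.sh fetch` (script name hypothetical) fetches and checks both keys; `demo` runs only the parser over the constructed listing. Checking the fingerprint after the fetch is what protects against a keyserver returning an extra or substituted key for the same user id.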

Delete key failed. gpg: WARNING: unsafe ownership on homedir `/xxx/xxx_Import_tools/Keys'

The former xxx.BrokerImport key has expired, and I generated a new key with the same name 'xxx.Import' and imported it into the remote server. But I can't delete the former one. They have the same name; when I use 'xxx.Import' to encrypt, it fails, and I guess it used the former one, not the newly imported one.
I want to delete the expired key on the remote server.
Using the root user to execute commands:
[root@ip-xxx xxx_ansible]# gpg --delete-key B7C1CB35
But I get the following error:
gpg: WARNING: unsafe ownership on homedir `/XXX/XXX_Import_tools/Keys'
I used the root user to execute this; no idea why I don't have permission.
And I tried:
[root@ip-xxx xxx_ansible]# sudo gpg --delete-key B7C1CB35
then got another error:
gpg: key "B7C1CB35" not found: Unknown system error
gpg: B7C1CB35: delete key failed: Unknown system error
However, the public key exists.
[root@ip-xxx xxx_ansible]# gpg --list-keys
gpg: WARNING: unsafe ownership on homedir `/xxx/xxx_Import_tools/Keys'
/xxx/xxx_Import_tools/Keys/pubring.gpg
------------------------------------------------
pub 2048R/B7C1CB35 2016-05-12 [expired: 2018-04-24]
uid xxx.Import <xxx@xxx.com>
pub 2048R/B75F015E 2018-07-23
uid xxx.Import <xxx@xxx.com>
sub 2048R/65AED995 2018-07-23
Does anyone have an idea about this? Hope to get your help.
Since I have resolved this issue, I'd like to share my solution.
I wanted to delete the key with the command directly, but due to the permission denial, I deleted pubring.gpg / secring.gpg / trustdb.gpg on the remote server. After the next deployment, these keys will be imported by the ansible script, and these files will be regenerated.
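The "unsafe ownership on homedir" warning is gpg telling you that the directory it was pointed at is not owned by the user running it; the script below is an added example, not code from the original question or answer, that reproduces that check (and the companion permissions check) so the cause is visible before any key is touched, repairs ownership and mode rather than deleting the keyring files, and then runs the delete with an explicit --homedir so the result does not depend on which $HOME sudo leaves in place. It assumes POSIX find/id/chown; the directory and user are whatever the caller passes, and B7C1CB35 in the usage note is the key id from the question.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Reproduces the checks behind gpg's "unsafe ownership on homedir" and
# "unsafe permissions on homedir" warnings so the cause can be seen before any
# key is touched, and repairs ownership/mode instead of deleting the keyring files.
# Assumptions: POSIX find/id/chown; the directory path and user are whatever the
# caller passes.
set -eu

# homedir_problems DIR: prints one line per problem found, returns 0 if none.
#   missing            DIR does not exist
#   not-owner          DIR is owned by another user (the warning in the question)
#   group-or-world-rw  DIR is readable or writable by group/others; gpg expects 0700
homedir_problems() {
    dir=$1 rc=0
    if [ ! -d "$dir" ]; then echo missing; return 1; fi
    me=$(id -u)
    # -prune keeps find on the directory itself; -user accepts a numeric uid
    if [ -z "$(find "$dir" -prune -user "$me" -print)" ]; then
        echo not-owner; rc=1
    fi
    if [ -n "$(find "$dir" -prune \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) -print)" ]; then
        echo group-or-world-rw; rc=1
    fi
    return $rc
}

# fix_homedir DIR UID: give the homedir and its files the ownership and modes gpg wants.
fix_homedir() {
    chown -R "$2" "$1"
    chmod 700 "$1"
    find "$1" -type f -exec chmod 600 {} +
}

# delete_key DIR KEYID: delete only after the checks pass, naming the homedir
# explicitly so the result does not depend on $HOME or GNUPGHOME under sudo.
delete_key() {
    homedir_problems "$1" || { echo "fix $1 first (see above)" >&2; return 1; }
    gpg --homedir "$1" --batch --yes --delete-key "$2"
}

case ${1:-} in
    check)  homedir_problems "$2" ;;
    fix)    fix_homedir "$2" "$(id -u)" ;;
    delete) delete_key "$2" "$3" ;;
esac
```

Usage (script name hypothetical): `sh gpg-homedir.sh check /xxx/xxx_Import_tools/Keys` shows which of the two conditions gpg is warning about; `fix` makes the directory owned by the invoking user with mode 0700; `delete /xxx/xxx_Import_tools/Keys B7C1CB35` then removes the expired key from that keyring without discarding the other keys in it.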