Bug 32177

Summary: urpmi cannot handle subkeys of a signing key?
Product: Mageia Reporter: Martin Spiegel <mnspiegel>
Component: Release (media or process) Assignee: Thierry Vignaud <thierry.vignaud>
Status: NEW --- QA Contact:
Severity: normal    
Priority: Normal CC: anaselli, davidwhodgins, surfzoid, sysadmin-bugs
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: urpmi-8.131-1.mga9.src.rpm CVE:
Status comment:

Description Martin Spiegel 2023-08-16 12:01:12 CEST
Description of problem:
I have added 
https://dl.google.com/linux/chrome/rpm/stable/x86_64 
as a custom medium in mcc (configure media sources for install and update). I have also downloaded and installed the package signing key using
wget https://dl.google.com/linux/linux_signing_key.pub 
and as root 
rpm --import linux_signing_key.pub 
To make urpmi aware of the key(s) I've added them in mcc->configure media->manage keys and they are present in /etc/urpmi/urpmi.cfg. If I now try to install google-chrome (via command-line or GUI) urpmi complains about an invalid key:
urpmi google-chrome-stable

The following package has bad signature:
/var/cache/urpmi/rpms/google-chrome-stable-115.0.5790.170-1.x86_64.rpm: Invalid Key ID (OK (RSA/SHA512, Di 01 Aug 2023 20:23:56 CEST, Key ID 4eb27db2a3b88b8b))

However, if I check the package with:
rpm --verbose --checksig -v google-chrome-stable-115.0.5790.170-1.x86_64.rpm
everything is ok:
D: loading keyring from rpmdb
D: PRAGMA secure_delete = OFF: 0
D: PRAGMA case_sensitive_like = ON: 0
D:  read h#       1 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-80420f66-4d4fe123 to keyring
D:  read h#    2296 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-7fac5991-45f06f46 to keyring
D:  read h#    2297 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 0 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 1 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 2 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 3 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 4 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
google-chrome-stable-115.0.5790.170-1.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID a3b88b8b: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA512 Signature, key ID a3b88b8b: OK
    MD5 digest: OK
 
Version-Release number of selected component (if applicable):
urpmi 8.131

The google-chrome-stable package is signed with a subkey of the signing key. My guess is therefore that urpmi cannot handle the subkey correctly.

How reproducible:
Every time when installing or updating google-chrome-stable from https://dl.google.com/linux/chrome/rpm/stable/x86_64

Steps to Reproduce:
1. Add https://dl.google.com/linux/chrome/rpm/stable/x86_64 as custom medium
2. Import and install signing keys
3. Add the keys to /etc/urpmi/urpmi.cfg
4. Try to install google-chrome-stable via urpmi
Comment 1 Dave Hodgins 2023-08-16 17:29:52 CEST
Also discussed at https://bugs.chromium.org/p/chromium/issues/detail?id=1456806

Workaround is to skip signature verification during the package install ...

rpm -i --nosignature google-chrome-stable_current_x86_64.rpm

Source RPM: (none) => urpmi-8.131-1.mga9.src.rpm
Assignee: bugsquad => thierry.vignaud
CC: (none) => davidwhodgins

Comment 2 sturmvogel 2023-10-18 11:55:58 CEST
*** Bug 32405 has been marked as a duplicate of this bug. ***

CC: (none) => surfzoid

Comment 3 Eric Petit 2023-10-19 07:30:53 CEST
(In reply to Dave Hodgins from comment #1)
> Also discussed at
> https://bugs.chromium.org/p/chromium/issues/detail?id=1456806
> 
> Workaround is to skip signature verification during the package install ...
> 
> rpm -i --nosignature google-chrome-stable_current_x86_64.rpm

No, most users use the graphical interface, not the terminal.
Angelo Naselli 2023-12-21 19:53:48 CET

CC: (none) => anaselli

Comment 4 Angelo Naselli 2023-12-21 20:39:58 CET
According to:
gpg2 --keyid-format=long --list-options show-unusable-subkeys --list-keys d38b4796
pub   rsa4096/7721F63BD38B4796 2016-04-12 [SC]
      EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
uid                 [ sconosciuto] Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub   rsa4096/1397BC53640DB551 2016-04-12 [S] [scaduto: 2019-04-12]
sub   rsa4096/6494C6D6997C215E 2017-01-24 [S] [scaduto: 2020-01-24]
sub   rsa4096/78BD65473CB3BD13 2019-07-22 [S] [scaduto: 2022-07-21]
sub   rsa4096/4EB27DB2A3B88B8B 2021-10-26 [S] [scadenza: 2024-10-25]
sub   rsa4096/E88979FB9B30ACF2 2023-02-15 [S] [scadenza: 2026-02-14]

If you add subkeys a3b88b8b and 9b30acf2 to /etc/urpmi/urpmi.cfg it should work, at least until they expire or Google revokes them.

At the moment I have a patch that we are testing that uses rpmkeys as dnf does.

An alternative way could be extracting those keys in the repository key management and adding them to urpmi.cfg.
Comment 5 Eric Petit 2023-12-21 20:58:45 CET
(In reply to Angelo Naselli from comment #4)
> According to:
> gpg2 --keyid-format=long --list-options show-unusable-subkeys --list-keys
> d38b4796
> pub   rsa4096/7721F63BD38B4796 2016-04-12 [SC]
>       EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
> uid                 [ sconosciuto] Google Inc. (Linux Packages Signing
> Authority) <linux-packages-keymaster@google.com>
> sub   rsa4096/1397BC53640DB551 2016-04-12 [S] [scaduto: 2019-04-12]
> sub   rsa4096/6494C6D6997C215E 2017-01-24 [S] [scaduto: 2020-01-24]
> sub   rsa4096/78BD65473CB3BD13 2019-07-22 [S] [scaduto: 2022-07-21]
> sub   rsa4096/4EB27DB2A3B88B8B 2021-10-26 [S] [scadenza: 2024-10-25]
> sub   rsa4096/E88979FB9B30ACF2 2023-02-15 [S] [scadenza: 2026-02-14]
> 
> if you add to /etc/urpmi/urpmi.cfg subkeys a3b88b8b and 9b30acf2 should work
> at least until they expire or google revoke them.
> 
> At the moment i have a patch that we are testing that uses rpmkeys as dnf
> does.
> 
> An alternative way could be extracting those keys in the repository key
> management and add them to urpmi.cfg.

Do you mean:

Google\ Miroir\ 64bit http://dl.google.com/linux/rpm/stable/x86_64 {
  key-ids: d38b4796
  subkeys: a3b88b8b
Comment 6 Angelo Naselli 2023-12-21 22:26:01 CET
I don't think subkeys is managed, I meant something like this:

google-chrome http://dl.google.com/linux/chrome/rpm/stable/x86_64 {
  key-ids: 7fac5991,d38b4796,a3b88b8b,9b30acf2
  update
}
Comment 7 Martin Spiegel 2023-12-22 12:45:06 CET
(In reply to Angelo Naselli from comment #6)
> I don't think subkyes is managed, I meant something like this:
> 
> google-chrome http://dl.google.com/linux/chrome/rpm/stable/x86_64 {
>   key-ids: 7fac5991,d38b4796,a3b88b8b,9b30acf2
>   update
> }

Yes, a slightly different entry in urpmi.cfg works for me:

Google\ Chrome http://dl.google.com/linux/chrome/rpm/stable/x86_64 {
  key-ids: 7fac5991,d38b4796,a3b88b8b,9b30acf2
  update
}

No more complaints about bad package signatures when updating Google Chrome :-)
Thank you for the workaround.

Funnily, if I now check the installed keys for the installation medium "Google Chrome" in mcc->configure media->manage keys, I see a (wrong) warning that the subkeys I've added in urpmi.cfg do not exist in the rpm keyring...
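One way to derive the key-ids line that comments 4 and 7 arrive at by hand, as an added Python example that is not part of urpmi or of this bug report: it parses the gpg listing quoted in comment 4 (embedded below as constructed sample text), keeps the primary key plus the signing subkeys that have not expired, renders the urpmi.cfg stanza in the shape from comment 7, and checks whether the Key ID urpmi printed in the original error would now be matched. The key-id matching rule and the stanza syntax come from this thread; the older 7fac5991 key in comment 7 is a separate key not present in the listing, so it is not produced here.

```python
import re

# Constructed sample: the long-format gpg listing quoted in comment 4
# (Italian locale: "scaduto" = expired, "scadenza" = expires on).
GPG_LISTING = """\
pub   rsa4096/7721F63BD38B4796 2016-04-12 [SC]
      EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
uid                 [ sconosciuto] Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub   rsa4096/1397BC53640DB551 2016-04-12 [S] [scaduto: 2019-04-12]
sub   rsa4096/6494C6D6997C215E 2017-01-24 [S] [scaduto: 2020-01-24]
sub   rsa4096/78BD65473CB3BD13 2019-07-22 [S] [scaduto: 2022-07-21]
sub   rsa4096/4EB27DB2A3B88B8B 2021-10-26 [S] [scadenza: 2024-10-25]
sub   rsa4096/E88979FB9B30ACF2 2023-02-15 [S] [scadenza: 2026-02-14]
"""

# pub/sub line: algo/LONGID, creation date, [capabilities], optional [word: YYYY-MM-DD].
# The expiry word is locale dependent, so only the date after it is used.
KEY_RE = re.compile(
    r"^(pub|sub)\s+\S+/([0-9A-F]{16})\s+\S+\s+\[([A-Z]*)\]"
    r"(?:\s+\[\w+:\s*(\d{4}-\d{2}-\d{2})\])?", re.I)

def usable_key_ids(listing, today):
    """Short (last 8 hex digits, lower-case) IDs of the primary key plus every
    signing-capable ('S') subkey whose expiry is after `today` (ISO date string).
    A package signed by a subkey carries the subkey's ID, so it must be listed."""
    ids = []
    for line in listing.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        kind, long_id, caps, expiry = m.groups()
        if kind.lower() == "sub":
            if "S" not in caps.upper():
                continue  # encryption/authentication-only subkey
            if expiry and expiry <= today:
                continue  # expired subkey: keep it out of the accepted set
        ids.append(long_id[-8:].lower())
    return ids

def urpmi_medium(name, url, key_ids):
    """Render a urpmi.cfg medium stanza in the shape used in comment 7."""
    return "\n".join([f"{name} {url} {{", "  key-ids: " + ",".join(key_ids), "  update", "}"])

def signature_key_accepted(urpmi_message, key_ids):
    """True if the 16-digit Key ID in a urpmi signature message maps to a configured key-id."""
    m = re.search(r"Key ID ([0-9a-f]{16})", urpmi_message, re.I)
    return bool(m) and m.group(1)[-8:].lower() in key_ids
```

Re-run with the current date to drop subkeys that have expired since the thread was written; an expired or revoked subkey left in key-ids is accepted by this matching, so the list needs refreshing when the vendor rotates keys.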