Bug 32177 - urpmi cannot handle subkeys of a signing key?
Summary: urpmi cannot handle subkeys of a signing key?
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Release (media or process)
Version: Cauldron
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: Thierry Vignaud
QA Contact:
URL:
Whiteboard:
Keywords:
Duplicates: 32405
Depends on:
Blocks:
 
Reported: 2023-08-16 12:01 CEST by Martin Spiegel
Modified: 2023-12-22 12:45 CET
CC List: 4 users

See Also:
Source RPM: urpmi-8.131-1.mga9.src.rpm
CVE:
Status comment:



Description Martin Spiegel 2023-08-16 12:01:12 CEST
Description of problem:
I have added 
https://dl.google.com/linux/chrome/rpm/stable/x86_64 
as a custom medium in mcc (configure media sources for install and update). I have also downloaded and installed the package signing key using
wget https://dl.google.com/linux/linux_signing_key.pub 
and as root 
rpm --import linux_signing_key.pub 
To make urpmi aware of the key(s) I've added them in mcc->configure media->manage keys and they are present in /etc/urpmi/urpmi.cfg. If I now try to install google-chrome (via command-line or GUI) urpmi complains about an invalid key:
urpmi google-chrome-stable

The following package has bad signature:
/var/cache/urpmi/rpms/google-chrome-stable-115.0.5790.170-1.x86_64.rpm: Invalid Key ID (OK (RSA/SHA512, Di 01 Aug 2023 20:23:56 CEST, Key ID 4eb27db2a3b88b8b))

However, if I check the package with:
rpm --verbose --checksig -v google-chrome-stable-115.0.5790.170-1.x86_64.rpm
everything is ok:
D: loading keyring from rpmdb
D: PRAGMA secure_delete = OFF: 0
D: PRAGMA case_sensitive_like = ON: 0
D:  read h#       1 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-80420f66-4d4fe123 to keyring
D:  read h#    2296 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-7fac5991-45f06f46 to keyring
D:  read h#    2297 
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 0 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 1 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 2 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 3 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
D: added subkey 4 of main key gpg-pubkey-d38b4796-570c8cd3 to keyring
google-chrome-stable-115.0.5790.170-1.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID a3b88b8b: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA512 Signature, key ID a3b88b8b: OK
    MD5 digest: OK
 
Version-Release number of selected component (if applicable):
urpmi 8.131

The google-chrome-stable package is signed with a subkey of the signing key. My guess is therefore that urpmi cannot handle the subkey correctly.

How reproducible:
Every time when installing or updating google-chrome-stable from https://dl.google.com/linux/chrome/rpm/stable/x86_64

Steps to Reproduce:
1. Add https://dl.google.com/linux/chrome/rpm/stable/x86_64 as custom medium
2. Import and install signing keys
3. Add the keys to /etc/urpmi/urpmi.cfg
4. Try to install google-chrome-stable via urpmi
Comment 1 Dave Hodgins 2023-08-16 17:29:52 CEST
Also discussed at https://bugs.chromium.org/p/chromium/issues/detail?id=1456806

Workaround is to skip signature verification during the package install ...

rpm -i --nosignature google-chrome-stable_current_x86_64.rpm

Source RPM: (none) => urpmi-8.131-1.mga9.src.rpm
Assignee: bugsquad => thierry.vignaud
CC: (none) => davidwhodgins

Comment 2 sturmvogel 2023-10-18 11:55:58 CEST
*** Bug 32405 has been marked as a duplicate of this bug. ***

CC: (none) => surfzoid

Comment 3 Eric Petit 2023-10-19 07:30:53 CEST
(In reply to Dave Hodgins from comment #1)
> Also discussed at
> https://bugs.chromium.org/p/chromium/issues/detail?id=1456806
> 
> Workaround is to skip signature verification during the package install ...
> 
> rpm -i --nosignature google-chrome-stable_current_x86_64.rpm

No, most users use the graphical interface, not the terminal.
Angelo Naselli 2023-12-21 19:53:48 CET

CC: (none) => anaselli

Comment 4 Angelo Naselli 2023-12-21 20:39:58 CET
According to:
gpg2 --keyid-format=long --list-options show-unusable-subkeys --list-keys d38b4796
pub   rsa4096/7721F63BD38B4796 2016-04-12 [SC]
      EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
uid                 [ sconosciuto] Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub   rsa4096/1397BC53640DB551 2016-04-12 [S] [scaduto: 2019-04-12]
sub   rsa4096/6494C6D6997C215E 2017-01-24 [S] [scaduto: 2020-01-24]
sub   rsa4096/78BD65473CB3BD13 2019-07-22 [S] [scaduto: 2022-07-21]
sub   rsa4096/4EB27DB2A3B88B8B 2021-10-26 [S] [scadenza: 2024-10-25]
sub   rsa4096/E88979FB9B30ACF2 2023-02-15 [S] [scadenza: 2026-02-14]

If you add the subkeys a3b88b8b and 9b30acf2 to /etc/urpmi/urpmi.cfg, it should work at least until they expire or Google revokes them.

At the moment I have a patch that we are testing that uses rpmkeys as dnf does.

An alternative way could be extracting those keys in the repository key management and adding them to urpmi.cfg.
Comment 5 Eric Petit 2023-12-21 20:58:45 CET
(In reply to Angelo Naselli from comment #4)
> According to:
> gpg2 --keyid-format=long --list-options show-unusable-subkeys --list-keys
> d38b4796
> pub   rsa4096/7721F63BD38B4796 2016-04-12 [SC]
>       EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796
> uid                 [ sconosciuto] Google Inc. (Linux Packages Signing
> Authority) <linux-packages-keymaster@google.com>
> sub   rsa4096/1397BC53640DB551 2016-04-12 [S] [scaduto: 2019-04-12]
> sub   rsa4096/6494C6D6997C215E 2017-01-24 [S] [scaduto: 2020-01-24]
> sub   rsa4096/78BD65473CB3BD13 2019-07-22 [S] [scaduto: 2022-07-21]
> sub   rsa4096/4EB27DB2A3B88B8B 2021-10-26 [S] [scadenza: 2024-10-25]
> sub   rsa4096/E88979FB9B30ACF2 2023-02-15 [S] [scadenza: 2026-02-14]
> 
> if you add to /etc/urpmi/urpmi.cfg subkeys a3b88b8b and 9b30acf2 should work
> at least until they expire or google revoke them.
> 
> At the moment i have a patch that we are testing that uses rpmkeys as dnf
> does.
> 
> An alternative way could be extracting those keys in the repository key
> management and add them to urpmi.cfg.

Do you mean:

Google\ Miroir\ 64bit http://dl.google.com/linux/rpm/stable/x86_64 {
  key-ids: d38b4796
  subkeys: a3b88b8b
Comment 6 Angelo Naselli 2023-12-21 22:26:01 CET
I don't think subkeys is managed, I meant something like this:

google-chrome http://dl.google.com/linux/chrome/rpm/stable/x86_64 {
  key-ids: 7fac5991,d38b4796,a3b88b8b,9b30acf2
  update
}
Comment 7 Martin Spiegel 2023-12-22 12:45:06 CET
(In reply to Angelo Naselli from comment #6)
> I don't think subkeys is managed, I meant something like this:
> 
> google-chrome http://dl.google.com/linux/chrome/rpm/stable/x86_64 {
>   key-ids: 7fac5991,d38b4796,a3b88b8b,9b30acf2
>   update
> }

Yes, a slightly different entry in urpmi.cfg works for me:

Google\ Chrome http://dl.google.com/linux/chrome/rpm/stable/x86_64 {
  key-ids: 7fac5991,d38b4796,a3b88b8b,9b30acf2
  update
}

No more complaints about bad package signatures when updating Google Chrome :-)
Thank you for the workaround.

Funnily enough, if I check now the installed keys for the installation medium "Google Chrome" in mcc->configure media->manage keys I see a (wrong) warning for the subkeys I've added in urpmi.cfg that they do not exist in the rpm keyring...

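An added check, not urpmi's code and not from this thread, that models the mismatch the thread describes: rpm accepts the signature because it knows the subkey, while urpmi only accepts the short key ids listed in the medium's key-ids line. It parses constructed samples of the gpg listing, the urpmi.cfg block and urpmi's error message, then reports whether the signing (sub)key is listed and still unexpired; the sample data is modelled on comments 0, 4 and 7 but is not captured output.

```python
import re
from datetime import date
# Constructed sample inputs, modelled on the thread (not captured from a real system)
GPG_LISTING = """\
pub   rsa4096/7721F63BD38B4796 2016-04-12 [SC]
sub   rsa4096/1397BC53640DB551 2016-04-12 [S] [expired: 2019-04-12]
sub   rsa4096/4EB27DB2A3B88B8B 2021-10-26 [S] [expires: 2024-10-25]
sub   rsa4096/E88979FB9B30ACF2 2023-02-15 [S] [expires: 2026-02-14]
"""
URPMI_CFG = """\
Google\\ Chrome http://dl.google.com/linux/chrome/rpm/stable/x86_64 {
  key-ids: 7fac5991,d38b4796,a3b88b8b,9b30acf2
  update
}
"""
URPMI_MSG = "Invalid Key ID (OK (RSA/SHA512, Di 01 Aug 2023 20:23:56 CEST, Key ID 4eb27db2a3b88b8b))"
KEY_RE = re.compile(r"^(pub|sub)\s+\S+/([0-9A-Fa-f]{16})")
DATE_RE = re.compile(r"\[[^\[\]]*: (\d{4}-\d{2}-\d{2})\]")  # "[label: YYYY-MM-DD]"; label may be localised

def parse_gpg_listing(text):
    """Map each long key id (lower-case) to (is_primary, expiry date or None)."""
    keys = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            d = DATE_RE.search(line)
            keys[m.group(2).lower()] = (m.group(1) == "pub", date.fromisoformat(d.group(1)) if d else None)
    return keys

def medium_key_ids(cfg, medium):
    """Short (8 hex) ids on the key-ids line of one medium block; medium is spelled as in urpmi.cfg."""
    block = re.search(re.escape(medium) + r"\s+\S+\s*\{(.*?)\}", cfg, re.S)
    m = re.search(r"key-ids:\s*([0-9a-fA-F, ]+)", block.group(1)) if block else None
    return {k.strip().lower() for k in m.group(1).split(",") if k.strip()} if m else set()

def signing_key_id(msg):
    """Key id that rpm/urpmi reports for the package signature (lower-case hex)."""
    m = re.search(r"Key ID ([0-9a-fA-F]{8,16})", msg)
    return m.group(1).lower() if m else None

def check_signing_key(keyring, key_ids, key_id, today):
    """Why urpmi accepts or rejects a signature by key_id on ISO date today: it matches short ids only."""
    short = key_id[-8:]
    if short not in key_ids:
        return "not-listed"      # urpmi says 'Invalid Key ID' although rpm --checksig is OK
    match = [k for k in keyring if k.endswith(short)]
    if not match:
        return "unknown-to-gpg"  # listed in urpmi.cfg, but no such key in the gpg listing
    is_primary, expiry = keyring[match[0]]
    if expiry and expiry < date.fromisoformat(today):
        return "expired"         # listing it no longer helps; replace it with the successor subkey
    return "ok-primary" if is_primary else "ok-subkey"
```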