Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 2141686

Summary: RPM Sequoia crypto breaks Copr
Product: [Fedora] Fedora Reporter: Miro Hrončok <mhroncok>
Component: rpmAssignee: Packaging Maintenance Team <packaging-team-maint>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dkg, fweimer, igor.raits, ksurma, mdomonko, neal, ngompa13, packaging-team-maint, pmatilai, pmoravco, praiskup, vmukhame, yaneti
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: rpm-4.18.0-7.fc38 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-24 09:19:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2130122    
Attachments:
Description Flags
An utility for grabbing signatures from packages none

Description Miro Hrončok 2022-11-10 13:32:18 UTC
Since rpm-4.18.0-5.fc38 Copr builds are unable to install packages built with Copr before the change. Not sure if they can install packages built after the change.

See for example https://copr.fedorainfracloud.org/coprs/ksurma/docutils-0.19/build/5030501/

We see:

Error: Transaction test error:
  package python3-pytest-7.1.3-1.fc38.noarch does not verify: Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)
  package python3-docutils-0.19-1.fc38.noarch does not verify: Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)


The packages can be found at https://download.copr.fedorainfracloud.org/results/ksurma/docutils-0.19/fedora-rawhide-x86_64/05025807-pytest/python3-pytest-7.1.3-1.fc38.noarch.rpm and https://download.copr.fedorainfracloud.org/results/ksurma/docutils-0.19/fedora-rawhide-x86_64/05025169-python-docutils/python3-docutils-0.19-1.fc38.noarch.rpm for now.

Panu said: "They are not the usual SHA1 case, both are RSA/SHA256 signed so this looks like an actual bug. Please report on bugzilla so it gets properly tracked and we have a place to direct people to."

This blocks a lot of our (Python-Maint) work, so setting high severity.

Comment 1 Panu Matilainen 2022-11-10 13:37:46 UTC
Based on a few more random samples, it would appear that everything signed by COPR is broken this way now.

Comment 2 Miro Hrončok 2022-11-10 13:40:54 UTC
OK. Packages built in Copr with rpm-4.18.0-5.fc38 still cannot be installed in Copr with rpm-4.18.0-5.fc38.

See https://copr.fedorainfracloud.org/coprs/churchyard/sequoia/builds/

Comment 3 Panu Matilainen 2022-11-10 13:44:41 UTC
I'd untag the rpm-4.18.0-5.fc38 build until we've had a chance to investigate, breaking all of COPR is a bit much.

Comment 4 Panu Matilainen 2022-11-10 13:49:56 UTC
That, as in "I would do so but apparently don't have the permissions to untag".

Comment 5 Yanko Kaneti 2022-11-10 14:06:37 UTC
rpm-4.18.0-5.fc38 also doesn't like the already installed rpmfusion packages here 
e.g. rfpkg-minimal 
Header RSA signature: BAD (header tag 268: invalid OpenPGP signature)

and last but not least google-chrome-stable rpm   from google is 
Header V4 DSA/SHA1 Signature, key ID 7fac5991: BAD

Comment 6 neal 2022-11-10 14:08:16 UTC
@pmatilai Thanks for cc'ing me.  I'm actively looking into this.

Comment 7 neal 2022-11-10 14:43:02 UTC
Here's what I'm seeing after adding a bit more instrumentation to rpm-sequoia (note `RPM_TRACE` is compiled in by default):

```
$ RPM_TRACE=1 ~/rpm/_build/rpmkeys -K /tmp/python3-pytest-7.1.3-1.fc38.noarch.rpm
...
_pgpPrtParams: entered
_pgpPrtParams: pkts: &[] <- 0xbcbe40
_pgpPrtParams: paramsp: &mut <- 0x7ffe50716760
_pgpPrtParams: Packet: PublicKey(V4(Key4 { fingerprint: Fingerprint("53DED2CB922D8B8D9E63FD18999F7CBF38AB71F4"), creation_time: 1612983048, pk_algo: RSAEncryptSign, mpis: RSA { e: 17 bits: 0100 01, n: 4096 bits: BE21 02AA A7F0 48D5 522F 451A 9C9D 1A00 C64C EC63 7A71 212D 4BF8 2E20 6968 C831 FD5E 0414 EABF D78A 778C 47B1 6F34 54BF ED97 CD56 6563 BFEC 95CA 9A01 CE0E 25EB BF81 E60C 83A8 E99D 61C5 E863 5511 7722 1E3E B0A1 D15C 2260 C1C7 499C C7EA 4CA9 C78B 2710 8207 83BA 1796 6DF8 D5D8 5826 BF1C B48E 1D0C E4F0 81E6 D68D CF8D 4B98 F39A 5109 A73D 7708 D390 A33F 99AC 2A34 4139 BC39 09DD A869 DEB4 A533 619C 1591 7F6F 3C4B C5B8 C07E 2334 848E 64B6 5339 FE87 5398 09C3 DC14 F516 686B 3F24 64F3 40AE 5263 66C3 7CDD 2D17 2C2C 696B A514 8187 733C 31CE 586B 5C58 6B37 6EF3 4095 362E 69CB A7A0 808E BD31 FF64 953B 9A06 996D B752 3D52 C325 D2C1 2915 601D B753 00AD 09F7 5DC5 1225 3DDC 6251 E5B7 FF5B 914C 37B0 D5EA 1B09 54C8 98FE 49C9 9A44 C513 DC21 0D28 C473 44C0 6214 2E0B 51E7 CEF3 0F18 9BE4 784C FD9D 1AA7 6B94 14BA 8ED5 E8B2 387D 9353 4A5A 85C8 88BF 39AD D9A2 588E C8EB 21C4 9994 DF2D 4768 D707 7AB3 B59C 56D3 B59E ECFD 3281 858F 6816 AE13 E202 55C8 55B2 DF7A 7F24 3C4E B655 63A4 7124 CF05 C674 F7BA 478C 4AF3 11CE 6C45 6B68 E319 31AC 1E20 8FAD 30E1 B055 BC59 BB69 0203 569F 94CF A87B 2535 171F 6AA8 CD3E 758C 873B E929 DCCE 54B5 F334 D3A4 5C35 C75F A06A C0E2 5EB3 F6C5 271C AB18 CCE2 CF46 F2A4 CF18 97DD 3F75 BC7B 5118 25E3 3CE8 0EB0 9273 8E41 6D13 56B9 A056 60DF D7C2 F7D1 D975 B5F4 AD4A 80B5 }, secret: None }))
_pgpPrtParams: PgpDigParams { obj, signid: buffer, userid: userid }: returning 0xb63c30
_pgpPrtParams: -> success
_pgpPrtParamsSubkeys: entered
_pgpPrtParamsSubkeys: pkts: &[] <- 0xbce250
_pgpPrtParamsSubkeys: subkeys: &mut <- 0x7ffe50716750
_pgpPrtParamsSubkeys: subkeys_count: &mut <- 0x7ffe5071674c
_pgpPrtParamsSubkeys: Got 0 subkeys
_pgpPrtParamsSubkeys: -> success
/tmp/python3-pytest-7.1.3-1.fc38.noarch.rpm:_pgpPrtParams: entered
_pgpPrtParams: pkts: &[] <- 0xbd2cb0
_pgpPrtParams: paramsp: &mut <- 0xbce7d8
_pgpPrtParams: Packet: Unknown(Unknown { common: Common { dummy: PhantomData }, tag: Signature, error: Malformed packet: unknown version, container: Container { unprocessed: " (0 bytes)", digest: "2D06800538D394C2" } })
_pgpPrtParams: -> error: Failure: Signature Packet
_pgpPrtParams: entered
_pgpPrtParams: pkts: &[] <- 0xbd2b28
_pgpPrtParams: paramsp: &mut <- 0xbcfb18
_pgpPrtParams: Packet: Unknown(Unknown { common: Common { dummy: PhantomData }, tag: Signature, error: Malformed packet: unknown version, container: Container { unprocessed: " (0 bytes)", digest: "2D06800538D394C2" } })
_pgpPrtParams: -> error: Failure: Signature Packet
...
...

So it seems that the certificate is parsed, but the signature is corrupted/unreadable/who knows ("unknown version").

(Still investigating...)

Comment 8 neal 2022-11-10 14:49:51 UTC
I extracted the signature and it looks like a version 3 sig.  Could that be?

```
$ sq packet dump /tmp/packets.pgp 
Unknown or Unsupported Packet, old CTB, 277 bytes
    Tag: Signature Packet
    Error: Malformed packet: unknown version
  
[neal@fedora-36 rpm-sequoia]$ sq packet dump --hex /tmp/packets.pgp 
Unknown or Unsupported Packet, old CTB, 3 header bytes + 277 bytes
    Tag: Signature Packet
    Error: Malformed packet: unknown version
  
    00000000  89                                                 CTB
    00000001     01 15                                           length
    00000003           03                                        version
    00000004              05 00 63 6a  70 3c 1f 96 2d 55 63 26       ..cjp<..-Uc&
    00000010  b3 35 01 08 ff 3d 07 ff  49 8d 98 e5 47 5c 7e 76   .5...=..I...G\~v
    00000020  70 3b 8f 3f 34 e4 d6 02  7c 93 0f 02 21 98 44 81   p;.?4...|...!.D.
    00000030  d9 f6 ec 47 d4 e5 cb 85  58 ab 81 b8 88 56 a3 4c   ...G....X....V.L
    00000040  fd fa 72 88 56 5d ef 97  5c 52 b3 a9 48 dc ee 16   ..r.V]..\R..H...
    00000050  a6 26 5a 4e eb dc 9e ea  cc 37 39 ed a6 e8 28 4c   .&ZN.....79...(L
    00000060  e1 5f 2d e5 9d fc 74 ac  3f 19 2f 38 47 51 04 62   ._-...t.?./8GQ.b
    00000070  4e ee b7 1b f7 09 9d 44  9d c2 56 f3 90 65 1d 84   N......D..V..e..
    00000080  5f b7 5b aa 37 67 c7 e3  3d d1 b6 eb 4e 4f 5b 41   _.[.7g..=...NO[A
    00000090  6c f4 d2 3f bd 92 4c ce  83 07 41 f8 73 54 8b 2e   l..?..L...A.sT..
    000000a0  46 2d a7 d4 cf 5f cb ac  3a 92 db 7a f7 30 12 c2   F-..._..:..z.0..
    000000b0  88 2d a9 5f 7a 81 40 10  72 57 dd 3a 61 aa eb 56   .-._z.@.rW.:a..V
    000000c0  9f 0c e6 bb cd 28 84 94  93 c2 cd a2 8d 4b 09 87   .....(.......K..
    000000d0  46 6e 61 4f 98 85 bc c6  c7 4b ca 8c b2 33 6d 30   FnaO.....K...3m0
    000000e0  57 9c 6b 7e ef 5e 0a bc  87 07 99 4a 89 51 b8 6f   W.k~.^.....J.Q.o
    000000f0  10 1e bd c6 bd 89 7f b6  06 2c dd d6 a3 ca 6d 3a   ........,....m:
    00000100  89 64 62 f7 be a5 0e 0d  25 c2 45 74 b3 26 35 88   .db.....%.Et.&5.
    00000110  1f 27 12 6b cd 51 88 f4                            .'.k.Q..
```

Comment 9 neal 2022-11-10 15:01:30 UTC
The package actually contains two signatures.  Here's the other one.  It's also v3.

```
$ sq packet dump --hex /tmp/packets-1.pgp 
Unknown or Unsupported Packet, old CTB, 3 header bytes + 277 bytes
    Tag: Signature Packet
    Error: Malformed packet: unknown version
  
    00000000  89                                                 CTB
    00000001     01 15                                           length
    00000003           03                                        version
    00000004              05 00 63 6a  70 3c 1f 96 2d 55 63 26       ..cjp<..-Uc&
    00000010  b3 35 01 08 73 1c 07 ff  68 42 ad 7e 62 6f fd d6   .5..s...hB.~bo..
    00000020  02 29 3d 78 c1 98 66 44  1b 62 00 69 22 59 15 f4   .)=x..fD.b.i"Y..
    00000030  e2 9e 4e 86 d6 bc ba 04  95 05 31 85 b2 f1 0b 03   ..N.......1.....
    00000040  67 31 66 56 07 fd 26 b1  6c da 40 a9 5e 9d 38 f7   g1fV..&.l.@.^.8.
    00000050  32 ac f0 86 e7 91 a9 6b  30 a0 3b 40 c4 e7 21 f2   2......k0.;@..!.
    00000060  a5 69 52 7a 7d 22 90 1f  8b c1 10 71 74 cc 30 93   .iRz}".....qt.0.
    00000070  16 c7 14 e6 61 33 af d8  ba 5a 0e 06 14 6c 55 b8   ....a3...Z...lU.
    00000080  86 5c 58 ad ef 71 ac 4a  b0 1f 4d d7 51 63 e1 2f   .\X..q.J..M.Qc./
    00000090  ff 02 08 f0 07 39 7b 19  95 13 70 16 4a d9 52 d0   .....9{...p.J.R.
    000000a0  ca 4b 0f f0 09 59 df e3  f0 d3 04 21 58 9f eb 9b   .K...Y.....!X...
    000000b0  ef dd 58 4e 66 84 71 c5  e2 21 66 91 cc 74 fc d3   ..XNf.q..!f..t..
    000000c0  e4 c2 71 63 99 0b 71 b5  62 68 b0 4f 88 23 bc d6   ..qc..q.bh.O.#..
    000000d0  bf 32 ed ba cc 4b ce 57  1d 72 fe b4 a6 e3 f1 28   .2...K.W.r.....(
    000000e0  43 82 ae 84 53 7a ad 46  b7 cf 8a 3b 3b fe 6e 5e   C...Sz.F...;;.n^
    000000f0  c3 93 fc aa 6b ee b8 ae  a7 a3 05 da 15 7c b3 ae   ....k........|..
    00000100  d0 51 ed 89 87 2d 36 b0  01 80 ff b8 93 09 0b e2   .Q...-6.........
    00000110  bd e6 4d ab 5b d0 73 89                            ..M.[.s.
```

Comment 10 neal 2022-11-10 15:18:38 UTC
FWIW, rpmkeys is also unhappy with the packages:

```
$ rpmkeys -K /tmp/python3-docutils-0.19-1.fc38.noarch.rpm 
/tmp/python3-docutils-0.19-1.fc38.noarch.rpm: digests SIGNATURES NOT OK
$ rpmkeys --version
RPM version 4.17.0
```

Comment 11 Panu Matilainen 2022-11-10 15:20:02 UTC
> I extracted the signature and it looks like a version 3 sig.  Could that be?

Righty... the internal parser supports V3 signatures, but not V3 keys. 

> The package actually contains two signatures.  Here's the other one.  It's also v3.

And yeah there can be two signatures, one on the header and one for header+payload, incidentally the latter is known in rpm as "rpm v3 signature" which can get confusing when talking about versions. But that's not the issue here of course.

What are COPR and rpmfusion using to sign packages? Rpm itself doesn't specify any particular version of signatures when calling gpg for signing, and even if it did, --force-v3-sigs option to gpg is long obsolete.

Comment 12 Pavel Raiskup 2022-11-10 15:26:04 UTC
FTR, what Copr does is:
https://pagure.io/copr/copr/blob/21c7baf7bd567fdb70d8bc42d2fe4c6a5b5aede6/f/backend/copr_backend/sign.py#_91

GPG keys for users are generated by:
https://pagure.io/copr/copr/blob/21c7baf7bd567fdb70d8bc42d2fe4c6a5b5aede6/f/keygen/src/copr_keygen/logic.py#_47

Copr keygen is a Fedora 35 machine, with pretty much a default configuration.

Comment 13 Pavel Raiskup 2022-11-10 15:31:32 UTC
Mistyped, sorry: GPG keys for users are generated by:
https://pagure.io/copr/copr/blob/21c7baf7bd567fdb70d8bc42d2fe4c6a5b5aede6/f/keygen/src/copr_keygen/logic.py#_122

Comment 14 Daniel Kahn Gillmor 2022-11-10 15:32:47 UTC
> and last but not least google-chrome-stable rpm   from google is 
> Header V4 DSA/SHA1 Signature, key ID 7fac5991: BAD

I'm also concerned by this.  Google's own OpenPGP certificate still has only SHA1 selfsigs:

```
$ sq keyserver get 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 | sq-keyring-linter 
Certificate A040830F7FAC5991 is not valid under the standard policy + SHA-1: No binding signature at time 2022-11-10T15:29:16Z
Examined 1 certificate.
  1 certificate is invalid and was not linted. (BAD)
$ 
```

I haven't sorted out how to extract the OpenPGP sig from chrome's RPM to inspect it further, but if it's also using SHA1, it is a *good* thing that the update is declining it.  It's 2022, new signatures made over SHA1 should definitely be rejected.

Comment 15 Daniel Kahn Gillmor 2022-11-10 15:34:01 UTC
(In reply to Pavel Raiskup from comment #13)
> Mistyped, sorry: GPG keys for users are generated by:
> https://pagure.io/copr/copr/blob/21c7baf7bd567fdb70d8bc42d2fe4c6a5b5aede6/f/
> keygen/src/copr_keygen/logic.py#_122

what seems like it really matters here is how the app's `GPG_BINARY` is configured:

https://pagure.io/copr/copr/blob/21c7baf7bd567fdb70d8bc42d2fe4c6a5b5aede6/f/keygen/src/copr_keygen/gpg.py

Comment 16 Panu Matilainen 2022-11-10 15:41:21 UTC
Okay, so Copr uses "sign", which is "Wrapper for /bin/sign from obs-sign package", which apparently comes from obs-signd package in Fedora. I didn't read+understand the code at this second but looking at https://github.com/openSUSE/obs-sign/blob/master/signd it talks about V3 quite a bit, including "--force-v3-sigs" to gpg. So that appears to be the thing creating V3 signatures. 

If rpmfusion uses the same, that explains a bit.

Comment 17 Panu Matilainen 2022-11-10 15:47:39 UTC
FWIW, I distinctively remember coming across this in rfc-4880 back in 2011 when I removed the support for v3 keys in rpm's parser and thinking whether v3 signatures should also be dropped or at least deprecated somehow:

   Implementations SHOULD accept V3 signatures.  Implementations SHOULD generate V4 signatures.

I haven't been looking, but that still stands in the official RFC, and even the draft-in-progress seems to only have deprecated V3 signature creation.

Comment 18 Pavel Raiskup 2022-11-10 15:54:16 UTC
Hm, so it seems like we should fix how we call the /bin/sign:
https://github.com/openSUSE/obs-sign/issues/40

Comment 19 Panu Matilainen 2022-11-10 15:59:40 UTC
Note that *RPM v3* and *OpenPGP v3* signatures are two entirely different entities and not to be confused (see comment #11). That obs-sign ticket is talking about *rpm* V4 signatures which are twenty years old by now.

Comment 20 Panu Matilainen 2022-11-10 16:12:18 UTC
Anyway, with the issue now identified: this is not an off-by-one someplace but lacking support for something that is in (unexpectedly) wide use. I'll revert the change now to limit the disruption while we figure what to do with this.

Comment 21 Panu Matilainen 2022-11-10 16:35:11 UTC
Ok, rpm-4.18.0-6.fc38 reverted back to the internal pgp parser just finished building so the world can continue to revolve while we consider the options.

Thanks Neal (and everybody) for the super-fast response on this.

Comment 22 Panu Matilainen 2022-11-11 08:13:56 UTC
Created attachment 1923736 [details]
An utility for grabbing signatures from packages

Attached is a simple utility for extracting binary format rpm signatures out of package files and the rpmdb. Eg

[pmatilai🎩︎localhost ~]$ ./grabsig.py /tmp/google-chrome-stable-107.0.5304.110-1.x86_64.rpm 
extracted /tmp/google-chrome-stable-107.0.5304.110-1.x86_64.rpm.dsaheader
extracted /tmp/google-chrome-stable-107.0.5304.110-1.x86_64.rpm.siggpg
[pmatilai🎩︎localhost ~]$ ./grabsig.py libde265
extracted libde265-1.0.9-1.fc36.x86_64.rsaheader
extracted libde265-1.0.9-1.fc36.x86_64.sigpgp

Best enjoyed with a tool capable of dumping the contents, such as 'gpg --list-packets', 'pgpdump' or 'sq packet dump' (but sq fails here because it doesn't support V3 signatures, which is why we have this bug), eg

[pmatilai🎩︎localhost ~]$ gpg --list-packets /tmp/google-chrome-stable-107.0.5304.110-1.x86_64.rpm.dsaheader
# off=0 ctb=88 tag=2 hlen=2 plen=70
:signature packet: algo 17, keyid A040830F7FAC5991
	version 4, created 1667878963, md5len 0, sigclass 0x00
	digest algo 2, begin of digest 4b b4
	hashed subpkt 2 len 4 (sig created 2022-11-08)
	subpkt 16 len 8 (issuer key ID A040830F7FAC5991)
	data: [159 bits]
	data: [159 bits]

Comment 23 Panu Matilainen 2022-11-11 08:30:18 UTC
So, basically everything signed by obs-signd is affected as it defaults to OpenPGP v3 signatures. And that being used by OBS and multiple other places for signing rpms, this affects at least
- opensuse (and so presumably their enterprise offerings too but can't verify that)
- copr
- rpmfusion

I don't know what RHEL is signed with, but packages in RHEL 7-9 (didn't bother with older) are signed using OpenPGP V3 signatures too. 

So there really is only one conclusion to make: this is a no-go until Sequoia adds support for verifying V3 signatures. Or the world catches up, which is going to be years before all relevant content signed with V3 has gone dropped out of relevance, even if everybody started just now.

FWIW, Fedora itself and also Mageia appear to have V4 signatures, at least as of current versions.

Comment 24 Daniel Kahn Gillmor 2022-11-11 15:43:47 UTC
I'm really glad that this was discovered, even if it represents a speedbump in the deployment of better OpenPGP tooling in the short term.

I just reported this to copr, asking them to move to something with more robust testing than obs-sign: https://pagure.io/copr/copr/issue/2360  fwiw, i believe newer versions of obs-sign should be making OpenPGP v4 signatures, so you might be seeing something running an older version of obs-sign, but i'd appreciate verification from folks who know OBS better than i do on that topic.

The upcoming cryptographic refresh of the OpenPGP standard explicitly says that clients MUST NOT generate v3 signatures but MAY verify them.  However, v3 signatures contain significantly less context than v4 signatures.  For example, the data signed by a v3 signature does not include the version number, the choices of hash and asymmetric algorithm involved, or any additional metadata that it is possible to embed in a v4 signature.  The only two pieces of metadata actually covered by a v3 signature are the sigtype (one octet) and a four-byte timestamp (unsigned seconds since the unix epoch).

If we've learned anything from cryptographic signing protocols over the last several decades, it's that one of the risks of signatures is that they can be interpreted out of context.  the simple and obvious fix for this is to ensure that the relevant pieces of context are included in the signed data in an unambiguous way.  v3 signatures cannot do that.

I strongly recommend rpm producing a warning when it encounters a v3 signature, so that we can flush out any remaining legacy signers.

Comment 25 Daniel Kahn Gillmor 2022-11-11 16:46:30 UTC
(In reply to Panu Matilainen from comment #22)
> Created attachment 1923736 [details]
> An utility for grabbing signatures from packages
> 
> Attached is a simple utility for extracting binary format rpm signatures out
> of package files and the rpmdb. Eg

thank you for this!  this is a super useful utility.  it would be great to see it exposed directly in the 

> [pmatilai🎩︎localhost ~]$ gpg --list-packets /tmp/google-chrome-stable-107.0.5304.110-1.x86_64.rpm.dsaheader
> # off=0 ctb=88 tag=2 hlen=2 plen=70
> :signature packet: algo 17, keyid A040830F7FAC5991
> 	version 4, created 1667878963, md5len 0, sigclass 0x00
> 	digest algo 2, begin of digest 4b b4
> 	hashed subpkt 2 len 4 (sig created 2022-11-08)
> 	subpkt 16 len 8 (issuer key ID A040830F7FAC5991)
> 	data: [159 bits]
> 	data: [159 bits]

this is an OpenPGPv4 signature, but it is problematic for two different reasons.  I'm glad we're looking at this, because these embedded signatures have been explicitly deprecated for a long time.  These are both 1024-bit DSA signatures, using SHA1 as the digest function.  They were made in 2022-11-08.

I won't rehearse the full history of deprecation of these primitives here, but as one datapoint:

Back in 2015 (7 years ago!) NIST explicitly deprecated DSA keys less than 2048 bits in table 2 of SP 800-131Ar1: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf  .  The same document deprecates SHA-1 as well (see table 9).   So for the last seven years (if not longer) they have been explicitly marked as "disallowed" for digital signature generation, and "legacy use only" for digital signature validation.

It is really not good for rpm that it accepts such a signature without a warning.  And it's a particularly bad look for Google to be distributing Chrome for GNU/Linux under such a signature in 2022 especially since Google led the way on SHA-1 deprecation for digital signatures in other contexts (https://words.filippo.io/the-unofficial-chrome-sha1-faq/).

Comment 26 Neal Gompa 2022-11-11 19:39:49 UTC
It doesn't matter, because OpenPGP v3 signatures will remain in use by the world over for a very long time. If Sequoia isn't going to support it, then we can't use it. No ifs, ands, or buts about it.

obs-signd is probably the only actively maintained signing service that supports a variety of inputs and outputs. Even Fedora's own sigul is basically not maintained. You need to make a case to the OBS people to break backwards compatibility by default.

It is not our responsibility when Sequoia is broken, that's the point of having the separated backend.

Comment 27 neal 2022-11-11 19:53:51 UTC
Hi all,

Thanks everyone for the quick help and the constructive feedback!  The [MR to add support for verifying v3 signatures](https://gitlab.com/sequoia-pgp/sequoia/-/merge_requests/1377) is done.  Next week we'll do a release.

> (In reply to Neal Gompa from comment #26)
> It is not our responsibility when Sequoia is broken, that's the point of
> having the separated backend.

I'm sorry it seemed like we were unresponsive.  Next time, I'll try harder to respond more quickly.

Comment 28 Neal Gompa 2022-11-12 13:45:49 UTC
(In reply to neal from comment #27)
> Hi all,
> 
> Thanks everyone for the quick help and the constructive feedback!  The [MR
> to add support for verifying v3
> signatures](https://gitlab.com/sequoia-pgp/sequoia/-/merge_requests/1377) is
> done.  Next week we'll do a release.
> 

Thanks for resolving this! :)

> > (In reply to Neal Gompa from comment #26)
> > It is not our responsibility when Sequoia is broken, that's the point of
> > having the separated backend.
> 
> I'm sorry it seemed like we were unresponsive.  Next time, I'll try harder
> to respond more quickly.

My problem wasn't the responsiveness, it was the attitude of the response. Comment 24 and Comment 25 basically implied that we're all doing it wrong and it's our fault. That is not an appropriate response. Moreover, from an RPM point of view, we can't be telling people that stuff they have can't be used anymore unless a gun is pointed to our heads to say that (e.g. FIPS policy modes breaking most of the world due to SHA-1 removal).

The OpenPGP RFCs do not outright say that OpenPGP v3 signatures are deprecated and should not be used. Opinions of the Sequoia PGP project members notwithstanding, a compliant OpenPGP implementation should handle them.

obs-sign and other solutions sill use v3 signatures by default because they support building for targets as old as SUSE Linux Enterprise 10 and Red Hat Enterprise Linux 5 today. GPG shipped then used OpenPGP v3 keys/signatures, not v4 ones.

Comment 29 Panu Matilainen 2022-11-14 08:32:51 UTC
(In reply to Neal Gompa from comment #26)
> obs-signd is probably the only actively maintained signing service that
> supports a variety of inputs and outputs. Even Fedora's own sigul is
> basically not maintained. You need to make a case to the OBS people to break
> backwards compatibility by default.
[...]
> obs-sign and other solutions sill use v3 signatures by default because they support building for targets as old as SUSE Linux Enterprise 10 and Red Hat Enterprise Linux 5 today. GPG shipped then used OpenPGP v3 keys/signatures, not v4 ones.

Sorry but that's just bulls***. Even rpm 4.4 supports OpenPGP v4 signatures, there really is no excuse for anything to use v3 these days, everything that does not support it went EOL something like a decade ago.

And mind you, that's not a criticism to obs-signd in particular, RHEL is equally guilty here. 

> 
> It is not our responsibility when Sequoia is broken, that's the point of
> having the separated backend.

Cut it, right now. We're in this together regardless of whose code it is.

> My problem wasn't the responsiveness, it was the attitude of the response. Comment 24 and Comment 25 basically implied that we're all doing it wrong and it's our fault.

They don't read anything like that to me. There are facts and some recommendations, and it IS us the rpm-ecosystem who has been sleeping here. The good news is that V3 doesn't appear to be heartbleed critically flawed, just that V4 is better and everybody should be using that instead. This actually reminds me a lot about rpm v3 vs v4 transition, certain parties were extremely show in adopting v4 format, probably because they didn't see the flaws in v3 and the somewhat simpler format was just easier for them to support.

Neal Walfield who's the one actually developing rpm-sequoia has been *extremely* responsive, helpful and unopionated towards us throughout. 

This caught us all by surprise. It's just another piece of rusty but vitally important piping in the backyard that everybody had forgotten until it bust open. It's a good thing this was discovered, now lets just move on to fix this up on the various fronts instead of harping at each other.

Comment 30 Panu Matilainen 2022-11-23 09:31:18 UTC
Status update across the board:

- support for v3 signature verification in Sequoia merged upstream: https://gitlab.com/sequoia-pgp/sequoia/-/merge_requests/1377 and supported in >= 1.11.0 (https://bugzilla.redhat.com/show_bug.cgi?id=2143959)
- rpmfusion has switched to v4 signatures going forward: https://bugzilla.rpmfusion.org/show_bug.cgi?id=6496
- PR to switch COPR to v4 signatures submitted: https://github.com/fedora-copr/copr/pull/2379
- request to have obs-signd create v4 signatures by default submitted: https://github.com/openSUSE/obs-sign/issues/43
- upgrading RHEL signing to v4 raised internally

A couple of interesting bits found during investigating all this:

GnuPG only started creating v4 signatures by default as late as 1.4.8 released in December 2007, and for example RHEL 5 released earlier that year carried 1.4.5 through its lifetime all the way up to 2017 (and 2020 with extended life support). I didn't check, but I'd assume other enterprise distros to be in similar position here. Signatures created on RHEL 6 and newer are v4 by default (both gpg --sign and rpmsign), so that's pretty old news too.

Fedora and EPEL appear to have switched to v4 signatures during 2020, but I haven't found any explicit mention of this. Which makes me suspect this was accidental from Sigil switching to use gnupg2 internally at that time, gnupg2 which has ignored --force-v3-sigs even if passed to it since 2014.

Comment 31 Panu Matilainen 2022-11-23 09:34:22 UTC
> accidental from Sigil switching

Err, that'd be Sigul. Sigil is an e-book editing application, most certainly unrelated :D

Comment 32 neal 2022-11-23 14:38:06 UTC
As panu noted, I released sequoia-openpgp 1.11.0 (https://lists.sequoia-pgp.org/hyperkitty/list/devel@lists.sequoia-pgp.org/thread/QYRV5LLHTSTBW57QEBNFAH5VHS3YMG5Q/).  It includes support for parsing and verifying v3 signatures.  By default, the standard policy rejects v3 signatures.

I released sequoia-config-policy 0.5.0 (https://gitlab.com/sequoia-pgp/sequoia-policy-config/-/tags/v0.5.0), which includes support for setting a policy for individual versions of a packet.  That is, it is now possible to set different policies for v3 signature packets and v4 signature packets in a policy configuration file.

I created an MR against fedora-crypto-policies (https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/124) to enable support for v3 signatures by default.  I'm not terribly happy about this MR, because it means that v3 signatures are also enabled for other Sequoia-using programs, which I don't think is desirable.

I released rpm-sequoia 1.2.0 (https://github.com/rpm-software-management/rpm-sequoia/releases/tag/v1.2.0).  It adds support for v3 signature packets.  After talking with panu, we agreed that rpm-sequoia would allow v3 signature packets by default, however, these can be overridden by the crypto policy file (https://github.com/rpm-software-management/rpm-sequoia/commit/85be6f00ec2f9a29bddb8342126b89a496356453#diff-b1a35a68f14e696205874893c07fd24fdb88882b47c23cc0e0c80a30c7d53759R165).  Once v4 signatures are ubiquitous, we'll change rpm-sequoia to not accept v3 signatures by default (https://github.com/rpm-software-management/rpm-sequoia/issues/26).

decathorpe, who has been doing most of the packaging work knows about these releases.  AFAIK, these packages don't depend on any new packages.  Thus, we should be able to try using rpm with sequoia again soon.

Comment 34 Panu Matilainen 2022-11-24 07:00:23 UTC
Awesome, thanks guys for all the extra work here! I'll swap rpm back to Sequoia today once I've managed to test this locally first.

Comment 35 Panu Matilainen 2022-11-24 07:38:15 UTC
Hmm, NOKEY return doesn't seem to work with V3 signatures. With eg https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/30/Everything/x86_64/os/Packages/3/389-admin-console-doc-1.1.12-8.fc30.noarch.rpm I'm getting:

[pmatilai🎩︎localhost _build]$ ./rpmkeys -Kv /tmp/389-admin-console-doc-1.1.12-8.fc30.noarch.rpm
/tmp/389-admin-console-doc-1.1.12-8.fc30.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID cfc659b9: BAD
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID cfc659b9: BAD
    MD5 digest: OK

...whereas with the internal parser the above BAD's are NOKEY. I'll file a ticket on rpm-sequoia upstream to further sort this out.

Comment 36 neal 2022-11-24 07:42:31 UTC
Hmm, I see NOKEY:

$ RPM_TRACE=0 ~/rpm-4.18/b/rpmkeys -Kv /tmp/389-admin-console-doc-1.1.12-8.fc30.noarch.rpm 
/tmp/389-admin-console-doc-1.1.12-8.fc30.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID cfc659b9: NOKEY
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID cfc659b9: NOKEY
    MD5 digest: OK
[neal@fedora-36 rpm-sequoia]$ git describe
v1.1.2-8-g2a0ad53
[neal@fedora-36 rpm-4.18]$ git describe
rpm-4.18.0-release

Can you rerun with RPM_TRACE=1 and send me the trace, please.

Comment 37 Panu Matilainen 2022-11-24 08:04:28 UTC
Oops, turns out I was testing with rpm-sequoia 1.1.2 from yesterday instead of 1.2.0 with the v3 support. With 1.2.0 it's fine.

Sorry for the false alarm! With that cleared, I'll go ahead and re-enable this now.

Comment 38 Panu Matilainen 2022-11-24 09:19:54 UTC
Okay, this all should be sorted now in rpm-sequoia >= 1.2.0 and re-enabled in rpm-4.18.0-7.fc38.

Thanks again for all the debugging, development + packaging work neal and decathorpe!

Comment 39 neal 2022-11-24 09:23:28 UTC
I couldn't have done it without the great collaboration!  Thank you!

Comment 40 Pavel Raiskup 2022-11-26 23:02:25 UTC
This seems like a problem:

[mockbuild@523e7003234241e0ae27a4da6ee0b6e7 copr-backend-git-0.c25b27a]$ rpm -qpi ./test-data-copr-backend-2/build_results/00848963-example/example-1.0.14-1.fc30.x86_64.rpm
error: ./test-data-copr-backend-2/build_results/00848963-example/example-1.0.14-1.fc30.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID ac058ff1: BAD
error: ./test-data-copr-backend-2/build_results/00848963-example/example-1.0.14-1.fc30.x86_64.rpm: not an rpm package (or package manifest)
[mockbuild@523e7003234241e0ae27a4da6ee0b6e7 copr-backend-git-0.c25b27a]$ rpm -q rpm rpm-sequoia
rpm-4.18.0-7.fc38.x86_64
rpm-sequoia-1.2.0-1.fc38.x86_64

The guilty RPM is here:
https://raw.githubusercontent.com/fedora-copr/test-data-copr-backend/main/build_results/00848963-example/example-1.0.14-1.fc30.x86_64.rpm

Comment 41 Pavel Raiskup 2022-11-26 23:04:12 UTC
Per Jakub's report (Copr testsuite failure): https://github.com/fedora-copr/copr/issues/2388

Comment 42 Panu Matilainen 2022-11-28 07:58:39 UTC
> example/example-1.0.14-1.fc30.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID ac058ff1: BAD
                                                          ^^^^
That's rawhide crypto policy, not rpm.

"update-crypto-policies --set DEFAULT:FEDORA32" to make it accessible, but you really shouldn't. There may also be a smaller hammer to achieve that, this isn't my home turf.

Comment 43 Pavel Raiskup 2022-11-29 07:48:55 UTC
That's right.  Thank you for the fast reply!

```
error: /tmp/example-1.0.14-1.fc30.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID ac058ff1: BAD
error: /tmp/example-1.0.14-1.fc30.x86_64.rpm: not an rpm package (or package manifest)
```

But note the unfortunate spelling ^^^.  That file still _is_ an RPM
package, so I'd expect that /bin/rpm parses the headers and dumps the
requested info out (including a verbose SHA1 error/warning, sure).

I can confirm that `rpm --nosignature -qpi <that rpm>` still works.

Comment 44 Pavel Raiskup 2022-11-29 07:57:23 UTC
Side note, Fedora Copr switched to OpenPGP v4 signatures yesterday.  As I
understand it, RPM stays compatible with OpenPGP v3 headers -> so we don't
plan to mass-resign our (rather large) RPM storage.

Thanks to all for your work on this!

Comment 45 Panu Matilainen 2022-11-29 08:33:46 UTC
(In reply to Pavel Raiskup from comment #43)
> ```
> error: /tmp/example-1.0.14-1.fc30.x86_64.rpm: Header V3 RSA/SHA1 Signature,
> key ID ac058ff1: BAD
> error: /tmp/example-1.0.14-1.fc30.x86_64.rpm: not an rpm package (or package
> manifest)
> ```
> 
> But note the unfortunate spelling ^^^.  That file still _is_ an RPM
> package, so I'd expect that /bin/rpm parses the headers and dumps the
> requested info out (including a verbose SHA1 error/warning, sure).

As a security measure, rpm does not parse headers with failing signatures (or digests for that matter). But yeah I'm sure the error message could be worded better to cover this particular case.

(In reply to Pavel Raiskup from comment #44)
> Side note, Fedora Copr switched to OpenPGP v4 signatures yesterday.  As I
> understand it, RPM stays compatible with OpenPGP v3 headers -> so we don't
> plan to mass-resign our (rather large) RPM storage.

Excellent news, thanks! The old packages will fall out of fashion over time, and we wont still be in this situation five years from now. This is the best we can ask for, the existing mass of packages out there is such that we can't expect it all to be mass-resigned.

Comment 46 Panu Matilainen 2023-08-17 10:30:16 UTC
(In reply to Panu Matilainen from comment #30)
> Status update across the board:
[...]
> - upgrading RHEL signing to v4 raised internally

It took us a while, but I'm happy to report that the RH signing server is producing V4 signatures now (since mid-June actually).