
Detached image signatures break import into machined

Open lnussel opened this issue 4 years ago • 6 comments

The change to have gpg signatures in separate .asc files rather than signing the sha256 file breaks machinectl pull-tar.

https://github.com/openSUSE/open-build-service/pull/9204
https://github.com/systemd/systemd/pull/5206

# machinectl pull-tar https://download.opensuse.org/tumbleweed/appliances/opensuse-tumbleweed-image.x86_64-1.0.0-networkd-Snapshot20201107.tar.xz
Enqueued transfer job 1. Press C-c to continue download in background.
Pulling 'https://download.opensuse.org/tumbleweed/appliances/opensuse-tumbleweed-image.x86_64-1.0.0-networkd-Snapshot20201107.tar.xz', saving as 'opensuse-tumbleweed-image.x86_64-1.0.0-networkd-Snapshot20201107'.
HTTP request to https://download.opensuse.org/tumbleweed/appliances/SHA256SUMS.gpg failed with code 404.
HTTP request to https://download.opensuse.org/tumbleweed/appliances/opensuse-tumbleweed-image.x86_64-1.0.0-networkd-Snapshot20201107.nspawn failed with code 404.
Settings file could not be retrieved, proceeding without.
Download of https://download.opensuse.org/tumbleweed/appliances/opensuse-tumbleweed-image.x86_64-1.0.0-networkd-Snapshot20201107.tar.xz.sha256 complete.
Downloading 35.3M for https://download.opensuse.org/tumbleweed/appliances/opensuse-tumbleweed-image.x86_64-1.0.0-networkd-Snapshot20201107.tar.xz.
Set up default quota hierarchy for /var/lib/machines/.#tarea79a177139861ad.
Got 1% of https://download.opensuse.org/tumbleweed/appliances/opensuse-tumbleweed-image.x86_64-1.0.0-networkd-Snapshot20201107.tar.xz.
Got 24% of https://download.opensuse.org/tumbleweed/appliances/opensuse-tumbleweed-image.x86_64-1.0.0-networkd-Snapshot20201107.tar.xz. 5s left at 5.3M/s.
Got 43% of https://download.opensuse.org/tumbleweed/appliances/opensuse-tumbleweed-image.x86_64-1.0.0-networkd-Snapshot20201107.tar.xz. 3s left at 5.9M/s.
Got 66% of https://download.opensuse.org/tumbleweed/appliances/opensuse-tumbleweed-image.x86_64-1.0.0-networkd-Snapshot20201107.tar.xz. 1s left at 6.5M/s.
Got 93% of https://download.opensuse.org/tumbleweed/appliances/opensuse-tumbleweed-image.x86_64-1.0.0-networkd-Snapshot20201107.tar.xz. 304ms left at 7.2M/s.
Download of https://download.opensuse.org/tumbleweed/appliances/opensuse-tumbleweed-image.x86_64-1.0.0-networkd-Snapshot20201107.tar.xz complete.
SHA256 checksum of https://download.opensuse.org/tumbleweed/appliances/opensuse-tumbleweed-image.x86_64-1.0.0-networkd-Snapshot20201107.tar.xz is valid.
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
gpg failed with error code 2.
DOWNLOAD INVALID: Signature verification failed.
Exiting.

The previous method has been built into systemd for three years already, so it works on 15.

lnussel, Nov 09 '20 13:11

CC @tblume

lnussel, Nov 09 '20 13:11

Seems like systemd needs to be patched to also support detached sigs.

mlschroe, Nov 09 '20 14:11

The point here is that we had the previous method for years and now it got changed, suddenly breaking the tool on stable distros. Upstream already indicated that they are not too happy to implement all kinds of random methods. Even if the new method was accepted there we'd have to backport it.

Btw, why not just sign the tarball directly instead of the checksum file?

lnussel, Nov 10 '20 09:11

Can we make this configurable so images for nspawn use a different method?

lnussel, Nov 16 '20 15:11

Would it be possible to have a SHA256SUMS file in the directory instead, signed with a detached signature? That's something systemd-sysupdate can also consume, so it would help with that too.

lnussel, Jul 19 '22 12:07

bs_publish already does something very similar: https://github.com/openSUSE/open-build-service/blob/5d47465dae894f2ef444c3000942f604c64b64a6/src/backend/bs_publish#L3061

Seems like a matter of a few lines of code to produce a SHA256SUMS file and sign it. Who do I need to bribe to implement it? :-)

lnussel, Aug 03 '22 11:08

CC @bluca

lnussel, Oct 06 '22 13:10

Ok, works ;-)

mlschroe, Apr 27 '23 08:04

systemd wants a .gpg file rather than .asc. Can we have that?

lnussel, May 04 '23 09:05

Would that be without the ascii armor?

mlschroe, May 05 '23 13:05

It calls gpg --no-options --no-default-keyring --no-auto-key-locate --no-auto-check-trustdb --batch --trust-model=always --homedir=... --keyring=.... --verify, so whatever that accepts. I think it can be either?

I think it would make sense to keep producing the .asc in armor format and a .gpg in binary format, that's the usual pattern IIRC?

bluca, May 05 '23 14:05
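
The armored-versus-binary question above comes down to encoding: a .asc detached signature is the same OpenPGP signature packet as a .gpg one, wrapped in base64 armor with a CRC-24 (RFC 4880, section 6). The following Python is an added example, not code from this thread, open-build-service or systemd; the function names are hypothetical and the sample bytes are constructed filler, not a real signature.

```python
import base64

BEGIN = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"
# Constructed sample, NOT a valid signature: old-format packet header for
# tag 2 (Signature) with a one-octet length of 16, then 16 filler bytes.
SAMPLE_BINARY_SIG = bytes([0x88, 0x10]) + bytes(range(16))

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(binary_sig: bytes) -> str:
    """Binary (.gpg style) signature -> ASCII-armored (.asc style) text."""
    body = base64.b64encode(binary_sig).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(binary_sig).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *lines, "=" + crc, END, ""])

def dearmor(text: str) -> bytes:
    """ASCII-armored (.asc style) text -> binary (.gpg style) signature."""
    lines = [line.strip() for line in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("not an armored detached signature")
    block = lines[lines.index(BEGIN) + 1:lines.index(END)]
    if "" not in block:
        raise ValueError("missing blank line after armor headers")
    # Armor headers such as "Comment:" end at the first blank line.
    body = [line for line in block[block.index("") + 1:] if line]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    if crc_line and base64.b64decode(crc_line[1:]) != crc24(data).to_bytes(3, "big"):
        raise ValueError("armor CRC-24 mismatch")
    return data

def is_binary_signature(data: bytes) -> bool:
    """True if the first OpenPGP packet header carries tag 2 (Signature)."""
    if not data or not data[0] & 0x80:
        return False  # armored text starts with '-', which has bit 7 clear
    first = data[0]
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return tag == 2
```

On a real signature file, `gpg --dearmor` performs the same .asc to binary conversion.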

Looking at https://cloud-images.ubuntu.com/mantic/current/ it's just what we have as .asc

lnussel, May 16 '23 09:05