Mailinglist Archive: opensuse-buildservice (138 mails)

< Previous Next >
Re: [opensuse-buildservice] v4 signs in obs-signd
On Tue, Feb 02, 2016 at 08:14:46PM +0100, Miroslav Suchy wrote:
Dne 2.2.2016 v 13:46 Michael Schroeder napsal(a):
What code is no more? gnupg-2.1.10 still has a write_signature_packets
function AFAICS.

It is there, but other functions which this one call and to which is
version of signature passed, are cut of. E.g. compare:

gnupg 2.0:
static void
hash_sigversion_to_magic (gcry_md_hd_t md, const PKT_signature *sig)
{
if (sig->version >= 4)
gcry_md_putc (md, sig->version);
gcry_md_putc (md, sig->sig_class);
if (sig->version < 4) {
u32 a = sig->timestamp;
gcry_md_putc (md, (a >> 24) & 0xff );
gcry_md_putc (md, (a >> 16) & 0xff );
gcry_md_putc (md, (a >> 8) & 0xff );
gcry_md_putc (md, a & 0xff );
}
...

gnupg 2.1:
static void
hash_sigversion_to_magic (gcry_md_hd_t md, const PKT_signature *sig)
{
byte buf[6];
size_t n;

gcry_md_putc (md, sig->version);
gcry_md_putc (md, sig->sig_class);
gcry_md_putc (md, sig->pubkey_algo);
gcry_md_putc (md, sig->digest_algo);
....

An if you grep the old code for 'sig->version < 4' then you will find
lots of part, which are there and which are missing in the new code.
Yes, I did not tested it, but IMHO the format is so different that it
cannot work when you just change the version number.

Well, hash_sigversion_to_magic mustn't get called for files_are_digest
anyway, as we already provide the "final" hash.

(And I wonder the upstream did the correct thing when they changed
hash_sigversion_to_magic. If you have a v3 pubkey, the code seems to
still set sig->version to 3, which will result in a broken signature.)

Cheers,
Michael.

--
Michael Schroeder mls@xxxxxxx
SUSE LINUX GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx

< Previous Next >