Problem verifying signature
Hi,

I'm working on a new version of tiff and have a problem with the signature. I have a signature in the download directory, and added the owner's GPG key as a source file in the spec. However, when checking in I get the error:

docb@X1E:~/buildservice/home:DocB:branches:network:telephony/tiff> osc ci
Default log message was not changed. Press 'c' to continue.
a)bort, c)ontinue, e)dit: c
- package has baselibs.conf: (unchanged)
gpg: Signatur vom Do 28 Mär 2024 20:57:55 CET
gpg:                mittels RSA-Schlüssel 7028E1E83B6BF652
gpg: Signatur kann nicht geprüft werden: Kein öffentlicher Schlüssel
ERROR: signature /home/docb/buildservice/home:DocB:branches:network:telephony/tiff/tiff-4.6.0t.tar.xz.sig does not validate
Aborting: service call failed: /usr/lib/obs/service/source_validator --outdir /home/docb/buildservice/home:DocB:branches:network:telephony/tiff/tmpzrbafk6b.source_validator.service
A service failed with error: 1

Any idea?

Thanks!
Axel
Quoting Axel Braun <docb@opensuse.org>:
Hi,
I'm working on a new version of tiff and have a problem with the signature. I have a signature in the download directory, and added the owner's GPG key as a source file in the spec. However, when checking in I get the error:
docb@X1E:~/buildservice/home:DocB:branches:network:telephony/tiff> osc ci
Default log message was not changed. Press 'c' to continue.
a)bort, c)ontinue, e)dit: c
- package has baselibs.conf: (unchanged)
gpg: Signatur vom Do 28 Mär 2024 20:57:55 CET
gpg:                mittels RSA-Schlüssel 7028E1E83B6BF652
gpg: Signatur kann nicht geprüft werden: Kein öffentlicher Schlüssel
ERROR: signature /home/docb/buildservice/home:DocB:branches:network:telephony/tiff/tiff-4.6.0t.tar.xz.sig does not validate
Aborting: service call failed: /usr/lib/obs/service/source_validator --outdir /home/docb/buildservice/home:DocB:branches:network:telephony/tiff/tmpzrbafk6b.source_validator.service
A service failed with error: 1
Any idea?
You've changed the source to a fork of libtiff, but added the GPG key of the original project author. That doesn't fly. You'd need the key from Lee Howard (who forked libtiff), not from Even Rouault.

Having said that, I'm not convinced that changing to the fork is a good idea in the first place. Looking at the warning included in libtiff:

"Starting with libtiff v4.6.0, the source code for most TIFF tools (except tiffinfo, tiffdump, tiffcp and tiffset) was discontinued, due to the lack of contributors able to address reported security issues. tiff2ps and tiff2pdf source code has been moved in an unsupported category, no longer built by default, but are still part of the source distribution. Other retired utilities are in an archive/ directory, only available in the libtiff git repository. Issues related to unsupported and archived tools will no longer be accepted in the libtiff bug tracker."

Just reverting the changes to discontinue these tools doesn't magically fix the reported security issues. If upstream doesn't want to support these anymore, I don't think changing to this fork is what we want.
On Sunday, 31 March 2024, 18:13:42 CEST, Arjen de Korte wrote:
Quoting Axel Braun <docb@opensuse.org>:
Hi,
I'm working on a new version of tiff and have a problem with the signature. I have a signature in the download directory, and added the owner's GPG key as a source file in the spec. However, when checking in I get the error:
docb@X1E:~/buildservice/home:DocB:branches:network:telephony/tiff> osc ci
Default log message was not changed. Press 'c' to continue.
a)bort, c)ontinue, e)dit: c
- package has baselibs.conf: (unchanged)
gpg: Signatur vom Do 28 Mär 2024 20:57:55 CET
gpg:                mittels RSA-Schlüssel 7028E1E83B6BF652
gpg: Signatur kann nicht geprüft werden: Kein öffentlicher Schlüssel
ERROR: signature /home/docb/buildservice/home:DocB:branches:network:telephony/tiff/tiff-4.6.0t.tar.xz.sig does not validate
Aborting: service call failed: /usr/lib/obs/service/source_validator --outdir /home/docb/buildservice/home:DocB:branches:network:telephony/tiff/tmpzrbafk6b.source_validator.service
A service failed with error: 1
Any idea?
You've changed the source to a fork of libtiff, but added the GPG key of the original project author. That doesn't fly. You'd need the key from Lee Howard (who forked libtiff), not from Even Rouault.
Thanks for the hint. I needed to rename Lee's signature to tiff.keyring to get it working.
Having said that, I'm not convinced that changing to the fork is a good idea in the first place. Looking at the warning included in libtiff:
4.6.0t looks like a development version where not only Lee (the author of hylafax+) takes part.
"Starting with libtiff v4.6.0, the source code for most TIFF tools (except tiffinfo, tiffdump, tiffcp and tiffset) was discontinued, due to the lack of contributors able to address reported security issues. tiff2ps and tiff2pdf source code has been moved in an unsupported category, no longer built by default, but are still part of the source distribution. Other retired utilities are in an archive/ directory, only available in the libtiff git repository. Issues related to unsupported and archived tools will no longer be accepted in the libtiff bug tracker."
Just reverting the changes to discontinue these tools doesn't magically fix the reported security issues. If upstream doesn't want to support these anymore, I don't think changing to this fork is what we want.
Looking at the change log there seem to be some from Even Rouault as well. You can find the discussion at the hylafax mailing list: https://sourceforge.net/p/hylafax/mailman/hylafax-users/thread/582b124b-07dc...

Cheers
Axel
participants (2)
- Arjen de Korte
- Axel Braun