Fix some issues spotted with OpenPGP v6 keys #3757
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
For OpenPGP v6 we need sequoia-sq >= 1.3 and rpm-sequoia >= 1.8 in the bare minimum, the latter is only available from rawhide so we need to pull it from there. This also requires a newer crypto-policies package than is available on any released version to permit ed25519 and x25519, otherwise we'll get funky "denied by policy" errors when signing. Talk about bleeding edge!
Created using Sequoia SQ 1.3.1 with:
sq key generate
--own-key \
--userid v6-ed25519-testkey
--name "rpm.org ed25519 v6 testkey"
--email "[email protected]"
--profile rfc9580
--expiration=never
--cannot-authenticate
--cannot-encrypt
--without-password
The length of identifiers is none of our business, they either match something or they don't. This check causes a wholly unnecessary failure with v6 keys, removing it protects us from similar breakages when the underlying standard evolves. Update the tests to match the new behavior.
Adding an rpm v6 signature fails with a message such as "error: Unsupported OpenPGP pubkey algorithm 27" if the algorithm isn't supported by rpm v4 signatures. The issue here seems simple enough: makeSigTag() assumes there'll always be a legacy tag to map to, but that's not the case with new algorithms such as those added in RFC-9580. Only, this tiny thing causes a bit of an avalance: we need to move the tag decision logic to putSignature(), but to do that we also need to move the check for identical signatures there, and to do that we need to pay more attention to putSignature() retuns. And then we can finally make the decisions we need, where we need them: When adding an rpm v4 signature, suppress the error from an "unknown" algorithm if we already added an rpm v6 signature for it in the same run. Add tests to the extent we can, rpm-sequoia 1.8 doesn't fully handle OpenPGP v6 it seems: rpm-software-management/rpm-sequoia#87 Fixes: rpm-software-management#3752
Member
Author
This was referenced May 16, 2025
Contributor
|
LGTM. Took a while to see how this |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add some test-cases for OpenPGP v6 keys, address a couple of issues spotted with them:
To be able to test this stuff at all we need to go real bleeding edge and pull in stuff from Fedora rawhide.
More fancy details in the commit messages.