GNU bug report logs - #33825
25.2; Failing to verify signature for ELPA debbugs package


Package: emacs;

Reported by: clemera <clemens.radermacher <at> posteo.de>

Date: Fri, 21 Dec 2018 16:22:01 UTC

Severity: normal

Tags: patch

Found in version 25.2

Done: Stefan Kangas <stefan <at> marxist.se>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#33825; Package emacs. (Fri, 21 Dec 2018 16:22:01 GMT)

Acknowledgement sent to clemera <clemens.radermacher <at> posteo.de>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Fri, 21 Dec 2018 16:22:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: clemera <clemens.radermacher <at> posteo.de>
To: bug-gnu-emacs <at> gnu.org
Subject: 25.2; Failing to verify signature for ELPA debbugs package
Date: Fri, 21 Dec 2018 14:38:07 +0100
Hi,

I get the following error when I try to install debbugs package:


Failed to verify signature debbugs-0.16.tar.sig:
Bad signature from 474F05837FBDEF9B GNU ELPA Signing Agent 
<elpasign <at> elpa.gnu.org>
Command output:
gpg: Signature made Wed Oct 17 11:10:03 2018 CEST
gpg:                using DSA key CA442C00F91774F17F59D9B0474F05837FBDEF9B
gpg: BAD signature from "GNU ELPA Signing Agent <elpasign <at> elpa.gnu.org>" 
[unknown]





Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#33825; Package emacs. (Fri, 21 Dec 2018 23:40:02 GMT)

Message #8 received at 33825 <at> debbugs.gnu.org:

From: Glenn Morris <rgm <at> gnu.org>
To: clemera <clemens.radermacher <at> posteo.de>
Cc: 33825 <at> debbugs.gnu.org
Subject: Re: bug#33825: 25.2;
 Failing to verify signature for ELPA debbugs package
Date: Fri, 21 Dec 2018 18:39:07 -0500
clemera wrote:

> Failed to verify signature debbugs-0.16.tar.sig:
> Bad signature from 474F05837FBDEF9B GNU ELPA Signing Agent
> <elpasign <at> elpa.gnu.org>
> Command output:
> gpg: Signature made Wed Oct 17 11:10:03 2018 CEST
> gpg:                using DSA key CA442C00F91774F17F59D9B0474F05837FBDEF9B
> gpg: BAD signature from "GNU ELPA Signing Agent
> <elpasign <at> elpa.gnu.org>" [unknown]

FWIW, it verifies fine here with Emacs 25.2, and also manually using
wget https://elpa.gnu.org/packages/debbugs-0.16.tar and tar.sig.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#33825; Package emacs. (Sat, 22 Dec 2018 12:09:02 GMT)

Message #11 received at 33825 <at> debbugs.gnu.org:

From: clemera <clemens.radermacher <at> posteo.de>
To: rgm <at> gnu.org
Cc: 33825 <at> debbugs.gnu.org
Subject: Re: bug#33825: 25.2;, Failing to verify signature for ELPA debbugs
 package
Date: Sat, 22 Dec 2018 13:08:02 +0100
> FWIW, it verifies fine here with Emacs 25.2

I tried it again and now it works for me, too. Strange... what could
have caused it to fail before?





Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#33825; Package emacs. (Sun, 30 Dec 2018 12:13:02 GMT)

Message #14 received at 33825 <at> debbugs.gnu.org:

From: Robert Pluim <rpluim <at> gmail.com>
To: clemera <clemens.radermacher <at> posteo.de>
Cc: rgm <at> gnu.org, 33825 <at> debbugs.gnu.org
Subject: Re: bug#33825: 25.2;
 , Failing to verify signature for ELPA debbugs package
Date: Sun, 30 Dec 2018 13:12:41 +0100
clemera <clemens.radermacher <at> posteo.de> writes:

>> FWIW, it verifies fine here with Emacs 25.2
>
> I tried it again and now it works for me, too. Strange..., what could
> have caused that it failed before?

There are 'transparent' proxies which will untar archives and then
retar them, resulting in a file that fails signature verification even
though the contents are identical. When you then repeat the download,
the proxy knows it has previously inspected the file, and thus lets
through the original. Using https solves this issue 99% of the time.

If youʼre using https already, then Iʼm out of ideas :-)

Robert
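Robert's explanation above, shown as an added example; this is not code from the thread or from Emacs. A proxy that unpacks an archive and repacks it leaves every file's contents identical but changes the bytes the detached signature was made over, so the check fails even though nothing "changed". Instead of gpg, a SHA-256 digest of the archive bytes stands in for debbugs-0.16.tar.sig (any real signature scheme behaves the same way, because it signs the bytes, not the extracted files); the package members, mtimes and member order are constructed sample values.

```python
"""Why a re-tarred archive with identical contents fails signature
verification.  Added example; the digest is a stand-in for the detached
GPG signature and the package contents are constructed."""
import hashlib
import io
import tarfile

# Constructed sample package: member names and contents of a tiny "package".
MEMBERS = {
    "pkg-0.1/pkg.el": b";;; pkg.el --- sample  -*- lexical-binding: t -*-\n(provide 'pkg)\n",
    "pkg-0.1/README": b"sample package\n",
}


def build_tar(members, mtime, order):
    """Write MEMBERS to an in-memory tar, with the given mtime and member order.

    mtime and order are exactly the kind of metadata a repacking proxy
    does not preserve, even when it keeps every byte of every file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in order:
            data = members[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sign(archive_bytes):
    """Stand-in for producing the .sig: commit to the exact archive bytes."""
    return hashlib.sha256(archive_bytes).hexdigest()


def verify(archive_bytes, signature):
    """Stand-in for 'gpg --verify': recompute over the bytes actually received."""
    return hashlib.sha256(archive_bytes).hexdigest() == signature


def extract_members(archive_bytes):
    """Return {name: content} so two archives can be compared at the content level."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for info in tar.getmembers():
            f = tar.extractfile(info)
            out[info.name] = f.read() if f is not None else None
    return out


def demo():
    """Build the archive the signer saw and the archive a repacking proxy delivers."""
    # Constructed mtime/order for the archive that was signed.
    original = build_tar(MEMBERS, mtime=1539767403,
                         order=["pkg-0.1/pkg.el", "pkg-0.1/README"])
    signature = sign(original)
    # What an inspecting proxy does: unpack, then repack with its own
    # timestamps and member order (constructed values).
    retarred = build_tar(MEMBERS, mtime=1545404287,
                         order=["pkg-0.1/README", "pkg-0.1/pkg.el"])
    return {
        "original_verifies": verify(original, signature),
        "retarred_verifies": verify(retarred, signature),
        "contents_identical": extract_members(original) == extract_members(retarred),
        "bytes_identical": original == retarred,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The original archive verifies, the repacked one does not, the extracted contents compare equal, and the raw bytes do not: exactly the "fails signature verification even though the contents are identical" symptom. The practical defence is the one Robert names: fetch over https, so an intermediary cannot substitute a repacked archive in the first place.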




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#33825; Package emacs. (Sun, 30 Dec 2018 12:35:02 GMT)

Message #17 received at 33825 <at> debbugs.gnu.org:

From: Clemens Radermacher <clemens.radermacher <at> posteo.de>
To: 33825 <at> debbugs.gnu.org
Cc: rpluim <at> gmail.com
Subject: Re: bug#33825: 25.2; , Failing to verify signature for ELPA debbugs
 package
Date: Sun, 30 Dec 2018 13:34:09 +0100
On 30.12.18 13:12, Robert Pluim wrote:

> There are 'transparent' proxies which will untar archives and then
> retar them, resulting in a file that fails signature verification even
> though the contents are identical. When you then repeat the download,
> the proxy knows it has previously inspected the file, and thus lets
> through the original. Using https solves this issue 99% of the time.

That's interesting, thanks! For GNU ELPA I use http indeed, because I rely on Emacs
taking care of the verification. I don't understand why those proxies should
unpack archives though; is that for filtering purposes?

-- 
Clemens




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#33825; Package emacs. (Sun, 30 Dec 2018 12:56:01 GMT)

Message #20 received at 33825 <at> debbugs.gnu.org:

From: Robert Pluim <rpluim <at> gmail.com>
To: Clemens Radermacher <clemens.radermacher <at> posteo.de>
Cc: 33825 <at> debbugs.gnu.org
Subject: Re: bug#33825: 25.2;
 , Failing to verify signature for ELPA debbugs package
Date: Sun, 30 Dec 2018 13:55:44 +0100
Clemens Radermacher <clemens.radermacher <at> posteo.de> writes:

> On 30.12.18 13:12, Robert Pluim wrote:
>
>> There are 'transparent' proxies which will untar archives and then
>> retar them, resulting in a file that fails signature verification even
>> though the contents are identical. When you then repeat the download,
>> the proxy knows it has previously inspected the file, and thus lets
>> through the original. Using https solves this issue 99% of the time.
>
> That's interesting thanks! For GNU ELPA I use http indeed, because I rely on Emacs 
> taking care of the verification. I don't understand why those proxies should 
> unpack archives though, is that for filtering purposes?

In enlightened democracies they want to see if there is any malware
hiding inside. In other types of countries they're filtering
'undesirable' content. Identifying which type youʼre living in is
becoming harder every day :-)

Robert




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#33825; Package emacs. (Fri, 13 Sep 2019 19:51:01 GMT)

Message #23 received at 33825 <at> debbugs.gnu.org:

From: Stefan Kangas <stefan <at> marxist.se>
To: clemera <clemens.radermacher <at> posteo.de>
Cc: Glenn Morris <rgm <at> gnu.org>, 33825 <at> debbugs.gnu.org
Subject: Re: bug#33825: 25.2;
 , Failing to verify signature for ELPA debbugs package
Date: Fri, 13 Sep 2019 21:50:27 +0200
Robert Pluim <rpluim <at> gmail.com> writes:

> clemera <clemens.radermacher <at> posteo.de> writes:
>
>>> FWIW, it verifies fine here with Emacs 25.2
>>
>> I tried it again and now it works for me, too. Strange..., what could
>> have caused that it failed before?
>
> There are 'transparent' proxies which will untar archives and then
> retar them, resulting in a file that fails signature verification even
> though the contents are identical. When you then repeat the download,
> the proxy knows it has previously inspected the file, and thus lets
> through the original. Using https solves this issue 99% of the time.
>
> If youʼre using https already, then Iʼm out of ideas :-)

The reporter verified he was indeed using http.  Is there anything
that can or should be done here, or is this to be closed as notabug?

Best regards,
Stefan Kangas




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#33825; Package emacs. (Mon, 16 Sep 2019 09:08:01 GMT)

Message #26 received at 33825 <at> debbugs.gnu.org:

From: Robert Pluim <rpluim <at> gmail.com>
To: Stefan Kangas <stefan <at> marxist.se>
Cc: 33825 <at> debbugs.gnu.org, clemera <clemens.radermacher <at> posteo.de>
Subject: Re: bug#33825: 25.2; , Failing to verify signature for ELPA debbugs
 package
Date: Mon, 16 Sep 2019 11:07:32 +0200
>>>>> On Fri, 13 Sep 2019 21:50:27 +0200, Stefan Kangas <stefan <at> marxist.se> said:

    Stefan> Robert Pluim <rpluim <at> gmail.com> writes:
    >> clemera <clemens.radermacher <at> posteo.de> writes:
    >> 
    >>>> FWIW, it verifies fine here with Emacs 25.2
    >>> 
    >>> I tried it again and now it works for me, too. Strange..., what could
    >>> have caused that it failed before?
    >> 
    >> There are 'transparent' proxies which will untar archives and then
    >> retar them, resulting in a file that fails signature verification even
    >> though the contents are identical. When you then repeat the download,
    >> the proxy knows it has previously inspected the file, and thus lets
    >> through the original. Using https solves this issue 99% of the time.
    >> 
    >> If youʼre using https already, then Iʼm out of ideas :-)

    Stefan> The reporter verified he was indeed using http.  Is there anything
    Stefan> that can or should be done here, or is this to be closed as notabug?

I think this is notabug. We can always reopen it if needed.

Robert




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#33825; Package emacs. (Mon, 16 Sep 2019 11:06:02 GMT)

Message #29 received at 33825 <at> debbugs.gnu.org:

From: Stefan Kangas <stefan <at> marxist.se>
To: Robert Pluim <rpluim <at> gmail.com>
Cc: 33825 <at> debbugs.gnu.org, clemera <clemens.radermacher <at> posteo.de>
Subject: Re: bug#33825: 25.2;
 , Failing to verify signature for ELPA debbugs package
Date: Mon, 16 Sep 2019 13:04:55 +0200
Robert Pluim <rpluim <at> gmail.com> writes:

>     Stefan> The reporter verified he was indeed using http.  Is there anything
>     Stefan> that can or should be done here, or is this to be closed as notabug?
>
> I think this is notabug. We can always reopen it if needed.

Perhaps we could also add something about this issue to PROBLEMS?

How about also adding a recommendation to use https, as far as
possible, for package archives?  I guess that could be added to both
the doc string of package-archives and possibly also the manual.  That
would help security and avoid issues such as these.

Best regards,
Stefan Kangas




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#33825; Package emacs. (Mon, 16 Sep 2019 13:29:02 GMT)

Message #32 received at 33825 <at> debbugs.gnu.org:

From: Robert Pluim <rpluim <at> gmail.com>
To: Stefan Kangas <stefan <at> marxist.se>
Cc: 33825 <at> debbugs.gnu.org, clemera <clemens.radermacher <at> posteo.de>
Subject: Re: bug#33825: 25.2; , Failing to verify signature for ELPA debbugs
 package
Date: Mon, 16 Sep 2019 15:28:07 +0200
>>>>> On Mon, 16 Sep 2019 13:04:55 +0200, Stefan Kangas <stefan <at> marxist.se> said:

    Stefan> Robert Pluim <rpluim <at> gmail.com> writes:
    Stefan> The reporter verified he was indeed using http.  Is there anything
    Stefan> that can or should be done here, or is this to be closed as notabug?
    >> 
    >> I think this is notabug. We can always reopen it if needed.

    Stefan> Perhaps we could also add something about this issue to PROBLEMS?

Maybe.

    Stefan> How about also adding a recommendation to use https, as far as
    Stefan> possible, for package archives?  I guess that could be added to both
    Stefan> the doc string of package-archives and possibly also the manual.  That
    Stefan> would help security and avoid issues such as these.

This Iʼd be more in favour of.

Robert




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#33825; Package emacs. (Mon, 16 Sep 2019 14:31:02 GMT)

Message #35 received at 33825 <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: Stefan Kangas <stefan <at> marxist.se>
Cc: rpluim <at> gmail.com, 33825 <at> debbugs.gnu.org, clemens.radermacher <at> posteo.de
Subject: Re: bug#33825: 25.2;
 , Failing to verify signature for ELPA debbugs package
Date: Mon, 16 Sep 2019 17:29:59 +0300
> From: Stefan Kangas <stefan <at> marxist.se>
> Date: Mon, 16 Sep 2019 13:04:55 +0200
> Cc: 33825 <at> debbugs.gnu.org, clemera <clemens.radermacher <at> posteo.de>
> 
> > I think this is notabug. We can always reopen it if needed.
> 
> Perhaps we could also add something about this issue to PROBLEMS?

Feel free to do that.

> How about also adding a recommendation to use https, as far as
> possible, for package archives?  I guess that could be added to both
> the doc string of package-archives and possibly also the manual.  That
> would help security and avoid issues such as these.

I'd leave this out of the manual.  Doc string should be enough.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#33825; Package emacs. (Mon, 16 Sep 2019 19:14:02 GMT)

Message #38 received at 33825 <at> debbugs.gnu.org:

From: Stefan Kangas <stefan <at> marxist.se>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: Robert Pluim <rpluim <at> gmail.com>, 33825 <at> debbugs.gnu.org,
 Clemens Radermacher <clemens.radermacher <at> posteo.de>
Subject: Re: bug#33825: 25.2;
 , Failing to verify signature for ELPA debbugs package
Date: Mon, 16 Sep 2019 21:13:13 +0200
Eli Zaretskii <eliz <at> gnu.org> writes:

> > How about also adding a recommendation to use https, as far as
> > possible, for package archives?  I guess that could be added to both
> > the doc string of package-archives and possibly also the manual.  That
> > would help security and avoid issues such as these.
>
> I'd leave this out of the manual.  Doc string should be enough.

Thanks.  How about the attached patch?

Best regards,
Stefan Kangas
[0001-Recommend-https-for-package-archives.patch (text/x-patch, attachment)]

Added tag(s) patch. Request was from Stefan Kangas <stefan <at> marxist.se> to control <at> debbugs.gnu.org. (Mon, 16 Sep 2019 19:15:02 GMT)

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#33825; Package emacs. (Tue, 17 Sep 2019 13:35:01 GMT)

Message #43 received at 33825 <at> debbugs.gnu.org:

From: Robert Pluim <rpluim <at> gmail.com>
To: Stefan Kangas <stefan <at> marxist.se>
Cc: Eli Zaretskii <eliz <at> gnu.org>, 33825 <at> debbugs.gnu.org,
 Clemens Radermacher <clemens.radermacher <at> posteo.de>
Subject: Re: bug#33825: 25.2; , Failing to verify signature for ELPA debbugs
 package
Date: Tue, 17 Sep 2019 15:34:04 +0200
>>>>> On Mon, 16 Sep 2019 21:13:13 +0200, Stefan Kangas <stefan <at> marxist.se> said:

    Stefan> Eli Zaretskii <eliz <at> gnu.org> writes:
    >> > How about also adding a recommendation to use https, as far as
    >> > possible, for package archives?  I guess that could be added to both
    >> > the doc string of package-archives and possibly also the manual.  That
    >> > would help security and avoid issues such as these.
    >> 
    >> I'd leave this out of the manual.  Doc string should be enough.

    Stefan> Thanks.  How about the attached patch?

Nits below

    Stefan> Best regards,
    Stefan> Stefan Kangas

    Stefan> From afc49ccd4e3e593f1f2dfffbdd6e457132efa9cd Mon Sep 17 00:00:00 2001
    Stefan> From: Stefan Kangas <stefankangas <at> gmail.com>
    Stefan> Date: Mon, 16 Sep 2019 21:09:32 +0200
    Stefan> Subject: [PATCH] Recommend https for package-archives

    Stefan> * lisp/emacs-lisp/package.el (package-archives): Doc fix to recommend
    Stefan> using https sources instead of http where possible.
    Stefan> (Bug#33825)

"Recommend using https..." is shorter and more direct.

    Stefan> ---
    Stefan>  lisp/emacs-lisp/package.el | 5 ++++-
    Stefan>  1 file changed, 4 insertions(+), 1 deletion(-)

    Stefan> diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el
    Stefan> index ef0c5171de..69c4427e0a 100644
    Stefan> --- a/lisp/emacs-lisp/package.el
    Stefan> +++ b/lisp/emacs-lisp/package.el
    Stefan> @@ -214,7 +214,10 @@ package-archives
    Stefan>    (Other types of URL are currently not supported.)
 
    Stefan>  Only add locations that you trust, since fetching and installing
    Stefan> -a package can run arbitrary code."
    Stefan> +a package can run arbitrary code.
    Stefan> +
    Stefan> +It is advisable to prefer HTTPS URLs over HTTP URLs where
    Stefan> +possible, for improved security and stability."
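Review bot: the added paragraph in this hunk promises "improved security and stability" without saying what either means, so a reader of the doc string gets a recommendation but no reason to follow it; "stability" in particular has no definition the user can check. The concrete rationale in this thread is that an archive fetched over http can be altered in transit (a transparent proxy unpacking and repacking it), which makes Emacs's own signature check fail, and https prevents that substitution. Suggest dropping "stability" and stating the reason in the doc string, for instance: "+It is advisable to prefer HTTPS URLs over HTTP URLs where" / "+possible: archives fetched over HTTP can be modified in transit," / "+which breaks signature verification.\"" (keeping the closing quote of the doc string on the last line).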

Similarly: "HTTPS URLs should be used where possible, as they offer
superior security."

"stability" is not really something you can define, so probably better
not to mention it.

Robert




Reply sent to Stefan Kangas <stefan <at> marxist.se>:
You have taken responsibility. (Fri, 20 Sep 2019 17:25:02 GMT)

Notification sent to clemera <clemens.radermacher <at> posteo.de>:
bug acknowledged by developer. (Fri, 20 Sep 2019 17:25:03 GMT)

Message #48 received at 33825-done <at> debbugs.gnu.org:

From: Stefan Kangas <stefan <at> marxist.se>
To: Robert Pluim <rpluim <at> gmail.com>
Cc: Eli Zaretskii <eliz <at> gnu.org>, 33825-done <at> debbugs.gnu.org,
 Clemens Radermacher <clemens.radermacher <at> posteo.de>
Subject: Re: bug#33825: 25.2;
 , Failing to verify signature for ELPA debbugs package
Date: Fri, 20 Sep 2019 19:24:14 +0200
Robert Pluim <rpluim <at> gmail.com> writes:
> Nits below

Thanks, I've now installed the patch with your suggested changes as
commit f1f2de7cdf.

Since we seem to agree that there is not much else to do here, I'm
also closing this bug.

Best regards,
Stefan Kangas




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 19 Oct 2019 11:24:06 GMT)


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.