[Bug 1801762] Re: Dual-signed things should be easy to verify with one key

TJ ubuntu at iam.tj
Mon Nov 5 21:41:08 UTC 2018 

I've created a shell wrapper than might be useful for this called
"gpgpv-multisig" which is a multi-call executable. Given /usr/bin/gpgv-
multisig

ln -s gpgv-multisig /usr/bin/gpgv-aptkeys

and called as 'gpgv-aptkeys' it will assume the keyring to be used is
/etc/apt/trusted.gpg (set by APT_KEYRING).

Returns the same exit codes as detailed in man gpgv(1):

0 = all signatures good
1 = at least one signature good
2 = no signatures good

Many configuration variables can be over-ridden from the environment but
adopt sensible defaults.


** Attachment added: "Shell script wrapping gpgv for multi-signature gpgv"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/1801762/+attachment/5209443/+files/gpgv-multisig

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-release-upgrader in
Ubuntu.
https://bugs.launchpad.net/bugs/1801762

Title:
  Dual-signed things should be easy to verify with one key

Status in apt package in Ubuntu:
  New
Status in debmirror package in Ubuntu:
  New
Status in gnupg2 package in Ubuntu:
  New
Status in ubuntu-keyring package in Ubuntu:
  New
Status in ubuntu-release-upgrader package in Ubuntu:
  New

Bug description:
  As part of Ubuntu key rotation strategy, we rely on dual-signing
  (inline, or detached) such that validation with at least one key
  available in a keyring should be trusted, without using web-of-trust.

  However, it seems to be only correctly so far implemented by the apt's
  gpgv method.

  Ideally, we should ship an easy enough to use the helper that is `like
  gpgv` to use, and possibly reusing apt's gpgv code and/or exposing it
  via apt-key's verify.

  The problem seems to be that 1 good sig + 1 no public key available,
  results in gpgv exiting with 2, instead of 0 or 1.

  Ideally it should be easy enough to use gpgv/gpg to verify that at
  least one signature is good, and decrypt/extract signed contents only.

  More details and reproducers to follow.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1801762/+subscriptions

More information about the foundations-bugs mailing list