debsig-verify fails with "gpg: no valid OpenPGP data found" when gpg decrypt can verify the detached signature

Date: 2019-04-25 23:02:15

Tags: gnupg sign apt deb

Why does debsig-verify fail to verify when the _gpgorigin detached signature matches the combined debian-binary control.tar.gz data.tar.gz file?

Is it because of this WARNING: This key is not certified with a trusted signature!?

Signing the package in a debian:7 docker container works fine; on debian:9.8 it fails with

    gpg: no valid OpenPGP data found.
    gpg: processing message failed: Unknown system error
    debsig: subprocess getKeyID returned error exit status 2

Signing process

    # Unpack
    ar x unsigned.deb

    # Generate combined file
    cat debian-binary control.tar.gz data.tar.gz > combined

    # Create detached signature for combined
    gpg -abs -o _gpgorigin combined

    # Repack
    ar rc signed.deb _gpgorigin debian-binary control.tar.gz data.tar.gz

Verifying the detached signature (seems to succeed)

    gpg --output doc --decrypt _gpgorigin
    Detached signature.
    Please enter name of data file: combined
    gpg: Signature made Thu Apr 25 22:43:37 2019 UTC
    gpg:                using RSA key AAAABBBBCCCCDDDD996FCC98FFFFFFFFFFFFFFFF
    gpg: Good signature from "mygroup Testing <testing@mygroup.net>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: AAAA BBBB CCCC DDDD 996F CC98 FFFF FFFF FFFF FFFF

Verifying the signed package (fails)

    debsig-verify -v -d signed.deb

    debsig: Starting verification for: signed.deb
    debsig:         getSigKeyID: got FFFFFFFFFFFFFFFF for origin key
    debsig: Using policy directory: /etc/debsig/policies/FFFFFFFFFFFFFFFF
    debsig:   Parsing policy file: /etc/debsig/policies/FFFFFFFFFFFFFFFF/mygroup-test.pol
    debsig:     parsePolicyFile: parsing '/etc/debsig/policies/FFFFFFFFFFFFFFFF/mygroup-test.pol'
    debsig:     parsePolicyFile: completed
    debsig:     Checking Selection group(s).
    debsig:       Processing 'origin' key...
    gpg: no valid OpenPGP data found.
    gpg: processing message failed: Unknown system error
    debsig: subprocess getKeyID returned error exit status 2

Key listing of the policy keyring

    gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/FFFFFFFFFFFFFFFF/pubring.gpg --list-sigs
    /usr/share/debsig/keyrings/FFFFFFFFFFFFFFFF/pubring.gpg
    -------------------------------------------------------
    pub   rsa2048 2017-06-19 [SC]
          AAAABBBBCCCCDDDD996FCC98FFFFFFFFFFFFFFFF
    uid           [ unknown] MyGroup Testing <testing@mygroup.net>
    sig 3        FFFFFFFFFFFFFFFF 2017-06-19  MyGroup Testing <testing@mygroup.net>
    sub   rsa2048 2017-06-19 [E]
    sig          FFFFFFFFFFFFFFFF 2017-06-19  MyGroup Testing <testing@mygroup.net>
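The same verification done non-interactively, as an added example that is not part of the question and is not debsig-verify's own code: it unpacks the package, rebuilds the combined data exactly as the signing step above does, verifies _gpgorigin over it using gpg's machine-readable --status-fd output instead of the interactive --decrypt prompt, and derives from the VALIDSIG line the long key id that debsig-verify uses as its policy directory name (the last 16 hex digits of the signing key's fingerprint, which is why the log above maps ...FFFFFFFFFFFFFFFF to /etc/debsig/policies/FFFFFFFFFFFFFFFF). The package path, and the presence of binutils ar and gpg, are assumptions.

```shell
#!/bin/sh
# Non-interactive verification of a deb signed as in the question (added example; not
# from the question and not debsig-verify's own code). Assumes binutils `ar` and gpg.
set -eu

# Long key id, as debsig-verify names its policy and keyring directories:
# the last 16 hex digits of the fingerprint (...FFFFFFFFFFFFFFFF -> FFFFFFFFFFFFFFFF).
keyid_from_fpr() {
  printf '%s' "$1" | tr -d ' ' | tail -c 16 | tr 'a-f' 'A-F'
}

# Fingerprint of the key that made the signature, taken from gpg's --status-fd output:
#   [GNUPG:] VALIDSIG <signing-key-fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo> <hash> <class> <primary-fpr>
# Prints nothing and returns 1 when there is no VALIDSIG line (bad, missing or unreadable signature).
signer_fpr_from_status() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; found = 1 } END { exit !found }' "$1"
}

# Unpack the .deb, rebuild the signed data exactly as the signing step did, verify
# _gpgorigin over it and print the policy directory debsig-verify will consult.
verify_signed_deb() {
  deb=$(readlink -f "$1"); work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
  ( cd "$work" && ar x "$deb" )
  # same concatenation as the signing step; control/data may be .gz or .xz
  cat "$work/debian-binary" "$work"/control.tar.* "$work"/data.tar.* > "$work/combined"
  # --status-fd gives a stable machine-readable verdict; the human-readable output is dropped
  gpg --batch --status-fd 3 --verify "$work/_gpgorigin" "$work/combined" \
      3> "$work/status" >/dev/null 2>&1 || true
  fpr=$(signer_fpr_from_status "$work/status") || {
    echo "$1: no valid signature over debian-binary+control+data" >&2; return 1; }
  echo "$1: good signature from $fpr; debsig-verify will use /etc/debsig/policies/$(keyid_from_fpr "$fpr")"
}
```

Run it as `verify_signed_deb signed.deb`. Note that a good signature here only shows the detached signature matches the combined data; it says nothing about the policy directory or the key file debsig-verify reads next, which is where the "no valid OpenPGP data found" error in the question comes from.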


2 answers:

Answer 0 (score: 1)

I just ran into a similar problem and found I was doing quite a few things wrong that are not obvious from the docs/examples:

  1. Make sure the policy file uses the XML namespace with https (not http, as a few examples use), i.e. <Policy xmlns="https://www.debian.org/debsig/1.0/">

  2. The "keyring" file is not a keyring, it is just a single (public) key.

  3. The "key" file must not be ASCII armored.

With the above changes package verification succeeds (Ubuntu 18.04)

Answer 1 (score: 1)

I had the same error. To clarify Anthony's answer, the key file cannot be imported into a keyring. It must be the public key copied into the keyring folder. (Example using DDDF2F4CE732A79A)

This will cause the error

whereas

This will work

    $ gpg --no-default-keyring \
          --keyring /usr/share/debsig/keyrings/DDDF2F4CE732A79A/debsig.gpg \
          --import <public key>
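A pre-flight check for the points both answers make, written as an added example (not from either answer and not part of debsig-verify): without calling gpg it confirms that the policy file declares the https namespace and that the file under the keyrings directory looks like one binary OpenPGP public key rather than an ASCII-armored block or a gpg keybox, and an install helper shows the layout the answers describe, producing the key file with a binary `gpg --export` and a policy file using the https namespace. The key id, the policy name, the file name debsig.gpg, and the policy XML body are placeholders and assumptions to be checked against your installed policy DTD; the directory roots default to the ones debsig-verify reads and can be pointed elsewhere.

```shell
#!/bin/sh
# Pre-flight checks for a debsig-verify policy/keyring layout (added example, not from the answers).
# POLICY_ROOT and KEYRING_ROOT default to the directories debsig-verify reads; override them
# to exercise the checks on a scratch directory.
set -eu

POLICY_ROOT="${POLICY_ROOT:-/etc/debsig/policies}"
KEYRING_ROOT="${KEYRING_ROOT:-/usr/share/debsig/keyrings}"
DEBSIG_NS='https://www.debian.org/debsig/1.0/'

# 0 if the policy declares the https namespace (answer 0, point 1).
policy_has_https_ns() {
  grep -q "xmlns=\"$DEBSIG_NS\"" "$1"
}

# 0 if the file is ASCII-armored ("-----BEGIN PGP PUBLIC KEY BLOCK-----"); answer 0, point 3.
key_is_armored() {
  [ "$(head -c 5 "$1")" = "-----" ]
}

# 0 if the file is a keybox database (the format gpg 2.1+ uses for its own pubring.kbx),
# recognisable by the "KBXf" magic in its header blob.
key_is_keybox() {
  head -c 16 "$1" | tr -cd 'A-Za-z' | grep -q 'KBXf'
}

# 0 if the first byte is an OpenPGP packet header with tag 6 (Public-Key Packet):
# old format 0x80|tag<<2|lentype = 0x98..0x9b, new format 0xC0|tag = 0xc6.
# A binary `gpg --export <id>` of a public key starts with 0x99.
key_is_binary_pubkey() {
  first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
  case "$first" in 98|99|9a|9b|c6) return 0 ;; *) return 1 ;; esac
}

# Report every problem for one key id; returns 1 if any were found.
check_debsig_layout() {
  keyid=$1; rc=0
  set -- "$POLICY_ROOT/$keyid"/*.pol
  if [ ! -f "$1" ]; then echo "no .pol file under $POLICY_ROOT/$keyid"; rc=1; fi
  for pol in "$@"; do
    if [ -f "$pol" ] && ! policy_has_https_ns "$pol"; then
      echo "$pol: xmlns is not $DEBSIG_NS"; rc=1
    fi
  done
  set -- "$KEYRING_ROOT/$keyid"/*.gpg
  if [ ! -f "$1" ]; then echo "no .gpg file under $KEYRING_ROOT/$keyid"; rc=1; fi
  for key in "$@"; do
    [ -f "$key" ] || continue
    if key_is_armored "$key"; then echo "$key: ASCII-armored; export it in binary form"; rc=1
    elif key_is_keybox "$key"; then echo "$key: keybox keyring, not a single exported key"; rc=1
    elif ! key_is_binary_pubkey "$key"; then echo "$key: does not start with a public-key packet"; rc=1
    fi
  done
  return $rc
}

# Lay the files out the way the answers describe: one binary public key (no --armor,
# no --import into a keyring) plus a policy with the https namespace.
# Key id, policy name and the policy body are placeholders/assumptions.
install_debsig_key() {
  keyid=$1; name=$2   # e.g. install_debsig_key FFFFFFFFFFFFFFFF mygroup-test
  mkdir -p "$KEYRING_ROOT/$keyid" "$POLICY_ROOT/$keyid"
  gpg --export "$keyid" > "$KEYRING_ROOT/$keyid/debsig.gpg"
  cat > "$POLICY_ROOT/$keyid/$name.pol" <<EOF
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="$DEBSIG_NS">
  <Origin Name="$name" id="$keyid" Description="$name package signing key"/>
  <Selection>
    <Required Type="origin" File="debsig.gpg" id="$keyid"/>
  </Selection>
  <Verification MinOptional="0">
    <Required Type="origin" File="debsig.gpg" id="$keyid"/>
  </Verification>
</Policy>
EOF
}
```

Run `check_debsig_layout FFFFFFFFFFFFFFFF` before `debsig-verify` to see which of the three points is violated. A header check cannot tell an old-format keyring that holds a single key from a bare exported key (both start with a public-key packet), so the reliable fix is to produce the file with a binary `gpg --export` as `install_debsig_key` does, rather than copying or importing into a pubring.gpg.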