[Please CC me on replies and keep discussion on d-release regardless of
how you received the mail]

Hi,

SRM is considering using an ed25519 GPG key for bookworm. Does anyone
see any issues with that?

We've tested merging signatures from a (different) ed25519 key and an
RSA key using dak's "gpg-merge-signatures" script, and gpgv is happy to
verify the result on an oldoldstable (Debian 9 / stretch) system.

We know that GPG(V) 1.X can't handle EC keys, which means that the
signatures won't be verifiable on jessie. jessie is still supported
externally via ELTS, but I don't know that anyone's trying to use it to
verify signatures from bookworm.

Thanks,

Adam

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, Mar 04, 2023 at 01:33:13PM +0000, Adam D. Barratt wrote:

...
Hi,

Hi Adam,

SRM is considering using an ed25519 GPG key for bookworm. Does anyone
see any issues with that?
...
We know that GPG(V) 1.X can't handle EC keys,
...

in all releases from stretch to bookworm:
Package: apt
Depends: ..., gpgv | gpgv2 | gpgv1, ...

This has to become only[1] "gpgv" in at least bullseye and bookworm,
otherwise there would be users running into problems - even in
unstable "apt-get remove gpgv" works and installs "gpgv1" instead.

Thanks,

Adam

cu
Adrian

[1] The "gpgv2" alternative is harmless but pointless since it
became a transitional package depending on "gpgv".

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Adam,

On 04/03/2023 14:33, Adam D. Barratt wrote:

SRM is considering using an ed25519 GPG key for bookworm. Does anyone
see any issues with that?

We've tested merging signatures from a (different) ed25519 key and an
RSA key using dak's "gpg-merge-signatures" script, and gpgv is happy to verify the result on an oldoldstable (Debian 9 / stretch) system.

We know that GPG(V) 1.X can't handle EC keys, which means that the
signatures won't be verifiable on jessie. jessie is still supported externally via ELTS, but I don't know that anyone's trying to use it to verify signatures from bookworm.

jessie ships gpgv2 from src:gnupg2 alongside gnupg 1.x, so if there was anyone affected by this change, I don't think it would be a big issue.

Cheers,
Emilio

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, 2023-03-04 at 16:03 +0200, Adrian Bunk wrote:

On Sat, Mar 04, 2023 at 01:33:13PM +0000, Adam D. Barratt wrote:

SRM is considering using an ed25519 GPG key for bookworm. Does
anyone
see any issues with that?
...
We know that GPG(V) 1.X can't handle EC keys,
...

in all releases from stretch to bookworm:
Package: apt
Depends: ..., gpgv | gpgv2 | gpgv1, ...

This has to become only[1] "gpgv" in at least bullseye and bookworm, otherwise there would be users running into problems - even in
unstable "apt-get remove gpgv" works and installs "gpgv1" instead.

FWIW I can't replicate that on bullseye:

$ sudo apt-get remove gpgv
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer
required:
[...]
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
apt apt-utils debian.org debian.org-recommended debian.org- recommended-bullseye devscripts gnupg gpgv
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
apt gpgv (due to apt)
0 upgraded, 0 newly installed, 8 to remove and 0 not upgraded.
After this operation, 9,999 kB disk space will be freed.
You are about to do something potentially harmful.
To continue type in the phrase 'Yes, do as I say!'

Regards,

Adam

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Mar 10, 2023 at 09:27:30AM +0000, Adam D. Barratt wrote:

On Sat, 2023-03-04 at 16:03 +0200, Adrian Bunk wrote:

On Sat, Mar 04, 2023 at 01:33:13PM +0000, Adam D. Barratt wrote:

SRM is considering using an ed25519 GPG key for bookworm. Does
anyone
see any issues with that?
...
We know that GPG(V) 1.X can't handle EC keys,
...

in all releases from stretch to bookworm:
Package: apt
Depends: ..., gpgv | gpgv2 | gpgv1, ...

This has to become only[1] "gpgv" in at least bullseye and bookworm, otherwise there would be users running into problems - even in
unstable "apt-get remove gpgv" works and installs "gpgv1" instead.

FWIW I can't replicate that on bullseye:

$ sudo apt-get remove gpgv
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
[...]
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
apt apt-utils debian.org debian.org-recommended debian.org- recommended-bullseye devscripts gnupg gpgv
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
apt gpgv (due to apt)
...

Using fresh chroots created with
debootstrap bullseye bullseye
and
debootstrap sid sid
as testcases, apt in unstable does find the solution of installing gpgv1
when removing gpgv but apt in bullseye does not.

But the following should always work:
# apt-get install gpgv1
# apt-get remove gpgv

And something like this might have happened for various odd reasons in
the past years.

Regards,

Adam

cu
Adrian

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, Mar 06, 2023 at 12:06:17PM +0100, Emilio Pozuelo Monfort wrote:

Hi Adam,

On 04/03/2023 14:33, Adam D. Barratt wrote:

SRM is considering using an ed25519 GPG key for bookworm. Does anyone
see any issues with that?

We've tested merging signatures from a (different) ed25519 key and an
RSA key using dak's "gpg-merge-signatures" script, and gpgv is happy to verify the result on an oldoldstable (Debian 9 / stretch) system.

We know that GPG(V) 1.X can't handle EC keys, which means that the signatures won't be verifiable on jessie. jessie is still supported externally via ELTS, but I don't know that anyone's trying to use it to verify signatures from bookworm.

jessie ships gpgv2 from src:gnupg2 alongside gnupg 1.x, so if there was anyone affected by this change, I don't think it would be a big issue.

There's an exit then, and since we don't support release skipping it's not
an issue on upgrades either - only if you were bootstrapping bookworm from jessie, which feels increasingly unlikely these days.

--
Jonathan Wiltshire [email protected]
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Mar 10, 2023 at 12:30:15PM +0200, Adrian Bunk wrote:

On Fri, Mar 10, 2023 at 09:27:30AM +0000, Adam D. Barratt wrote:

On Sat, 2023-03-04 at 16:03 +0200, Adrian Bunk wrote:

On Sat, Mar 04, 2023 at 01:33:13PM +0000, Adam D. Barratt wrote:

SRM is considering using an ed25519 GPG key for bookworm. Does
anyone
see any issues with that?
...
We know that GPG(V) 1.X can't handle EC keys,
...

in all releases from stretch to bookworm:
Package: apt
Depends: ..., gpgv | gpgv2 | gpgv1, ...

This has to become only[1] "gpgv" in at least bullseye and bookworm, otherwise there would be users running into problems - even in
unstable "apt-get remove gpgv" works and installs "gpgv1" instead.

FWIW I can't replicate that on bullseye:

$ sudo apt-get remove gpgv
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
[...]
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
apt apt-utils debian.org debian.org-recommended debian.org- recommended-bullseye devscripts gnupg gpgv
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
apt gpgv (due to apt)
...

Using fresh chroots created with
debootstrap bullseye bullseye
and
debootstrap sid sid
as testcases, apt in unstable does find the solution of installing gpgv1
when removing gpgv but apt in bullseye does not.

But the following should always work:
# apt-get install gpgv1
# apt-get remove gpgv

And something like this might have happened for various odd reasons in
the past years.

I ran upgrade tests of a standard system from jessie onwards (wheezy's dpkg enjoyed segfaulting reliably for me and it's not important for this test).

In jessie apt does not have the alternative Depends line, and debian-archive-keyring (d-a-k) has Depends: gpgv.

In stretch apt gains the alternatives, and d-a-k continues to Depends:
gpgv. gpgv becomes version 2 and the gpgv1 package is introduced.

From buster onwards d-a-k drops its dependency.

Thus a standard system without any fiddling *must* have gained gpgv(2)
along the way and will be able to verify the new signature. We don't
support release skipping.

I did not succeed in tricking apt to give me that solution in any of these releases, so it only appears to be an issue in sid.

apt with *only* gpgv1 installed does fall back onto it automatically, so
it's true that if a user set that situation up they wouldn't know until the signature failed to validate. The two packages can happily co-exist.

I think a release note to that effect ("make sure you have gpgv installed")
is sufficient and we're otherwise safe to do this, unless anyone has found other problems.


--
Jonathan Wiltshire [email protected]
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)