openSUSE / obs-sign

sign daemon and client for remote gpg signing.

gpg: Ohhhh jeeee: Assertion "sig->version >= 4"

FrostyX opened this issue · comments

The following command started failing after migrating from F33 to F35

[root@copr-keygen-dev ~][STG]# /bin/sign -u frostyx#foo@copr.fedorahosted.org -k
gpg: problem with fast path key listing: Result truncated - ignored
gpg: Ohhhh jeeee: Assertion "sig->version >= 4" in mk_notation_policy_etc failed (sign.c:89)
Aborted (core dumped)

Surprisingly (at least to me), this works fine

[root@copr-keygen-dev ~][STG]# /bin/sign -u frostyx#foo@copr.fedorahosted.org -p
-----BEGIN PGP PUBLIC KEY BLOCK-----
=BhdG
-----END PGP PUBLIC KEY BLOCK-----

Do you have any idea what might be wrong?

Note that Fedora 33 has gnupg2-2.2.25, while Fedora 35 has gnupg2-2.3.3.

This assert was added in

https://dev.gnupg.org/rGcd2d9288aaf9c584673675826ba76e7dbc2ad239#change-8aGhysOnbpOH

which refers to https://dev.gnupg.org/T800

I am afraid that the comment (and code) on this line is no longer valid:

https://github.com/openSUSE/obs-sign/blob/master/sign.c#L1592

But why would gpg try to add a notation policy for v3 signatures?

I think you need to revert this part:

@@ -727,11 +700,8 @@ write_signature_packets (SK_LIST sk_list, IOBUF out, gcry_md_hd_t hash,
       if (gcry_md_copy (&md, hash))
         BUG ();
 
-      if (sig->version >= 4)
-        {
-          build_sig_subpkt_from_sig (sig);
-          mk_notation_policy_etc (sig, pk, NULL);
-        }
+      build_sig_subpkt_from_sig (sig);
+      mk_notation_policy_etc (sig, pk, NULL);
 
       hash_sigversion_to_magic (md, sig);
       gcry_md_final (md);
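
Review bot: The version check is missing around `build_sig_subpkt_from_sig (sig)` and `mk_notation_policy_etc (sig, pk, NULL)` on the `+` lines of write_signature_packets, so both calls now run for v3 signatures as well, and the reported abort is the `sig->version >= 4` assertion inside mk_notation_policy_etc. Keep the `if (sig->version >= 4)` block around both calls so v3 signing skips them, and add a one-line comment saying why the guard exists so it is not dropped again.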

@mlschroe thank you for the investigation. I will rebuild obs-signd with this patch and see if it helps.

The change was in gnupg (not in obs-sign) and was done in 64a1e86fc06d89c980a196c61d2b6d77d167565e

Hmm, BTW out of curiosity I checked why we still use v3 signatures: rpm < 4.14 can work only with v3. In the RHEL world that is RHEL 7 with rpm-4.11.3. RHEL 8 uses rpm-4.14.3. I guess the SUSE world will be similar.
So it will still be a few years before we can move to v4.
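
To check which signature version a signer actually emits (the v3/v4 distinction discussed above), the following added example, which is not code from obs-sign or GnuPG, reads the version octet of the first signature packet in a binary (non-armored) OpenPGP stream using the RFC 4880 packet framing. The function name `pgp_sig_version` and both sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not obs-sign or GnuPG code): version octet of the first
 * signature packet (tag 2) in a binary OpenPGP stream, -1 if none/malformed. */
int pgp_sig_version(const unsigned char *p, size_t n)
{
    size_t i = 0, len;
    while (i < n) {
        unsigned char hdr = p[i++];
        unsigned tag, k;
        if (!(hdr & 0x80)) return -1;            /* bit 7 is always set */
        if (hdr & 0x40) {                        /* new-format header */
            tag = hdr & 0x3f;
            if (i >= n) return -1;
            len = p[i++];
            if (len >= 224 && len != 255) return -1; /* partial length: unsupported */
            if (len == 255) {                    /* four-octet length */
                if (n - i < 4) return -1;
                for (len = 0, k = 0; k < 4; k++) len = (len << 8) | p[i++];
            } else if (len >= 192) {             /* two-octet length */
                if (i >= n) return -1;
                len = ((len - 192) << 8) + p[i++] + 192;
            }
        } else {                                 /* old-format header */
            tag = (hdr >> 2) & 0x0f;
            if ((hdr & 3) == 3) return -1;       /* indeterminate length */
            k = 1u << (hdr & 3);                 /* 1, 2 or 4 length octets */
            if (n - i < k) return -1;
            for (len = 0; k > 0; k--) len = (len << 8) | p[i++];
        }
        if (len > n - i) return -1;              /* body runs past the buffer */
        if (tag == 2) return len ? p[i] : -1;    /* body starts with the version */
        i += len;
    }
    return -1;
}

/* Constructed samples: v3 (old-format header); marker packet + v4 (new-format). */
static const unsigned char sample_v3[] = { 0x88, 0x16, 0x03, 0x05, 0x00,
    0x61, 0x00, 0x00, 0x00, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x01, 0x08, 0xab, 0xcd, 0x00, 0x08, 0xff };
static const unsigned char sample_v4[] = { 0xca, 0x03, 0x50, 0x47, 0x50, 0xc2, 0x0d,
    0x04, 0x00, 0x01, 0x08, 0x00, 0x00, 0x00, 0x00, 0xab, 0xcd, 0x00, 0x08, 0xff };

int main(void)
{
    printf("v3 sample: %d, v4 sample: %d\n", pgp_sig_version(sample_v3, sizeof sample_v3),
           pgp_sig_version(sample_v4, sizeof sample_v4));
    return 0;
}
```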

I was about to forward this to gpg upstream (dev.gnupg.org), but it's not an instant action :-(
They moderate new accounts ...

@FrostyX can you actually try the updated version?
That version fixes the write_signature_packets method.

@praiskup, the updated version works!

[root@copr-be-dev ~][STG]# /bin/sign -u frostyx#test-keygen-2@copr.fedorahosted.org -k
gpg: problem with fast path key listing: Result truncated - ignored
9D17C58B