CVS commit: pkgsrc/security/netpgpverify
Module Name: pkgsrc
Committed By: riastradh
Date: Sun Jan 4 06:19:40 UTC 2026
Modified Files:
pkgsrc/security/netpgpverify: Makefile
pkgsrc/security/netpgpverify/files: Makefile.in libverify.c
Added Files:
pkgsrc/security/netpgpverify/files: gpg2test gpg2test.gpg2
keypubring.gpg2 keysecring.gpg2
Log Message:
security/netpgpverify: Handle issuer fingerprint subpackets.
This is an extremely dodgy stop-gap measure to verify signatures
produced by gpg2. It does nothing to address pervasive problems in
netpgpverify, like PR security/57449 or PR bin/59823, or even more
narrowly scoped problems with using keyids instead of fingerprints.
I'm a little reluctant to even commit this stop-gap because the
problems are so bad, and a band-aid won't fix a spurting carotid.
The symptom is:
> ./netpgpverify -k keypubring.gpg2 gpg2test.gpg2
> Ignoring unusual/reserved signature subpacket 34
> Signature did not match contents -- Signature key id 38fa6a2833ed1efa does not match onepass keyid
Test case generated by:
mkdir -m 0700 gpghome
gpg2 --homedir gpghome --batch --passphrase '' \
--quick-gen-key user%example.com@localhost rsa2048 sign never
echo hello world >gpg2test
gpg2 --homedir gpghome --batch --no-comments --no-emit-version \
--output gpg2test.gpg2 --sign gpg2test
gpg2 --homedir gpghome --batch --no-comments --no-emit-version \
--export-secret-keys >keysecring.gpg2
gpg2 --homedir gpghome --batch --no-comments --no-emit-version \
--export >keypubring.gpg2
To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 pkgsrc/security/netpgpverify/Makefile
cvs rdiff -u -r1.9 -r1.10 pkgsrc/security/netpgpverify/files/Makefile.in
cvs rdiff -u -r0 -r1.1 pkgsrc/security/netpgpverify/files/gpg2test \
pkgsrc/security/netpgpverify/files/gpg2test.gpg2 \
pkgsrc/security/netpgpverify/files/keypubring.gpg2 \
pkgsrc/security/netpgpverify/files/keysecring.gpg2
cvs rdiff -u -r1.31 -r1.32 pkgsrc/security/netpgpverify/files/libverify.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/netpgpverify/Makefile
diff -u pkgsrc/security/netpgpverify/Makefile:1.22 pkgsrc/security/netpgpverify/Makefile:1.23
--- pkgsrc/security/netpgpverify/Makefile:1.22 Sun Nov 1 11:28:35 2020
+++ pkgsrc/security/netpgpverify/Makefile Sun Jan 4 06:19:39 2026
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.22 2020/11/01 11:28:35 wiz Exp $
+# $NetBSD: Makefile,v 1.23 2026/01/04 06:19:39 riastradh Exp $
DISTNAME= netpgpverify-${VERSION}
+PKGREVISION= 1
CATEGORIES= security
MASTER_SITES= # empty
DISTFILES= # empty
Index: pkgsrc/security/netpgpverify/files/Makefile.in
diff -u pkgsrc/security/netpgpverify/files/Makefile.in:1.9 pkgsrc/security/netpgpverify/files/Makefile.in:1.10
--- pkgsrc/security/netpgpverify/files/Makefile.in:1.9 Sun Nov 1 11:28:35 2020
+++ pkgsrc/security/netpgpverify/files/Makefile.in Sun Jan 4 06:19:39 2026
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.in,v 1.9 2020/11/01 11:28:35 wiz Exp $
+# $NetBSD: Makefile.in,v 1.10 2026/01/04 06:19:39 riastradh Exp $
PROG=netpgpverify
@@ -49,6 +49,8 @@ tst:
./${PROG} -k pubring.gpg noversion.asc
@echo "testing dash-escaped text"
./${PROG} -k pubring.gpg dash-escaped-text.asc
+ @echo "testing gpg2-generated signature"
+ ./${PROG} -k keypubring.gpg2 gpg2test.gpg2
clean:
rm -rf *.core ${OBJS} ${PROG}
Index: pkgsrc/security/netpgpverify/files/libverify.c
diff -u pkgsrc/security/netpgpverify/files/libverify.c:1.31 pkgsrc/security/netpgpverify/files/libverify.c:1.32
--- pkgsrc/security/netpgpverify/files/libverify.c:1.31 Sun Nov 1 11:28:35 2020
+++ pkgsrc/security/netpgpverify/files/libverify.c Sun Jan 4 06:19:40 2026
@@ -1183,10 +1183,29 @@ read_sig_subpackets(pgpv_t *pgp, pgpv_si
sigpkt->sig.revoked = *p++ + 1;
sigpkt->sig.why_revoked = (char *)(void *)p;
break;
- case SUBPKT_ISSUER_FINGERPRINT:
+ case SUBPKT_ISSUER_FINGERPRINT: {
+ /* RFC 9580, Sec. 5.2.3.35 Issuer Fingerprint */
+ unsigned N;
+
sigpkt->sig.ifver = *p;
+ switch (sigpkt->sig.ifver) {
+ case 4:
+ N = 20;
+ break;
+ case 6:
+ N = 32;
+ break;
+ default:
+ printf("unknown issuer fpr version %d\n",
+ sigpkt->sig.ifver);
+ return 0;
+ }
sigpkt->sig.issuer_fingerprint = &p[1];
+ memcpy(sigpkt->sig.signer,
+ &p[1 + N - sizeof(sigpkt->sig.signer)],
+ sizeof(sigpkt->sig.signer));
break;
+ }
default:
printf("Ignoring unusual/reserved signature subpacket %d\n", subpkt.tag);
break;
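Review bot: The memcpy at the end of the SUBPKT_ISSUER_FINGERPRINT case copies the last `sizeof(sigpkt->sig.signer)` bytes of the fingerprint for both versions, but RFC 9580, Sec. 5.5.4 defines the v6 Key ID as the high-order 64 bits of the fingerprint (only the v4 Key ID is the low-order 64 bits), so a v6 issuer fingerprint would presumably reproduce the same "does not match onepass keyid" symptom the log message describes. Selecting the copy offset per version inside the inner switch fixes this, as in the excerpt below. Separately, `N` is derived from the declared version rather than from the subpacket's actual length; if `subpkt` carries a length field it should be checked against `1 + N` before the memcpy, since a short subpacket otherwise lets the copy read past it. read_sig_subpackets begins and ends outside this hunk.
```c
	case SUBPKT_ISSUER_FINGERPRINT: {
		/* RFC 9580, Sec. 5.2.3.35 Issuer Fingerprint */
		unsigned N, kidoff;

		sigpkt->sig.ifver = *p;
		switch (sigpkt->sig.ifver) {
		case 4:
			/* v4 Key ID is the low-order 64 bits (RFC 9580, Sec. 5.5.4) */
			N = 20;
			kidoff = 1 + N - sizeof(sigpkt->sig.signer);
			break;
		case 6:
			/* v6 Key ID is the high-order 64 bits (RFC 9580, Sec. 5.5.4) */
			N = 32;
			kidoff = 1;
			break;
		/* … unchanged: default case with diagnostic and return 0 … */
		}
		sigpkt->sig.issuer_fingerprint = &p[1];
		memcpy(sigpkt->sig.signer, &p[kidoff], sizeof(sigpkt->sig.signer));
		break;
	}
```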
Added files:
Index: pkgsrc/security/netpgpverify/files/gpg2test
diff -u /dev/null pkgsrc/security/netpgpverify/files/gpg2test:1.1
--- /dev/null Sun Jan 4 06:19:40 2026
+++ pkgsrc/security/netpgpverify/files/gpg2test Sun Jan 4 06:19:39 2026
@@ -0,0 +1 @@
+hello world
Index: pkgsrc/security/netpgpverify/files/gpg2test.gpg2
Binary files are different
Index: pkgsrc/security/netpgpverify/files/keypubring.gpg2
Binary files are different
Index: pkgsrc/security/netpgpverify/files/keysecring.gpg2
Binary files are different