gnupg - debsig-verify fails, gpg: no valid OpenPGP data found, while gpg decrypt can verify the detached signature

Tags: gnupg sign apt deb

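Why does debsig-verify fail verification while the _gpgorigin detached signature matches the combined debian-binary control.tar.gz data.tar.gz file?

Is it because of this: WARNING: This key is not certified with a trusted signature!

On the debian:7 docker container the package signing works well, and on debian:9.8 it fails: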

    gpg: no valid OpenPGP data found.
    gpg: processing message failed: Unknown system error
    debsig: subprocess getKeyID returned error exit status 2

Signing process

# Unpack
ar x unsigned.deb

# Generate combine file
cat debian-binary control.tar.gz data.tar.gz > combined

# Create detached signature for combined
gpg -abs -o _gpgorigin combined

# Repack
ar rc signed.deb _gpgorigin debian-binary control.tar.gz data.tar.gz

Verifying the detached signature (appears to succeed)

gpg --output doc --decrypt _gpgorigin
        Detached signature.
        Please enter name of data file: combined
        gpg: Signature made Thu Apr 25 22:43:37 2019 UTC
        gpg:                using RSA key AAAABBBBCCCCDDDD996FCC98FFFFFFFFFFFFFFFF
        gpg: Good signature from "mygroup Testing <[email protected]>" [unknown]
        gpg: WARNING: This key is not certified with a trusted signature!
        gpg:          There is no indication that the signature belongs to the owner.
        Primary key fingerprint: AAAA BBBB CCCC DDDD 996F CC98 FFFF FFFF FFFF FFFF

Verifying the signed package (fails)

debsig-verify -v -d signed.deb

    debsig: Starting verification for: signed.deb
    debsig:         getSigKeyID: got FFFFFFFFFFFFFFFF for origin key
    debsig: Using policy directory: /etc/debsig/policies/FFFFFFFFFFFFFFFF
    debsig:   Parsing policy file: /etc/debsig/policies/FFFFFFFFFFFFFFFF/mygroup-test.pol
    debsig:     parsePolicyFile: parsing '/etc/debsig/policies/FFFFFFFFFFFFFFFF/mygroup-test.pol'
    debsig:     parsePolicyFile: completed
    debsig:     Checking Selection group(s).
    debsig:       Processing 'origin' key...
    gpg: no valid OpenPGP data found.
    gpg: processing message failed: Unknown system error
    debsig: subprocess getKeyID returned error exit status 2

Key list of the policy keyring

 gpg --no-default-keyring --keyring  /usr/share/debsig/keyrings/FFFFFFFFFFFFFFFF/pubring.gpg --list-sigs
/usr/share/debsig/keyrings/FFFFFFFFFFFFFFFF/pubring.gpg
-------------------------------------------------------
pub   rsa2048 2017-06-19 [SC]
      AAAABBBBCCCCDDDD996FCC98FFFFFFFFFFFFFFFF
uid           [ unknown] MyGroup Testing <[email protected]>
sig 3        FFFFFFFFFFFFFFFF 2017-06-19  MyGroup Testing <[email protected]>
sub   rsa2048 2017-06-19 [E]
sig          FFFFFFFFFFFFFFFF 2017-06-19  MyGroup Testing <[email protected]>


Best answer

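I just ran into a similar problem and found a few things I was doing wrong that are not obvious from the documentation/examples:

  1. Make sure the policy file has the XML namespace using https (rather than the http that a few examples use), i.e. <Policy xmlns="https://www.debian.org/debsig/1.0/">

  2. The "keyring" file is not a keyring, it is just a (public) key.

  3. The "keyring" file must not be ASCII-armored.

After the above changes, package verification succeeded (Ubuntu 18.04)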
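
A pre-flight check for the three points in the answer above, as an added example that is not part of the original answer or of debsig-verify itself. The function names are hypothetical and the sample files are constructed; the script only inspects the first bytes of the "keyring" file and the namespace string in the policy file.

```shell
#!/bin/sh
# Added example: pre-flight checks for a debsig-verify setup.
# Function names are hypothetical; the sample files below are constructed.

# Print the format of a debsig "keyring" file:
#   armored - ASCII-armored text (starts with "-----")
#   binary  - starts with an OpenPGP public-key packet (tag 6)
#   unknown - anything else (empty file, other data)
keyring_format() {
    head5=$(od -An -tx1 -N5 "$1" | tr -d ' \n')
    case "$head5" in
        2d2d2d2d2d) echo armored ;;       # "-----BEGIN PGP ..."
        98*|99*|9a*|c6*) echo binary ;;   # old/new-format header, tag 6
        *) echo unknown ;;
    esac
}

# Print which namespace scheme the policy's <Policy> element declares.
policy_namespace() {
    if grep -q 'xmlns="https://www.debian.org/debsig/1.0/"' "$1"; then
        echo https
    elif grep -q 'xmlns="http://www.debian.org/debsig/1.0/"' "$1"; then
        echo http
    else
        echo missing
    fi
}

# check_debsig POLICY KEYRING: succeed only if both match the answer's fixes.
check_debsig() {
    ok=0
    [ "$(policy_namespace "$1")" = https ] ||
        { echo "policy: namespace is not https" >&2; ok=1; }
    [ "$(keyring_format "$2")" = binary ] ||
        { echo "keyring: not a binary public key" >&2; ok=1; }
    return $ok
}

# Constructed samples (not real keys or policies).
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$tmp/armored.gpg"
printf '\231\001\015\004' > "$tmp/binary.gpg"   # 0x99 = old-format tag 6
printf '%s\n' '<Policy xmlns="http://www.debian.org/debsig/1.0/">' > "$tmp/old.pol"
printf '%s\n' '<Policy xmlns="https://www.debian.org/debsig/1.0/">' > "$tmp/new.pol"
check_debsig "$tmp/old.pol" "$tmp/armored.gpg" || echo "setup would fail"
check_debsig "$tmp/new.pol" "$tmp/binary.gpg" && echo "setup looks consistent"
```

A binary key file is what `gpg --export KEYID` writes when `--armor` is not given (KEYID is a placeholder).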

Regarding "gnupg - debsig-verify fails, gpg: no valid OpenPGP data found, while gpg decrypt can verify the detached signature", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/55858700/
