Hi everyone,
I'm pleased to announce v1.4.0 of the RPM Sequoia crate.
I have published rpm-sequoia on crates.io:
https://crates.io/crates/rpm-sequoia
You can also fetch version 1.4.0 using the v1.4.0 tag:
https://github.com/rpm-software-management/rpm-sequoia/releases/tag/v1.4.0
which I signed:
```
$ git verify-tag v1.4.0
gpg: Signature made Thu Apr 13 23:10:27 2023 +02:00
gpg:                using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal@walfield.org>" [ultimate]
gpg:                 aka "Neal H. Walfield <neal@gnupg.org>"
gpg:                 aka "Neal H. Walfield <neal@pep-project.org>"
gpg:                 aka "Neal H. Walfield <neal@pep.foundation>"
gpg:                 aka "Neal H. Walfield <neal@sequoia-pgp.org>"
```
The most notable change in this release is better error reporting. Based on feedback from users of rpm on Fedora 38 beta, we learned that many certificates and many packages use outdated cryptography, or are generated by broken OpenPGP implementations. As sequoia-openpgp is stricter in what it accepts than rpm's deprecated internal OpenPGP implementation, installing these packages now results in an error.
Although rpm-sequoia often knows in detail why a certificate or signature is invalid, rpm did not have a way to return this information. As such, rpm could only print out that the package could not be installed, like this:
```
$ rpm -i google-chrome-stable-109.0.5414.119-1.x86_64.rpm
warning: google-chrome-stable-109.0.5414.119-1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOTTRUSTED
package google-chrome-stable-109.0.5414.119-1.x86_64 does not verify: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOTTRUSTED
```
This release introduces two new functions, which are functionally identical to existing functions but additionally return rich error messages, which will hopefully help users diagnose the underlying problem more easily. For instance, using a patched version of rpm that uses these new interfaces, here's what happens when trying to install a package whose signature can't be verified:
```
$ rpm -i google-chrome-stable-109.0.5414.119-1.x86_64.rpm
error: Verifying a signature using certificate 4CCA1EAF950CEE4AB83976DCA040830F7FAC5991 (Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>):
  1. Signature 02b3 created at Mon Jan 23 21:23:32 2023 invalid: signature relies on legacy cryptography
       because: Policy rejected non-revocation signature (Binary) requiring collision resistance
       because: SHA1 is not considered secure since 1970-01-01T00:00:00Z
  2. Certificate A040830F7FAC5991 invalid: policy violation
       because: No binding signature at time 2023-01-23T21:23:32Z
       because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
       because: SHA1 is not considered secure since 1970-01-01T00:00:00Z
warning: google-chrome-stable-109.0.5414.119-1.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOTTRUSTED
error: Failed dependencies:
	rpmlib(PayloadIsXz) <= 5.2-1 is needed by google-chrome-stable-109.0.5414.119-1.x86_64

$ rpm -i anydesk-6.1.1-1.el7.x86_64.rpm
error: Verifying a signature using certificate D56311E5FF3B6F39D5A16ABE18DF3741CDFFDE29 (philandro Software GmbH <info@philandro.com>):
  1. Signature 9b8f created at Tue Apr 13 11:08:37 2021 invalid: signature relies on legacy cryptography
       because: Policy rejected non-revocation signature (Binary) requiring collision resistance
       because: SHA1 is not considered secure since 1970-01-01T00:00:00Z
  2. Certificate 18DF3741CDFFDE29 invalid: policy violation
       because: No binding signature at time 2021-04-13T11:08:37Z
error: anydesk-6.1.1-1.el7.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID cdffde29: BAD
error: anydesk-6.1.1-1.el7.x86_64.rpm cannot be installed
```
And here's what rpm emits when trying to install a package with an incorrectly generated signature:
```
$ rpm -i intel-oneapi-common-licensing-2023.1.0-2023.1.0-43473.noarch.rpm
error: intel-oneapi-common-licensing-2023.1.0-2023.1.0-43473.noarch.rpm: Header RSA signature: BAD (package tag 268: invalid OpenPGP signature: Parsing an OpenPGP packet: Failed to parse Signature Packet
       because: Signature appears to be created by a non-conformant OpenPGP implementation, see https://github.com/rpm-software-management/rpm/issues/2351.
       because: Malformed MPI: leading bit is not set: expected bit 8 to be set in 101 (5))
error: intel-oneapi-common-licensing-2023.1.0-2023.1.0-43473.noarch.rpm cannot be installed
```
Neal on behalf of the whole Sequoia PGP team
announce@lists.sequoia-pgp.org