#1109251 /usr/bin/uscan: uscan must not skip OpenPGP check after failed check in previous run
- Package: devscripts
- Source: devscripts
- Description: scripts to make the life of a Debian Package maintainer easier
- Submitter: Uwe Kleine-König
- Date: 2025-08-24 14:57:01 UTC
- Severity: normal
- Tags:
Hello,

the linux-kernel packages suffer from upstream still relying on SHA-1 in their OpenPGP keys. This makes uscan fail to provide the orig.tar.xz (as expected) when sopv is used to verify the download:

    uwe@taurus:~/debpkg/linux$ uscan --download-current-version
    uscan warn: Using stable remote origin
    Newest version of linux on remote site is 6.16~rc5, specified download version is 6.16~rc5
    No acceptable signatures found
    uscan: error: sopv verify /tmp/tmp.YLvUuQ1SxZ/sig debian/upstream/signing-key.asc subprocess returned exit status 3

However uscan keeps ../linux-6.16~rc5.tar.xz after that which makes the next uscan run succeed even though the signature check didn't pass:

    uwe@taurus:~/debpkg/linux$ uscan --download-current-version
    uscan warn: Using stable remote origin
    Newest version of linux on remote site is 6.16~rc5, specified download version is 6.16~rc5
    uscan warn: File already downloaded, skipping OpenPGP verification
    Successfully repacked ../linux-6.16~rc5.tar.xz as ../linux_6.16~rc5.orig.tar.xz, deleting 28 files from it.

Without `--skip-signature` this must not happen and the warning isn't enough.

The obvious fixes would be to either put linux-6.16~rc5.tar.xz into a tmpfile only (i.e. under a different name) until signature verification passed; or to not skip the verification in the 2nd run.

Best regards
Uwe
control: severity -1 important
thanks

that's obviously very bad but it doesn't make the whole devscripts package seriously buggy.
Hello Holger,

I picked serious according to "Most security bugs should also be set at critical or grave severity." from https://www.debian.org/Bugs/Developer and so even stayed below that severity. (I intended to tag the bug "security" and I recall that I had that in my mail text. I have no explanation about how that didn't make it to the bts. Thanks to Salvatore to add the tag later for me.)

Not wanting to fight about severities, I wonder if this will be fixed for trixie. I agree to your statement that this issue is very bad, so a fix for the upcoming stable release would be good.

Best regards
Uwe
My perl foo isn't enough to implement the first suggestion (which IMHO
is superior), untested patch for the second:
diff --git a/lib/Devscripts/Uscan/WatchSource.pm b/lib/Devscripts/Uscan/WatchSource.pm
index 382d3a0b122f..974589c1973d 100644
--- a/lib/Devscripts/Uscan/WatchSource.pm
+++ b/lib/Devscripts/Uscan/WatchSource.pm
@@ -1128,7 +1128,6 @@ our %already_downloaded;
sub download_file_and_sig {
my ($self) = @_;
uscan_debug "line: download_file_and_sig()";
- my $skip_git_vrfy;
# If we're not downloading or performing signature verification, we can
# stop here
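Review bot: dropping the `my $skip_git_vrfy;` declaration means every other reference to `$skip_git_vrfy` in WatchSource.pm has to go in the same patch, or the file will no longer compile under `use strict`; the second and third hunks remove the one assignment and the one test visible here, so the remaining risk is a use outside these three hunks, which the submitter's own note that the patch is untested makes worth a grep before merging.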
@@ -1180,7 +1179,6 @@ sub download_file_and_sig {
$download_available = 1;
dehs_verbose
"Not downloading, using existing file: $self->{newfile_base}\n";
- $skip_git_vrfy = 1;
} elsif ($self->shared->{download} > 0) {
uscan_verbose "Downloading upstream package: $upstream_base";
$download_available = $self->downloader->download(
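Review bot: with `$skip_git_vrfy = 1;` gone from the "Not downloading, using existing file" branch, a pre-existing `$self->{newfile_base}` now goes through the same OpenPGP verification as a fresh download, which is the intended fix; it is also a user-visible behaviour change for anyone who relied on a cached file being accepted without a check, so it deserves a changelog entry and a regression test that plants a file under the final name and asserts that a second run still verifies it (or fails).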
@@ -1442,10 +1440,7 @@ sub download_file_and_sig {
} elsif ($self->pgpmode eq 'auto') {
uscan_verbose "Don't check OpenPGP signature";
} elsif ($self->pgpmode eq 'gittag') {
- if ($skip_git_vrfy) {
- uscan_warn
- "File already downloaded, skipping OpenPGP verification";
- } elsif (!$self->keyring) {
+ if (!$self->keyring) {
uscan_warn "No keyring file, skipping OpenPGP verification";
return $self->status(1);
} else {
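Review bot: the surviving `if (!$self->keyring)` branch still only warns "No keyring file, skipping OpenPGP verification" and returns `$self->status(1)`, so in gittag mode a missing keyring continues to let an unverified file through; if the goal of this change is that no unverified archive is accepted without `--skip-signature`, the no-keyring case should arguably become an error in the same patch rather than a warning (the submitter raises the same question just below).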
Seeing that code snippet, I wonder if failing would also be the saner
option if no keyring is available.
Best regards
Uwe
Hello,

I confirm that this patch works for me. With that the second run fails in the same way as the first as it should be.

I highlight again that while considerably better, this is still non-optimal as after the failed download the unchecked archive is still in place for a build to continue. IMHO the unchecked file must get a different name (e.g. linux-6.16~rc5.tar.xz-unchecked) until the signature was verified (or uscan was called with --skip-signature).

Best regards
Uwe
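The two remedies proposed in this thread (keep the archive under a different name until its signature verifies, and never skip verification merely because a file is already present) can be combined into a single download step. The following Python model is an added illustration for this report, not uscan's or devscripts' own code; the `.unchecked` suffix, the `download`/`verify` callbacks, the `simulate` harness and the archive bytes are constructed assumptions.

```python
"""Model of a download-then-verify step that never leaves an unverified
archive under the name a build would pick up.  Added illustration, not
uscan code; names and callbacks are assumptions."""
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict

# Assumed naming convention, following the suggestion in the report.
UNCHECKED_SUFFIX = ".unchecked"


class VerificationError(Exception):
    """Raised when the signature check of a downloaded archive fails."""


def fetch_and_verify(dest: Path,
                     download: Callable[[Path], None],
                     verify: Callable[[Path], bool],
                     skip_signature: bool = False) -> Path:
    """Download to ``<dest>.unchecked``, verify, and only then rename to ``dest``.

    ``download(path)`` writes the archive to ``path``; ``verify(path)`` returns
    True when the signature over ``path`` is good.  A leftover ``.unchecked``
    file from an earlier failed run is re-verified, never trusted just because
    it already exists.  Only ``skip_signature`` (the explicit opt-out) moves an
    unverified file to the final name.
    """
    unchecked = dest.with_name(dest.name + UNCHECKED_SUFFIX)

    if dest.exists():
        # A file under the final name was verified (or explicitly accepted
        # with skip_signature) by a previous run; nothing else ever gets here.
        return dest

    if not unchecked.exists():
        download(unchecked)

    if skip_signature:
        os.replace(unchecked, dest)
        return dest

    if not verify(unchecked):
        # Keep the download for the next attempt, but under the unchecked
        # name only, so a build cannot continue with it.
        raise VerificationError(f"signature check failed for {unchecked.name}")

    os.replace(unchecked, dest)  # final name appears only after success
    return dest


def simulate(verify_ok: bool, runs: int = 2) -> Dict[str, object]:
    """Run fetch_and_verify ``runs`` times in a scratch directory and report
    what a build would find afterwards (constructed archive bytes, no network)."""
    calls = {"download": 0, "verify": 0}
    fake_archive = b"constructed stand-in, not a real linux-6.16~rc5.tar.xz"

    def download(path: Path) -> None:
        calls["download"] += 1
        path.write_bytes(fake_archive)

    def verify(path: Path) -> bool:
        calls["verify"] += 1
        return verify_ok

    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "linux-6.16~rc5.tar.xz"
        failures = 0
        for _ in range(runs):
            try:
                fetch_and_verify(dest, download, verify)
            except VerificationError:
                failures += 1
        return {
            "downloads": calls["download"],
            "verifications": calls["verify"],
            "failures": failures,
            "final_present": dest.exists(),
            "unchecked_present": dest.with_name(dest.name + UNCHECKED_SUFFIX).exists(),
        }


if __name__ == "__main__":
    # Two runs against a bad signature: the second run must fail like the first
    # and no file may exist under the final name.
    print(simulate(verify_ok=False))
    print(simulate(verify_ok=True))
```

With a failing verifier the second run does not re-download (the `.unchecked` copy is reused) but does verify again and fails again, and the final name never appears; with a good signature the rename happens once and later runs return the verified file without re-checking.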
Hi Uwe,

CVE-2025-8454 is assigned for this issue.

Regards,
Salvatore
Hi,

I tried to build a test to reproduce CVE-2025-8454 but for now I didn't succeed: uscan checked signatures. Can someone help here?

The MR is https://salsa.debian.org/debian/devscripts/-/merge_requests/552
Hi Yadd,

how about putting a 'fake' (i.e. simulating the previous run which had either an error or did not verify the signature, because e.g. sequoia was used, and upstream still relies on SHA1 signatures) in that location, then re-run uscan as described, so mostly replicating what Uwe did in https://bugs.debian.org/1109251#5 (note it is not a sopv problem here).

"uscan warn: File already downloaded, skipping OpenPGP verification" is not enough in this case when --skip-signature is not passed.

Does this help for developing a testcase?

Regards,
Salvatore
This warning is only for git-tag signatures. If we want to verify the git-tag signature in this case, this means that we need to ignore previously downloaded files.