6.6 i386 pkg verification failure (wrong key) on 6.5

[fvgit]

I can't seem to be able to verify i386 packages for 6.6 on a 6.5 release. Can anyone confirm this?

Code:

$ uname -mr
6.5 i386

Code:

$ cat /etc/signify/openbsd-66-pkg.pub  
untrusted comment: OpenBSD 6.6 packages public key
RWSS4lqHZ5ayOFMBPj3leAkE9tCsSWG9OxD6MmAIS5Y3H3tD6F4vP/eF

Code:

$ ftp https://cdn.openbsd.org/pub/OpenBSD/...upobsd-1.1.tgz
Trying 151.101.130.217...
Requesting https://cdn.openbsd.org/pub/OpenBSD/...upobsd-1.1.tgz
100% |**************************************************| 11185       00:00    
11185 bytes received in 0.02 seconds (699.95 KB/s)

Code:

$ signify -C -p /etc/signify/openbsd-66-pkg.pub -x SHA256.sig upobsd-1.1.tgz 
signify: verification failed: checked against wrong key

Neither the release files (for both i386 and amd64) nor the stable packages (i386 and amd64) or the amd64 packages for that matter give me such an error. Verification only fails for i386 release packages. (I haven't tested other architectures)

[jggimi]

Packages are not included in a release's SHA256.sig file. Review the file contents.

Instead, the header within each package tarball contains the package signature. pkg_add(1) is used to check signatures for validity.


Edited to add: see pkg_sign(1). The signature is stored in the gzip(1) comment at the head of the tarball.

[fvgit]

Good catch, mate! Take a look a this! Apparently the signature file in the 6.6 package directory for the i386 architecture uses the 6.5 public key whereas the one in the amd64 directory uses the newer 6.6 public key. Weird.

/pub/OpenBSD/6.6/packages/i386/SHA256.sig
https://cdn.openbsd.org/pub/OpenBSD/...386/SHA256.sig

Code:

untrusted comment: verify with openbsd-65-pkg.pub
RWS5D4+188RI6h0taiwVO5j055UMwmNf7zKqzkT/lDY30Mvtv7jeEU1wVnG+3HmuT1cAXfmkcvwci/FDfkiN75gFFE3zlkg63gA=
SHA256 (0ad-0.0.23bp0.tgz) = 7YRlebcdDUsI+IS5o8YZaVIm7vrcOK5SlSdGd4e4wWI=
SHA256 (0ad-data-0.0.23b.tgz) = hDSAoCdjiClZfDrWSI7I6jElZ+bKprjc3geHXFigir4=
SHA256 (1oom-1.0.tgz) = P3qU/Ep395fhIBdhkUvh35nb5/sgsWjMIMM/aEtL+ww=
SHA256 (2048-cli-0.9.1.tgz) = B/g4FNnjaq8GvcA7jFMFU9tp1pUvcD8WQdqpi/IryEw=
SHA256 (2bwm-0.3.tgz) = sAQGyrJddPWQQyAUnwHvZ9yHHZFXqNn+tWwJirY8HA8=
(...)

/pub/OpenBSD/6.6/packages/amd64/SHA256.sig
https://cdn.openbsd.org/pub/OpenBSD/...d64/SHA256.sig

Code:

untrusted comment: verify with openbsd-66-pkg.pub
RWSS4lqHZ5ayOKb00PkyiEvhSmAO/sc4P2xuPedd2a2lrfsHTQqDsHvPeqSfEyWKTEYJYpXjYtUf9kqaqmgFdvuF5SURkuKL4w8=
SHA256 (0ad-0.0.23bp0.tgz) = LhD0l0aLeqPBybgDZAp1Fb5vTwmXDFoL3i2uNfQH33A=
SHA256 (0ad-data-0.0.23b.tgz) = BxhNq1Wyv6OSIaUnAN/LxbPLQKKnUzbUdN2T8FIroek=
SHA256 (1oom-1.0.tgz) = a5pv1TTnASXCplZUaNM+9YpQTwXRkcw1u9XkF+LfUys=
SHA256 (2048-cli-0.9.1.tgz) = UXJa6UZrIg5gA32MFF5ArBKT/k4n1XBHT0tepG3wYow=
SHA256 (2bwm-0.3.tgz) = STiKPdyYR+43FBZYKSC/LSKnK85/Z3piaATEJcgt99I=
(...)

[jggimi]

I spent about 10 minutes playing with pkg_add -D SIGNER= and could not get it to fail, so I extracted the signify message from the gzip comment header in the 6.6/i386 package for upobsd-1.1.tgz, confirming what you see in the package SHA256.sig file stored with the collection.

Code:

untrusted comment: verify with openbsd-65-pkg.pub
RWS5D4+188RI6tcXF+2EEvhE2KaknlwzHYIPEgqnls9+3BACLLxe4++D34iyxhYStsva7nrwylSh0yGGnAsJKypY8gJLsft0ZgQ=
date=2019-10-11T14:55:13Z
key=/etc/signify/openbsd-65-pkg.sec
algorithm=SHA512/256
blocksize=65536

You may wish to bring this to the attention of the Project via the ports@ mailing list.