"gpg: BAD signature": The new hash calculation is possibly incorrect? #194
Comments
You may understand that I'll need some example data to reproduce your bug...
OK, the following example for testing:

- The GPG key from here
- Imported using:
- An outdated AppImage from this mirror
- The appimageupdatetool AppImage

Output of an "old" appimageupdatetool:
I've tried to update the AppImage you linked to. My local build does not extract a key from

Edit:
I don't understand now, that worked in the past.
Well, define "past". There must be a key in

For years, the official AppImageKit appimagetool has embedded the key used for signing into the AppImage, allowing AppImageUpdate to validate signatures and establish a chain of trust (if we trust the old AppImage and it has been signed properly, we can trust the new AppImage if it has been signed properly with the exactly same key). AppImageUpdate even creates a temporary GPG keyring into which it extracts the keys from both the old and new AppImage, which is used for validating the signatures. I don't know how OBS works there and what outdated tools it uses. I've just verified that AppImages built with the official appimagetool still have an ELF section called

Your use case, as you describe it, was the initial poor state of signature support within AppImageUpdate. As said, shipping signatures without shipping the keys has never made any sense at all, hence we started to embed the pubkeys. Your use case has not been supported since, and I am not sure why GPG would even check your home keyring at all, given we pass

Regarding the hash calculation, you seem to be right, something is broken there. I'll have a look. However, I won't be using your AppImage for testing, since your use case uses some undefined behavior. I'd strongly(!) recommend you to make sure your AppImages contain a
I've re-read the man page:

I didn't realize that the keyring was added to the list, i.e., the home keyring may be used as a fallback. Still, OBS should embed the keys. Please report this bug to them.
Thanks for your effort and help, I will check the implementation in OBS regarding this.
The hashing bugs have been fixed on
@TheAssassin works now. thx.
I always get a "gpg: BAD signature" here since the new `calculateHash()` in `src/appimage.h`. With the "old" `hashAppImage()` in `src/updater.cpp` it works. In local builds and tests I noticed that the generated `new-digest` and `old-digest` files differ between the tested commits, hence probably the "gpg: BAD signature" error. I tested commit ce0edcb with 59329dc on openSUSE Tumbleweed.
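The two checks this thread turns on are (a) a digest over the AppImage that must come out identical no matter which implementation computes it, because gpg verifies the signature against that digest, and (b) the chain-of-trust rule from the comment above: an update is only trusted if it embeds exactly the key the already-trusted image does. The Python below is an added example, not code from AppImageUpdate, AppImageKit or the issue. It assumes a little-endian ELF64 image, section names (`.sig_data`, `.sig_pubkey`) that are constructed for the example rather than AppImageKit's real ones, fixed-size slots for signature and key, and a digest scheme that hashes the whole file with those two sections blanked to zero bytes (the signature cannot cover the bytes it is stored in). The `build_elf` helper fabricates tiny ELF files so the whole thing runs offline.

```python
"""Added example: digest over an ELF image excluding the signature-carrying
sections, plus the "same embedded key as the trusted image" check.

Assumptions (not from the issue): little-endian ELF64; signature and key are
stored in ordinary PROGBITS sections with the constructed names below; the
signable digest blanks those sections before hashing."""
import hashlib
import struct
from typing import Dict, Optional, Tuple

ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")           # Elf64_Shdr, 64 bytes
SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 1, 3, 8

SIG_SECTION = ".sig_data"    # constructed name, not AppImageKit's
KEY_SECTION = ".sig_pubkey"  # constructed name, not AppImageKit's
SLOT = 64                    # fixed-size slots: layout, hence digest, does not depend on signature length


def section_table(data: bytes) -> Dict[str, Tuple[int, int, int]]:
    """Map section name -> (file offset, size, sh_type) for a little-endian ELF64."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = ELF_HDR.unpack_from(data, 0)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    if e_shentsize != SHDR.size or e_shstrndx >= e_shnum:
        raise ValueError("malformed section header table")
    headers = [SHDR.unpack_from(data, e_shoff + i * SHDR.size) for i in range(e_shnum)]
    str_off, str_size = headers[e_shstrndx][4], headers[e_shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    table = {}
    for sh_name, sh_type, _flags, _addr, off, size, *_rest in headers:
        if sh_name == 0:  # the mandatory null header carries no section
            continue
        name = strtab[sh_name:strtab.index(b"\0", sh_name)].decode()
        table[name] = (off, size, sh_type)
    return table


def signable_digest(data: bytes, blank=(SIG_SECTION, KEY_SECTION)) -> str:
    """SHA-256 of the image with the named sections replaced by zero bytes.
    Any implementation that blanks a different byte range yields a different
    digest, and gpg then reports BAD signature although the signature is fine."""
    table = section_table(data)
    buf = bytearray(data)
    for name in blank:
        off, size, sh_type = table.get(name, (0, 0, SHT_NOBITS))
        if sh_type == SHT_NOBITS:  # absent, or occupies no file bytes: nothing to blank
            continue
        if off + size > len(buf):
            raise ValueError(f"section {name} runs past end of file")
        buf[off:off + size] = bytes(size)
    return hashlib.sha256(buf).hexdigest()


def embedded_key(data: bytes) -> Optional[bytes]:
    """Key material stored in the image (slot padding stripped), or None if missing."""
    entry = section_table(data).get(KEY_SECTION)
    if entry is None or entry[2] == SHT_NOBITS:
        return None
    off, size, _ = entry
    return bytes(data[off:off + size]).rstrip(b"\0")


def same_signing_key(trusted: bytes, candidate: bytes) -> bool:
    """Chain of trust: accept the candidate only if it embeds exactly the trusted image's key."""
    key = embedded_key(trusted)
    return bool(key) and key == embedded_key(candidate)


def build_elf(payload: bytes, signature: bytes, key: bytes) -> bytes:
    """Constructed test input: a minimal ELF64 with payload, signature slot, key slot, .shstrtab."""
    if len(signature) > SLOT or len(key) > SLOT:
        raise ValueError("signature or key does not fit its slot")
    names = [b"", b".payload", SIG_SECTION.encode(), KEY_SECTION.encode(), b".shstrtab"]
    name_off, strtab = {}, b""
    for n in names:
        name_off[n] = len(strtab)
        strtab += n + b"\0"
    contents = [(b".payload", payload, SHT_PROGBITS),
                (SIG_SECTION.encode(), signature.ljust(SLOT, b"\0"), SHT_PROGBITS),
                (KEY_SECTION.encode(), key.ljust(SLOT, b"\0"), SHT_PROGBITS),
                (b".shstrtab", strtab, SHT_STRTAB)]
    body, shdrs, off = b"", [SHDR.pack(*[0] * 10)], ELF_HDR.size
    for name, blob, sh_type in contents:
        shdrs.append(SHDR.pack(name_off[name], sh_type, 0, 0, off, len(blob), 0, 0, 1, 0))
        body += blob
        off += len(blob)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, EV_CURRENT
    ehdr = ELF_HDR.pack(ident, 2, 0x3E, 1, 0, 0, off, 0, ELF_HDR.size, 0, 0,
                        SHDR.size, len(shdrs), len(contents))  # e_shstrndx = index of .shstrtab
    return ehdr + body + b"".join(shdrs)


if __name__ == "__main__":
    trusted = build_elf(b"app v1", b"sig over v1", b"maintainer key")
    update = build_elf(b"app v2", b"sig over v2", b"maintainer key")
    print(signable_digest(trusted), signable_digest(update), same_signing_key(trusted, update))
```

The digest is only as stable as the agreement on which bytes are blanked: two images that differ solely in their signature bytes must hash the same, while a single byte of payload change must not. Comparing the digests two implementations produce for one and the same file, as the `new-digest`/`old-digest` files in the report do, is the quickest way to localize a hashing regression before blaming the key or the keyring.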