-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
'Invalid armor header' exception when verifying PGP-signature of org.antlr.runtime-3.2.0.v20220404-1927 #203
Comments
HOW do you mirror the content? Because Nexus is known to break this because it returns invalid XML:
Seems reasonable, but wondering what |
Just build a product and copy the p2-repo created by the
I'm not familiar enough with PGP to tell you what it should mean 😅 However manually removing the pgp.signature/publicKeys made the update work. |
Some (recent?) versions of |
Such format has been in the specification for long time: https://www.rfc-editor.org/rfc/rfc4880#section-6.2 I would have expected bouncy castle could always consume it, even older version. But testing the 2021-06 installer installing the Eierlegende Wollmilchsau 2022-12 I do see such errors
|
As mentioned by @HannesWell, the issue is more about how p2 "unnormalize" line breaks, sometimes incorrectly so the message that is passed to BouncyCastle is then incorrect. |
Yes, though generally, as you suggest, the content is written with encoded characters so I don't think it's actually coming in in a form that needs to be re-processed to make it correct. I get more the sense that BC didn't implement everything at that point yet. But I'd need to run under debug control to verify that... |
That's why I'm wondering who has produced the data? Is the source faulty or the transformation or ... |
@laeubi No, it works, it conforms to the specification, and is produced by BC. But apparently it just doesn't work (isn't consumable) by a really old version of BC. |
Yes that is what I suspect as well to be the root of this issue. As shown in my initial comment after the 'unnormalization' the header is split over multiple lines. And BC (correctly) complains about that invalid header.
As far as I can tell, are the keys encoded into the attributes so shouldn't it be possible to restore them as they were initially and thus making the whole unnormalization obsolete? Because in my debugging session everything looked correct until the unnormalization method was called. |
On my laptop (that I don't use often for coding), I just tried to updated my Oomph provisioned Eclipse Modelling Tools 2021-12 to 22-12 and got a similar error that I think is also caused by this:
|
Testing older installers, it seems anything before 2022-03 does not work well. I tested updating the 2022-03 modeling package to the latest, and that also works (but prompts from trusting bcpg because this older version didn't check for a PGP signature if the jar signature wasn't trusted). So yes, I think anything 2021-12 and older is not in good shape to handle updates. I haven't tested, but presumably they can be updated to something like 2022-03 and then can be updated to latest... |
In the early stage of PGP development, I was copy/pasting signatures and keys directly in artifacts.xml files. It was pretty convenient! |
Is there anything that needs to be done for this issue? |
I'm still not sure if you want something to be fixed or if something needs to be fixed.... |
Sorry for not replying before. I'm unsure. Lines 174 to 176 in 806b8b8
and because the PGP-keys are usually encoded in a p2-repos metadata and then decoded like in an ASCII-armored file, before being passed to this method. So it is fixed for the usual case, but maybe the following replacements should be enhanced to also match the other described cases, just in case the keys are not properly decoded for any scenario? But I cannot judge that well. |
A year almost has passed - should this one be closed? |
We had the described workaround in place and as also mentioned with the current implementation the problem does not occur anymore. I don't plan to work this at the moment and as time passes this probably becomes more and more irrelevant. |
@HannesWell @akurtakov @merks I sadly now encountered this problem also and it seems there is a |
@merks do you mean that 2022-03 including is not working? Or should it work for 2022-03 onwards? |
My comment was about updating finding keys not about invalid armor. |
Such artifact properties might look like this. The |
We have updated our product from the Eclipse 2021-06 to 2022-12 and now notice that product updates fail with the following message:
In the error log the following exception is associated to that error:
Because of the stack-trace I remote debugged at
p2/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/pgp/PGPSignatureVerifier.java
Lines 117 to 125 in 343acf5
and noticed that in the context of
canonical: osgi.bundle,org.antlr.runtime,3.2.0.v20220404-1927
the signature in thepgp.publicKeys
property is converted inunnormalizedPGPProperty()
fromto (left out the equal inner part!)
And I assume that the header is afterwards malformed and therefore causing the exception.
Today the method looks like this and I assume the additional check is the reason that this does not occur if one updates from a more recent version:
p2/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/pgp/PGPSignatureVerifier.java
Lines 170 to 183 in 806b8b8
Should
PGPSignatureVerifier.unnormalizedPGPProperty()
also cover the-----BEGIN PGP MESSAGE-----
case?I searched the 2022-12 SimRel
artifacts.xml
and there indeed 84 hits for-----BEGIN PGP MESSAGE-----
.Does anybody has a good idea how to solve this in our case where we update from 2021-06 to 2022-12?
My only idea is to remove the offending signature from our p2-repo where we mirror parts of the SimRel. Luckily org.antlr.runtime,3.2.0.v20220404-1927 is the only one we mirror with such header.
The text was updated successfully, but these errors were encountered: