feat: update protonmail/crypto

[caarlos0]

As expected, this breaks signing for centos 8.
Not expected: it also broke it for centos 9.

Fedora seems to still work though.

Not sure what, if anything, we can do about this? Should we revert back to the main go/crypto package which supposedly still works?

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Pages

Latest commit:	8caff64
Status:	✅  Deploy successful!
Preview URL:	https://295ab7c6.nfpm.pages.dev
Branch Preview URL:	https://crypto.nfpm.pages.dev

View logs

[djgilcrease]

I am unsure why this would break contos, we are using sha256 for signing nor sha1 which GopenPGP still supports

[caarlos0]

I am unsure why this would break contos, we are using sha256 for signing nor sha1 which GopenPGP still supports

as far as I gathered, centos still uses an old version of the signature, which is supported by golang/x/crypto/openpgp, but not by the protonmail fork (because it is very old)

sassoftware/go-rpmutils#21 (comment)

[codecov]

Codecov Report

Merging #680 (8caff64) into main (d8d067c) will increase coverage by 0.04%.
The diff coverage is 92.85%.

@@            Coverage Diff             @@
##             main     #680      +/-   ##
==========================================
+ Coverage   75.81%   75.86%   +0.04%     
==========================================
  Files          14       14              
  Lines        2956     2962       +6     
==========================================
+ Hits         2241     2247       +6     
  Misses        506      506              
  Partials      209      209              

Impacted Files	Coverage Δ
internal/sign/pgp.go	65.71% <88.88%> (+0.39%)	⬆️
rpm/rpm.go	70.39% <100.00%> (+0.43%)	⬆️

[djgilcrease]

I am unsure why this would break contos, we are using sha256 for signing nor sha1 which GopenPGP still supports

as far as I gathered, centos still uses an old version of the signature, which is supported by golang/x/crypto/openpgp, but not by the protonmail fork (because it is very old)

sassoftware/go-rpmutils#21 (comment)

ProtonMail/go-crypto#164 maybe try replace github.com/ProtonMail/go-crypto => github.com/pgpkeys-eu/go-crypto v0.0.0-20230506215654-16de0cc09494

[caarlos0]

hmmm still getting

#11 0.562 /tmp/foo.rpm: digests SIGNATURES NOT OK

so maybe there is something else wrong

[caarlos0]

Okay, for reference:

❯ docker run -it --rm quay.io/centos/centos:stream9-minimal rpm --version
RPM version 4.16.1.3

❯ docker run -it --rm quay.io/centos/centos:stream8 rpm --version
RPM version 4.14.3

❯ docker run -it --rm fedora:34 rpm --version
RPM version 4.16.1.3

❯ docker run -it --rm fedora:35 rpm --version
RPM version 4.17.1

❯ docker run -it --rm fedora:36 rpm --version
RPM version 4.17.1

❯ docker run -it --rm fedora:37 rpm --version
RPM version 4.18.1

❯ docker run -it --rm fedora:38 rpm --version
RPM version 4.18.1

RPM 4.18 seems to work, the older versions don't.

[caarlos0]

4.18 changelog: https://rpm.org/wiki/Releases/4.18.0

there's a lot of signature and openpgp related changes and fixes.

I'm leaning towards supporting RPM 4.18+ for signed packages for now on, and that's it 🤔

[caarlos0]

so it seems rpm 4.17+ is OK 🤔

[caarlos0]

okay, so, porting back to the deprecated crypto package works, as long as you don't need to set the signing key id, because apparently there is no way of setting it in that lib

soo... I made a compromise:

• if the user set the signing key id, it'll use protonmail's fork and resulting packages will not work on old rpms
• if the user don't set it, it uses the deprecated version, which works

which I think is pretty confusing... and not sure if whether or not is a good idea at all

eager to hear what you all think @djgilcrease @erikgeiser

[caarlos0]

PS: the very same tests pass in my machine 🤔 Fake news

[caarlos0]

interesting... rpm-software-management/rpm#2351

so, basically, the old package breaks new RPMs, the new version breaks old RPMs... so is just a matter of choosing which ones to break?

:pain:

[caarlos0]

another alternative (that honestly I almost think is better) is to copy the needed code from the versions that work to our codebase 🤔

[caarlos0]

continuing my investigation:

• ProtonMail/go-crypto@c05353c: passes on 4.14+
• ProtonMail/go-crypto@cc34b1f: passes on 4.18+
• ProtonMail/go-crypto@317b217: passes on 4.18+
• ProtonMail/go-crypto@5ea50bd: passes on 4.18+
• ProtonMail/go-crypto@428f8ea: passes on 4.18+
• ProtonMail/go-crypto@a4f6767: passes on 4.17+
• ProtonMail/go-crypto@f2de896: passes on 4.17+
• ProtonMail/go-crypto@3fbb1f1: (latest) passes on 4.17+

So, I think we can presume that's something related to the critical bit of the
signatures, right?

[caarlos0]

okay, this will do the trick: ProtonMail/go-crypto#175