
#1 2019-07-04 02:14:15

jakbyte
Member
From: United States
Registered: 2019-07-04
Posts: 2

[Solved] tor-browser PGP sig can't be verified; gpg says it's too big

When I build tor-browser, everything runs just fine, but it finishes with:

==> Verifying source file signatures with gpg...
    tor-browser-linux64-8.5.3_en-US.tar.xz ... FAILED (unknown public key EB774491D9FF06E2)
==> ERROR: One or more PGP signatures could not be verified!
==> ERROR: Makepkg was unable to build tor-browser.

So I run:

gpg --recv-keys EB774491D9FF06E2

But that outputs:

gpg: key 4E2C6E8793298290: 2 duplicate signatures removed
gpg: key 4E2C6E8793298290: 100310 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 2 signatures reordered
gpg: error writing keyring '/home/jakbyte/.gnupg/pubring.kbx': Provided object is too large
gpg: key 4E2C6E8793298290: public key "[User ID not found]" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:           not imported: 1

Does anyone know a fix? I've searched a bit, but found no specific answer.
(Also, does this belong in AUR Issues?)

Last edited by jakbyte (2019-07-04 12:56:24)


#2 2019-07-04 02:41:15

loqs
Member
Registered: 2014-03-06
Posts: 11,047

Re: [Solved] tor-browser PGP sig can't be verified; gpg says it's too big

See https://bbs.archlinux.org/viewtopic.php?id=247406
Edit:
diff of PKGBUILD for gnupg (adds three patches that should allow the importing of a poisoned key)

diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
index c023c41..3e506d9 100644
--- a/trunk/PKGBUILD
+++ b/trunk/PKGBUILD
@@ -21,14 +21,23 @@ validpgpkeys=('D8692123C4065DEA5E0F3AB5249B39D24F25E3B6'
               '46CC730865BB5C78EBABADCF04376F3EE0856959'
               '031EC2536E580D8EA286A9F22071B08A33BD3F06'
               '5B80C5754298F0CB55D8ED6ABCEF7E294B092E28')
-source=("https://gnupg.org/ftp/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig})
+source=("https://gnupg.org/ftp/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig}
+        "https://github.com/gpg/gnupg/commit/15a425a1dfe60bd976b17671aa8e3d9aed12e1c0.patch"
+        "https://github.com/gpg/gnupg/commit/adb120e663fc5e78f714976c6e42ae233c1990b0.patch"
+        "https://github.com/gpg/gnupg/commit/a1f2f38dfb2ba5ed66d3aef66fc3be9b67f9b800.patch")
 sha256sums=('6cbe8d454bf5dc204621eed3016d721b66298fa95363395bb8eeceb1d2fd14cb'
-            'SKIP')
+            'SKIP'
+            'cf6950719510d354cf161d69c92db30971a1f71b23ead392e35302c801692ddd'
+            'b4ed15161c2d75b760f1cb9ea82eba258fa456b2307ed99003e9410b39a8d86e'
+            '14ef75e124434fe52d137ad98b260692787a0f2edb9d4304eb27ee663ca88482')
 
 install=install
 
 prepare() {
        cd "${srcdir}/${pkgname}-${pkgver}"
+       patch -p1 -i ../15a425a1dfe60bd976b17671aa8e3d9aed12e1c0.patch
+       patch -p1 -i ../adb120e663fc5e78f714976c6e42ae233c1990b0.patch
+       patch -p1 -i ../a1f2f38dfb2ba5ed66d3aef66fc3be9b67f9b800.patch
        sed '/noinst_SCRIPTS = gpg-zip/c sbin_SCRIPTS += gpg-zip' -i tools/Makefile.in
 }
 
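Review bot: the three new source entries pin sha256sums on `.patch` files that GitHub generates on the fly from the commit URLs, so the checksums can start failing later even though the commits themselves never change; appending `?full_index=1` to each URL (or carrying the patch files in the package tree) gives stable output. The bare commit ids also say nothing about what each patch fixes, so `prepare()` reads as three opaque `patch -p1 -i ../<sha>.patch` lines; a `filename::url` rename in `source=` (for example a hypothetical `import-self-sigs-only.patch::https://github.com/gpg/gnupg/commit/....patch`) would document the intent where the patch is applied.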

To delete the key if it is stuck in a broken state

gpg --delete-key EF6E286DDA85EA2A4BA7DE684E2C6E8793298290

To clean the key

gpg --batch --quiet --edit-key EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 clean save quit

Edit:
You could also ask the tor-browser package maintainer to add a warning that the key has been poisoned.

Last edited by loqs (2019-07-04 11:50:53)


#3 2019-07-04 12:54:38

jakbyte
Member
From: United States
Registered: 2019-07-04
Posts: 2

Re: [Solved] tor-browser PGP sig can't be verified; gpg says it's too big

The maintainer has actually already acknowledged this and pinned a solution at https://aur.archlinux.org/packages/tor-browser/

grufo wrote:

Before running makepkg, you must do this (as normal user):
$ gpg --keyserver hkp://pgp.mit.edu:11371 --recv-keys 0x4E2C6E8793298290

Thanks anyways! :)


#4 2019-07-04 13:40:26

loqs
Member
Registered: 2014-03-06
Posts: 11,047

Re: [Solved] tor-browser PGP sig can't be verified; gpg says it's too big

That pinned comment is from nine months before the key was poisoned.
Did using that command work for you?
Edit:

$ gpg --no-default-keyring --keyring /tmp/broken.gpg --keyserver hkp://pgp.mit.edu:11371 --recv-keys 0x4E2C6E8793298290
gpg: keybox '/tmp/broken.gpg' created
gpg: key 4E2C6E8793298290: 2 duplicate signatures removed
gpg: key 4E2C6E8793298290: 21292 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 2 signatures reordered
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
$ ls -lah /tmp/broken.gpg
-rw-r--r--  1 test test 3.6M Jul  4 14:46 broken.gpg
$ rm /tmp/broken.gpg*
$ gpg --no-default-keyring --keyring /tmp/broken.gpg --recv-keys 0x4E2C6E8793298290
gpg: keybox '/tmp/broken_key.gpg' created
gpg: key 4E2C6E8793298290: 2 duplicate signatures removed
gpg: key 4E2C6E8793298290: 100310 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 2 signatures reordered
gpg: error writing keyring '/tmp/broken_key.gpg': Provided object is too large
gpg: key 4E2C6E8793298290: keyblock too large, retrying with self-sigs-only
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ ls -lah /tmp/broken.gpg
-rw-r--r-- 1 test test 11K Jul  4 14:48 /tmp/broken_key.gpg

Your method leaves 20000 signatures uncleaned, relies upon pgp.mit.edu never increasing that number to the 100000 the SKS server pool members have, and provides no defense on the client.

Last edited by loqs (2019-07-04 15:00:18)
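An added check in the spirit of loqs's scratch-keyring test (example code, not from this thread, the AUR package or GnuPG): it reads a `gpg --with-colons --list-sigs` listing and counts self-signatures versus third-party signatures per key, so the decision to clean or refuse a key can be made on the client before it touches the real keyring. The sample listings are constructed, and the `MAX_THIRD` threshold is an assumed value.

```shell
#!/bin/sh
# Added example, not from the thread: gauge how flooded a key block is before
# letting it into the real keyring. Feed it the colon-format listing of a key
# imported into a scratch keyring, as loqs did with /tmp/broken.gpg:
#   gpg --no-default-keyring --keyring /tmp/scratch.gpg --recv-keys <KEYID>
#   gpg --no-default-keyring --keyring /tmp/scratch.gpg --with-colons --list-sigs <KEYID> | count_sigs
# GnuPG 2.2.17+ also has --import-options self-sigs-only, which drops
# third-party signatures at import time instead of after the fact.

# Prints "<keyid> self=<n> third=<n>[ FLOODED]" per primary key read from stdin
# and exits 1 if any key carries more than MAX_THIRD third-party signatures
# (default 1000, an assumed threshold).
count_sigs() {
    awk -F: -v max="${MAX_THIRD:-1000}" '
        function flush() {
            if (key == "") return
            printf "%s self=%d third=%d%s\n", key, self, third, (third > max ? " FLOODED" : "")
            if (third > max) bad = 1
        }
        BEGIN { bad = 0 }
        $1 == "pub" { flush(); key = $5; self = 0; third = 0 }
        # field 5 of a sig record is the signer key id; equal to the pub key id means a self-sig
        $1 == "sig" { if ($5 == key) self++; else third++ }
        END { flush(); exit bad }
    '
}

# Constructed sample: a healthy key with one self-sig and one third-party sig.
SAMPLE_OK='pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example One (constructed) <one@example.invalid>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1500000000::::Example One (constructed) <one@example.invalid>:13x:::::2:
sig:::1:BBBBBBBBBBBBBBBB:1500000001::::[User ID not found]:10x:::::2:'

# Constructed sample generator: one self-sig plus $1 signatures from distinct
# unknown keys, the shape of the 100310-signature block in the thread.
gen_flooded_sample() {
    awk -v n="$1" 'BEGIN {
        print "pub:u:4096:1:CCCCCCCCCCCCCCCC:1500000000:::u:::scESC::::::23::0:"
        print "uid:u::::1500000000::1111111111111111111111111111111111111111::Flooded Key (constructed) <flood@example.invalid>::::::::::0:"
        print "sig:::1:CCCCCCCCCCCCCCCC:1500000000::::Flooded Key (constructed) <flood@example.invalid>:13x:::::2:"
        for (i = 1; i <= n; i++)
            printf "sig:::1:%016d:1500000001::::[User ID not found]:10x:::::2:\n", i
    }'
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_OK" | count_sigs
    gen_flooded_sample 1200 | count_sigs || echo "refusing to import the FLOODED key"
fi
```

Run with `demo` as the first argument to see both samples classified; on a real key, pipe the scratch-keyring listing into `count_sigs` and only then run the `clean save` from above or the import into the real keyring.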

