#1 2024-04-26 13:27:32

Haplo2
Member
Registered: 2024-02-08
Posts: 8

[SOLVED] makepkg fails to verify clearsign signatures

I have a problem with makepkg failing to verify PGP signatures, because the signature is embedded into the file (what is called a clearsigned document [0]).

First the context: I'm trying to update the PKGBUILD for asgardex-appimage [1]. Before, they used to have a detached PGP signature of the SHA256 file, but recently they moved their SHA256 sums file to a clearsigned one. See this release [2] for example.

This is my updated PKGBUILD:

_upkgname=asgardex
_pkgname=ASGARDEX
pkgname=asgardex-appimage
pkgver=1.21.6
msgver=${pkgver//./}    # 1.21.6 -> 1216, the number used in the upstream sums file name
pkgrel=1
pkgdesc="Thorchain wallet desktop app"
arch=('x86_64')
url="https://github.com/asgardex/asgardex-desktop/releases"
license=('MIT')
makedepends=('p7zip')
depends=('fuse')
validpgpkeys=('F98400561D4636B4A92F07CE5BA40B710C7240C4'
              '9A6461A8CAAAA0AEB8EFDDA8C5334FE4FD04D709')
source=("$url/download/v$pkgver/$_pkgname-$pkgver-linux.AppImage"
        "$url/download/v$pkgver/msg$msgver.asc")
# must match the downloaded file name exactly, otherwise makepkg tries to extract it
noextract=("$_pkgname-$pkgver-linux.AppImage")
options=('!strip')
sha256sums=('62fb845615bb96e046d21a18f8b9b40e61852311bc799522e92edddcfe494c5c' 'SKIP')

prepare() {
    cd "${srcdir}"
    # pull only the desktop entry, icon and licence files out of the AppImage
    7z x "${srcdir}/$_pkgname-$pkgver-linux.AppImage" $_upkgname.desktop usr/share/icons/hicolor/512x512/apps/$_upkgname.png LICENSE.electron.txt LICENSES.chromium.html
    sed -i "s/Exec=AppRun/Exec=\/usr\/bin\/$_upkgname/" $_upkgname.desktop
}

package() {
    cd "${srcdir}"
    install -Dm755 "$_pkgname-${pkgver}-linux.AppImage" "${pkgdir}/opt/$_upkgname/$_upkgname.AppImage"
    install -Dm644 "$_upkgname.desktop" "${pkgdir}/usr/share/applications/$_upkgname.desktop"
    install -Dm644 "usr/share/icons/hicolor/512x512/apps/$_upkgname.png" "${pkgdir}/usr/share/icons/hicolor/512x512/apps/$_upkgname.png"
    mkdir "${pkgdir}/usr/bin"
    ln -s "/opt/$_upkgname/$_upkgname.AppImage" "${pkgdir}/usr/bin/$_upkgname"
    install -Dm644 LICENSE.electron.txt "$pkgdir/usr/share/licenses/$pkgname/LICENSE.electron.txt"
    install -Dm644 LICENSES.chromium.html "$pkgdir/usr/share/licenses/$pkgname/LICENSES.chromium.html"
}

When attempting to `makepkg` it fails because it detects the `msg1216.asc` source file and attempts to verify a `msg1216` file that doesn't exist:

$ makepkg
==> Making package: asgardex-appimage 1.21.6-1 (Fri 26 Apr 2024 02:19:38 PM WEST)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Found ASGARDEX-1.21.6-linux.AppImage
-> Found msg1216.asc
==> Validating source files with sha256sums...
ASGARDEX-1.21.6-linux.AppImage ... Passed
msg1216.asc ... Skipped
==> Verifying source file signatures with gpg...
msg1216 ... SIGNATURE NOT FOUND
FAILED
==> ERROR: One or more PGP signatures could not be verified!

Is there some trick I can use to get it to work? Is the only way to have a custom `verify()` function?

Should I open an issue with `makepkg`? I think it should be able to handle these cases.

[0] https://www.gnupg.org/gph/en/manual/x135.html
[1] https://aur.archlinux.org/packages/asgardex-appimage
[2] https://github.com/asgardex/asgardex-de … ag/v1.21.6

Last edited by Haplo2 (2024-04-27 09:49:00)


#2 2024-04-26 13:41:26

progandy
Member
Registered: 2012-05-17
Posts: 5,203

Re: [SOLVED] makepkg fails to verify clearsign signatures

Even if verifying the embedded signature of the sha256 file would work, it does not suffice. It only makes sense to download this file and verify its signature if you also use the contained sha256sum to verify the appimage file. You need a custom verify() function at least for that part.


#3 2024-04-26 15:45:55

Haplo2
Member
Registered: 2024-02-08
Posts: 8

Re: [SOLVED] makepkg fails to verify clearsign signatures

progandy wrote:

Even if verifying the embedded signature of the sha256 file would work, it does not suffice. It only makes sense to download this file and verify its signature if you also use the contained sha256sum to verify the appimage file. You need a custom verify() function at least for that part.

Thank you for the reply @progandy. I see what you mean and you are right. However, I'm left thinking that it'd be nice if it were possible to specify a source file for the integrity check.

The current (outdated) version of the PKGBUILD of asgardex-appimage downloads the sha256sums file and extracts the SHA256 for the AppImage, but at least makepkg was handling the downloading of the PGP keys and verifying the signatures. This is the relevant bit:

url="https://github.com/thorchain/asgardex-electron/releases"
validpgpkeys=('0F1342110E1A10DCAFA7194DABB32D7C24F80F1D' '9A6461A8CAAAA0AEB8EFDDA8C5334FE4FD04D709')
source=("$url/download/v$pkgver/$_pkgname-$pkgver-linux.AppImage" "$url/download/v$pkgver/msg-v$msgver"{,.asc} )
shasumappimage=$(curl -sL $url/download/v$pkgver/msg-v$msgver | grep $_pkgname-$pkgver-linux.AppImage | cut -c1-64)
sha256sums=($shasumappimage 'SKIP' 'SKIP')

I will go the verify() route for now, but I want to think that this workflow is common enough that it'd be worth automating. Would such an improvement be welcome in makepkg, or is it out of scope?


#4 2024-04-26 22:28:05

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,405

Re: [SOLVED] makepkg fails to verify clearsign signatures

It is really not common enough.  Hence the verify() function is the correct solution.


#5 2024-04-27 09:48:24

Haplo2
Member
Registered: 2024-02-08
Posts: 8

Re: [SOLVED] makepkg fails to verify clearsign signatures

Allan wrote:

It is really not common enough.  Hence the verify() function is the correct solution.

Thank you for chiming in, good to know this is the right approach.

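The verify() route agreed on above, as an added example that is not part of the thread or the asgardex package: gpg verifies the clearsigned msg$msgver.asc, then the AppImage is checked against the sha256 line taken from the signed body only, so the sum never comes from unsigned text. $srcdir, $_pkgname, $pkgver and $msgver are assumed to be set as in the PKGBUILD; _sum_from_clearsigned, _check_sha256 and _demo are my own names.

```shell
# Added example (not from the thread or the asgardex project). $srcdir,
# $_pkgname, $pkgver and $msgver are assumed to be set as in the PKGBUILD.
# Print the sha256 recorded for file $2 in clearsigned sums file $1. Only the
# signed body is scanned (from the SIGNED MESSAGE header up to the armored
# signature), so nothing in the signature block can pass as a digest line.
_sum_from_clearsigned() {
    awk -v name="$2" '
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ { inbody = 1; next }
        /^-----BEGIN PGP SIGNATURE-----$/      { exit }
        inbody && NF >= 2 && length($1) == 64 && $1 ~ /^[0-9a-f]+$/ {
            f = $2; sub(/^\*/, "", f)          # "sha256sum -b" prefixes "*"
            if (f == name) { print $1; exit }
        }' "$1"
}
# Succeed only if file $2 hashes to the 64-hex digest $1 (empty digest fails).
_check_sha256() {
    [ "${#1}" -eq 64 ] || return 1
    [ "$(sha256sum "$2" | cut -c1-64)" = "$1" ]
}

verify() {
    cd "$srcdir" || return 1
    sums="msg$msgver.asc"; app="$_pkgname-$pkgver-linux.AppImage"
    # Signature first: gpg reads clearsigned input directly and fails unless
    # a key in the caller's keyring (where the validpgpkeys live) made it.
    gpg --verify "$sums" || return 1
    # Then integrity: the AppImage must match the digest in the signed body.
    _check_sha256 "$(_sum_from_clearsigned "$sums" "$app")" "$app"
}

# Offline demo on a constructed, unsigned sums file (gpg is not called):
# returns 0 if the digest is found, the intact file passes and a tampered one fails.
_demo() (
    cd "$(mktemp -d)" || exit 1
    app=ASGARDEX-1.21.6-linux.AppImage
    printf 'constructed AppImage bytes\n' > "$app"
    real=$(sha256sum "$app" | cut -c1-64)
    cat > msg1216.asc <<EOF
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

$real  $app
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
EOF
    sum=$(_sum_from_clearsigned msg1216.asc "$app")
    [ "$sum" = "$real" ] && _check_sha256 "$sum" "$app" || exit 1
    echo tampered >> "$app"
    ! _check_sha256 "$sum" "$app"
)
```

verify() runs as bash inside makepkg, so the gpg step can additionally be pinned to the validpgpkeys fingerprints by matching the VALIDSIG line from `gpg --status-fd 1 --verify` against them, rather than accepting any key in the keyring.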
