
test regression with recent gnupg patches from upstream: "public key not found" reported where expecting other errors #3386

Open
smcv opened this issue Feb 26, 2025 · 3 comments

Comments

@smcv
Contributor

smcv commented Feb 26, 2025

Originally reported in Debian as https://bugs.debian.org/1098951.

Recently some patches were cherry-picked from the upstream stable branch of gpg, apparently to fix a denial of service (I'm sorry, I do not fully understand the situation or what these patches are aiming to prevent). https://salsa.debian.org/debian/gnupg2/-/commit/62d8d2f024d5e5c3289d5bf7892013dc18eac4b0 is believed to be the change that triggers this.

After that change, several tests in libostree fail. libostree is aiming to set up various situations in which a signing key or signature has become invalid, and it looks like in all cases signature verification does still fail, but it now fails in a different way that does not match the test's expectations:

  • /gpg-verify-result/valid-signature, /gpg-verify-result/missing-key, /gpg-verify-result/expired-signature still have their expected results
  • in /gpg-verify-result/expired-key, we expect key_expired, but what we actually now get is key_missing
    • similarly in /gpg-verify-result/require-valid-signature-expired-key we expect an expired key but get error message Can't check signature: public key not found
  • in /gpg-verify-result/revoked-key, similarly, we get key_missing
    • similarly in /gpg-verify-result/require-valid-signature-revoked-key we get Can't check signature: public key not found
  • and similarly /gpg-verify-result/require-valid-signature-expired-missing-key gets Can't check signature: public key not found, twice

Sorry, I don't know gpg well enough to know whether it is working as designed, or whether the patches contain a regression.

smcv added a commit to smcv/ostree that referenced this issue Feb 26, 2025
…ut it

Helps: ostreedev#3386
Signed-off-by: Simon McVittie <smcv@debian.org>
@smcv
Contributor Author

smcv commented Feb 26, 2025

See also https://dev.gnupg.org/T7527.

@smcv
Contributor Author

smcv commented Feb 26, 2025

I'm pretty sure this is not a correct patch, but it illustrates which parts of the test fail, and is enough to make the test run successfully.

Sorry, I have no idea why this is happening (and I don't understand the gpg codebase), so I don't know whether this is a regression in gpg, or whether libostree is using it incorrectly (in a way that is only detected by the most recent versions), or something else.

index c2ceca7b..68065f9b 100644
--- a/tests/test-gpg-verify-result.c
+++ b/tests/test-gpg-verify-result.c
@@ -306,6 +306,17 @@ test_expired_key (TestFixture *fixture, gconstpointer user_data)
                   key_exp_timestamp);
 
   g_assert_false (valid);
+
+  if (key_missing)
+    {
+      /* After https://dev.gnupg.org/T7527 was fixed, our key shows as
+       * missing rather than expired */
+      g_assert_false (sig_expired);
+      g_assert_false (key_revoked);
+      g_assert_true (key_missing);
+      return;
+    }
+
   g_assert_false (sig_expired);
   g_assert_true (key_expired);
   g_assert_false (key_revoked);
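Review bot: the new `if (key_missing)` branch in test_expired_key never asserts on `key_expired`; add `g_assert_false (key_expired);` next to the three asserts already in the block so the fallback path checks the full flag set, the way the equivalent block in test_revoked_key checks `key_expired` and `sig_expired`. The comment text "missing rather than expired" is correct for this function.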
@@ -341,6 +352,17 @@ test_revoked_key (TestFixture *fixture, gconstpointer user_data)
                   key_missing ? 'y' : 'n',
                   key_exp_timestamp);
 
+  if (key_missing)
+    {
+      /* After https://dev.gnupg.org/T7527 was fixed, our key shows as
+       * missing rather than expired */
+      g_assert_false (sig_expired);
+      g_assert_false (key_expired);
+      g_assert_true (key_missing);
+      g_assert_cmpint (key_exp_timestamp, ==, 0);
+      return;
+    }
+
   g_assert_false (valid);
   g_assert_false (sig_expired);
   g_assert_false (key_expired);
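Review bot: the early return is placed above `g_assert_false (valid);`, so on the key_missing path `valid` is never checked; move the block below that line (in test_expired_key it already follows `g_assert_false (valid);`) or add the assert inside the block. The comment also says "missing rather than expired", but this is test_revoked_key and the flag being replaced is `key_revoked`, so it should read "missing rather than revoked", and the block should include `g_assert_false (key_revoked);` alongside the other flag asserts.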
@@ -438,6 +460,12 @@ test_require_valid_signature_expired_key (TestFixture *fixture, gconstpointer us
   g_assert_false (res);
   g_test_message ("Expected expired key, got: %s %d %s",
                   g_quark_to_string (error->domain), error->code, error->message);
+
+  /* After https://dev.gnupg.org/T7527 was fixed, our key shows as missing
+   * rather than expired */
+  if (g_error_matches (error, OSTREE_GPG_ERROR, OSTREE_GPG_ERROR_MISSING_KEY))
+    return;
+
   g_assert_error (error, OSTREE_GPG_ERROR, OSTREE_GPG_ERROR_EXPIRED_KEY);
   assert_str_contains (error->message, "Key expired");
 }
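Review bot: returning early on OSTREE_GPG_ERROR_MISSING_KEY makes this test pass for both outcomes without recording which one happened, so a regression that stops reporting an expired key would no longer be detected on any gpg version. At least log the taken path with `g_test_message` (or mark it with `g_test_skip`) so the test output shows whether the EXPIRED_KEY assertions were exercised, and consider deciding the expected error from the gpg version rather than accepting either.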
@@ -450,6 +478,12 @@ test_require_valid_signature_revoked_key (TestFixture *fixture, gconstpointer us
   g_assert_false (res);
   g_test_message ("Expected revoked key, got: %s %d %s",
                   g_quark_to_string (error->domain), error->code, error->message);
+
+  /* After https://dev.gnupg.org/T7527 was fixed, our key shows as missing
+   * rather than expired */
+  if (g_error_matches (error, OSTREE_GPG_ERROR, OSTREE_GPG_ERROR_MISSING_KEY))
+    return;
+
   g_assert_error (error, OSTREE_GPG_ERROR, OSTREE_GPG_ERROR_REVOKED_KEY);
   assert_str_contains (error->message, "Key revoked");
 }
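Review bot: the comment reads "missing rather than expired" but this hunk is in test_require_valid_signature_revoked_key and the assertion it bypasses is OSTREE_GPG_ERROR_REVOKED_KEY, so it should say "rather than revoked". Same concern as the previous hunk: the early return accepts either error code silently, so the log should at least record which path was taken.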
@@ -488,7 +522,11 @@ test_require_valid_signature_expired_missing_key (TestFixture *fixture, gconstpo
    * the message should show both issues.
    */
   g_assert_error (error, OSTREE_GPG_ERROR, OSTREE_GPG_ERROR_MISSING_KEY);
+#if 0
+  /* After https://dev.gnupg.org/T7527 was fixed, our key shows as missing
+   * (twice) rather than expired */
   assert_str_contains (error->message, "Key expired");
+#endif
   assert_str_contains (error->message, "public key not found");
 }
 
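Review bot: `#if 0` removes the `assert_str_contains (error->message, "Key expired")` check unconditionally, so unlike the other hunks this one also drops the old expectation for gpg versions that still report "Key expired", and the context comment just above ("the message should show both issues") now contradicts the assertions that follow it. Prefer the conditional style used in the other hunks (keep the "Key expired" check when the message contains it, and accept the doubled "public key not found" otherwise), and update the comment so it describes both accepted outcomes.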

@smcv
Contributor Author

smcv commented Feb 26, 2025

Some of the shell-script-based tests are also failing with the new gpg, with symptoms that look similar ("public key not found" reported where it was not expected, and "Key expired" not reported where it was expected). So the changes to the C code above are not a complete answer to this.

smcv added a commit to smcv/ostree that referenced this issue Feb 26, 2025
…ut it

Helps: ostreedev#3386
Signed-off-by: Simon McVittie <smcv@debian.org>