Bugzilla – Full Text Bug Listing
| Summary: | Zypper incorrectly reports bad repomd.xml signature when it can only verify some signatures | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Distribution | Reporter: | Eric Dand <edand> |
| Component: | libzypp | Assignee: | E-mail List <zypp-maintainers> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | bzeller, dcermak, dimstar, fbui, fcrozat, liamh, lnussel, luc14n0, ma, mls, ngompa13, security-team, zmarano |
| Version: | Leap 15.3 | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
While this is a *very* serious bug, it is unrelated to the Zypper bugs on file triggers. It looks like the behavior of gpg2/libgpgme11 has changed. Your gpg2 seems to report an error (exit 2) despite the valid signature:

> 20388 ..."[GNUPG:] VALIDSIG 59FE0256827269DC81578F928B57C5C2836F4BEB ...
> 20388 20:59:44.765497 +++ exited with 2 +++

While older gpg2 versions exit 0.

> 30347 ..."[GNUPG:] VALIDSIG 59FE0256827269DC81578F928B57C5C2836F4BEB ...
> 30347 +++ exited with 0 +++

I'll have a closer look at it. If libgpgme11 now forwards this as an error, our handling is indeed too strict. We tolerate just an expired key. If the new gpg2 behaviour is intended, we have to adapt our code.

fixed in libzypp-17.25.6

SUSE-RU-2021:0169-1: An update that has four recommended fixes and contains one feature can now be installed.

Category: recommended (moderate)
Bug References: 1179816,1180077,1180663,1180721
CVE References:
JIRA References: SLE-8482
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): libsolv-0.7.16-3.13.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): libsolv-0.7.16-3.13.1, libzypp-17.25.6-3.28.2, zypper-1.14.42-3.17.1
SUSE Linux Enterprise Installer 15-SP2 (src): libsolv-0.7.16-3.13.1, libzypp-17.25.6-3.28.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-RU-2021:0143-1: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1179816,1180077,1180663,1180721
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): libsolv-0.7.16-lp152.2.13.1, libzypp-17.25.6-lp152.2.19.2, zypper-1.14.42-lp152.2.15.1

SUSE-SU-2021:0956-1: An update that solves one vulnerability, contains one feature and has 18 fixes is now available.

Category: security (moderate)
Bug References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629
CVE References: CVE-2017-9271
JIRA References: SLE-8482
Sources used:
SUSE Manager Server 4.0 (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Manager Retail Branch Server 4.0 (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Manager Proxy 4.0 (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Linux Enterprise Installer 15-SP1 (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE Enterprise Storage 6 (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1
SUSE CaaS Platform 4.0 (src): libsigc++2-2.10.0-3.7.1, libsolv-0.7.17-3.32.1, libyui-ncurses-pkg-2.48.9-7.7.1, libyui-ncurses-pkg-doc-2.48.9-7.7.1, libyui-qt-pkg-2.45.28-3.10.1, libyui-qt-pkg-doc-2.45.28-3.10.1, libzypp-17.25.8-3.48.1, yast2-pkg-bindings-4.1.3-3.10.3, zypper-1.14.43-3.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
I've found a bug in how Zypper (really, libzypp) interacts with `gpg` in order to verify the signature on a software repository. It appears that when a `repomd.xml.asc` file contains multiple signatures, all must be valid in order for Zypper to consider them so. If one of the signatures cannot be verified (e.g. if Zypper does not have access to a matching public key), then it reports incorrectly:

> Warning: This file was modified after it has been signed. This may have been a malicious change, so it might not be trustworthy anymore! You should not continue unless you know it's safe.

This message is untrue and misleading. This can be demonstrated by trying to use the Google Cloud Monitoring Agent Repository (found at https://packages.cloud.google.com/yum/repos/google-cloud-monitoring-sles15-x86_64-all) currently. The repository is signed with three keys, one of which is retired and outdated, and thus no longer distributed. A fresh SLES 15 instance reports the above message even when it has copies of two of the three signing keys.

To demonstrate what's going on between Zypper and its child GPG process, see the following (abbreviated) strace:

```
20388 20:59:44.763597 write(8, "[GNUPG:] GOODSIG 8B57C5C2836F4BEB gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <glinux-team@google.com>\n", 221) = 221
20354 20:59:44.763634 read(7, "[GNUPG:] GOODSIG 8B57C5C2836F4BEB gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <glinux-team@google.com>\n", 1024) = 221
20388 20:59:44.763672 write(10, "gpg: Good signature from \"gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <glinux-team@google.com>\" [unknown", 222) = 222
20354 20:59:44.763709 read(9, "gpg: Good signature from \"gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <glinux-team@google.com>\" [unknown", 4096) = 222
20388 20:59:44.763740 write(10, "]\n", 2) = 2
20354 20:59:44.763776 read(9, "]\n", 4096) = 2
20388 20:59:44.763819 write(8, "[GNUPG:] VALIDSIG 59FE0256827269DC81578F928B57C5C2836F4BEB 2021-01-08 1610139162 0 4 0 1 8 01 59FE0256827269DC81578F928B57C5C2836F4BEB\n", 135) = 135
20354 20:59:44.763856 read(7, "[GNUPG:] VALIDSIG 59FE0256827269DC81578F928B57C5C2836F4BEB 2021-01-08 1610139162 0 4 0 1 8 01 59FE0256827269DC81578F928B57C5C2836F4BEB\n", 1024) = 135
20388 20:59:44.763909 read(4, "\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 40) = 40
20388 20:59:44.763932 write(8, "[GNUPG:] TRUST_UNDEFINED 0 pgp\n", 31) = 31
20354 20:59:44.763966 read(7, "[GNUPG:] TRUST_UNDEFINED 0 pgp\n", 1024) = 31
20388 20:59:44.763998 write(10, "gpg: ", 5) = 5
20354 20:59:44.764064 read(9, "gpg: ", 4096) = 5
20388 20:59:44.764098 write(10, "WARNING: This key is not certified with a trusted signature!\n", 61) = 61
20354 20:59:44.764135 read(9, "WARNING: This key is not certified with a trusted signature!\n", 4096) = 61
20388 20:59:44.764171 write(10, "gpg: ", 5) = 5
20354 20:59:44.764207 read(9, "gpg: ", 4096) = 5
20388 20:59:44.764236 write(10, " There is no indication that the signature belongs to the owner.\n", 73) = 73
20354 20:59:44.764271 read(9, " There is no indication that the signature belongs to the owner.\n", 4096) = 73
20388 20:59:44.764308 write(10, "Primary key fingerprint: 59FE 0256 8272 69DC 8157 8F92 8B57 C5C2 836F 4BEB", 75) = 75
20354 20:59:44.764344 read(9, "Primary key fingerprint: 59FE 0256 8272 69DC 8157 8F92 8B57 C5C2 836F 4BEB", 4096) = 75
20388 20:59:44.764373 write(10, "\n", 1) = 1
20354 20:59:44.764409 read(9, "\n", 4096) = 1
20388 20:59:44.764446 write(8, "[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23\n", 41) = 41
20354 20:59:44.764483 read(7, "[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23\n", 1024) = 41
20354 20:59:44.764745 read(9, "", 4096) = 0
20354 20:59:44.764804 read(7, "", 1024) = 0
20354 20:59:44.764928 write(3, "2021-01-08 20:59:44 <2> edand-sles-15-tester(20354) [zypp::gpg] KeyManager.cc(readSignaturesFprsOptVerify):207 Failed signature check: /var/tmp/AP_0xBDenJq/repodata/repomd.xml <Unspecified source> No public key\n", 211) = 211
20354 20:59:44.765129 write(3, "2021-01-08 20:59:44 <1> edand-sles-15-tester(20354) [zypp::KeyRing] KeyRing.cc(dumpPublicKeyToTmp):395 Going to export key [8B57C5C2836F4BEB] from /var/tmp/zypp.mEV4mz/zypp-trusted-krRoWE6M to /var/tmp/zypp.mEV4mz/pubkey-8B57C5C2836F4BEB-UXGCAZ\n", 245) = 245
20354 20:59:44.765214 write(3, "2021-01-08 20:59:44 <1> edand-sles-15-tester(20354) [zypp::gpg++] KeyManager.cc(createForOpenPGP):239 createForOpenPGP(/var/tmp/zypp.mEV4mz/zypp-trusted-krRoWE6M)\n", 163) = 163
20388 20:59:44.765497 +++ exited with 2 +++
20389 20:59:44.766173 +++ exited with 0 +++
20354 20:59:44.766217 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=20389, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
...
20354 20:59:44.786790 write(2, "\33[22;27;31;49mSignature verification failed for file 'repomd.xml' from repository 'Google Cloud Monitoring Agent Repository'.", 125) = 125
20354 20:59:44.786903 write(2, "\33[0m", 4) = 4
20354 20:59:44.786947 write(2, "\n", 1) = 1
20354 20:59:44.787013 write(1, "\n", 1) = 1
20354 20:59:44.787104 write(1, "\33[22;27;39;49m \33[22;27;36;49mNote:\33[22;27;39;49m Signing data enables the recipient to verify that no modifications occurred after the data\n were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system\n", 242) = 242
20354 20:59:44.787160 write(1, " and in extreme cases even to a system compromise.\33[0m\n", 58) = 58
20354 20:59:44.787210 write(1, "\n", 1) = 1
20354 20:59:44.787271 write(1, "\33[22;27;39;49m \33[22;27;36;49mNote:\33[22;27;39;49m File 'repomd.xml' is the repositories master index file. It ensures the integrity of the\n", 141) = 141
20354 20:59:44.787318 write(1, " whole repo.\33[0m\n", 20) = 20
20354 20:59:44.787367 write(1, "\n", 1) = 1
20354 20:59:44.787436 write(1, "\33[22;27;39;49m \33[22;27;35;49mWarning:\33[22;27;39;49m This file was modified after it has been signed. This may have been a malicious change,\n", 143) = 143
20354 20:59:44.787479 write(1, " so it might not be trustworthy anymore! You should not continue unless you know it's safe.\33[0m\n", 99) = 99
20354 20:59:44.787526 write(1, "\n", 1) = 1
20354 20:59:44.787601 write(1, "\33[2K\r\33[1;39;49mSignature verification failed for file 'repomd.xml' from repository 'Google Cloud Monitoring Agent Repository'. Continue? \33[1;39;49m[yes\33[1;39;49m/no\33[1;39;49m] (no\33[1;39;49m)\33[0m\33[1;39;49m: \33[0m\33[0m\33[0m\33[0m\33[0m", 226) = 226
```

From the trace above, it is clear that the signature is successfully verified ("GOODSIG"), but then later the repository is reported as not properly signed. I believe the issue to be in https://github.com/openSUSE/libzypp/blob/master/zypp/KeyManager.cc, where it handles the output from the `gpgme` library it uses to launch and interact with GPG.
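Two observations in this report decide how a verifier should treat a multi-signature `repomd.xml.asc`: the reporter's trace shows a `GOODSIG`/`VALIDSIG` record for one key followed by a "No public key" failure for another, and the maintainer's comment shows gpg2 exiting 2 even after printing `VALIDSIG`. The example below is added here and is not libzypp's code (libzypp is C++ and goes through gpgme); it parses gpg's `--status-fd` keyword lines directly and derives the verdict from them, recording the exit status only as information. The status text is constructed: the first record reuses the `GOODSIG`/`VALIDSIG` keywords and key from the strace above, while the `ERRSIG`/`NO_PUBKEY` and `EXPKEYSIG` records, their key IDs and fingerprints, are placeholders. The policy it implements (any `BADSIG` rejects; one signature by a held key, or by an expired key when that is tolerated, as the maintainer says libzypp does, is enough; a signature whose key is missing is "unverifiable", not "modified after signing") is my reading of this thread, not libzypp's actual implementation.

```python
"""Decide whether a multi-signature detached signature is acceptable from gpg's
machine-readable --status-fd lines, not from gpg's exit status.
Added example; not libzypp code and not gpgme."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed gpg status output for a file carrying three signatures. The first
# record reuses the GOODSIG/VALIDSIG keywords and key from the strace in this
# report; the ERRSIG/NO_PUBKEY and EXPKEYSIG records, and their key IDs and
# fingerprints, are placeholders made up for the example.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8B57C5C2836F4BEB gLinux Rapture Automatic Signing Key <glinux-team@google.com>
[GNUPG:] VALIDSIG 59FE0256827269DC81578F928B57C5C2836F4BEB 2021-01-08 1610139162 0 4 0 1 8 01 59FE0256827269DC81578F928B57C5C2836F4BEB
[GNUPG:] TRUST_UNDEFINED 0 pgp
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1610139162 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG FEDCBA9876543210 Retired Repo Key <retired@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2021-01-08 1610139162 0 4 0 1 8 01 0000000000000000000000000000000000000000
"""

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

# Per-signature state derived from the status keyword that opens its record.
SIG_KEYWORDS = {"GOODSIG": "good", "EXPKEYSIG": "expired-key", "EXPSIG": "expired-sig",
                "REVKEYSIG": "revoked-key", "BADSIG": "bad"}


@dataclass
class SigResult:
    keyid: str
    state: str          # good, expired-key, expired-sig, revoked-key, bad, no-pubkey, error
    fingerprint: str = ""


@dataclass
class Verdict:
    accept: bool
    reason: str
    signatures: List[SigResult] = field(default_factory=list)


def parse_status(status_text: str) -> List[SigResult]:
    """Group gpg status lines into one SigResult per signature."""
    sigs: List[SigResult] = []
    cur = None
    for raw in status_text.splitlines():
        m = STATUS_RE.match(raw.strip())
        if not m:
            continue                      # human-readable stderr lines are ignored
        kw, args = m.group(1), (m.group(2) or "").split()
        if kw == "NEWSIG":
            cur = None                    # the next keyword opens a new record
        elif kw in SIG_KEYWORDS:
            cur = SigResult(keyid=args[0], state=SIG_KEYWORDS[kw])
            sigs.append(cur)
        elif kw == "ERRSIG":
            rc = args[5] if len(args) > 5 else ""   # rc 9 == missing public key
            cur = SigResult(keyid=args[0], state="no-pubkey" if rc == "9" else "error")
            sigs.append(cur)
        elif kw == "NO_PUBKEY" and cur is not None and cur.keyid == args[0]:
            cur.state = "no-pubkey"
        elif kw == "VALIDSIG" and cur is not None:
            cur.fingerprint = args[-1]    # last field is the primary key fingerprint
    return sigs


def verify(status_text: str, gpg_exit_code: int, tolerate_expired_key: bool = True) -> Verdict:
    """Policy: any BADSIG means the data was altered or the signature forged, so
    reject; otherwise one signature by a key we hold is enough, and signatures
    whose key we lack are reported as unverifiable rather than as tampering.
    The exit code is recorded only, because gpg 2 may exit 2 after VALIDSIG."""
    sigs = parse_status(status_text)
    tail = f" (gpg exit status {gpg_exit_code})"
    if not sigs:
        return Verdict(False, "unsigned: no signature record found" + tail, sigs)
    if any(s.state == "bad" for s in sigs):
        bad = ", ".join(s.keyid for s in sigs if s.state == "bad")
        return Verdict(False, f"modified after signing: BADSIG from {bad}" + tail, sigs)
    ok_states = {"good"} | ({"expired-key"} if tolerate_expired_key else set())
    verified = [s.keyid for s in sigs if s.state in ok_states]
    unverifiable = [s.keyid for s in sigs if s.state == "no-pubkey"]
    if verified:
        note = f"; no public key for {', '.join(unverifiable)}" if unverifiable else ""
        return Verdict(True, f"verified by {', '.join(verified)}{note}" + tail, sigs)
    if unverifiable and len(unverifiable) == len(sigs):
        return Verdict(False, "no public key for any signature" + tail, sigs)
    states = ", ".join(f"{s.keyid}={s.state}" for s in sigs)
    return Verdict(False, "no acceptable signature: " + states + tail, sigs)


if __name__ == "__main__":
    v = verify(SAMPLE_STATUS, gpg_exit_code=2)
    print("accept" if v.accept else "reject", "-", v.reason)
```

Run as a script it accepts the constructed sample with exit status 2, naming the key that verified it and the key it could not check; flipping the first record to `BADSIG` is the only input that yields the "modified after signing" wording, and a status with nothing but `NO_PUBKEY` records is reported as unverifiable, which is the distinction the reporter is asking zypper to draw.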