Daniel Kahn Gillmor · Daniel Kahn Gillmor · 7fc9c071 · 7fc9c071 · 7fc9c071 · 7fc9c071
--- a/debian/changelog
+++ b/debian/changelog
+monkeysphere (0.43-3) unstable; urgency=medium
+
+  * fix monkeysphere-host import-key (Closes: #909700)
+  * update GnuPG dependency
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 10 May 2019 16:55:04 -0400
+
 monkeysphere (0.43-2) unstable; urgency=medium

  * Autopkgtest should cover Ed25519 as well

--- a/debian/control
+++ b/debian/control
@@ -11,7 +11,7 @@ Build-Depends:
 cpio,
 debhelper-compat (= 12),
 dpkg-dev (>= 1.17.14),
- gnupg (>= 2.1.11) <!nocheck>,
+ gnupg (>= 2.1.17) <!nocheck>,
 gnupg-agent <!nocheck>,
 libassuan-dev,
 libcrypt-openssl-rsa-perl <!nocheck>,
@@ -31,7 +31,7 @@ Package: monkeysphere
 Architecture: all
 Depends:
 adduser,
- gnupg (>= 2.1.11),
+ gnupg (>= 2.1.17),
 libcrypt-openssl-rsa-perl,
 libdigest-sha-perl,
 lockfile-progs | procmail,

--- a/debian/patches/0004-tests-basic-ensure-functionality-with-output-of-stan.patch
+++ b/debian/patches/0004-tests-basic-ensure-functionality-with-output-of-stan.patch
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 10 May 2019 12:15:00 -0400
+Subject: tests/basic: ensure functionality with output of standard OpenSSH
+ keygen
+
+Our "fix" to https://bugs.debian.org/909700 in
+d8fc9f284fc9a128a174b16ad19e866f1c00bc27 just avoided testing the
+actual typical default output of ssh-keygen.
+
+While this was fair to do in tests/keytrans, where it is exercised on
+pem2openpgp (which is explicitly defined as only accepting PEM input),
+this is inappropriate for testing monkeysphere in general.
+
+So now, the test suite breaks again, but we need to provide a proper
+fix.
+---
+ tests/basic | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/basic b/tests/basic
+index d5c4692..72a79a6 100755
+--- a/tests/basic
+++ b/tests/basic
+@@ -275,7 +275,7 @@ fi
+ echo
+ echo "##################################################"
+ echo "### import host key..."
+-ssh-keygen -m PEM -b 3072 -t rsa -N '' -f "$TEMPDIR"/ssh_host_rsa_key
+ssh-keygen -b 3072 -t rsa -N '' -f "$TEMPDIR"/ssh_host_rsa_key
+ monkeysphere-host import-key "$TEMPDIR"/ssh_host_rsa_key ssh://testhost.example
+ 
+ echo
--- a/debian/patches/0005-Use-gpg-s-reworked-quick-interface-for-adding-revoki.patch
+++ b/debian/patches/0005-Use-gpg-s-reworked-quick-interface-for-adding-revoki.patch
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 10 May 2019 16:18:28 -0400
+Subject: Use gpg's reworked --quick-* interface for adding/revoking uids
+
+This interface stabilized in GnuPG 2.1.17, so we increase our
+versioned dependency.
+---
+ README                   |  2 +-
+ src/share/mh/add_name    |  5 +----
+ src/share/mh/revoke_name | 10 +---------
+ 3 files changed, 3 insertions(+), 14 deletions(-)
+
+diff --git a/README b/README
+index b47a9bf..33f5a0d 100644
+--- a/README
+++ b/README
+@@ -19,7 +19,7 @@ Dependencies
+ 
+ Monkeysphere depends on:
+ 
+- * GnuPG >= 2.1.11
+ * GnuPG >= 2.1.17
+  * Perl
+  * Perl's Crypt::OpenSSL::RSA module
+  * lockfile-progs or procmail's lockfile
+diff --git a/src/share/mh/add_name b/src/share/mh/add_name
+index f37d9df..6357284 100644
+--- a/src/share/mh/add_name
+++ b/src/share/mh/add_name
+@@ -50,10 +50,7 @@ else
+ fi
+ 
+ # execute edit-key script
+-if gpg_host --export-secret-keys "$keyID" | \
+-    PEM2OPENPGP_USAGE_FLAGS=authenticate \
+-    "$SYSSHAREDIR/keytrans" adduserid "$keyID" "$serviceName" \
+-    | gpg_host --import ; then
+if gpg_host --quick-add-uid "$keyID" "$serviceName" ; then
+ 
+     gpg_host --check-trustdb
+ 
+diff --git a/src/share/mh/revoke_name b/src/share/mh/revoke_name
+index d807ac1..4e8d666 100644
+--- a/src/share/mh/revoke_name
+++ b/src/share/mh/revoke_name
+@@ -46,15 +46,7 @@ else
+ fi
+ 
+ # actually revoke:
+-
+-# the gpg secring might not contain the host key we are trying to
+-# revoke (let alone any selfsig over that host key), but the plain
+-# --export won't contain the secret key.  "keytrans revokeuserid"
+-# needs access to both pieces, so we feed it both of them.
+-
+-if gpg_host --export-secret-keys "$keyID" \
+-    | "$SYSSHAREDIR/keytrans" revokeuserid "$keyID" "$serviceName" \
+-    | gpg_host --import ; then
+if gpg_host --quick-revoke-uid "$keyID" "$serviceName" ; then
+ 
+     gpg_host --check-trustdb
+ 
--- a/debian/patches/0006-mh-import-key-use-ssh-add-and-gpg-agent-for-import-C.patch
+++ b/debian/patches/0006-mh-import-key-use-ssh-add-and-gpg-agent-for-import-C.patch
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 10 May 2019 16:30:11 -0400
+Subject: mh import-key: use ssh-add and gpg-agent for import (Closes:
+ #909700)
+
+This directly fixes the problem that monkeysphere-host was failing to
+import the style of SSH host key that was generated by default by
+ssh-keygen.
+
+As a side effect, we can now support all the host key algorithms that
+are supported by both gpg-agent (in its ssh-agent implementation) and
+ssh-add.
+
+The lockfile and the dancing around the gpg-agent run in
+$GNUPGHOME_HOST is a bit awkward.  It would be nicer to use an
+ephemeral GnuPG homedir as recommended in the "Unattended Usage"
+section of the gnupg info pages, but to do that we'd need to be able
+to extract the secret key, which is blocked by
+https://dev.gnupg.org/T4490
+---
+ man/man8/monkeysphere-host.8 |  7 ++--
+ src/share/mh/import_key      | 82 ++++++++++++++++++++++++++++++++++++++++----
+ 2 files changed, 79 insertions(+), 10 deletions(-)
+
+diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8
+index 3e37057..6ae30ed 100644
+--- a/man/man8/monkeysphere-host.8
+++ b/man/man8/monkeysphere-host.8
+@@ -27,9 +27,10 @@ be omitted, and \fBmonkeysphere\-host\fP will operate on it.
+ \fBmonkeysphere\-host\fP takes various subcommands:
+ .TP
+ .B import\-key FILE SCHEME://HOSTNAME[:PORT]
+-Import a PEM\-encoded host secret key from file FILE.  If FILE is
+-`\-', then the key will be imported from stdin.  Only RSA keys are
+-supported at the moment.  SCHEME://HOSTNAME[:PORT] is used to specify
+Import an SSH host secret key from file FILE.  If FILE is
+`\-', then the key will be imported from stdin, and must be an
+RSA key in PEM\-encoded format.
+SCHEME://HOSTNAME[:PORT] is used to specify
+ the scheme (e.g. ssh or https), fully\-qualified hostname (and port)
+ used in the user ID of the new OpenPGP key (e.g. ssh://example.net or
+ https://www.example.net).  If PORT is not specified, then no port is
+diff --git a/src/share/mh/import_key b/src/share/mh/import_key
+index 0f362b8..ebe2cc3 100644
+--- a/src/share/mh/import_key
+++ b/src/share/mh/import_key
+@@ -18,7 +18,7 @@ local serviceName="$2"
+ 
+ # check that key file specified
+ if [ -z "$keyFile" ] ; then
+-    failure "Must specify PEM-encoded key file to import, or specify '-' for stdin."
+    failure "Must specify key file to import, or specify '-' for PEM-encoded RSA key on stdin."
+ fi
+ 
+ # fail if hostname not specified
+@@ -37,16 +37,84 @@ mkdir -p "${MHDATADIR}"
+ mkdir -p "${GNUPGHOME_HOST}"
+ chmod 700 "${GNUPGHOME_HOST}"
+ 
+-# import pem-encoded key to an OpenPGP private key
+key_type_from_file() {
+    # translates from OpenSSH's pubkey format string to GnuPG's
+    # Key-Type parameter:
+    local keyType
+    if keyType=$(ssh-keygen -y -f "$keyFile" | awk '{ print $1 }'); then
+        case "$keyType" in
+            ssh-dss)
+                echo DSA
+                ;;
+            ecdsa-sha2-nistp256)
+                echo ECDSA
+                ;;
+            ssh-ed25519)
+                echo EDDSA
+                ;;
+            ssh-rsa)
+                echo RSA
+                ;;
+            *)
+                log error "unknown key type '$keyType' from file '$keyFile'"
+                return 1
+                ;;
+        esac
+    else
+        log error "ssh-keygen could not interpret '$keyFile'"
+        return 1
+    fi
+    return 0
+}
+
+
+ if [ "$keyFile" = '-' ] ; then
+-    log verbose "importing key from stdin..."
+    # import PEM-encoded RSA stdin to an OpenPGP private key
+    log verbose "importing PEM-encoded RSA key from stdin..."
+     PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
+ 	| gpg_host --import
+ else
+-    log verbose "importing key from file '$keyFile'..."
+-    PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
+-	<"$keyFile" \
+-	| gpg_host --import
+    # import some sort of file that OpenSSH's keygen can handle
+    if keyType=$(key_type_from_file "$keyFile"); then
+        # we lock to avoid concurrent interactions with gpg-agent and
+        # the sshcontrol file would be dubious
+        lock create "$GNUPGHOME_HOST/importlock"
+        if test -e "$GNUPGHOME_HOST/sshcontrol" && grep -q '^[0-9A-F]' "$GNUPGHOME_HOST/sshcontrol"; then
+            backupSshControl=$(mktemp "$GNUPGHOME_HOST/sshcontrol.XXXXXXXX")
+            log error "$GNUPGHOME_HOST/sshcontrol already contained a key, backing up to $backupSshControl"
+            mv -f "$GNUPGHOME_HOST/sshcontrol" "$backupSshControl"
+        fi
+        
+        log verbose "importing $keyType key from file '$keyFile'..."
+        if ! { test -e "$GNUPGHOME_HOST/gpg-agent.conf" && grep -Fxq batch "$GNUPGHOME_HOST/gpg-agent.conf" ; }; then
+            echo batch >> "$GNUPGHOME_HOST/gpg-agent.conf"
+            GNUPGHOME="$GNUPGHOME_HOST" gpgconf --reload gpg-agent
+            GNUPGHOME="$GNUPGHOME_HOST" gpgconf --launch gpg-agent
+        fi
+        SSH_AUTH_SOCK=$(GNUPGHOME="$GNUPGHOME_HOST" gpgconf --list-dirs agent-ssh-socket) ssh-add "$keyFile"
+        if keyGrip=$(awk '/^[0-9A-F]/{print $1}' < "$GNUPGHOME_HOST/sshcontrol") &&
+           test -n "$keyGrip" && [ $(wc -l <<<"$keyGrip") -eq 1 ] ; then
+            gpg_host --batch --full-generate-key <<EOF
+Key-Type: $keyType
+Key-Grip: $keyGrip
+Key-Usage: auth
+Name-Real: $serviceName
+%no-protection
+%commit
+EOF
+        else
+            rm -f "$GNUPGHOME_HOST/sshcontrol"
+            lock remove "$GNUPGHOME_HOST/importlock"
+            failure "did not find a single keygrip in $GNUPGHOME_HOST/sshcontrol during import"
+        fi
+        rm -f "$GNUPGHOME_HOST/sshcontrol"
+        lock remove "$GNUPGHOME_HOST/importlock"
+    else
+        log error "falling back to pem2openpgp (which will probably still fail)..."
+        PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$serviceName" \
+	                       <"$keyFile" \
+	    | gpg_host --import
+    fi
+ fi
+ 
+ # export to OpenPGP public key to file
--- a/debian/patches/series
+++ b/debian/patches/series
 0001-Expose-sshd-logs-when-ssh-test-fails.patch
 0002-Ensure-that-make-test-ed25519-works-when-no-tty-is-p.patch
 0003-Dump-remaining-jobs-during-test-cleanup.patch
+0004-tests-basic-ensure-functionality-with-output-of-stan.patch
+0005-Use-gpg-s-reworked-quick-interface-for-adding-revoki.patch
+0006-mh-import-key-use-ssh-add-and-gpg-agent-for-import-C.patch