Problems verifying signature of .deb for 6.13 release on Ubuntu

Asked by thefrenchchef

I recently installed the version 6.13 .deb of clamtk on Ubuntu 18.04 from:

    https://github.com/dave-theunsub/clamtk/releases/download/v6.13/clamtk_6.13-1_all.deb

Prior to installation, I checked the sha256, and it was fine. I subsequently learned about signatures, so I went to recheck my download.

I followed the instructions at https://gitlab.com/dave_m/clamtk/-/wikis/ClamTk-Hashes
Code:

dpkg-sig --verify clamtk_6.13-1_all.deb clamtk_6.13-1_amd64.changes
Processing clamtk_6.13-1_all.deb...
NOSIG

As such, I'm concerned about the integrity of the package I installed, although I realize I may just be making a mistake or the instructions are lacking in verifying the .sig. The sha256 matched a fresh download, and clamav and virustotal had no problems with the file.

Is this something to be concerned about re system security?

Question information

Language: English
Status: Solved
For: ClamTk
Assignee: No assignee
Solved by: thefrenchchef
#1 thefrenchchef (thefrenchchef) said:

I also just checked 6.14, GOODSIG is returned.

#2 thefrenchchef (thefrenchchef) said:

Would it be helpful to send my download of 6.13 to verify its authenticity? Or perhaps if the NOSIG issue can be reproduced on your side.

#3 Dave M (dave-nerd) said:

Hi Peter,

Does "gpg --list-keys" show my key installed?

Dave M

#4 thefrenchchef (thefrenchchef) said:

Hi Dave,

Yes, it does.

#5 thefrenchchef (thefrenchchef) said:

I can also confirm that in addition to 6.14, clamtk_6.12-1_all.deb has GOODSIG.

Seems 6.13 (that I already installed), is the only one with NOSIG.

#6 Dave M (dave-nerd) said:

Hi Peter,

That's strange. I just went and tried the 6.13 version:

dave@ubuntu:~/clamtk-6.13$ dpkg-sig --verify *.deb *.changes
Processing clamtk_6.13-1_all.deb...
GOODSIG _gpgbuilder 5DD47B3B121EE5C354A20305F51D19546ADA59DE 1625663001
GOODSIG _gpgbuilder0 5DD47B3B121EE5C354A20305F51D19546ADA59DE 1625663001
--- Processing changes file clamtk_6.13-1_amd64.changes:
Processing ./clamtk_6.13-1_all.deb...
GOODSIG _gpgbuilder 5DD47B3B121EE5C354A20305F51D19546ADA59DE 1625663001
GOODSIG _gpgbuilder0 5DD47B3B121EE5C354A20305F51D19546ADA59DE 1625663001

You said your sha256 matched? And md5sum?

#7 thefrenchchef (thefrenchchef) said (last edit):

Hi Dave, that's correct.

$ md5sum clamtk_6.13-1_all.deb
4d6c2a39a9d6f7d3a863406f3ee6897f clamtk_6.13-1_all.deb

$ sha256sum clamtk_6.13-1_all.deb
a0cf7a6306015300c805ba8f793f2b8ba2cd66b818c50d15ffeaf1a726181ede clamtk_6.13-1_all.deb

Which match the 6.13 ones at: https://gitlab.com/dave_m/clamtk/-/wikis/ClamTk-Hashes/diff?version_id=7dd8fca3cfda326593484e1c0d726b6032967711

#8 thefrenchchef (thefrenchchef) said:

For example:
$ dpkg-sig --verify clamtk_6.13-1_all.deb clamtk_6.13-1_amd64.changes
Processing clamtk_6.13-1_all.deb...
NOSIG

$ dpkg-sig --verify clamtk_6.14-1_all.deb clamtk_6.14-1_amd64.changes
Processing clamtk_6.14-1_all.deb...
GOODSIG _gpgbuilder 5DD47B3B121EE5C354A20305F51D19546ADA59DE 1637412566
GOODSIG _gpgbuilder0 5DD47B3B121EE5C354A20305F51D19546ADA59DE 1637412567
--- Processing changes file clamtk_6.14-1_amd64.changes:
Processing ./clamtk_6.14-1_all.deb...
GOODSIG _gpgbuilder 5DD47B3B121EE5C354A20305F51D19546ADA59DE 1637412566
GOODSIG _gpgbuilder0 5DD47B3B121EE5C354A20305F51D19546ADA59DE 1637412567

#9 thefrenchchef (thefrenchchef) said:

This might also help:

$ ar -t clamtk_6.13-1_all.deb
debian-binary
control.tar.xz
data.tar.xz

$ ar -t clamtk_6.14-1_all.deb
debian-binary
control.tar.xz
data.tar.xz
_gpgbuilder
_gpgbuilder0

#10 Dave M (dave-nerd) said:

Oops, I copied the wrong output.

Processing clamtk_6.13-1_all.deb...
GOODSIG _gpgbuilder 5DD47B3B121EE5C354A20305F51D19546ADA59DE 1625663001
GOODSIG _gpgbuilder0 5DD47B3B121EE5C354A20305F51D19546ADA59DE 1625663001
--- Processing changes file clamtk_6.13-1_amd64.changes:
Processing ./clamtk_6.13-1_all.deb...
GOODSIG _gpgbuilder 5DD47B3B121EE5C354A20305F51D19546ADA59DE 1625663001
GOODSIG _gpgbuilder0 5DD47B3B121EE5C354A20305F51D19546ADA59DE 1625663001

And then:

dave@ubuntu:~/clamtk-6.13$ ar -t clamtk_6.13-1_all.deb
debian-binary
control.tar.xz
data.tar.xz
_gpgbuilder
_gpgbuilder0

I'm not sure yet, but I'm leaning toward not panicking since the sha256sum matches.

#11 thefrenchchef (thefrenchchef) said:

Are you able to post your sha256sum/md5sum from your copy? Thanks.

#12 thefrenchchef (thefrenchchef) said:

In addition, are you computing the hash/sig from a local copy or a fresh download link as I posted above?

#13 Dave M (dave-nerd) said:

I downloaded a fresh copy, and I get the same hash for that and the one I already had:

a0cf7a6306015300c805ba8f793f2b8ba2cd66b818c50d15ffeaf1a726181ede

4d6c2a39a9d6f7d3a863406f3ee6897f

Is that what you get?

#14 thefrenchchef (thefrenchchef) said:

Hi Dave, yep that's what I get as I posted above.

It's quite odd then that ar -t doesn't list the _gpgbuilder and _gpgbuilder0 fields for my .deb. (It does for 6.12 and 6.14). Perhaps it's some subtlety in the versions of the signing/verification tooling that only applies to 6.13?

Do we think about bit diff'ing our .debs at this point? Is there an easy way to share?

#15 thefrenchchef (thefrenchchef) said (last edit):

#16 thefrenchchef (thefrenchchef) said:

Hi Dave, do you have any updates/further thoughts re my above reply? Thanks!

#17 Dave M (dave-nerd) said:

Still thinking about it. :)

I might not have time to work on it until the weekend, though. Feel free to post ideas in the meanwhile.

#18 Dave M (dave-nerd) said:

Hi,

Ok, I'm open to any ideas. Let me know how you want to proceed.

#19 thefrenchchef (thefrenchchef) said:

Hi Dave, just to recap, we have the same sha256 and md5sum for 6.13, however, the _gpg* fields are missing from my .deb. Hence the no sig. I can verify your sig on 6.12 and 6.14.

I'm confused how we can have the same sha256 yet apparently different .debs.

#20 thefrenchchef (thefrenchchef) said:

The situation is the same on two 6.13s downloaded three weeks apart.

Did your redownloaded 6.13 have a sig?

Do you think a bit diff would be constructive at this point?

#21 thefrenchchef (thefrenchchef) said:

A bit diff should settle if the .deb is actually the same or not.

If not, then the binary and zips inside can be bit diffed also.

#22 Dave M (dave-nerd) said:

Ok, I started over. Downloaded the file again and checked my local copy (from my Ubuntu VM) for comparison.

Downloaded: a0cf7a6306015300c805ba8f793f2b8ba2cd66b818c50d15ffeaf1a726181ede
Sig : Missing

Local copy: a297d3a4fa734255b8b7ee40cf2f3eef61ddf6988b42f06ba2df34e5f6c359c7
Sig : Yes

I wonder if I uploaded to Github a deb that I hadn't signed. Then I went back, signed it, but forgot to upload.

Going to do a closer look.

#23 Dave M (dave-nerd) said:

Also, in case I run out of time, I've uploaded the signed deb to Github.

https://github.com/dave-theunsub/clamtk/releases/tag/v6.13

#24 Dave M (dave-nerd) said:

I extracted both debs. The sha256sums for the data.tar.xz, debian-binary, and control.tar.xz match. It appears my guess was right - the only difference is the digital signature.

[me@host downloaded]$ sha256sum *.xz debian-binary
e665cf533b7f54fbb773cfc11c063ee5a76f7b716322357d881fa488fd6fbef4 control.tar.xz
f9ab2c6c9275b13fe758e55bb86d9c628113597bf72b0d9e672bb4c10f2df7f9 data.tar.xz
d526eb4e878a23ef26ae190031b4efd2d58ed66789ac049ea3dbaf74c9df7402 debian-binary

[me@host local]$ sha256sum *.xz debian-binary _gpgbuilder*
e665cf533b7f54fbb773cfc11c063ee5a76f7b716322357d881fa488fd6fbef4 control.tar.xz
f9ab2c6c9275b13fe758e55bb86d9c628113597bf72b0d9e672bb4c10f2df7f9 data.tar.xz
d526eb4e878a23ef26ae190031b4efd2d58ed66789ac049ea3dbaf74c9df7402 debian-binary
d2497872519365bf241dd2525d58cf2293be10e585e8c39ea45ba3b7c7f07ab7 _gpgbuilder
2e8f9c2af3ff3c04a27ca922abf9f5a255377899cd2a997a130910ceebaa4fa0 _gpgbuilder0

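The member-by-member comparison in #24, as an added Python example that is not part of this thread or of the clamtk project: a .deb is a plain `ar` archive, so the script below parses one, flags the `_gpgbuilder` members that dpkg-sig appends, and hashes only the core members (debian-binary, control.tar.xz, data.tar.xz) so that a signed and an unsigned build of the same package compare equal even though their archive-level sha256 differs. The two sample archives are constructed in the block; the signature member content is a placeholder, not a real OpenPGP signature.

```python
import hashlib

# Added example, not from the thread. Minimal "ar" reader for .deb files.
AR_MAGIC = b"!<arch>\n"
CORE = ("debian-binary", "control.tar.xz", "data.tar.xz")

def ar_members(blob: bytes):
    """Return [(name, data)] for an ar archive without long-name tables."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]              # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        name = hdr[0:16].decode().rstrip().rstrip("/")
        size = int(hdr[48:58])
        members.append((name, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size & 1)         # members are 2-byte aligned
    return members

def deb_report(blob: bytes) -> dict:
    """Members, dpkg-sig presence, per-core-member and whole-file sha256."""
    members = ar_members(blob)
    names = [n for n, _ in members]
    return {
        "members": names,
        "signed": any(n.startswith("_gpg") for n in names),   # _gpgbuilder*
        "payload_sha256": {n: hashlib.sha256(d).hexdigest()
                           for n, d in members if n in CORE},
        "archive_sha256": hashlib.sha256(blob).hexdigest(),
    }

def same_payload(a: bytes, b: bytes) -> bool:
    """True when both .debs carry identical core members, signature ignored."""
    return deb_report(a)["payload_sha256"] == deb_report(b)["payload_sha256"]

def build_ar(members) -> bytes:
    """Constructed fixture builder: write an ar archive from [(name, data)]."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
            name.encode(), 0, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)

# Constructed sample payload (placeholder bytes, not real tarballs).
PAYLOAD = [("debian-binary", b"2.0\n"),
           ("control.tar.xz", b"\xfd7zXZ\x00ctl"),
           ("data.tar.xz", b"\xfd7zXZ\x00dat")]
UNSIGNED_DEB = build_ar(PAYLOAD)
SIGNED_DEB = build_ar(PAYLOAD + [("_gpgbuilder", b"placeholder-signature")])
```

Running `deb_report` on a real package needs only `open(path, "rb").read()`; a report with `signed` false is what dpkg-sig reports as NOSIG.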
#25 thefrenchchef (thefrenchchef) said:

Thanks for the follow up. I have the same sha256sum values for the contents of the unsigned release.

I think this all makes sense now. Especially since your post #22 confirms post #13 is incorrect.

#26 thefrenchchef (thefrenchchef) said:

Re https://gitlab.com/dave_m/clamtk/-/wikis/ClamTk-Hashes?version_id=7dd8fca3cfda326593484e1c0d726b6032967711.

I think what likely happened is you uploaded the unsigned and the corresponding sha256sum and md5sum.

Then you updated only part of the page with the signature notes.

#27 Dave M (dave-nerd) said:

Great. Is there anything else we need to do with this one?

And thanks for notifying me about this.

#28 thefrenchchef (thefrenchchef) said:

I think we're good to close it.

Thanks for your support and analysis!