initial support for sequoia-sq

This commit is contained in:
Fabrizio Tarizzo 2024-12-21 15:41:14 +01:00
parent cff57cd73a
commit a028c9e36c
26 changed files with 533 additions and 22 deletions

1
.gitignore vendored
View file

@ -3,3 +3,4 @@
/pgpcontrol-*.tar.xz* /pgpcontrol-*.tar.xz*
/pgpverify.8 /pgpverify.8
/staging/ /staging/
/tests/tmp/

63
README.sequoia.md Normal file
View file

@ -0,0 +1,63 @@
**Experimental** support for [Sequoia PGP](https://sequoia-pgp.org/) in authentication of Usenet control messages.
Usage in production is not recommended, especially for verification.
Code reviews, comments and feedback from hierarchy admins and news server admins
are welcome.
Developed with `sequoia-sq` 1.0.0 installed with `cargo` on Debian "trixie".
If you are new to Sequoia PGP command line, please see [user guide](https://sequoia-pgp.gitlab.io/user-documentation/about_sequoia.html)
and [manpages](https://sequoia-pgp.gitlab.io/sequoia-sq/man/sq.1.html).
# Using sequoia for signing
Import (`sq key import`) your secret signing key in the sequoia keystore.
Old PGP 2.x keys are not supported, if you still use such a key please upgrade to
a modern key.
Then, edit `signcontrol` as follows
```
my $pgpsigner = 'INSERT_YOUR_FINGERPRINT_OR_USERID';
# Path to sequoia-sq executable.
# A version that supports CLI 1.0.0 is required
# The program name needs to end in sq
my $pgp = "/usr/local/bin/sq";
# set other configuration variables as usual
```
# Using sequoia for verification
Import (`sq cert import`), verify and trust (`sq pki link add`) hierarchy admins
public signing keys in the sequoia certificate store (see [PGPKEYS](https://ftp.isc.org/pub/pgpcontrol/PGPKEYS)
in the ISC ftp site).
Please note that many hierarchy admins still use old PGP 2.x keys. These keys
have been deprecated since 2007 (RFC 4880) and are not supported by Sequoia or
other modern OpenPGP implementations. We urge hierarchy administrators to update
their signing keys.
Then, edit `pgpverify` as follows
```
# Path to sequoia binary.
# A version that supports CLI 1.0.0 is required
$sq = '/usr/local/bin/sq';
# Set this if you want to support old signatures with
# MD5 or SHA-1 digest algorithms and/or RSA < 2048 bits
# See the `sq config inspect policy' command and the
# `--policy-as-of' flag in the sq manpage
# Please note that sequoia DOES NOT support old PGP 2.x
# keys.
# $sq_policy_as_of = '19970101';
# comment $gpg, $gpgv and $pgp lines
# Set the absolute path to your sequoia home directory
# (see the --home flag in sq manpage)
$keyring = '/path/to/your/sq/home';
# set other configuration variables as usual
```

View file

@ -6,6 +6,9 @@
# Currently maintained by Russ Allbery <eagle@eyrie.org> # Currently maintained by Russ Allbery <eagle@eyrie.org>
# Version 1.30, 2018-01-21 # Version 1.30, 2018-01-21
# #
# sequoia-sq support written in December 2024 by
# Fabrizio Tarizzo <fabrizio@fabriziotarizzo.org>
#
# NOTICE TO INN MAINTAINERS: The version that is shipped with INN is the # NOTICE TO INN MAINTAINERS: The version that is shipped with INN is the
# same as the version that I make available to the rest of the world # same as the version that I make available to the rest of the world
# (including non-INN sites), so please make all changes through me. # (including non-INN sites), so please make all changes through me.
@ -138,6 +141,16 @@
# -- Checks to ensure that the temporary file is really a file, and # -- Checks to ensure that the temporary file is really a file, and
# not a link or some other weirdness. # not a link or some other weirdness.
# Path to sequoia binary. Requires a version that supports CLI 1.0.0
# $sq = '/usr/local/bin/sq';
# Set this if you want to support old signatures with MD5 and SHA-1
# digest algorithms and/or RSA < 2048 bits.
# See the `sq config inspect policy' command and the `--policy-as-of'
# flag in the sq manpage
# Please note that sequoia DOES NOT support PGP 2.x keys.
# $sq_policy_as_of = '19970101';
# Path to the GnuPG gpg binary, if you have GnuPG and don't want to use # Path to the GnuPG gpg binary, if you have GnuPG and don't want to use
# gpgv. This will be used in preference to gpgv and PGP. If you have INN # gpgv. This will be used in preference to gpgv and PGP. If you have INN
# and the script is able to successfully include your INN::Config module, # and the script is able to successfully include your INN::Config module,
@ -156,7 +169,7 @@
# Path to pgp binary; for PGP 5.0, set the path to the pgpv binary. If # Path to pgp binary; for PGP 5.0, set the path to the pgpv binary. If
# you have INN and the script is able to successfully include your # you have INN and the script is able to successfully include your
# INN::Config module, the value of $INN::Config::pgp will override this. # INN::Config module, the value of $INN::Config::pgp will override this.
$pgp = '/usr/local/bin/pgp'; # $pgp = '/usr/local/bin/pgp';
# If you keep your keyring somewhere that is not the default used by pgp, # If you keep your keyring somewhere that is not the default used by pgp,
# uncomment the next line and set appropriately. If you have INN and the # uncomment the next line and set appropriately. If you have INN and the
@ -164,6 +177,9 @@ $pgp = '/usr/local/bin/pgp';
# will be set to $INN::Config::newsetc/pgp if that directory exists unless # will be set to $INN::Config::newsetc/pgp if that directory exists unless
# you set it explicitly. GnuPG will use a file named pubring.gpg in this # you set it explicitly. GnuPG will use a file named pubring.gpg in this
# directory. # directory.
# With sequoia, you can use a single keyring file or the absolute path
# to the sequoia home directory. See `--home' and `--signer-file' flags
# in sequoia man pages.
# $keyring = '/path/to/your/pgp/config'; # $keyring = '/path/to/your/pgp/config';
# If you have INN and the script is able to successfully include your # If you have INN and the script is able to successfully include your
@ -220,7 +236,7 @@ $log_date = -t STDOUT; # Do it if STDOUT is to a terminal.
require 5; require 5;
use strict; use strict;
use vars qw($gpg $gpgv $pgp $keyring $tmp $tmpdir $lockdir $syslog_method use vars qw($sq $sq_policy_as_of $gpg $gpgv $pgp $keyring $tmp $tmpdir $lockdir $syslog_method
$syslog_facility $syslog_level $log_date $findid $test $messageid); $syslog_facility $syslog_level $log_date $findid $test $messageid);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL); use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
@ -239,6 +255,7 @@ GetOptions(
) or die "Usage: $0 [--findid='string'] [--test] < message\n"; ) or die "Usage: $0 [--findid='string'] [--test] < message\n";
# Grab various defaults from INN::Config if running inside INN. # Grab various defaults from INN::Config if running inside INN.
$sq = $INN::Config::sq if $INN::Config::sq;
$pgp = $INN::Config::pgp $pgp = $INN::Config::pgp
if $INN::Config::pgp && $INN::Config::pgp ne "no-pgp-found-during-configure"; if $INN::Config::pgp && $INN::Config::pgp ne "no-pgp-found-during-configure";
$gpgv = $INN::Config::gpgv if $INN::Config::gpgv; $gpgv = $INN::Config::gpgv if $INN::Config::gpgv;
@ -254,7 +271,11 @@ if (! $keyring && $INN::Config::newsetc) {
$0 =~ s%^.*/%%; $0 =~ s%^.*/%%;
# Make sure that the signature verification program can be executed. # Make sure that the signature verification program can be executed.
if ($gpg) { if ($sq) {
if (! -x $sq) {
&fail("$0: $sq: " . (-e _ ? "cannot execute" : "no such file") . "\n");
}
} elsif ($gpg) {
if (! -x $gpg) { if (! -x $gpg) {
&fail("$0: $gpg: " . (-e _ ? "cannot execute" : "no such file") . "\n"); &fail("$0: $gpg: " . (-e _ ? "cannot execute" : "no such file") . "\n");
} }
@ -281,7 +302,7 @@ if ($test) {
# should, and the consequences of a multiprocess conflict is failure to # should, and the consequences of a multiprocess conflict is failure to
# verify. # verify.
my $lock; my $lock;
unless ($gpg or $gpgv) { unless ($sq or $gpg or $gpgv) {
$lock = "$lockdir/LOCK.$0"; $lock = "$lockdir/LOCK.$0";
until (&shlock($lock) > 0) { until (&shlock($lock) > 0) {
sleep(2); sleep(2);
@ -290,7 +311,7 @@ unless ($gpg or $gpgv) {
# Verify the message. # Verify the message.
my ($ok, $signer) = pgp_verify($signature, $version, $message); my ($ok, $signer) = pgp_verify($signature, $version, $message);
unless ($gpg or $gpgv) { unless ($sq or $gpg or $gpgv) {
unlink ($lock) or &errmsg("$0: unlink $lock: $!\n"); unlink ($lock) or &errmsg("$0: unlink $lock: $!\n");
} }
print "$signer\n" if $signer; print "$signer\n" if $signer;
@ -411,7 +432,7 @@ sub pgp_verify {
local $SIG{PIPE} = 'IGNORE'; local $SIG{PIPE} = 'IGNORE';
# Set the PGP style based on whether $gpg or $gpgv is set. # Set the PGP style based on whether $gpg or $gpgv is set.
my $pgpstyle = ($gpg || $gpgv ? 'GPG' : 'PGP2'); my $pgpstyle = ($sq || $gpg || $gpgv ? 'GPG' : 'PGP2');
# Because this is a detached signature, we actually need to save both # Because this is a detached signature, we actually need to save both
# the signature and the data to files and then run PGP on the signature # the signature and the data to files and then run PGP on the signature
@ -460,7 +481,9 @@ sub pgp_verify {
# Figure out what command line we'll be using. # Figure out what command line we'll be using.
my @command; my @command;
if ($pgpstyle eq 'GPG') { if ($sq) {
@command = ($sq, qw/verify --quiet/);
} elsif ($pgpstyle eq 'GPG') {
if ($gpg) { if ($gpg) {
@command = ($gpg, qw/--verify --allow-weak-digest-algos/); @command = ($gpg, qw/--verify --allow-weak-digest-algos/);
push (@command, qw/--quiet --status-fd=1 --logger-fd=1/); push (@command, qw/--quiet --status-fd=1 --logger-fd=1/);
@ -482,6 +505,22 @@ sub pgp_verify {
# definitely not the logic that I would use if writing this from # definitely not the logic that I would use if writing this from
# scratch, but it has the most backward compatibility. # scratch, but it has the most backward compatibility.
local $ENV{PGPPATH} = $keyring if ($keyring && $pgpstyle ne 'GPG'); local $ENV{PGPPATH} = $keyring if ($keyring && $pgpstyle ne 'GPG');
if ($sq) {
if ($keyring) {
if (-f $keyring) {
push (@command, "--signer-file=$keyring");
} elsif (-d $keyring) {
push (@command, "--home=$keyring");
}
}
if ($sq_policy_as_of) {
push (@command, "--policy-as-of=$sq_policy_as_of");
}
push (@command, "--signature-file=$filename.asc");
push (@command, $filename);
} else {
if ($pgpstyle eq 'GPG') { if ($pgpstyle eq 'GPG') {
if ($keyring) { if ($keyring) {
push (@command, "--keyring=$keyring/pubring.gpg"); push (@command, "--keyring=$keyring/pubring.gpg");
@ -495,6 +534,7 @@ sub pgp_verify {
} }
push (@command, "$filename.asc"); push (@command, "$filename.asc");
push (@command, $filename); push (@command, $filename);
}
my $input = new FileHandle; my $input = new FileHandle;
my $output = new FileHandle; my $output = new FileHandle;
my $pid = eval { open3 ($input, $output, $output, @command) }; my $pid = eval { open3 ($input, $output, $output, @command) };
@ -519,6 +559,8 @@ sub pgp_verify {
# Good signature made 1999-02-10 03:29 GMT by key: # Good signature made 1999-02-10 03:29 GMT by key:
# 1024 bits, Key ID 0AFC7476, Created 1999-02-10 # 1024 bits, Key ID 0AFC7476, Created 1999-02-10
# "Russ Allbery <rra@stanford.edu>" # "Russ Allbery <rra@stanford.edu>"
# sequoia 1.0.0:
# Authenticated signature made by KEY_FINGERPRINT (USER_ID (authenticated))
# #
# Also, PGP v2 prints out "Bad signature" while PGP v5 uses "BAD # Also, PGP v2 prints out "Bad signature" while PGP v5 uses "BAD
# signature", and PGP v6 reverts back to "Bad signature". # signature", and PGP v6 reverts back to "Bad signature".
@ -528,7 +570,19 @@ sub pgp_verify {
my $ok = 255; my $ok = 255;
while (<$output>) { while (<$output>) {
print if $test; print if $test;
if ($pgpstyle eq 'GPG') { if ($sq) {
if (/Authenticated signature made by (\S+) \((.+)\s+.+\)/) {
$ok = 0;
$signer = $2;
} elsif (/missing certificate/) {
$ok = 2;
last;
} elsif (/Error/) {
# TODO check various error and edge cases
$ok = 3;
last;
}
} elsif ($pgpstyle eq 'GPG') {
if (/\[GNUPG:\]\s+GOODSIG\s+\S+\s+(\S+)/) { if (/\[GNUPG:\]\s+GOODSIG\s+\S+\s+(\S+)/) {
$ok = 0; $ok = 0;
$signer = $1; $signer = $1;

View file

@ -3,6 +3,9 @@
# Currently maintained by Russ Allbery <eagle@eyrie.org> # Currently maintained by Russ Allbery <eagle@eyrie.org>
# Version 1.9, 2016-10-17 # Version 1.9, 2016-10-17
# #
# sequoia-sq support written in December 2024 by
# Fabrizio Tarizzo <fabrizio@fabriziotarizzo.org>
#
# Changes from 1.8 -> 1.9 # Changes from 1.8 -> 1.9
# -- Add use strict and explicitly import LOCK_EX. # -- Add use strict and explicitly import LOCK_EX.
# -- Fix error reporting around lock files with PGP. # -- Fix error reporting around lock files with PGP.
@ -51,6 +54,8 @@ use strict;
# #
# $pgp can be set to the path to GnuPG to use GnuPG instead. The program # $pgp can be set to the path to GnuPG to use GnuPG instead. The program
# name needs to end in gpg so that signcontrol knows GnuPG is being used. # name needs to end in gpg so that signcontrol knows GnuPG is being used.
# $pgp can be set to the path to sq to use sequoia. The program name needs
# to end in sq so that signcontrol knows sequoia is being used.
# #
# STORING YOUR PASSPHRASE IN A FILE IS A POTENTIAL SECURITY HOLE. # STORING YOUR PASSPHRASE IN A FILE IS A POTENTIAL SECURITY HOLE.
# Make sure you know what you're doing if you do it. # Make sure you know what you're doing if you do it.
@ -58,6 +63,7 @@ use strict;
# If you DO use $pgppassfile, it is possible that someone could steal # If you DO use $pgppassfile, it is possible that someone could steal
# your passphrase either by gaining access to the file or by seeing # your passphrase either by gaining access to the file or by seeing
# the environment of a running pgpverify program. # the environment of a running pgpverify program.
# $pgppassfile IS NOT currently supported by sequoia
# #
# $pgplock is used because pgp does not guard itself against concurrent # $pgplock is used because pgp does not guard itself against concurrent
# read/write access to its randseed.bin file. A writable file is needed; # read/write access to its randseed.bin file. A writable file is needed;
@ -68,7 +74,7 @@ use strict;
# this. # this.
my $pgpsigner = 'INSERT_YOUR_PGP_USERID'; my $pgpsigner = 'INSERT_YOUR_PGP_USERID';
my $pgppassfile = ''; # file with pass phrase for $pgpsigner my $pgppassfile = ''; # file with pass phrase for $pgpsigner
my $pgp = "/usr/local/bin/pgp"; my $pgp = "/usr/local/bin/sq";
my $pgpheader = "X-PGP-Sig"; my $pgpheader = "X-PGP-Sig";
my $pgplock = (getpwuid($<))[7] . '/.pgp/config.txt'; my $pgplock = (getpwuid($<))[7] . '/.pgp/config.txt';
@ -182,7 +188,7 @@ die "Usage: $0 < message\n" if @ARGV > 0;
my $LOCK; my $LOCK;
umask(0022); # flock needs a writable file, if we create it umask(0022); # flock needs a writable file, if we create it
if ($pgp !~ /gpg$/) { if ($pgp !~ /gpg$/ && $pgp !~ /sq$/) {
open ($LOCK, '>>', $pgplock) || die "$0: open $pgplock: $!, exiting\n"; open ($LOCK, '>>', $pgplock) || die "$0: open $pgplock: $!, exiting\n";
flock ($LOCK, LOCK_EX); # block until locked flock ($LOCK, LOCK_EX); # block until locked
} }
@ -212,7 +218,7 @@ if ($die) {
signit(); signit();
if ($pgp !~ /gpg$/) { if ($pgp !~ /gpg$/ && $pgp !~ /sq$/) {
close ($LOCK) || warn "$0: close $pgplock: $!\n"; close ($LOCK) || warn "$0: close $pgplock: $!\n";
} }
exit 0; exit 0;
@ -413,13 +419,33 @@ sub pgp_sign {
my $pgpstyle = 'PGP2'; my $pgpstyle = 'PGP2';
if ($pgp =~ /pgps$/) { $pgpstyle = 'PGP5' } if ($pgp =~ /pgps$/) { $pgpstyle = 'PGP5' }
elsif ($pgp =~ /gpg$/) { $pgpstyle = 'GPG' } elsif ($pgp =~ /gpg$/) { $pgpstyle = 'GPG' }
elsif ($pgp =~ /sq$/) { $pgpstyle = 'SEQUOIA' }
# Figure out what command line we'll be using. PGP v6 and PGP v2 use # Figure out what command line we'll be using. PGP v6 and PGP v2 use
# compatible syntaxes for what we're trying to do. PGP v5 would have, # compatible syntaxes for what we're trying to do. PGP v5 would have,
# except that the -s option isn't valid when you call pgps. *sigh* # except that the -s option isn't valid when you call pgps. *sigh*
my @command; my @command;
my $versioncommand;
if ($pgpstyle eq 'PGP5') { if ($pgpstyle eq 'PGP5') {
@command = ($pgp, qw/-baft -u/, $keyid); @command = ($pgp, qw/-baft -u/, $keyid);
} elsif ($pgpstyle eq 'SEQUOIA') {
@command = ($pgp, "sign");
# Check if $keyid looks like a long Key ID (16 hex digits)
# or a key fingerprint (40 hex digits for RFC 4880 keys and
# 64 hex digits for RFC 9580 keys)
# Short (8 hex digits) Key IDs are deprecated and not supported
my $len = length($keyid);
if ($keyid =~ /^[0-9A-F]+$/ and grep /^$len$/, qw(16 40 64)) {
push (@command, "--signer=$keyid");
} else {
# otherwise treat it as a User ID
push (@command, "--signer-userid=$keyid");
}
push (@command, "--signature-file=-");
$versioncommand = "$pgp version";
} elsif ($pgpstyle eq 'GPG') { } elsif ($pgpstyle eq 'GPG') {
@command = ($pgp, qw/--detach-sign --armor --textmode -u/, $keyid, @command = ($pgp, qw/--detach-sign --armor --textmode -u/, $keyid,
qw/--force-v3-sigs --pgp2/); qw/--force-v3-sigs --pgp2/);
@ -449,6 +475,8 @@ sub pgp_sign {
close $writefh; close $writefh;
if ($pgpstyle eq 'GPG') { if ($pgpstyle eq 'GPG') {
push (@command, '--batch', '--passphrase-fd', $passfh->fileno); push (@command, '--batch', '--passphrase-fd', $passfh->fileno);
} elsif ($pgpstyle eq 'SEQUOIA') {
# Currently unsupported
} else { } else {
push (@command, '+batchmode'); push (@command, '+batchmode');
$ENV{PGPPASSFD} = $passfh->fileno; $ENV{PGPPASSFD} = $passfh->fileno;
@ -501,6 +529,16 @@ sub pgp_sign {
while ($signature[0] ne "\n" && @signature) { while ($signature[0] ne "\n" && @signature) {
$version = $1 if ((shift @signature) =~ /^Version:\s+(.*?)\s*$/); $version = $1 if ((shift @signature) =~ /^Version:\s+(.*?)\s*$/);
} }
# sequoia does not add the Version header in armored output,
# as per RFC 9580 section 6.2.2.1
if ($pgpstyle eq 'SEQUOIA') {
my @version = qx/$versioncommand 2>&1/;
$version = shift @version;
chomp $version;
$version =~ s/\s+/_/;
}
shift @signature; shift @signature;
pop @signature; pop @signature;
$signature = join '', @signature; $signature = join '', @signature;

View file

@ -1,2 +1,4 @@
trustdb.gpg trustdb.gpg
random_seed random_seed
tofu.db
*.gpg~

4
tests/keyring/.gitignore vendored Normal file
View file

@ -0,0 +1,4 @@
trustdb.gpg
random_seed
tofu.db
*.gpg~

Binary file not shown.

View file

@ -0,0 +1,66 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGBOQfEBEAC+5dKbl6Vh+JeBx34xyRlmqJzIPIYJdcXbna6Pk6stnfa5J8UH
4ChMYdgCtM9/h33DH7dWX8/zKcABfRAC1784+ZlPFc+W8anEJoMZHeBdNfoY1qxP
D1ojC7jqaRiKt+Oc4vSl4fSRjPHAaZEIvhybduXWCTV5exbOnsDOnLLJ7d2sd08R
sIeQpNyCSKNcwDyHLH/UHdpHvYwuIlkjTSt0N9ghXArVWAgcFFaaihTpzGlp1+II
wn4n/zETzvVlFeXrzV+s/IqZ0oB2GzZaFOYlNa11vnIaCcrfEsHBig/PUDdwoIqB
YTVlE2KUIggf97bFUpLmat5kZpgbd7/n/tGWLD7HLcMwU/mjfsSG0w8BLjYZqIpV
JwbwEpioIbKKsH4qZBAMBq1c7p52wXJ2fZf+v7GRDMlIl5Lmt7A8HZgbVuMYxM/d
uAa6eGCMD2RKmHhInanTyYUgXYw8VRcW7NKOtSckHlBlIgsCa3R53lR+xQ/Ld8av
fA1zQD+82YehxSlmSqNteHDqxkN9pqqIGVaY0ajrHrjnVkGVxo7j9eT8u2ju0icy
Nf0te0OM8g/DfcpSqlDZPRgr5GZ0iN/yS1QACFudwLrmhpSrtZ8CWiK8UUmIpSBn
23w59WC4ZjkdRX2fR17shIjPl4UL02D1qe9OsbVn6aE0fUmVbfSi/6a9cwARAQAB
tBduZXdzLmFubm91bmNlLm5ld2dyb3Vwc4kCTgQTAQoAOBYhBI4YG+8L5jiWLBpc
mPr+e1UMGMi3BQJgTkHxAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEPr+
e1UMGMi38YUP/RPrPfxiCAbzVzoPiMWA/aUzZVrAMCEH38r6N/QWyXgXye+6iUr5
DEELI0vQuZiayFKyooQIdXZfubqCZSuNx/OG2w4nK23K6hiLBFebmDoIX/oB/g1T
xp1nxwDW9jM3X2sxD6b8cf0zTzLvO3L8WThR2Hf94zIFiQtbrF3E+6eJNFb25JG0
NPzXhytqLrOCpmBQh2JbO5KYi/NVX34NmZPdd7YNlrhrUVG5pvv7AqrWY9v2J9ry
onugYYwEVnmwephjOaxFfb52R+qa7dDWpWzbV8fDMUu6N/e0nVRK8WgK+okE6st8
r9CdxDDX29iztP+kXh7xS/sVPgTzUyju8Zs9/cKBjdxtMvvXB3HAps6pNVb0sGJJ
h8grIAx1wJnejaR18tU6te8qFjgo5We4WNT6jBV2CMN2vxuTFrp+KNLSONlfHw2D
3CcX1azNAaYu5MHDylXZ8+KEiwZyKlHPVIfXOg9t3e1e+X7oOAcqX3O+DRDO9sGY
g4WYShOEJVVlKVC7bVgmAesDUN0WmmBWqQVjg6X0QVcyUwl8S/dgpDM7vQnaomPT
yARxUmJUQ7DvRmJpzZ+oXZ2pR7l+G/kR5WNVSLa9hjRfsRxhz+k4nHTWBzZrdXB8
7IMJ+b7Mi+JIB4KxQwTXZ8SBm8vUPYLWhv8az3MW3CRdIG8fRewmfZ/biJwEEAEI
AAYFAmBOSsQACgkQwl0607iNqcFN9wP/SMRzCWNe2o1MtNrqhBrC/c0XOhvn40Vm
ZnVMbHyzRuxxvbLpyGGn0qovOa47tSDwo8/KK/pCPyaN2YYYAHt+41+u0CK8fnu8
5R0VToARvlHefTTEo7yPv37+2t3ZOSCurR7eIHaLxBXFkSrUxsaMnqK095c11MlW
CIrXS50tJQ6JAjMEEAEKAB0WIQTnhDZOjd57s3D72erRXTE4ggBBcwUCYE5KmAAK
CRDRXTE4ggBBc330D/9PyuPL2JfEWuGCtmuyhrEpXVsU/Rr6ZZCcuIa6UnfmAoi+
9HOt0ae5dcTNNBybYq1c8nmMmzO+SP0zMprYTvP8O0VxnAZfoOi1TXScyO4GY18/
RknS1/5jxG5D+OJ5gIZ000d87Lil/ucJic2MbYZ+a6Zh/R+uC5fK0taPx0XdlgY5
7BEfdKMPa53I4QS32fVoznkoFAAeH0x2n22x1Kai7Lf4DOFoMg8d/pG8juoXex5H
Vs+LI52dsUAuNfNHLzMedccxlxSG2PVHDuL79ctxCSazC+VzMAUhBrhhal8H9YBP
pnse4LGA5eHB3j6ZpS+lGHwFt6fAyYXFcTnEXIjuBhveoVBHWC5g/YN3Amm9pwUE
yGxV13StEjoocsxnlrdpi6vAebRqJZGZTl0S1dlT/zBTo6oX0sLqSyzUzbi/YaoX
Xy2FV6onbVlTCrZW8wdirH5erveB5/cUatOxFfQFJx9Q3DnibZ06fOWfR5VImo8B
8kGgmsoRzZLswAyHysgTh65yTsGReLodwEH2I+SmH23TSgVinGQTD4kowJ1DWqtG
Oy09ycQgqp0aqe70DCmuAPBhP8+cTY5csYNhfvClD9q5lSClGq4tf2pTcFxXj6lr
vYQp+W5WDMo9m8XqhDEuW7lJsc7SZPAGzdomO+fSk66tWgh0uITGsu91fnNmNrkC
DQRgTkHxARAAuhdAV5qq2COAwxHLnVfwppToGvkIgYneHSrkUdXlKYj2hYAoS6YM
EIs3fr6LAAo94oiLFkxP530UuD5N02DOtzsK1XmoNCiEn2sSIk1+tSdh60EnUhGZ
GV65b4Gv4Zk2ReVoMyn6BtZR50vWeUy0wBvLWVg2hbpHLsHi02cD7/kZUov+pFk0
g5R++yR5Iabshcb+dboB0NCNZ/STg06K7lL5gragW37/bKif/1mBv3oqCzX31VLj
C4esx54AneIwVAflpE2p5o2zPlixxA9yDkJm2sFISbK5z8u8bFpZJWYaN0cX4E+2
S+eyhjQ+3/p1645jTD1E9ZDPtGHXwF4jeeZmCfN497g/qFezd1aAoKrR17Id4Hzd
2Mtlml4S8utYq54Sh0z74Sq+YGKWZ0eA4jsuULW0p7mK4Y5oqPeEebbWL/5rPDME
4JfWJzz8xhew9fw69sSTLsg9lc8srB6T3W5mGqDzxXlWhxIqinE/IH8o3WkMCQP1
KfHg1pEubfSn0KCwpwuj2pRmxBJcQCJG+ptuaxYHzPrDmUj7gNTnuvUm8fgmLw/o
yo7RzmF368HKszCvRsqccxvaZti1W5g2YikVUoIYLKOqsU6qz1m8U1Nn3OoRfmFU
ZqjTDJ/qoPhqy0zabQRjxHJDqEtzK9MU6WVHDHM/bZ8CPs8PczI9TgUAEQEAAYkC
NgQYAQoAIBYhBI4YG+8L5jiWLBpcmPr+e1UMGMi3BQJgTkHxAhsMAAoJEPr+e1UM
GMi3V2QQAKmqhyRWDuVdurOBX6CFy588RxJX0oH5v0Vcdb9TBWxtU9dScG86DB1u
7yqObli0yyIKko4HlaDCjcrJJRXAJsA/IddSyPT3zwPAQcn1guBiB+zsE/BM0u4A
1f2rgHEKR2RkXlHpFh/xtDTbgCY2h+DTvapD6975OzHQi9Jl/mLJeJyOOxHx52c1
SjCvsVPx0D9cagCN4hRmU7ka3LxFa4OrEhVY5qxWYfVTaQyTsZhAiXVGV93Jw/mm
HQRfUtdINGpYc6O+6ZwHbGENZ9YhHs2mciosbULnI/416220DnJA3FkcPDCcQc2d
IdwF5afWLnl0eDpj/f5vmDV0LZL05wltoSQ5KuBYKYG/LtHn5Uvqb3wwPJ1XHC1D
j6r0eDZZzhiWzR0u3nye24hAQaotoPlrSQ573Ytz+VB6Si2CD0iT8NvuwAD9fJGC
xn15AsOkdBbD8PY+BBZdt7UwPKT3ebOC2e8vbqOJGlDGEiZmYSkSm2Vl5Nhp+Le7
FzM9FfmqhjXV7ZrY/yk+a+ebQqaDCfd+sV+U3waEde6ysoMHQHfZlLS29sKSuapV
apT2NWMkcwFRpPE39lj8ESEVd039Tuvk87Er+fSzd3NAH01d7CaFoUgvvBR9MRAG
IFfp1dQnPMA8W5K/smDEmfGKnSoMZSH9pIR4360pReB5Jf1sCJJu
=oDzt
-----END PGP PUBLIC KEY BLOCK-----

Binary file not shown.

View file

@ -0,0 +1,13 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: Revocation certificate for
Comment: 4C5E C64E 1D6F AD6C E2CE 417B 1118 3ACF 87D8 7F73
Comment: testing.sq
xjMEZ2XGvBYJKwYBBAHaRw8BAQdABPRDA8MB8vnczQ9O1bF4D8bWXnBRkGUYVCtJ
IewW5UfCwAsEIBYKAH0FgmdlxrwJEBEYOs+H2H9zRxQAAAAAAB4AIHNhbHRAbm90
YXRpb25zLnNlcXVvaWEtcGdwLm9yZxtwDQ7X27b4KkX75l/HvAesAAG9BsVnloc6
aIsvZy1PDR0AVW5zcGVjaWZpZWQWIQRMXsZOHW+tbOLOQXsRGDrPh9h/cwAAIcwB
AN1vmQTw5KzVGfnNi/ZnuU6F9YkVDvDvbUOCNaJG59VbAQDF1Yy6i87tnSrfP41S
wOh2uhVNDSiZEiYeHQSYZHlcBg==
=Nx89
-----END PGP PUBLIC KEY BLOCK-----

View file

@ -0,0 +1 @@
testing

View file

@ -0,0 +1,29 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
xjMEZ2XGvBYJKwYBBAHaRw8BAQdABPRDA8MB8vnczQ9O1bF4D8bWXnBRkGUYVCtJ
IewW5UfCwAsEHxYKAH0FgmdlxrwDCwkHCRARGDrPh9h/c0cUAAAAAAAeACBzYWx0
QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmeF1xwMrlzXh3unYC/hze7aNLSmoIIz
9ShPD68V1i4azAMVCggCmwECHgEWIQRMXsZOHW+tbOLOQXsRGDrPh9h/cwAAOBwB
AOgHwyBu28L963UdswAaRRatBz0wdG6zpFT0G7od3RVvAQCWHVCU2AFMRkGFfD4U
dm46hLThiXntrTDXsdx12eOGB80KdGVzdGluZy5zccLADgQTFgoAgAWCZ2XGvAML
CQcJEBEYOs+H2H9zRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdw
Lm9yZ6zdefq40SPGB8RvYhZ0+7wA50WPuTc+1lA3qSdIfcubAxUKCAKZAQKbAQIe
ARYhBExexk4db61s4s5BexEYOs+H2H9zAACKeQD/SehQU+t1WOR+Gs3lQHT+UD2C
2ZGFfbLBELSE+cYsMgoBAK+T8Qdx6CEK07zUtfJXslqR1S3HvYZuQGiA/d5UsEwN
zjMEZ2XGvBYJKwYBBAHaRw8BAQdARYzhpGcUffzURCk8XfMdtqr/p/fGD0NHbNZo
ZEMRdYDCwL8EGBYKATEFgmdlxrwJEBEYOs+H2H9zRxQAAAAAAB4AIHNhbHRAbm90
YXRpb25zLnNlcXVvaWEtcGdwLm9yZ3wLL4vyWIYOLLbgJozwq3Rf57mla5BLBVAX
8Mw/0PLHApsCvqAEGRYKAG8FgmdlxrwJEAqBASI4QwmGRxQAAAAAAB4AIHNhbHRA
bm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZyFklqyDpRDbJ47ArbCUrEJOlR6jRu2Y
rPBnqKJMDByqFiEEOWYN7+uB2H6FXwUdCoEBIjhDCYYAAOxLAP96sDjqESfEZVAi
IzinBRxvpJN9bAtEx+0lUsVppN+xCgEAqpG38iIRXw718AVaTZzGGBjAH6eGbUyU
iFOWeSFxywoWIQRMXsZOHW+tbOLOQXsRGDrPh9h/cwAAnsEBAIrdznoudNPXvanj
/BMd7uXLt0zPxQqSW+VY9x39gIM4AQDqSQBtI5syYdvzLFuIneBu+mKUo2lJ7VNk
WhwMSLEnAM44BGdlxrwSCisGAQQBl1UBBQEBB0DnHwWDChPdDLmSAGSoi9PQCY3W
IqPmgwN8AOt0mXDLewMBCAfCwAAEGBYKAHIFgmdlxrwJEBEYOs+H2H9zRxQAAAAA
AB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ+XVxtgFzdgHDLSXNAd5
XPrRmViNruVrTkt1bw0tVHWZApsMFiEETF7GTh1vrWzizkF7ERg6z4fYf3MAAN0B
AP9QiCpKYdf7yxxeLYybmLg66i5MxkV05qs/9SNyR9dgNwD/UC5IjShHr3t201Op
d12Q+13lrJ8vczSrMXy6cDKLJgo=
=aHt9
-----END PGP PUBLIC KEY BLOCK-----

View file

@ -0,0 +1,40 @@
Path: news.eyrie.org!bounce-back
From: group-admin@isc.org
Newsgroups: comp.lang.go
Subject: cmsg newgroup comp.lang.go
Control: newgroup comp.lang.go
Approved: group-admin@isc.org
Date: Thu, 09 Nov 2023 13:00:02 -0800
Message-ID: <cmsg-20231109210002$29ef@isc.org>
X-Info: https://www.big-8.org/
https://www.eyrie.org/~eagle/big-8/
X-PGP-Sig: GnuPG Subject,Control,Message-ID,Date,From,Sender
iQIzBAEBCgAdFiEEjhgb7wvmOJYsGlyY+v57VQwYyLcFAmVNSFMACgkQ+v57VQwY
yLdG4g//bjHd8neeT+TV/wnJSaKRYHybfkrtzMtEOY9FrlXcMt/AjQLC2oJ0aS9u
l6TM04hfVuVCNYKyflOEYCpW0/9ei0yxr0JEATBsFdLN8fppEYzn5ziCxkLgDokN
JFt1oiAok4YbJ7H/4YXM4R8RcHThPVtpWhMI4pMzBwF4pOsgb6hYmiPwJBux0Bgd
pi74e5pFlrDB8tMoZetGvSSlH2qQTTUbZjd7qJJr6HqMFfIlSGWmw61rWMSehcQp
YCNW3ibbkJ4zPlfs+Q/5KbGobbyZ9fWl/sgHvZ3p8qJZHzqCtjeHyXNP3Q2BIiaj
kgdmJ6ZggQNNEEU/pupRIR4WpEjGZTRFDBGBa+5J1yQsV0FWSDyMpmvCkjlCoOhh
RMVs+YroSiEQxAYsYE7zFZok763MSiKQw00uvKR0gwd/Ov4QbC53AGZHKmW2Q8O+
m80AmKWa6YOaVFPgaou4TI+1qrTe0Hb/+72wT+Ep730JSuiJYQ+XZ/nZqsjegvV7
qPr2SpnWH43cSNi2MNBCPcWNGqVRUYxXfD2bouoS+9VACx9jkIgK8I8MleryXCwa
A6hs0T/+i/FqcNlwC/ZBxiKwjSzg8Vj90cteSjY+5ovTZOb5xCNtEbp4Pm3hbgeT
Qjtl738/hxyZUmgTEVzBv2CBahJ1ICkiYgzFa19WaIhAsDm4Mns=
=qThC
Xref: news.eyrie.org control.newgroup:100
*CORRUPTED*
The Last Call for Comments (LCC) on 2023-09-25 initiated a five-day
period for final comments. Following this comment period, the Big-8
Management Board voted to create the unmoderated newsgroup comp.lang.go.
The vote was 2 in favour and 0 opposed. One member did not vote.
For your newsgroups file:
comp.lang.go The Go programming language (Golang).
CHARTER:
comp.lang.go will be a unmoderated group where people interested in the
Go programming language can share ideas and topics, help each other, and
keep up with interesting projects.

View file

@ -0,0 +1,39 @@
Path: news.eyrie.org!bounce-back
From: group-admin@isc.org
Newsgroups: comp.lang.go
Subject: cmsg newgroup comp.lang.go
Control: newgroup comp.lang.go
Approved: group-admin@isc.org
Date: Thu, 09 Nov 2023 13:00:02 -0800
Message-ID: <cmsg-20231109210002$29ef@isc.org>
X-Info: https://www.big-8.org/
https://www.eyrie.org/~eagle/big-8/
X-PGP-Sig: GnuPG Subject,Control,Message-ID,Date,From,Sender
iQIzBAEBCgAdFiEEjhgb7wvmOJYsGlyY+v57VQwYyLcFAmVNSFMACgkQ+v57VQwY
yLdG4g//bjHd8neeT+TV/wnJSaKRYHybfkrtzMtEOY9FrlXcMt/AjQLC2oJ0aS9u
l6TM04hfVuVCNYKyflOEYCpW0/9ei0yxr0JEATBsFdLN8fppEYzn5ziCxkLgDokN
JFt1oiAok4YbJ7H/4YXM4R8RcHThPVtpWhMI4pMzBwF4pOsgb6hYmiPwJBux0Bgd
pi74e5pFlrDB8tMoZetGvSSlH2qQTTUbZjd7qJJr6HqMFfIlSGWmw61rWMSehcQp
YCNW3ibbkJ4zPlfs+Q/5KbGobbyZ9fWl/sgHvZ3p8qJZHzqCtjeHyXNP3Q2BIiaj
kgdmJ6ZggQNNEEU/pupRIR4WpEjGZTRFDBGBa+5J1yQsV0FWSDyMpmvCkjlCoOhh
RMVs+YroSiEQxAYsYE7zFZok763MSiKQw00uvKR0gwd/Ov4QbC53AGZHKmW2Q8O+
m80AmKWa6YOaVFPgaou4TI+1qrTe0Hb/+72wT+Ep730JSuiJYQ+XZ/nZqsjegvV7
qPr2SpnWH43cSNi2MNBCPcWNGqVRUYxXfD2bouoS+9VACx9jkIgK8I8MleryXCwa
A6hs0T/+i/FqcNlwC/ZBxiKwjSzg8Vj90cteSjY+5ovTZOb5xCNtEbp4Pm3hbgeT
Qjtl738/hxyZUmgTEVzBv2CBahJ1ICkiYgzFa19WaIhAsDm4Mns=
=qThC
Xref: news.eyrie.org control.newgroup:100
The Last Call for Comments (LCC) on 2023-09-25 initiated a five-day
period for final comments. Following this comment period, the Big-8
Management Board voted to create the unmoderated newsgroup comp.lang.go.
The vote was 2 in favour and 0 opposed. One member did not vote.
For your newsgroups file:
comp.lang.go The Go programming language (Golang).
CHARTER:
comp.lang.go will be a unmoderated group where people interested in the
Go programming language can share ideas and topics, help each other, and
keep up with interesting projects.

153
tests/sequoia-tests.pl Executable file
View file

@ -0,0 +1,153 @@
#! /usr/bin/perl -w
use constant VERIFY_OK => 0;
use constant VERIFY_BADDATA => 1;
use constant VERIFY_NOCERT => 2;
use constant VERIFY_BADSIG => 3;
my $sq = '/usr/local/bin/sq';
my $gpg = '/usr/bin/gpg';
my $sq_home = "$ENV{'PWD'}/keyring/sq/home/";
$ENV{SEQUOIA_HOME} = $sq_home;
my $failed = 0;
my $tests = 0;
sub pgpverify {
my ($file, $expected) = @_;
my $signer = `./tmp/pgpverify < $file`;
chomp $signer;
if ($? == VERIFY_OK && $signer eq $expected) {
return VERIFY_OK;
} else {
print "pgpverify exited with status ", ($? >> 8), "\n" if $? != VERIFY_OK;
print "pgpverify said the signer was $signer\n" if $signer;
return $? >> 8;
}
}
sub fix_pgpverify {
my ($path, $keyring) = @_;
open (BASIC, "../pgpverify") or die "Can't open ../pgpverify: $!\n";
open (FIXED, "> tmp/pgpverify") or die "Can't create pgpverify: $!\n";
while (<BASIC>) {
s%^\# \$sq = \'.*%\$sq = '$path';% if $path =~ /sq$/;
s%^\# \$sq_policy_as_of = \'.*%\$sq_policy_as_of = '19970101';% if $path =~ /sq$/;
s%^\# \$gpg = \'.*%\$gpg = '$path';% if $path =~ /gpg$/;
s%^\# \$keyring = \'.*%\$keyring = '$keyring';% if $keyring;
s%^\$syslog_method = \'.*%\$syslog_method = '';%;
print FIXED;
}
close BASIC;
close FIXED;
chmod (0755, 'tmp/pgpverify');
}
sub fix_signcontrol {
my ($path, $signer) = @_;
open (BASIC, "../signcontrol") or die "Can't open ../signcontrol: $!\n";
open (FIXED, "> tmp/signcontrol") or die "Can't create signcontrol: $!\n";
while (<BASIC>) {
s/INSERT_YOUR_PGP_USERID/$signer/;
s/^my \$pgp = \".*/my \$pgp = '$path';/;
s/YOUR_ADDRESS_AND_NAME/Test Signer <test\@example.com>/;
s/ADDRESS_FOR_Approved_HEADER/test\@example.com/;
s/FULL_HOST_NAME/example.com/;
s/HIERARCHIES/example/;
print FIXED;
}
close BASIC;
close FIXED;
chmod (0755, 'tmp/signcontrol');
}
sub sign_verify_roundtrip_test {
my ($testname, $sign_exec, $verify_exec, $signer) = @_;
my $signedfile = "./tmp/signed_$testname";
fix_signcontrol ($sign_exec, $signer);
my $status = system ("./tmp/signcontrol < ./messages/newgroup > $signedfile");
if ($? == 0) {
print "PASS: $testname (sign)\n";
} else {
print "signcontrol exited with status ", ($? >> 8), "\n";
print "FAIL: $testname (sign)\n";
$failed++;
}
$tests++;
fix_pgpverify ($verify_exec);
if (pgpverify ($signedfile, 'testing.sq') == VERIFY_OK) {
print "PASS: $testname (verify)\n";
} else {
print "FAIL: $testname (verify)\n";
$failed++;
}
$tests++;
}
fix_pgpverify ($sq);
if (pgpverify ('./messages/comp.lang.go.newgroup', 'news.announce.newgroups') == VERIFY_OK) {
print "PASS: big8 newgroup (verify from default cert store)\n";
} else {
print "FAIL: big8 newgroup (verify from default cert store)\n";
$failed++;
}
$tests++;
fix_pgpverify ($sq, './keyring/sq/big8-cert.asc');
if (pgpverify ('./messages/comp.lang.go.newgroup', 'news.announce.newgroups') == VERIFY_OK) {
print "PASS: big8 newgroup (verify from cert file)\n";
} else {
print "FAIL: big8 newgroup (verify from cert file)\n";
$failed++;
}
$tests++;
fix_pgpverify ($sq, $sq_home);
if (pgpverify ('./messages/comp.lang.go.newgroup', 'news.announce.newgroups') == VERIFY_OK) {
print "PASS: big8 newgroup (verify from custom cert store)\n";
} else {
print "FAIL: big8 newgroup (verify from custom cert store)\n";
$failed++;
}
$tests++;
# Corrupted message, should fail with status VERIFY_BADSIG
fix_pgpverify ($sq);
if (pgpverify ('./messages/comp.lang.go-corrupted.newgroup', 'news.announce.newgroups') == VERIFY_BADSIG) {
print "PASS: BAD big8 newgroup (verify)\n";
} else {
print "FAIL: BAD big8 newgroup (verify)\n";
$failed++;
}
$tests++;
# Unknown signer, should fail with status VERIFY_NOCERT
fix_pgpverify ($sq);
if (pgpverify ('./messages/gnu', 'usenet@gnu.org') == VERIFY_NOCERT) {
print "PASS: Unknown signer (verify)\n";
} else {
print "FAIL: Unknown signer (verify)\n";
$failed++;
}
$tests++;
sign_verify_roundtrip_test ('signcontrol-sq-fingerprint', $sq, $sq, '4C5EC64E1D6FAD6CE2CE417B11183ACF87D87F73');
sign_verify_roundtrip_test ('signcontrol-sq-userid', $sq, $sq, 'testing.sq');
# Interoperability test - verify with GnuPG the message signed
# with sq
fix_pgpverify ($gpg, './keyring/');
if (pgpverify ('./tmp/signed_signcontrol-sq-userid', 'testing.sq') == VERIFY_OK) {
print "PASS: Sign with sq, verify with gpg\n";
} else {
print "FAIL: Sign with sq, verify with gpg\n";
$failed++;
}
$tests++;
print "\nTOTAL: Tests $tests Failed $failed\n";

8
tests/sequoia-tests.sh Executable file
View file

@ -0,0 +1,8 @@
#!/bin/bash
if [ -d tests/tmp ]; then
rm -fR tests/tmp
fi
echo -e "Please insert $(cat tests/keyring/sq/passphrase) as passphrase when required\n"
cd tests && mkdir tmp && ./sequoia-tests.pl