Failed signature verification while hacking

zyga 2017-07-14 12:29:12 UTC #1

So I’m hacking on master today, with snapd running from the tree and suddenly I noticed it spews those messages every few minutes:

2017/07/14 14:21:35.783883 snapmgr.go:418: Cannot prepare auto-refresh change: cannot add some assertions to the system database:

failed signature verification: openpgp: invalid signature: hash tag doesn’t match
2017/07/14 14:21:35.783961 stateengine.go:98: state ensure error: cannot add some assertions to the system database:

failed signature verification: openpgp: invalid signature: hash tag doesn’t match

Any ideas?

niemeyer 2017-07-14 13:50:58 UTC #2

Clearly some of the assertions currently in your system are not being validated with the root keys from your compiled binary.

Can you please dig in further and verify why?

Potential causes:

The key is missing
The key is expired
The signature is corrupted

zyga 2017-07-14 16:35:19 UTC #3

I’m looking at this right now, what I know so far:

my time and date is valid
out of all the assertions on my system only ony has since field and it says 2016-04-01T00:00:00.0Z
out of all the assertions on my system none have timestamps from the future
the error message comes from golang.org/x/crypto/openpgp/packet/public_key.go

I patched my copy to print out the mismatching hashes:

- failed signature verification: openpgp: invalid signature: hash tag doesn't match "\xbfx^\xae\xd4\xe1ci\x94\x8cY-\xae\x13Yx{6\x91\xe4\"\"\n\x06\xfa\x87\x92\xc3D\xaa\xb5\xe0\xbc\xe9\xe7!\x8b\xbfz\x81\a\x9c\x8f\xbf<\x05\xed\"\x94\xbaO<\x801\xe3X>\xb4\xea\xf1\xb0Ղ\xe4" vs "\xd9~"

EDIT: ^ the 2nd string is the hash in the signature

I’ll keep digging.

zyga 2017-08-14 14:39:05 UTC #4

I think this was the bug where we did double utf-8 encoding on the store. The issue is solved now.