Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

macOS Big Sur: smimesign v0.1.0: Invalid Signatures #74

Closed
christopherincanada opened this issue Jan 12, 2021 · 20 comments
Closed

macOS Big Sur: smimesign v0.1.0: Invalid Signatures #74

christopherincanada opened this issue Jan 12, 2021 · 20 comments
Assignees

Comments

@christopherincanada
Copy link

smimesign v0.1.0 when installed via Homebrew for macOS Big Sur creates invalid/corrupt signatures. Specifically, this happens when smimesign is installed as follows on macOS Big Sur:

brew install smimesign

This causes the following bottle to be used: https://homebrew.bintray.com/bottles/smimesign-0.1.0.big_sur.bottle.tar.gz

Interestingly enough, these invalid signatures (signatures created with the smimesign binary for macOS Big Sur) can be verified successfully by the same smimesign binary that created them, but are (correctly) reported as invalid by all other smimesign binaries as well as the GitHub UI/API.

To workaround this issue, when installing smimesign on macOS Big Sur, you can explicitly request a bottle that does
not suffer from this issue. Specifically, the smimesign-0.1.0.catalina.bottle.tar.gz bottle (compiled for macOS
Catalina) does not suffer from the issue and works on macOS BigSur:

brew install https://homebrew.bintray.com/bottles/smimesign-0.1.0.catalina.bottle.tar.gz

If this workaround is not performed, corrupt git commit signatures will be produced. Any attempt to verify these
commits using a version of smimesign that does not suffer from the issue will result in the following failure:

[~/dev/test-repo]$ git log --show-signature -1
commit 982cca63826ab8e894fc48db2825dd7805d1f9ae (HEAD -> master, origin/master, origin/HEAD)
failed to verify signature: crypto/rsa: verification error
Merge: 59b2361 26ce50c
Author: Redacted User <redacted@redacted.com>
Date:   Fri Sep 18 19:07:50 2020 -0400

    #1: Test Issue
[~/dev/test-repo]$ git verify-commit HEAD
failed to verify signature: crypto/rsa: verification error
@matthewkrupnik
Copy link

Had the exact same issue. Everything exactly as described. Thanks so much for the workaround. Worked great for me. Hopefully whatever is broken in the brew package gets fixed soon.

@vcsjones
Copy link
Member

👋 Thanks for the issue. We've taken note of it so that it gets triaged.

@joevennix
Copy link

I tracked this issue down to github/ietf-cms#25, a bug that emerges when built on 1.15. AFAICT fixing that issue should suffice to fix the issue here as well.

@jai
Copy link

jai commented Apr 19, 2021

btw this has been an issue since v0.0.13 - has been driving me and my team crazy! So basically depending on what version of Go smimesign was built with, signatures may or may not be valid. We've been going in circles for months trying to figure out why this works for some of us and not others 😅

@poom @maetolay @theerasan @taninaim @AungThiha

@ddz
Copy link

ddz commented Jun 12, 2021

I believe that @bluestealth and I have fixed the underlying issue that causes this in github/ietf-cms#29.

@PatrickHeneise
Copy link

@btoews @vcsjones @lgarron would it be possible to create a new release with this fix? Can't install go 1.14 to build this myself at the moment.

@AlekSi
Copy link

AlekSi commented Jul 14, 2021

Everything worked for me by cloning the source, updating github/ietf-cms dependency to @main, and rebuilding with Go 1.16.5 on Big Sur.

Waiting for official release.

@PatrickHeneise
Copy link

Thanks @AlekSi, that worked for me as well and commits show as verified here on GitHub 🎉

@jvz
Copy link

jvz commented Jul 22, 2021

Same issue applies to the macOS binary available from the releases tab. I didn't even realize all my signed commits were useless up until now...

@andrewpong
Copy link

andrewpong commented Aug 14, 2021

This was a fun exercise to get a crash course in Go!

I did what @AlekSi did above: update smimesign@v0.1.0 to use ietf-cms@v0.1.1 and rebuild; it worked with go1.16.7 darwin/amd64.

What needs to happen for smimesign to be updated to the newer ietf-cms dependency?

@vcsjones
Copy link
Member

@andrewpong we'll be releasing a new version of smimesign with updated dependencies in the near future. Stay tuned!

@pstackle
Copy link

pstackle commented Sep 9, 2021

Is there an update on when this fix will be released?

@vcsjones
Copy link
Member

v0.1.1 was released which should address this issue. Please give it a try and let us know how it goes.

@ddz
Copy link

ddz commented Sep 25, 2021

I haven't tested this new release of smimesign, but it is still using v0.1.0 of ietf-cms, which does not include the fix for what I believe to be the underlying issue causing the invalid signatures:

github.com/github/ietf-cms v0.1.0

There needs to be a new release of ietf-cms that includes this merged PR and then smimesign needs to be bumped to pull in that new version.

@adricasti
Copy link

Indeed, this does not fix the problem described in the title and since bintray has shut down, @christopherincanada solution does not work anymore, do you know if it's still possible to install the old Catalina bottle?

@vcsjones
Copy link
Member

Sorry for the confusion y'all, we'll get a new build with the updated ietf-cms dependency as well out soon.

lgarron added a commit that referenced this issue Sep 28, 2021
Release notes:

- Update `github.com/github/ietf-cms` to address #74
lgarron added a commit that referenced this issue Sep 28, 2021
Release notes:

- Update `github.com/github/ietf-cms` to address #74
@lgarron
Copy link
Contributor

lgarron commented Sep 28, 2021

v0.1.2 is published; please let us know if that works for you!
https://github.com/github/smimesign/releases/tag/v0.1.2

@PatrickHeneise
Copy link

Worked for me, thanks!

@adricasti
Copy link

brew install smimesign installed the latest 0.1.2 version and now signatures are correctly verified in GitHub. Thanks a lot

@lgarron
Copy link
Contributor

lgarron commented Sep 28, 2021

Thanks, @patrickbenitez and @adricasti!

I'll take that as confirmation that this is resolved. If anyone is running into issues, please comment here and we can reopen!

@lgarron lgarron closed this as completed Sep 28, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests