smimesign: macOS Big Sur: smimesign v0.1.0: Invalid Signatures
smimesign v0.1.0 when installed via Homebrew for macOS Big Sur creates invalid/corrupt signatures. Specifically, this happens when smimesign is installed as follows on macOS Big Sur:
brew install smimesign
This causes the following bottle to be used: https://homebrew.bintray.com/bottles/smimesign-0.1.0.big_sur.bottle.tar.gz
Interestingly enough, these invalid signatures (signatures created with the smimesign binary for macOS Big Sur) can be verified successfully by the same smimesign binary that created them, but are (correctly) reported as invalid by all other smimesign binaries as well as the GitHub UI/API.
To workaround this issue, when installing smimesign on macOS Big Sur, you can explicitly request a bottle that does not suffer from this issue. Specifically, the smimesign-0.1.0.catalina.bottle.tar.gz bottle (compiled for macOS Catalina) does not suffer from the issue and works on macOS BigSur:
brew install https://homebrew.bintray.com/bottles/smimesign-0.1.0.catalina.bottle.tar.gz
If this workaround is not performed, corrupt git commit signatures will be produced. Any attempt to verify these commits using a version of smimesign that does not suffer from the issue will result in the following failure:
[~/dev/test-repo]$ git log --show-signature -1
commit 982cca63826ab8e894fc48db2825dd7805d1f9ae (HEAD -> master, origin/master, origin/HEAD)
failed to verify signature: crypto/rsa: verification error
Merge: 59b2361 26ce50c
Author: Redacted User <redacted@redacted.com>
Date: Fri Sep 18 19:07:50 2020 -0400
#1: Test Issue
[~/dev/test-repo]$ git verify-commit HEAD
failed to verify signature: crypto/rsa: verification error
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Reactions: 12
- Comments: 20 (6 by maintainers)
Commits related to this issue
- v0.1.2 Release notes: - Update `github.com/github/ietf-cms` to address https://github.com/github/smimesign/issues/74 — committed to github/smimesign by lgarron 3 years ago
- v0.1.2 Release notes: - Update `github.com/github/ietf-cms` to address https://github.com/github/smimesign/issues/74 — committed to github/smimesign by lgarron 3 years ago
@btoews @vcsjones @lgarron would it be possible to create a new release with this fix? Can’t install go 1.14 to build this myself at the moment.
Sorry for the confusion y’all, we’ll get a new build with the updated
ietf-cmsdependency as well out soon.Everything worked for me by cloning the source, updating github/ietf-cms dependency to
@main, and rebuilding with Go 1.16.5 on Big Sur.Waiting for official release.
I believe that @bluestealth and I have fixed the underlying issue that causes this in github/ietf-cms#29.
brew install smimesigninstalled the latest 0.1.2 version and now signatures are correctly verified in GitHub. Thanks a lotWorked for me, thanks!
v0.1.2is published; please let us know if that works for you! https://github.com/github/smimesign/releases/tag/v0.1.2Is there an update on when this fix will be released?
@andrewpong we’ll be releasing a new version of smimesign with updated dependencies in the near future. Stay tuned!
btw this has been an issue since v0.0.13 - has been driving me and my team crazy! So basically depending on what version of Go smimesign was built with, signatures may or may not be valid. We’ve been going in circles for months trying to figure out why this works for some of us and not others 😅
@poom @maetolay @theerasan @taninaim @AungThiha
👋 Thanks for the issue. We’ve taken note of it so that it gets triaged.