gpg failure if /root/.gnupg doesn't exist and /var/lib/smart is empty

Bug #562496 reported by Andreas Hasenack
Affects | Status | Importance | Assigned to | Milestone
Landscape Client | Fix Released | Medium | Free Ekanayaka |
Smart Package Manager | Fix Released | Undecided | Unassigned |
landscape-client (Ubuntu) | Fix Released | Undecided | Unassigned |
Jaunty | Fix Released | Undecided | Unassigned |
Karmic | Fix Released | Undecided | Unassigned |
Lucid | Fix Released | Undecided | Unassigned |

Bug Description

Steps to reproduce:

root@nsn2:~# rm -rf .gnupg/
root@nsn2:~# rm -rf /var/lib/smart/*

Notice how smart update fails for the first channel. I abort right afterwards:
root@nsn2:~# smart update
Updating cache... ################################################################################################################### [100%]

Fetching information for 'lucid - partner'...
-> http://archive.canonical.com/ubuntu/dists/lucid/Release.gpg
Release.gpg ################################################################################################################### [ 1%]
-> http://archive.canonical.com/ubuntu/dists/lucid/Release
Release ################################################################################################################### [ 3%]
error: Channel 'lucid - partner' signed with unknown key
(...)

I now just run again, no other changes, and it works:

root@nsn2:~# smart update
Updating cache... ################################################################################################################### [100%]

Fetching information for 'lucid - partner'...
-> http://archive.canonical.com/ubuntu/dists/lucid/Release.gpg
Release.gpg ################################################################################################################### [ 1%]
-> http://archive.canonical.com/ubuntu/dists/lucid/Release
Release ################################################################################################################### [ 3%]
-> http://archive.canonical.com/ubuntu/dists/lucid/partner/binary-i386/Packages.bz2
Packages.bz2 ################################################################################################################### [ 5%]

(...)

Andreas Hasenack (ahasenack) wrote :

This is how smart calls gpg:

root@nsn2:~# gpg --keyring /etc/apt/trusted.gpg --status-fd 1 --no-default-keyring --no-secmem-warning --batch --verify Release.gpg Release
gpg: Signature made Tue 13 Apr 2010 09:25:39 AM BRT using DSA key ID 437D05B5
[GNUPG:] SIG_ID mIKaw5+pk677fzgzZBFIUb9ehSs 2010-04-13 1271161539
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: fatal: /root/.gnupg: directory does not exist!
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768
root@nsn2:~# echo $?
2

If I drop "--no-default-keyring", then it seems to work:

root@nsn2:~# gpg --keyring /etc/apt/trusted.gpg --status-fd 1 --no-secmem-warning --batch --verify Release.gpg Release
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: Signature made Tue 13 Apr 2010 09:25:39 AM BRT using DSA key ID 437D05B5
[GNUPG:] SIG_ID mIKaw5+pk677fzgzZBFIUb9ehSs 2010-04-13 1271161539
gpg: /root/.gnupg/trustdb.gpg: trustdb created
[GNUPG:] GOODSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
gpg: Good signature from "Ubuntu Archive Automatic Signing Key <email address hidden>"
[GNUPG:] VALIDSIG 630239CC130E1A7FD81A27B140976EAF437D05B5 2010-04-13 1271161539 0 3 0 17 2 00 630239CC130E1A7FD81A27B140976EAF437D05B5
[GNUPG:] TRUST_UNDEFINED
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6302 39CC 130E 1A7F D81A 27B1 4097 6EAF 437D 05B5
root@nsn2:~# echo $?
0

With smart tweaked to not include --no-default-keyring:

root@nsn2:~# rm -rf .gnupg /var/lib/smart/*
root@nsn2:~# smart update
Updating cache... ################################################################################################################### [100%]

Fetching information for 'lucid - partner'...
-> http://archive.canonical.com/ubuntu/dists/lucid/Release.gpg
Release.gpg ################################################################################################################### [ 1%]
-> http://archive.canonical.com/ubuntu/dists/lucid/Release
Release ################################################################################################################### [ 3%]
-> http://archive.canonical....


Changed in landscape-client:
assignee: nobody → Free Ekanayaka (free.ekanayaka)
status: New → In Progress
importance: Undecided → Medium
milestone: none → 1.5.1
Changed in landscape-client:
status: In Progress → Fix Committed
Anders F Björklund (afb) wrote :

The problem is that there are *two* files created:
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created

So even if the --keyring is set, it'll still try to create
the config directory unless setting --trustdb-name too:
gpg --keyring /etc/apt/trusted.gpg --no-default-keyring --trustdb-name /etc/apt/trustdb.gpg --verify Release.gpg Release

So it probably needs to grow another setting?

i.e. apt-deb "trustdb", right next to the "keyring"

Anders F Björklund (afb) wrote :

Or work around it by "mkdir /root/.gnupg", sure... (above)
But it will still create a new empty trustdb.gpg in that case.

Free Ekanayaka (free.ekanayaka) wrote :

Hi Anders,

creating "/root/.gnupg" is indeed the workaround we opted for, while waiting for a better alternative. I'm not sure I understand your comment #2. I'm wondering if this is actually a bug in gpg, which should create whatever directory is necessary to perform the requested operation. I'm on #smart whenever you feel like talking about it.

Anders F Björklund (afb) wrote :

Added some non-pseudo code in "trustdb" branch.

Andreas Hasenack (ahasenack) wrote :

Anders, your suggestion sounds very sane. Did you try smart, or the full gnupg command line, with the added trustdb option? Does it work then the first time and without a /root/.gnupg directory?

Andreas Hasenack (ahasenack) wrote :

I guess it does work:

root@nsn2:~# rm -rf .gnupg
root@nsn2:~# gpg --keyring /etc/apt/trusted.gpg --trustdb /etc/apt/trustdb.gpg --no-default-keyring --status-fd 1 --no-secmem-warning --batch --verify Release.gpg Release
gpg: Signature made Tue 13 Apr 2010 09:25:39 AM BRT using DSA key ID 437D05B5
[GNUPG:] SIG_ID mIKaw5+pk677fzgzZBFIUb9ehSs 2010-04-13 1271161539
[GNUPG:] GOODSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
gpg: Good signature from "Ubuntu Archive Automatic Signing Key <email address hidden>"
[GNUPG:] VALIDSIG 630239CC130E1A7FD81A27B140976EAF437D05B5 2010-04-13 1271161539 0 3 0 17 2 00 630239CC130E1A7FD81A27B140976EAF437D05B5
[GNUPG:] TRUST_UNDEFINED
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6302 39CC 130E 1A7F D81A 27B1 4097 6EAF 437D 05B5
root@nsn2:~# ls -la .gnupg
ls: cannot access .gnupg: No such file or directory
root@nsn2:~#
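
Added example, not part of the thread and not smart's or landscape-client's code: a parser for the `[GNUPG:]` status lines shown above, so a caller can tell a gpg run that never reached a verdict (the first run, which smart reported as "signed with unknown key" although gpg emitted no NO_PUBKEY or ERRSIG line) from a key that is really missing. The function names, verdict strings, the pinned-fingerprint check and the third sample are assumptions made for illustration.

```python
# Added example (not smart's code): classify `gpg --status-fd 1` output.
PREFIX = "[GNUPG:] "

def gpg_argv(keyring, trustdb, sig, data):
    """Command line from the thread, with explicit keyring and trustdb."""
    return ["gpg", "--keyring", keyring, "--trustdb-name", trustdb,
            "--no-default-keyring", "--status-fd", "1", "--no-secmem-warning",
            "--batch", "--verify", sig, data]

def parse_status(output):
    """Return (keyword, args) for each machine-readable status line."""
    events = []
    for line in output.splitlines():
        parts = line[len(PREFIX):].split() if line.startswith(PREFIX) else []
        if parts:
            events.append((parts[0], parts[1:]))
    return events

def classify(output, exit_code, pinned_fingerprints):
    """Hypothetical helper: map one gpg run to a verdict a caller can report."""
    events = parse_status(output)
    keywords = {keyword for keyword, _ in events}
    if "BADSIG" in keywords:
        return "bad-signature"
    if keywords & {"EXPSIG", "EXPKEYSIG", "REVKEYSIG"}:
        return "expired-or-revoked"
    valid = [args for keyword, args in events if keyword == "VALIDSIG" and args]
    if valid and exit_code == 0:
        # Field 10 is the primary key fingerprint; fall back to field 1 if absent.
        found = {args[9] if len(args) >= 10 else args[0] for args in valid}
        return "valid" if found & set(pinned_fingerprints) else "unpinned-key"
    if keywords & {"NO_PUBKEY", "ERRSIG"}:
        return "unknown-key"
    return "gpg-error"  # e.g. the fatal homedir failure: no verdict was reached
# Output copied from the thread: the failing first run (exit code 2).
FIRST_RUN = """[GNUPG:] SIG_ID mIKaw5+pk677fzgzZBFIUb9ehSs 2010-04-13 1271161539
gpg: fatal: /root/.gnupg: directory does not exist!"""
# Status lines copied from the thread: the run with an explicit trustdb (exit code 0).
GOOD_RUN = """[GNUPG:] SIG_ID mIKaw5+pk677fzgzZBFIUb9ehSs 2010-04-13 1271161539
[GNUPG:] GOODSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
[GNUPG:] VALIDSIG 630239CC130E1A7FD81A27B140976EAF437D05B5 2010-04-13 1271161539 0 3 0 17 2 00 630239CC130E1A7FD81A27B140976EAF437D05B5
[GNUPG:] TRUST_UNDEFINED"""
# Constructed sample (not from the thread): the key really is missing from the keyring.
MISSING_KEY = """[GNUPG:] ERRSIG 40976EAF437D05B5 17 2 00 1271161539 9
[GNUPG:] NO_PUBKEY 40976EAF437D05B5"""
PINNED = {"630239CC130E1A7FD81A27B140976EAF437D05B5"}
if __name__ == "__main__":
    for name, out, rc in (("first run", FIRST_RUN, 2), ("good run", GOOD_RUN, 0), ("missing key", MISSING_KEY, 2)):
        print(name, "->", classify(out, rc, PINNED))
```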

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package landscape-client - 1.5.0.1-0ubuntu0.10.04.0

---------------
landscape-client (1.5.0.1-0ubuntu0.10.04.0) lucid; urgency=low

  * New upstream version
    - Fix smart-update failing its very first run (LP: #562496)
    - Depend on pythonX.Y-dbus and pythonX.Y-pycurl (LP: #563063)
    - Make only one request at a time to retrieve EC2 instances (LP: #567515)
 -- Free Ekanayaka <email address hidden> Wed, 21 Apr 2010 12:31:28 +0200

Changed in landscape-client (Ubuntu Lucid):
status: New → Fix Released
Changed in smart:
milestone: none → 1.4
Martin Pitt (pitti) wrote : Please test proposed package

Accepted landscape-client into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in landscape-client (Ubuntu Karmic):
status: New → Fix Committed
tags: added: verification-needed
Changed in landscape-client (Ubuntu Jaunty):
status: New → Fix Committed
Martin Pitt (pitti) wrote :

Accepted landscape-client into jaunty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: needs-testing
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package landscape-client - 1.5.0.1-0ubuntu0.9.04.0

---------------
landscape-client (1.5.0.1-0ubuntu0.9.04.0) jaunty-proposed; urgency=low

  * New upstream version
    - Fix smart-update failing its very first run (LP: #562496)
    - Depend on pythonX.Y-dbus and pythonX.Y-pycurl (LP: #563063)
    - Make only one request at a time to retrieve EC2 instances (LP: #567515)

  * New upstream version (LP: #557244)
    - Fix package-changer running before smart-update has completed (LP: #542215)
    - Report the version of Eucalyptus used to generate topology data (LP: #554007)
    - Enable the Eucalyptus plugin by default, if supported (LP: #546531)
    - Use a whitelist of allowed filesystem types to instead of a blacklist (LP: #351927)
    - Report the update-manager logs to the server (LP: #503384)
    - Turn off Curl's DNS caching for requests. (LP: #522668)
 -- Free Ekanayaka <email address hidden> Wed, 21 Apr 2010 12:31:28 +0200

Changed in landscape-client (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package landscape-client - 1.5.0.1-0ubuntu0.9.10.0

---------------
landscape-client (1.5.0.1-0ubuntu0.9.10.0) karmic-proposed; urgency=low

  * New upstream version
    - Fix smart-update failing its very first run (LP: #562496)
    - Depend on pythonX.Y-dbus and pythonX.Y-pycurl (LP: #563063)
    - Make only one request at a time to retrieve EC2 instances (LP: #567515)

  * New upstream version (LP: #557244)
    - Fix package-changer running before smart-update has completed (LP: #542215)
    - Report the version of Eucalyptus used to generate topology data (LP: #554007)
    - Enable the Eucalyptus plugin by default, if supported (LP: #546531)
    - Use a whitelist of allowed filesystem types to instead of a blacklist (LP: #351927)
    - Report the update-manager logs to the server (LP: #503384)
    - Turn off Curl's DNS caching for requests. (LP: #522668)
 -- Free Ekanayaka <email address hidden> Wed, 21 Apr 2010 12:31:28 +0200

Changed in landscape-client (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in smart:
status: New → Fix Committed
Changed in landscape-client:
status: Fix Committed → Fix Released
tags: removed: needs-testing verification-needed
Changed in smart:
status: Fix Committed → Fix Released