Changed ubuntu-keyring paths break upgrade to focal.

Bug #1903776 reported by Simon Poirier
Affects                    Status   Importance   Assigned to     Milestone
Landscape Client                    High         Simon Poirier
landscape-client (Ubuntu)           Undecided    Simon Poirier
  Bionic                            Undecided    Simon Poirier
  Focal                             Undecided    Simon Poirier
  Groovy                            Undecided    Simon Poirier
  Hirsute                           Undecided    Simon Poirier

Bug Description

[Impact]

 * When launching an Ubuntu release-upgrade through landscape-client, the
   upgrade-tool fails GPG verification because the trusted apt key has changed
   location as of 18.04 LTS.

 * The proposed patch extends gpg lookup path to include all
   /etc/apt/trusted.gpg.d/*.gpg files in addition to /etc/apt/trusted.gpg
   when verifying the upgrade-tool signature.

[Test Case]

 * Install and register the landscape-client against a landscape-server
   on a series supporting an upgrade.

 * Wait for it to sync up packages.

 * On the computer packages page, there is a link at the bottom to request a
   release upgrade of that machine, if a supported version is available.

 * The upgrade fails and /var/log/landscape/release-upgrader.log will indicate
   a failed gpg verification.

[Where problems could occur]

 * One thing which has been considered in this fix is how someone could have
   worked around the issue by re-creating the old key path. The fix covers
   such a case by still reading the deprecated trusted.gpg file.

 * Although some care has been taken to only load valid gpg keys from apt
   trusted keychain, there could be unforeseen scenarios where invalid data
   gets read from the keychain. In such a case, the strict nature of gpg would
   reject the signature verification, thus being no worse than without the fix.

 * The affected callsite is used for verifying the release-upgrader code prior
   to running it. The worst outcome imaginable for this code path is falsely
   accepting an invalid file signature, which may create a security issue.
   This would most likely take the shape of injecting a gpg key into the
   search path without having root access.
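The fix described under [Impact] (look up keys in /etc/apt/trusted.gpg.d/*.gpg as well as the legacy /etc/apt/trusted.gpg) and the risk called out above (a key planted in the search path without root) can be demonstrated together. The following is an added example, not landscape-client's code and not the actual patch. It assumes only the apt paths named in this report and the real gpg options --no-default-keyring, --keyring and --verify; the directory roots are parameters, and build_sample_tree() is a helper invented here that constructs a throwaway sample layout with dummy bytes (not real keys) so the selection logic can be run offline. Note the "keybox '/etc/apt/trusted.gpg' created" line in the original log: handing gpg a --keyring path that does not exist makes it create an empty keybox rather than fail, which is why missing files are filtered out before gpg is invoked.

```python
"""Select apt-trusted keyrings for verifying the upgrade-tool signature.

Added example, not landscape-client's code. Assumes the Debian/Ubuntu apt
layout named in the bug: the legacy /etc/apt/trusted.gpg plus the fragment
directory /etc/apt/trusted.gpg.d/*.gpg. Paths are parameters so the logic
can run against the constructed sample tree built by build_sample_tree().
"""
import glob
import os
import stat
import tempfile
from typing import List

LEGACY_KEYRING = "/etc/apt/trusted.gpg"
FRAGMENT_DIR = "/etc/apt/trusted.gpg.d"


def looks_like_binary_keyring(path: str) -> bool:
    """True if the file starts with an OpenPGP Public-Key packet (tag 6).

    gpg rejects ASCII-armored or malformed --keyring files outright, so one
    stray file in trusted.gpg.d would otherwise break every verification.
    """
    try:
        with open(path, "rb") as fh:
            first = fh.read(1)
    except OSError:
        return False
    if not first or not first[0] & 0x80:   # bit 7 is set in every packet header
        return False
    b = first[0]
    if b & 0x40:                            # new-format header: tag in bits 0..5
        return (b & 0x3F) == 6
    return ((b >> 2) & 0x0F) == 6           # old-format header: tag in bits 2..5


def is_trustworthy_file(path: str, owner_uid: int = 0) -> bool:
    """Reject keyrings an unprivileged user could have planted or altered.

    Only regular files owned by owner_uid (root on a real system) and not
    writable by group or others are accepted; stat() follows symlinks on
    purpose, because the target is what gpg would read.
    """
    try:
        st = os.stat(path)
    except OSError:                         # missing file: never pass it to gpg,
        return False                        # or gpg quietly creates an empty keybox
    if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
        return False
    return not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def apt_trusted_keyrings(legacy: str = LEGACY_KEYRING,
                         fragment_dir: str = FRAGMENT_DIR,
                         owner_uid: int = 0) -> List[str]:
    """Legacy keyring (if still present) followed by the sorted *.gpg fragments."""
    candidates = [legacy] + sorted(glob.glob(os.path.join(fragment_dir, "*.gpg")))
    return [p for p in candidates
            if is_trustworthy_file(p, owner_uid) and looks_like_binary_keyring(p)]


def gpg_verify_command(signature: str, tarball: str, keyrings: List[str]) -> List[str]:
    """argv for gpg that trusts exactly the given keyrings and nothing else."""
    cmd = ["gpg", "--batch", "--no-default-keyring"]
    for keyring in keyrings:
        cmd += ["--keyring", keyring]
    return cmd + ["--verify", signature, tarball]


def build_sample_tree() -> dict:
    """Constructed apt-like layout in a temp dir (dummy bytes, not real keys)."""
    root = tempfile.mkdtemp(prefix="apt-sample-")
    frag = os.path.join(root, "trusted.gpg.d")
    os.mkdir(frag)
    # 0x99 = old-format Public-Key packet header; 0xC6 = new-format equivalent.
    files = {
        "legacy":  (os.path.join(root, "trusted.gpg"),        b"\x99\x01\x0d" + b"\x00" * 8, 0o644),
        "good":    (os.path.join(frag, "sample-archive.gpg"), b"\xc6\x8a\x0d" + b"\x00" * 8, 0o644),
        "armored": (os.path.join(frag, "sample-armored.gpg"), b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n", 0o644),
        "planted": (os.path.join(frag, "zz-planted.gpg"),     b"\x99\x01\x0d" + b"\x00" * 8, 0o666),
        "other":   (os.path.join(frag, "README"),             b"not a keyring\n", 0o644),
    }
    for path, data, mode in files.values():
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    out = {name: path for name, (path, _, _) in files.items()}
    out.update(root=root, fragment_dir=frag, owner_uid=os.getuid())
    return out


if __name__ == "__main__":
    tree = build_sample_tree()
    chosen = apt_trusted_keyrings(tree["legacy"], tree["fragment_dir"], tree["owner_uid"])
    # File names below are constructed placeholders for the signed tarball.
    print(gpg_verify_command("upgrade-tool.tar.gz.gpg", "upgrade-tool.tar.gz", chosen))
```

Running the demo selects the legacy file plus the one well-formed, properly owned fragment, and skips the armored file, the world-writable one and the non-.gpg file. On a host where /etc/apt/trusted.gpg has been removed, the same function simply yields the fragments, which is the case the bug report describes.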

[Other Info]

 * There is no way to directly verify this issue on 20.10 Groovy and later
   (without faking a release) due to the lack of an upgrade path to a supported
   LTS. Since the ubuntu-keyring package has the same file layout there, the
   same validation failure is nevertheless to be expected if left unpatched.

[Original description]

Since bionic, ubuntu-keyring removed `/etc/apt/trusted.gpg` in favor of `/etc/apt/trusted.gpg.d/`

This breaks signature verification for the upgrade-tool.
Trying to release-upgrade through landscape yields a failure on signature check:

2020-11-10 15:47:51,019 WARNING [MainThread] Invalid signature for upgrade-tool tarball: /usr/bin/gpg failed (out='', err='gpg: keybox '/etc/apt/trusted.gpg' created
gpg: Signature made Fri Oct 16 03:28:09 2020 UTC
gpg: using RSA key 3B4FE6ACC0B21F32
gpg: Can't check signature: No public key

Simon Poirier (simpoir)
Changed in landscape-client:
status: New → Confirmed
importance: Undecided → Critical
importance: Critical → High
assignee: nobody → Simon Poirier (simpoir)
Simon Poirier (simpoir)
Changed in landscape-client:
status: Confirmed → In Progress
Simon Poirier (simpoir)
Changed in landscape-client:
status: In Progress → Fix Committed
Simon Poirier (simpoir)
Changed in landscape-client (Ubuntu):
status: New → Confirmed
Changed in landscape-client (Ubuntu Hirsute):
status: Confirmed → New
Simon Poirier (simpoir)
description: updated
Simon Poirier (simpoir)
Changed in landscape-client (Ubuntu Hirsute):
assignee: nobody → Simon Poirier (simpoir)
Changed in landscape-client (Ubuntu Groovy):
assignee: nobody → Simon Poirier (simpoir)
Changed in landscape-client (Ubuntu Focal):
assignee: nobody → Simon Poirier (simpoir)
Changed in landscape-client (Ubuntu Bionic):
assignee: nobody → Simon Poirier (simpoir)
Changed in landscape-client (Ubuntu Hirsute):
status: New → In Progress
Changed in landscape-client (Ubuntu Groovy):
status: New → In Progress
Changed in landscape-client (Ubuntu Focal):
status: New → In Progress
Changed in landscape-client (Ubuntu Bionic):
status: New → In Progress
John Lewis (jlewis-johnlewis) wrote :

The customer is asking if there's an update?

John Lewis (jlewis-johnlewis) wrote :

Customer has asked again for a further update.

Albourne Software (asoftware) wrote :

Hi, do you have any updates?

Brian Murray (brian-murray) wrote :

The Groovy Gorilla has reached end of life, so this bug will not be fixed for that release.

Changed in landscape-client (Ubuntu Groovy):
status: In Progress → Won't Fix