GPG upload of newly-changed key fails because we cache the old key

Bug #3052 reported by Christian Reis
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Launchpad itself

Bug Description

The upload of a newly-changed GPG key fails and keeps failing for a long time after we update the key. James H. has provided us with a good hypothesis:

The GPGHandler.retrieveKey() code does the following:

1. try to get key from local keyring

2. if that fails, grab it from our keyserver

So if someone tries to add a sign-only key we'll cache that key in the app server's $GNUPGHOME. If the user adds an encryption key, waits for the keyserver to synchronise and tries to add it again, LP will still get the old cached version unless one of the following holds:

 * they hit a different app server
 * the app server process has been restarted (which creates a new $GNUPGHOME)

These two variables could indicate why the problem appears to be intermittent.

The solution may involve writing code to invalidate the cache, and always invalidating when the end-user is uploading a key -- it is still useful for other situations, of course.

Dafydd Harries (daf)
Changed in launchpad:
status: New → Accepted
Revision history for this message
Dafydd Harries (daf) wrote :

Assigning James H for the time being.

Changed in launchpad:
assignee: nobody → jamesh
Revision history for this message
Manish Chakravarty (monzie) wrote :

The same problem is occuring with me..

I will reproduce what i did, if that helps you

1) I had previously registered with Key ID : 995D6B13
and email address <email address hidden> [worked]

2) i then changed my email id to <email address hidden> [worked]

3) I wanted to change my PGP key as i had lost my earlier one
i tried two
a) fingerprint: 191B CFBF 5C87 B0A5 BA7B 2A1A 8BE4 F7F7 7019 9A55
ID: 70199A55
b) 3E47 9345 7436 E11E B6EC 6D15 A84E E67E 9D53 6D7B
ID: 9D536D7B

The first one has <email address hidden> as email and the second on has <email address hidden>

screenshot :

Revision history for this message
Diogo Matsubara (matsubara) wrote :

Hi James,

Does your gpg backend address those cache issues? We had an user who was unable to revalidate his key and I thought it could be caused by the caching.
You can see here:
the steps we took to try to import his key into launchpad. So far we had no sucess.

Revision history for this message
James Henstridge (jamesh) wrote :

I don't think this is fixed yet. The pygpgme integration work I did didn't change this aspect of

Curtis Hovey (sinzui)
Changed in launchpad-foundations:
assignee: jamesh → nobody
Revision history for this message
Siegfried Gevatter (rainct) wrote :
Revision history for this message
Curtis Hovey (sinzui) wrote :

This will consider fixing this as a part of a larger effort to improve Launchpad's integration of pygpgme

Changed in launchpad-registry:
importance: Medium → Low
status: Confirmed → Triaged
Revision history for this message
Celso Providelo (cprov) wrote :

Note that this is a side-effect of having a permanent GNUPGHOME in appservers, this problem doesn't happen with the cronjobs (which creates a new GNUPGHOME every run).

My impression is that we could simply modify IGPGHandler.retrieveKey() to accept a 'force' argument which would force it to import the key from the keyserver even if it is already present in the local keyring, and obviously use that for sensible operations like validating keys.

We may find out that we need to re-import keys in many places in order to always use up-to-date keys. In this case we have to investigate the impacts of the extra requests on the internal keyserver (which is single-threaded).

Curtis Hovey (sinzui)
tags: added: gpg
Revision history for this message
Todd Vierling (duh) wrote :

Still an issue, three years since the last comment. There's a bunch of documentation talking about how to upload an updated key after changing expiration -- and it will show up on the keyserver -- but there's no way to update the cached key.

Since gpg is perfectly happy importing a key that already exists, and will update the key in-place when doing so, how about simply removing the sanity check triggering the "key exists" warning, and simply import a fingerprint _always_? This wouldn't require extra switches at all.

Colin Watson (cjwatson)
no longer affects: ubuntu
Revision history for this message
Tobias Schlemmer (keinstein-junior) wrote :

Today I had the same problem. I extended the key lifetime, but I can't reactivate the key as the server always complains that the key is expired. Additionally the key has a revoked email address due to discontinuing service by Berlios.

Revision history for this message
Taihsiang Ho (taihsiangho) wrote :

Same as the comment#9. I renew my public key but Launchpad always complains my key has been expired. My key fingerprint 2BB2 0A20 01E3 26F8 37E8 2FEF D371 FA62 B582 92C2

Revision history for this message
Colin Watson (cjwatson) wrote : doesn't quite fix this, but I think it will deal with situations related to uploading to PPAs using a renewed key, and it should make it easier to fix the rest of it.

Revision history for this message
Tobias Kronthaler (kronthto) wrote :

How often do the app-server(s) restart ? Is it only a few hours/days and thus acceptable to just wait for ?

(same issue with F2F0E746E8CF632E9A7E5EAFFEE8E662276132D0 which I renew yearly)

As Todd said, gpg can merge 2 key versions just fine, so allowing updates (even with a throttle if necessary) imo would be a good thing.

Revision history for this message
Colin Watson (cjwatson) wrote :

At present they're restarted any time we do a code deployment, which is usually once or twice a week at the moment.

Revision history for this message
Tobias Kronthaler (kronthto) wrote :

I still cannot link the key. Does it take it from ? I noticed that the mainkey [SC] 0x276132D0 there in fact does not include the latest signature that would still be valid.
I published that key to several keyserver, on all others I've checked it is up to date, but not on Ubuntu.

When I try to reupload it (the bundle with the latest sig) on I get that it was ignored:


What could be the reason for that / is there a issuetracker for the keyserver site too?

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Related questions