gpg failure if /root/.gnupg doesn't exist and /var/lib/smart is empty

Bug #562496 reported by Andreas Hasenack on 2010-04-13
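Affects:
Landscape Client (Importance: Medium; Assigned to: Free Ekanayaka)
Smart Package Manager (Importance: Undecided; Unassigned)
landscape-client (Ubuntu) (Importance: Undecided; Unassigned)
landscape-client (Ubuntu), Jaunty (Importance: Undecided; Unassigned)
landscape-client (Ubuntu), Karmic (Importance: Undecided; Unassigned)
landscape-client (Ubuntu), Lucid (Importance: Undecided; Unassigned)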

Bug Description

Steps to reproduce:

root@nsn2:~# rm -rf .gnupg/
root@nsn2:~# rm -rf /var/lib/smart/*

Notice how smart update fails for the first channel. I abort right afterwards:
root@nsn2:~# smart update
Updating cache... ################################################################################################################### [100%]

Fetching information for 'lucid - partner'...
-> http://archive.canonical.com/ubuntu/dists/lucid/Release.gpg
Release.gpg ################################################################################################################### [ 1%]
-> http://archive.canonical.com/ubuntu/dists/lucid/Release
Release ################################################################################################################### [ 3%]
error: Channel 'lucid - partner' signed with unknown key
(...)

I now just run again, no other changes, and it works:

root@nsn2:~# smart update
Updating cache... ################################################################################################################### [100%]

Fetching information for 'lucid - partner'...
-> http://archive.canonical.com/ubuntu/dists/lucid/Release.gpg
Release.gpg ################################################################################################################### [ 1%]
-> http://archive.canonical.com/ubuntu/dists/lucid/Release
Release ################################################################################################################### [ 3%]
-> http://archive.canonical.com/ubuntu/dists/lucid/partner/binary-i386/Packages.bz2
Packages.bz2 ################################################################################################################### [ 5%]

(...)

Andreas Hasenack (ahasenack) wrote :

This is how smart calls gpg:

root@nsn2:~# gpg --keyring /etc/apt/trusted.gpg --status-fd 1 --no-default-keyring --no-secmem-warning --batch --verify Release.gpg Release
gpg: Signature made Tue 13 Apr 2010 09:25:39 AM BRT using DSA key ID 437D05B5
[GNUPG:] SIG_ID mIKaw5+pk677fzgzZBFIUb9ehSs 2010-04-13 1271161539
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: fatal: /root/.gnupg: directory does not exist!
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768
root@nsn2:~# echo $?
2

If I drop "--no-default-keyring", then it seems to work:

root@nsn2:~# gpg --keyring /etc/apt/trusted.gpg --status-fd 1 --no-secmem-warning --batch --verify Release.gpg Release
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: Signature made Tue 13 Apr 2010 09:25:39 AM BRT using DSA key ID 437D05B5
[GNUPG:] SIG_ID mIKaw5+pk677fzgzZBFIUb9ehSs 2010-04-13 1271161539
gpg: /root/.gnupg/trustdb.gpg: trustdb created
[GNUPG:] GOODSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
gpg: Good signature from "Ubuntu Archive Automatic Signing Key <email address hidden>"
[GNUPG:] VALIDSIG 630239CC130E1A7FD81A27B140976EAF437D05B5 2010-04-13 1271161539 0 3 0 17 2 00 630239CC130E1A7FD81A27B140976EAF437D05B5
[GNUPG:] TRUST_UNDEFINED
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6302 39CC 130E 1A7F D81A 27B1 4097 6EAF 437D 05B5
root@nsn2:~# echo $?
0

With smart tweaked to not include --no-default-keyring:

root@nsn2:~# rm -rf .gnupg /var/lib/smart/*
root@nsn2:~# smart update
Updating cache... ################################################################################################################### [100%]

Fetching information for 'lucid - partner'...
-> http://archive.canonical.com/ubuntu/dists/lucid/Release.gpg
Release.gpg ################################################################################################################### [ 1%]
-> http://archive.canonical.com/ubuntu/dists/lucid/Release
Release ################################################################################################################### [ 3%]
-> http://archive.canonical....


Changed in landscape-client:
assignee: nobody → Free Ekanayaka (free.ekanayaka)
status: New → In Progress
importance: Undecided → Medium
milestone: none → 1.5.1
Changed in landscape-client:
status: In Progress → Fix Committed

Anders F Björklund (afb) wrote :

The problem is that there are *two* files created:
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created

So even if the --keyring is set, it'll still try to create
the config directory unless setting --trustdb-name too:
gpg --keyring /etc/apt/trusted.gpg --no-default-keyring --trustdb-name /etc/apt/trustdb.gpg --verify Release.gpg Release

So it probably needs to grow another setting?

i.e. apt-deb "trustdb", right next to the "keyring"

Anders F Björklund (afb) wrote :

Or work around it by "mkdir /root/.gnupg", sure... (above)
But it will still create a new empty trustdb.gpg in that case.

Free Ekanayaka (free.ekanayaka) wrote :

Hi Anders,

Creating "/root/.gnupg" is indeed the workaround we opted for, while waiting for a better alternative. I'm not sure I understand your comment #2. I'm wondering if this is actually a bug of gpg, which should create whatever directory is necessary to perform the requested operation. I'm on #smart whenever you feel like talking about it.

Anders F Björklund (afb) wrote :

Added some non-pseudo code in "trustdb" branch.

Andreas Hasenack (ahasenack) wrote :

Anders, your suggestion sounds very sane. Did you try smart, or the full gnupg command line, with the added trustdb option? Does it work then the first time and without a /root/.gnupg directory?

Andreas Hasenack (ahasenack) wrote :

I guess it does work:

root@nsn2:~# rm -rf .gnupg
root@nsn2:~# gpg --keyring /etc/apt/trusted.gpg --trustdb /etc/apt/trustdb.gpg --no-default-keyring --status-fd 1 --no-secmem-warning --batch --verify Release.gpg Release
gpg: Signature made Tue 13 Apr 2010 09:25:39 AM BRT using DSA key ID 437D05B5
[GNUPG:] SIG_ID mIKaw5+pk677fzgzZBFIUb9ehSs 2010-04-13 1271161539
[GNUPG:] GOODSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <email address hidden>
gpg: Good signature from "Ubuntu Archive Automatic Signing Key <email address hidden>"
[GNUPG:] VALIDSIG 630239CC130E1A7FD81A27B140976EAF437D05B5 2010-04-13 1271161539 0 3 0 17 2 00 630239CC130E1A7FD81A27B140976EAF437D05B5
[GNUPG:] TRUST_UNDEFINED
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6302 39CC 130E 1A7F D81A 27B1 4097 6EAF 437D 05B5
root@nsn2:~# ls -la .gnupg
ls: cannot access .gnupg: No such file or directory
root@nsn2:~#
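
An added example, not part of the bug thread and not smart's or landscape-client's code: a Python sketch that builds the gpg command line with the trustdb pinned next to the keyring, as tested above, and classifies the `--status-fd` output so that a gpg run that dies without a verdict (the first-run `/root/.gnupg` failure) is reported separately from a genuinely unknown key. The function names and verdict strings are assumptions made for this illustration; the sample status lines are taken from the transcripts above with the user ID shortened.

```python
import subprocess

# Fingerprint from the VALIDSIG lines quoted in this report.
TRUSTED = {"630239CC130E1A7FD81A27B140976EAF437D05B5"}
# Status keywords that must fail verification even if VALIDSIG is also present.
REJECT = {"BADSIG": "bad-signature", "EXPSIG": "expired", "EXPKEYSIG": "expired",
          "REVKEYSIG": "revoked-key", "NO_PUBKEY": "unknown-key"}

# Status lines from the transcripts above (user ID shortened).
FIRST_RUN = "[GNUPG:] SIG_ID mIKaw5+pk677fzgzZBFIUb9ehSs 2010-04-13 1271161539\n"
WITH_TRUSTDB = FIRST_RUN + (
    "[GNUPG:] GOODSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key\n"
    "[GNUPG:] VALIDSIG 630239CC130E1A7FD81A27B140976EAF437D05B5 2010-04-13 "
    "1271161539 0 3 0 17 2 00 630239CC130E1A7FD81A27B140976EAF437D05B5\n"
    "[GNUPG:] TRUST_UNDEFINED\n")


def gpg_argv(sig, data, keyring="/etc/apt/trusted.gpg",
             trustdb="/etc/apt/trustdb.gpg"):
    """Verify command with keyring and trustdb both pinned, so gpg has no
    reason to create ~/.gnupg during verification."""
    return ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
            "--trustdb-name", trustdb, "--no-secmem-warning",
            "--status-fd", "1", "--verify", sig, data]


def classify(status_output, returncode, trusted=TRUSTED):
    """Reduce gpg's machine-readable status lines to a single verdict."""
    events = {}
    for line in status_output.splitlines():
        if line.startswith("[GNUPG:] "):
            fields = line.split()
            events.setdefault(fields[1], fields[2:])
    for keyword, verdict in REJECT.items():
        if keyword in events:
            return verdict
    if "VALIDSIG" in events and returncode == 0:
        args = events["VALIDSIG"]
        # Tenth argument is the primary key fingerprint when gpg reports it.
        fpr = args[9] if len(args) > 9 else args[0]
        return "ok" if fpr in trusted else "untrusted-key"
    # gpg produced no verdict (e.g. it aborted): an internal error,
    # not evidence about who signed the file.
    return "gpg-error"


def verify(sig, data):
    """Run gpg on a detached signature and return the verdict string."""
    proc = subprocess.run(gpg_argv(sig, data), capture_output=True, text=True)
    return classify(proc.stdout, proc.returncode)
```
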

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package landscape-client - 1.5.0.1-0ubuntu0.10.04.0

---------------
landscape-client (1.5.0.1-0ubuntu0.10.04.0) lucid; urgency=low

  * New upstream version
    - Fix smart-update failing its very first run (LP: #562496)
    - Depend on pythonX.Y-dbus and pythonX.Y-pycurl (LP: #563063)
    - Make only one request at a time to retrieve EC2 instances (LP: #567515)
 -- Free Ekanayaka <email address hidden> Wed, 21 Apr 2010 12:31:28 +0200

Changed in landscape-client (Ubuntu Lucid):
status: New → Fix Released
Changed in smart:
milestone: none → 1.4

Accepted landscape-client into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in landscape-client (Ubuntu Karmic):
status: New → Fix Committed
tags: added: verification-needed
Changed in landscape-client (Ubuntu Jaunty):
status: New → Fix Committed

Martin Pitt (pitti) wrote :

Accepted landscape-client into jaunty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: needs-testing

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package landscape-client - 1.5.0.1-0ubuntu0.9.04.0

---------------
landscape-client (1.5.0.1-0ubuntu0.9.04.0) jaunty-proposed; urgency=low

  * New upstream version
    - Fix smart-update failing its very first run (LP: #562496)
    - Depend on pythonX.Y-dbus and pythonX.Y-pycurl (LP: #563063)
    - Make only one request at a time to retrieve EC2 instances (LP: #567515)

  * New upstream version (LP: #557244)
    - Fix package-changer running before smart-update has completed (LP: #542215)
    - Report the version of Eucalyptus used to generate topology data (LP: #554007)
    - Enable the Eucalyptus plugin by default, if supported (LP: #546531)
    - Use a whitelist of allowed filesystem types to instead of a blacklist (LP: #351927)
    - Report the update-manager logs to the server (LP: #503384)
    - Turn off Curl's DNS caching for requests. (LP: #522668)
 -- Free Ekanayaka <email address hidden> Wed, 21 Apr 2010 12:31:28 +0200

Changed in landscape-client (Ubuntu Jaunty):
status: Fix Committed → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package landscape-client - 1.5.0.1-0ubuntu0.9.10.0

---------------
landscape-client (1.5.0.1-0ubuntu0.9.10.0) karmic-proposed; urgency=low

  * New upstream version
    - Fix smart-update failing its very first run (LP: #562496)
    - Depend on pythonX.Y-dbus and pythonX.Y-pycurl (LP: #563063)
    - Make only one request at a time to retrieve EC2 instances (LP: #567515)

  * New upstream version (LP: #557244)
    - Fix package-changer running before smart-update has completed (LP: #542215)
    - Report the version of Eucalyptus used to generate topology data (LP: #554007)
    - Enable the Eucalyptus plugin by default, if supported (LP: #546531)
    - Use a whitelist of allowed filesystem types to instead of a blacklist (LP: #351927)
    - Report the update-manager logs to the server (LP: #503384)
    - Turn off Curl's DNS caching for requests. (LP: #522668)
 -- Free Ekanayaka <email address hidden> Wed, 21 Apr 2010 12:31:28 +0200

Changed in landscape-client (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in smart:
status: New → Fix Committed
Changed in landscape-client:
status: Fix Committed → Fix Released
tags: removed: needs-testing verification-needed
Changed in smart:
status: Fix Committed → Fix Released