gpg doesn't get the right proxy configuration

Bug #443404 reported by Eric Appleman on 2009-10-05
196
This bug affects 42 people
Affects Status Importance Assigned to Milestone
Software Properties
Fix Released
Medium
Unassigned
software-properties (Ubuntu)
Undecided
Unassigned

Bug Description

eric@kingfisher:~$ sudo add-apt-repository ppa:xorg-edgers
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg --keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv 165D673674A995B3E64BF0CF4F191A5A8844C542
gpg: requesting key 8844C542 from hkp server keyserver.ubuntu.com

ProblemType: Bug
Architecture: i386
CheckboxSubmission: b8398b21075a3a8723b2ba20478c4f9e
CheckboxSystem: 703a6ca1eefae989daaf40c6bb6aa94a
Date: Mon Oct 5 15:08:04 2009
DistroRelease: Ubuntu 9.10
Package: software-properties-gtk 0.75.4
PackageArchitecture: all
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-11.38-genusername
SourcePackage: software-properties
Uname: Linux 2.6.31-11-generic i686

Eric Appleman (erappleman) wrote :
MattPie (piechota) wrote :

It looks like add-apt-repository doesn't seem to set the http_proxy variable for GPG, so if you're behind a proxy the keyserver is always 'down'. The process hangs and the only signal it seems to respond to is -9 (C-\).

MattPie (piechota) wrote :

Work-around for at least the proxy issue:
After you run add-apt-repository and it hangs, it's already set up the repo. I did let it sit for awhile and it will eventually time out, but it's several minutes at least.

So, if you cancel out and run 'sudo apt-get update'

Apt-get will complain that it could not find a GPG key for the PPA repo, but it will give you the key finger print.

Then, you can use the gpg command above to later get the key and apt will work properly. I had to add '--no-default-keyring' since gpg wrote the key into root's keyring (in /root/.gnupg). Or you could get the key some other way.

I am curious though, how did you get the verbose output from add-apt-repository?

joeclarkia (joeclark) wrote :

Sounds like this utility to make things easier doesn't really make it easier (at least from behind a proxy).

Dave Vree (hdave) wrote :

I ran into this issue myself, but I am not using a proxy, I believe the keyserver was just down. Perhaps a shorter timeout (5-10 seconds), a helpful error message that says something like "Cannot reach the keyserver at this time, please try again later. Note that the repository has been added anyway. You can still install software from the new repository, but you will receive warning messages until the key has been added to your keyring."

Or something like that....

vedavata (vedavrata) wrote :

'sudo add-apt-repository ppa:qutim/qutim.svn', 'sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com', etc do not work via proxy at my Ubuntu 10.04 as well...

Heiko Ettelbrück (hbrucky) wrote :

Try exporting the https_proxy environment variable in addition to http_proxy (without "s"). I found that suggestion in https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/516032 and it works fine for me:

export http_proxy=...
export https_proxy=...
add-apt-repository ppa:...

Uli Tillich (utillich) wrote :

Heikos workaround din't work for me.
I do have "http" _and_ "https" set though the gui anyway (check-box at "use same settings for all protocols").

Juan Simón (simonbcn) wrote :

Ubuntu 10.04

This is a serious problem with or without proxy. I don't use proxy but I suffer this problem often.
keyserver.ubuntu.com is down frequently but "add-apt-repository" isn't "smart" enough to seek the key in another server.
What's happens with keyserver.ubuntu.com lately? It fails too much.

Korny Sietsma (korny) wrote :

Clarification of Heiko's workaround:
- you need to set https_proxy
- you may need to set it to "http://my-proxy-host" not "https://my-proxy-host" (which is what Ubuntu sets it to by default)
- beware that 'sudo add-apt-repository' might load a new shell and overwrite the environment; use 'sudo bash' then set 'https_proxy' in the root shell

Carl Karsten (carlfk) wrote :

This seems worth noting:

/usr/lib/python2.6/dist-packages/softwareproperties/ppa.py

            # FIXME: this needs to go - elmo says the keyserver will not handle
            # the load
            res = subprocess.call(
                ["apt-key", "adv", "--keyserver", "keyserver.ubuntu.com",
                 "--recv", signing_key_fingerprint[0]])

Bruce Edge (bruce-edge) wrote :

I found that copying my http_proxy setting to https_proxy fixed the hang.

Kristian Kißling (kkissling) wrote :

It seems this problem also occurs, if you don't configure your firewall right. I allowed outgoing TCP/UDP connections on port 11371 and everything worked fine afterwards.

Martin Pool (mbp) wrote :

(from bug 712812) There are a few cases like bug 712666 and bug 710054 where users seem to need an http proxy, and they have it set up well enough that they can get to Launchpad, but it's not configured into gpg. It looks like in Maverick, gpg does always honor $http_proxy, but it might not be getting set correctly.

summary: - add-apt-repository insists on downloading GPG key even if keyserver is
- down. If keyserver is down, add-apt-repository can't proceed.
+ gpg doesn't get the right proxy configuration
Changed in software-properties:
status: New → Confirmed
importance: Undecided → Medium

To solve the problem I had to add the https_proxy settings in the root shell (not in the user shell) eg:

sudo -i
export https_proxy="http://proxy.....:port"

Gordon Hopper (gohopper) wrote :

Is this a duplicate of bug #516032 ? That was marked fixed on 02/11.

Martin Pool (mbp) wrote :

@Gordon I think probably it is a duplicate. I'm going to mark it as such; if people can still reproduce this in natty, please either undupe or open new bugs.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in software-properties (Ubuntu):
status: New → Confirmed
papukaija (papukaija) wrote :

The bug 516032 suggests that this would be fixed. Could someone pleae confirm if this is an issue in Precise (I don't use proxy so can't test it)? Thanks in advance.

Changed in software-properties (Ubuntu):
status: Confirmed → Incomplete
tags: added: likely-dup
papukaija (papukaija) wrote :

Just to add that this should be fixed since Natty.

tags: added: lucid
Kristian Kißling (kkissling) wrote :

@ #19: I don't have a proxy as far as I know. But I can solve this problem by allowing outgoing TCP/UDP connections on port 11371. Maybe its not the same issue...

David Pérez (sanete) wrote :

It fails me even I have set up correctly https_proxy under a root terminal.
I don't have permissions to reconfigure the firewall, so this isn't a good solution.

GPG works properly behind a proxy using recv-keys; as long as the http_proxy variable is set in the environment (and it is properly set automatically by GNOME when proxy settings are configured and "Apply system-wide").

Furthermore, software-properties' add-apt-repository now defaults to using keyserver.ubuntu.com over port 80; which should further reduce the cases where proxies are in use but don't allow the custom port 11371/tcp.

The environment isn't getting cleared when spawning gpg either (or actually, when spawning apt-key), so that would also be "fixed", if it was wrong.

Note that gpg *does* depend on the *http_proxy* variable; not https_proxy.

Closing as Fix Released.

Changed in software-properties (Ubuntu):
status: Incomplete → Fix Released
Changed in software-properties:
status: Confirmed → Fix Released
Simon Maina (simppo) wrote :

@papukaija (papukaija)
Yap this is still an issue in precise . I get this error whenever I try to add the repo

papukaija (papukaija) wrote :

This bug is fixed. Please open a new bug for your issue. Thanks.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers