new dist-upgrader tarballs necessary so they are signed with 4k key

Bug #1645906 reported by Brian Murray on 2016-11-29
This bug affects 1 person
Affects                              Status  Importance  Assigned to   Milestone
ubuntu-release-upgrader (Ubuntu)             Undecided   Unassigned
  Trusty                                     Undecided   Brian Murray
  Xenial                                     Undecided   Brian Murray
  Yakkety                                    Undecided   Brian Murray
update-manager (Ubuntu)
  Precise                                    Undecided   Brian Murray

Bug Description

With the ubuntu-archive-publishing change in https://code.launchpad.net/~xnox/ubuntu-archive-publishing/migrate-dist-upgrade-to-4k/+merge/311181 the signing process for the dist-upgrader tarball has been changed. This change should be tested now, rather than doing an ubuntu-release-upgrader change months from now and wondering why things aren't working (if they are broken).

Due to the way the gpg signature is generated we can't just remove it and have it regenerated as the timestamp for the signature will not change, so the change will not propagate to the mirrors. Hence the need for a mostly no change (mirrors and demotions may change) upload of ubuntu-release-upgrader.

Test Case
---------
1) run do-release-upgrade -p --frontend DistUpgradeViewText
2) ensure the tarball for the next release e.g. xenial.tar.gz is downloaded and the signature verification passes

Regression Potential
--------------------
It's possible the signing is wrong and the verification of the signature will fail thereby causing release upgrades to be impossible.

Changed in ubuntu-release-upgrader (Ubuntu Yakkety):
status: New → In Progress
assignee: nobody → Brian Murray (brian-murray)

Hello Brian, or anyone else affected,

Accepted ubuntu-release-upgrader into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-release-upgrader/1:16.10.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ubuntu-release-upgrader (Ubuntu Yakkety):
status: In Progress → Fix Committed
tags: added: verification-needed
Brian Murray (brian-murray) wrote :

This looks good to me for yakkety.

bdmurray@clean-xenial-amd64:~$ do-release-upgrade -p --frontend DistUpgradeViewText
Checking for a new Ubuntu release
Get:1 Upgrade tool signature [836 B]
Get:2 Upgrade tool [1,258 kB]
Fetched 1,259 kB in 0s (0 B/s)
authenticate 'yakkety.tar.gz' against 'yakkety.tar.gz.gpg'
extracting 'yakkety.tar.gz'
[screen is terminating]

bdmurray@clean-xenial-amd64:/tmp/ubuntu-release-upgrader-3n2e_3cn$ gpg --list-packets yakkety.tar.gz.gpg
gpg: keyring `/home/bdmurray/.gnupg/secring.gpg' created
gpg: keyring `/home/bdmurray/.gnupg/pubring.gpg' created
:signature packet: algo 1, keyid 3B4FE6ACC0B21F32
        version 4, created 1480470386, md5len 0, sigclass 0x00
        digest algo 10, begin of digest 76 73
        hashed subpkt 2 len 4 (sig created 2016-11-30)
        subpkt 16 len 8 (issuer key ID 3B4FE6ACC0B21F32)
        data: [4093 bits]

tags: added: verification-done-yakkety
removed: verification-needed
Changed in ubuntu-release-upgrader (Ubuntu Xenial):
assignee: nobody → Brian Murray (brian-murray)
status: New → In Progress
Changed in ubuntu-release-upgrader (Ubuntu Trusty):
status: New → In Progress
assignee: nobody → Brian Murray (brian-murray)
Brian Murray (brian-murray) wrote :

I've uploaded an update to ubuntu-release-upgrader to zesty, but its autopkgtest is failing because it can't verify the xenial tarball. Once the xenial update is released, we should rerun the zesty autopkgtests.

Changed in ubuntu-release-upgrader (Ubuntu Precise):
status: New → Invalid
Changed in update-manager (Ubuntu):
status: New → Invalid
Changed in update-manager (Ubuntu Precise):
assignee: nobody → Brian Murray (brian-murray)
status: New → In Progress
Changed in update-manager (Ubuntu Trusty):
status: New → Invalid
Changed in update-manager (Ubuntu Xenial):
status: New → Invalid
Changed in update-manager (Ubuntu Yakkety):
status: New → Invalid
Brian Murray (brian-murray) wrote :

Hello Brian, or anyone else affected,

Accepted ubuntu-release-upgrader into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-release-upgrader/1:16.04.19 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ubuntu-release-upgrader (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in ubuntu-release-upgrader (Ubuntu Trusty):
status: In Progress → Fix Committed
Brian Murray (brian-murray) wrote :

Hello Brian, or anyone else affected,

Accepted ubuntu-release-upgrader into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-release-upgrader/1:0.220.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Brian Murray (brian-murray) wrote :

Looks good for xenial too:

bdmurray@upgrade-trusty-amd64:~$ do-release-upgrade -p --frontend DistUpgradeViewText
Checking for a new Ubuntu release
Get:1 Upgrade tool signature [836 B]
Get:2 Upgrade tool [1,266 kB]
Fetched 1,267 kB in 0s (0 B/s)
authenticate 'xenial.tar.gz' against 'xenial.tar.gz.gpg'
extracting 'xenial.tar.gz'
[screen is terminating]
bdmurray@upgrade-trusty-amd64:~$ gpg --list-packets /tmp/ubuntu-release-upgrader-xbbg9wzd/xenial.tar.gz.gpg
gpg: directory `/home/bdmurray/.gnupg' created
gpg: new configuration file `/home/bdmurray/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/bdmurray/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/bdmurray/.gnupg/secring.gpg' created
gpg: keyring `/home/bdmurray/.gnupg/pubring.gpg' created
:signature packet: algo 1, keyid 3B4FE6ACC0B21F32
        version 4, created 1480546800, md5len 0, sigclass 0x00
        digest algo 10, begin of digest bb e2
        hashed subpkt 2 len 4 (sig created 2016-11-30)
        subpkt 16 len 8 (issuer key ID 3B4FE6ACC0B21F32)
        data: [4095 bits]

Brian Murray (brian-murray) wrote :

I think that's correct for precise.

(precise2-amd64)root@impulse:/home/bdmurray/source-trees/update-notifier/trunk# do-release-upgrade -p --frontend DistUpgradeViewText
Checking for a new Ubuntu release
Get:1 Upgrade tool signature [198 B]
Get:2 Upgrade tool [1156 kB]
Fetched 1156 kB in 0s (0 B/s)
authenticate 'trusty.tar.gz' against 'trusty.tar.gz.gpg'
extracting 'trusty.tar.gz'

(precise2-amd64)root@impulse:/home/bdmurray/source-trees/update-notifier/trunk# gpg --list-packets /tmp/update-manager-uZ3x6f/trusty.tar.gz.gpg
:signature packet: algo 17, keyid 40976EAF437D05B5
        version 4, created 1443628514, md5len 0, sigclass 0x00
        digest algo 2, begin of digest d0 f7
        hashed subpkt 2 len 4 (sig created 2015-09-30)
        subpkt 16 len 8 (issuer key ID 40976EAF437D05B5)
        data: [160 bits]
        data: [160 bits]

tags: added: verification-done-xenial
Changed in update-manager (Ubuntu Precise):
status: In Progress → Fix Committed
Brian Murray (brian-murray) wrote :

Hello Brian, or anyone else affected,

Accepted update-manager into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/update-manager/1:0.156.14.21 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Brian Murray (brian-murray) wrote :

Ah, for precise the key signing date was wrong. Tried it again with the same results.

(precise2-amd64)root@impulse:/home/bdmurray/source-trees/ubuntu-archive-tools/upstream# gpg --list-packets /tmp/update-manager-TEgnXk/trusty.tar.gz.gpg
:signature packet: algo 17, keyid 40976EAF437D05B5
        version 4, created 1480546800, md5len 0, sigclass 0x00
        digest algo 2, begin of digest 3b 37
        hashed subpkt 2 len 4 (sig created 2016-11-30)
        subpkt 16 len 8 (issuer key ID 40976EAF437D05B5)
        data: [158 bits]
        data: [159 bits]

Dimitri John Ledkov (xnox) wrote :

zesty, yakkety, xenial are correctly signed with 4k, sha512.
trusty, precise are correctly signed with 1k, sha1.

Everything is as expected.

tags: added: verification-done-trusty
no longer affects: ubuntu-release-upgrader (Ubuntu Precise)
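
The verification done by hand in the comments above, reading `gpg --list-packets` output and comparing it with the expected algorithm per release, can be scripted. The following is an added example, not part of the original thread or of ubuntu-release-upgrader; the function names, the 16-bit slack and the `EXPECTED` table layout are assumptions made for illustration.

```python
import re

# OpenPGP algorithm IDs (RFC 4880, sections 9.1 and 9.4); only those needed here.
PUBKEY = {1: "RSA", 17: "DSA"}
DIGEST = {2: "SHA1", 8: "SHA256", 10: "SHA512"}
# Expected (pubkey, digest) per tarball, taken from the summary comment in the thread.
EXPECTED = {**dict.fromkeys(("zesty", "yakkety", "xenial"), ("RSA", "SHA512")),
            **dict.fromkeys(("trusty", "precise"), ("DSA", "SHA1"))}

# Sample input: signature packets from the thread's gpg output, subpacket lines omitted.
YAKKETY = """:signature packet: algo 1, keyid 3B4FE6ACC0B21F32
        version 4, created 1480470386, md5len 0, sigclass 0x00
        digest algo 10, begin of digest 76 73
        data: [4093 bits]
"""
TRUSTY = """:signature packet: algo 17, keyid 40976EAF437D05B5
        version 4, created 1480546800, md5len 0, sigclass 0x00
        digest algo 2, begin of digest 3b 37
        data: [158 bits]
        data: [159 bits]
"""

def parse_signatures(listing):
    """Return one dict per ':signature packet:' in gpg --list-packets output."""
    sigs = []
    for line in map(str.strip, listing.splitlines()):
        if m := re.match(r":signature packet: algo (\d+), keyid ([0-9A-F]+)", line):
            sigs.append({"pubkey": PUBKEY.get(int(m[1]), f"algo {m[1]}"),
                         "keyid": m[2], "digest": None, "mpi_bits": []})
        elif not sigs:
            continue  # gpg status lines printed before the first packet
        elif m := re.match(r"digest algo (\d+)", line):
            sigs[-1]["digest"] = DIGEST.get(int(m[1]), f"algo {m[1]}")
        elif m := re.match(r"data: \[(\d+) bits\]", line):
            sigs[-1]["mpi_bits"].append(int(m[1]))
    return sigs

def check(release, listing, min_rsa_bits=4096):
    """Return a list of problems; an empty list means the signature is as expected."""
    sigs = parse_signatures(listing)
    if len(sigs) != 1:
        return [f"expected exactly one signature packet, found {len(sigs)}"]
    sig, problems = sigs[0], []
    if (sig["pubkey"], sig["digest"]) != EXPECTED[release]:
        problems.append(f"{release}: got {sig['pubkey']}/{sig['digest']}")
    # The RSA signature MPI can be a few bits shorter than the modulus (assumed slack: 16).
    if sig["pubkey"] == "RSA" and max(sig["mpi_bits"], default=0) < min_rsa_bits - 16:
        problems.append(f"{release}: RSA signature too short for {min_rsa_bits}-bit key")
    return problems
```

The `data: [N bits]` lines give the size of the signature values, not of the key: for RSA this tracks the modulus size closely (4093 and 4095 bits above for a 4k key), while for DSA the two values are r and s, so the key size cannot be read from the signature packet alone.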

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of ubuntu-release-upgrader from xenial-proposed was performed and bug 1647014 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1647014 (not this bug). Thanks!

tags: added: verification-failed
Brian Murray (brian-murray) wrote :

Bug 1647014 is not a regression related to the key signing, I'll remove the tag.

tags: removed: verification-failed
tags: added: verification-done-precise
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-release-upgrader - 1:16.10.9

---------------
ubuntu-release-upgrader (1:16.10.9) yakkety-proposed; urgency=medium

  * No change rebuild so the dist-upgrader tarball will be signed with the new
    method. (LP: #1645906)

 -- Brian Murray <email address hidden> Tue, 29 Nov 2016 14:59:34 -0800

Changed in ubuntu-release-upgrader (Ubuntu Yakkety):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for ubuntu-release-upgrader has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-release-upgrader - 1:16.04.19

---------------
ubuntu-release-upgrader (1:16.04.19) xenial; urgency=medium

  * No change rebuild so the dist-upgrader tarball will be signed with the new
    method. (LP: #1645906)

 -- Brian Murray <email address hidden> Wed, 30 Nov 2016 08:26:54 -0800

Changed in ubuntu-release-upgrader (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-release-upgrader - 1:0.220.9

---------------
ubuntu-release-upgrader (1:0.220.9) trusty-proposed; urgency=medium

  * No change rebuild so the dist-upgrader tarball will be signed with the new
    method. (LP: #1645906)

 -- Brian Murray <email address hidden> Wed, 30 Nov 2016 09:53:35 -0800

Changed in ubuntu-release-upgrader (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-manager - 1:0.156.14.21

---------------
update-manager (1:0.156.14.21) precise-proposed; urgency=medium

  * No change rebuild so the dist-upgrader tarball will be signed with the new
    method. (LP: #1645906)

 -- Brian Murray <email address hidden> Wed, 30 Nov 2016 10:54:24 -0800

Changed in update-manager (Ubuntu Precise):
status: Fix Committed → Fix Released
no longer affects: update-manager (Ubuntu)
no longer affects: update-manager (Ubuntu Trusty)
no longer affects: update-manager (Ubuntu Xenial)
no longer affects: update-manager (Ubuntu Yakkety)