Comment 8 for bug 1982534

Matthew Ruffell (mruffell) wrote :

Performing verification for Focal

I started three Bionic VMs and set up Ubuntu Pro like so:

- Bionic
- Bionic + fips
- Bionic + fips-updates

On each of these VMs I ran

$ sudo do-release-upgrade --proposed

This used ubuntu-release-upgrader 1:20.04.40 from --proposed, and started the
upgrade process.

The plain Bionic VM upgraded successfully. Upgrade log:

https://paste.ubuntu.com/p/j7V33YHHV8/

Looking at the fips-related entries, we see:

2023-01-26 01:45:09,918 DEBUG _fipsLibgcryptDivert
2023-01-26 01:45:09,919 DEBUG System is not fips enabled, no dpkg-divert needed
...
2023-01-26 02:01:49,401 DEBUG _fipsLibgcryptHmacCleanup
2023-01-26 02:01:49,402 DEBUG System is not fips enabled, no need for hmac tidy

The Bionic + fips VM upgraded successfully. Upgrade log:

https://paste.ubuntu.com/p/Y3tqXtN97W/

Looking at the fips-related entries, we see:

2023-01-26 01:56:58,731 DEBUG _fipsLibgcryptDivert
2023-01-26 01:56:58,732 DEBUG Broken libgcrypt20-hmac will be installed, likely due to using certified fips pocket instead of fips-updates. Installing dpkg-divert for incorrect placement of /lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac to the correct /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac
...
2023-01-26 02:17:27,649 DEBUG _fipsLibgcryptHmacCleanup
2023-01-26 02:17:27,649 DEBUG Removing old hmac file from Bionic version

Looking at the hmac file locations:

$ ll /lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac
ls: cannot access '/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac': No such file or directory
$ ll /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac
-rw-r--r-- 1 root root 126 May 26 2021 /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac
$ dpkg-divert --list
...
local diversion of /lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac to /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac
$ apt-cache policy libgcrypt20-hmac | grep Installed
  Installed: 1.8.5-5ubuntu1.fips.1.4

The quirk worked as intended and the upgrade was successful.

The Bionic + fips-updates VM upgraded successfully. Upgrade log:

https://paste.ubuntu.com/p/cDVyPsFRKB/

2023-01-26 01:57:51,662 DEBUG _fipsLibgcryptDivert
2023-01-26 01:57:51,663 DEBUG Fixed libgcrypt20-hmac will be installed as part of upgrade process, no need for dpkg-divert
...
2023-01-26 03:23:16,764 DEBUG _fipsLibgcryptHmacCleanup
2023-01-26 03:23:16,764 DEBUG Fixed libgcrypt20-hmac was installed as part of upgrade process, no need for hmac file cleanup

$ ll /lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac
ls: cannot access '/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac': No such file or directory
$ ll /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac
-rw-r--r-- 1 root root 126 Apr 15 2022 /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac
$ dpkg-divert --list
...
$ apt-cache policy libgcrypt20-hmac | grep Installed
  Installed: 1.8.5-5ubuntu1.fips.1.7

The quirk noticed the fixed libgcrypt20-hmac package was installed during the upgrade, and did not set up any unnecessary dpkg-diverts.

In all cases, the quirk functioned as intended, and the upgrades from Bionic to Focal were successful. The ubuntu-release-upgrader package 1:20.04.40 from --proposed fixes the issue; happy to mark verified for Focal.
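
The log check performed by hand in the comment above can be scripted when many upgrade logs need reviewing. The following is an added example, not part of the original comment or of ubuntu-release-upgrader: it pairs each quirk marker with the outcome line logged after it and reports whether the two outcomes agree. The outcome labels, the function name and the shortened sample line are assumptions of this example.

```python
import re

# Outcome message prefixes, copied from the DEBUG lines quoted in the comment.
STAGES = {
    "_fipsLibgcryptDivert": {
        "System is not fips enabled, no dpkg-divert needed": "not-fips",
        "Broken libgcrypt20-hmac will be installed": "divert-installed",
        "Fixed libgcrypt20-hmac will be installed": "no-divert-needed",
    },
    "_fipsLibgcryptHmacCleanup": {
        "System is not fips enabled, no need for hmac tidy": "not-fips",
        "Removing old hmac file from Bionic version": "old-hmac-removed",
        "Fixed libgcrypt20-hmac was installed": "no-cleanup-needed",
    },
}
# Cleanup outcome that should follow each divert outcome (labels are this example's own).
EXPECTED = {"not-fips": "not-fips", "divert-installed": "old-hmac-removed",
            "no-divert-needed": "no-cleanup-needed"}
LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} DEBUG (.*)$")

def classify(log_text):
    """Return (divert_outcome, cleanup_outcome, consistent) for one upgrade log."""
    stage, seen = None, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # elided lines ("...") and non-DEBUG lines
        msg = m.group(1)
        if msg in STAGES:
            stage = msg  # quirk entered; its outcome line is expected next
        elif stage:
            for prefix, outcome in STAGES[stage].items():
                if msg.startswith(prefix):
                    seen[stage], stage = outcome, None
                    break
    divert = seen.get("_fipsLibgcryptDivert")
    cleanup = seen.get("_fipsLibgcryptHmacCleanup")
    return divert, cleanup, divert is not None and EXPECTED[divert] == cleanup

# Constructed sample: the Bionic + fips entries from the comment, message shortened.
SAMPLE_FIPS = """\
2023-01-26 01:56:58,731 DEBUG _fipsLibgcryptDivert
2023-01-26 01:56:58,732 DEBUG Broken libgcrypt20-hmac will be installed, likely due to using certified fips pocket
...
2023-01-26 02:17:27,649 DEBUG _fipsLibgcryptHmacCleanup
2023-01-26 02:17:27,649 DEBUG Removing old hmac file from Bionic version
"""

if __name__ == "__main__":
    print(classify(SAMPLE_FIPS))
```

A log where the divert was installed but no cleanup outcome was logged comes back with consistent set to False, which is the case worth a manual look at the hmac file locations and dpkg-divert --list.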