[SRU] torbrowser-launcher has missing gnupg dependency

Bug #1897306 reported by AsciiWolf
This bug affects 2 people

Affects | Status | Importance | Assigned to | Milestone
torbrowser-launcher (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Undecided | Thomas Ward |

Bug Description

[Impact]

torbrowser-launcher, on some Ubuntu flavors, will not run unless gnupg/gnupg2 is available on the system. This is due to the package making signature verification checks to validate the tarballs obtained from the Tor project.

As such, we require gnupg/gnupg2 to be installed as a dependency.

Further, we also need to use the actual /usr/bin/gnupg binary, as there are cases where /usr/bin/gnupg2 does *not* symlink back to the gnupg binary.

[Test Case]
(1) Use a clean installation (not an upgrade from 18.04) of Ubuntu 20.04 where torbrowser-launcher was not installed and configured before.
(2) Install torbrowser-launcher.
(3) Run torbrowser-launcher from a terminal.
(4) torbrowser-launcher will crash during signature verification:

$ torbrowser-launcher
Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.3.2
https://github.com/micahflee/torbrowser-launcher
Creating GnuPG homedir /home/user/.local/share/torbrowser/gnupg_homedir
Downloading Tor Browser for the first time.
Downloading https://aus1.torproject.org/torbrowser/update_3/release/Linux_x86_64-gcc3/x/en-US
Latest version: 9.5.4
Downloading https://dist.torproject.org/torbrowser/9.5.4/tor-browser-linux64-9.5.4_en-US.tar.xz.asc
Downloading https://dist.torproject.org/torbrowser/9.5.4/tor-browser-linux64-9.5.4_en-US.tar.xz
Verifying Signature
Refreshing local keyring...
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 589, in verify
    c.verify(signature=sig, signed_data=signed)
  File "/usr/lib/python3/dist-packages/gpg/core.py", line 559, in verify
    raise errors.BadSignatures(results[1], results=results)
gpg.errors.BadSignatures: 110775B5D101FB36BC6C911BEB774491D9FF06E2: Key expired

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 600, in run
    verify()
  File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 594, in verify
    raise Exception
Exception

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 603, in run
    self.common.refresh_keyring()
  File "/usr/lib/python3/dist-packages/torbrowser_launcher/common.py", line 209, in refresh_keyring
    '--refresh-keys'], stderr=subprocess.PIPE)
  File "/usr/lib/python3.7/subprocess.py", line 775, in __init__
    restore_signals, start_new_session)
  File "/usr/lib/python3.7/subprocess.py", line 1522, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/gpg2': '/usr/bin/gpg2'
Aborted

[Regression Potential]
Limited regression potential - requiring gnupg is not insane here, and using the non-symlinked binary is also a sane change.

[racb] We're changing the binary name used to call gpg, so users with unusual system configurations who don't have a valid /usr/bin/gpg, or have wrapped the old name or similar may be affected.

[Original Bug Description]

The torbrowser-launcher package does not depend on gnupg/gnupg2 on Ubuntu 20.04. This results in torbrowser-launcher not working on some Ubuntu flavors that do not have gnupg installed by default. Also, torbrowser-launcher calls /usr/bin/gpg2 instead of /usr/bin/gpg. The /usr/bin/gpg2 is just a symlink to /usr/bin/gpg on Debian/Ubuntu, provided by the gnupg2 package, which is not installed by default on some Ubuntu-based systems (including Linux Mint), even if they have gnupg installed out of the box.

The following patch and debian/control update fix the issue:
https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/-/commit/f83349ae954a888a7913ac64c98dbb53a284932f
https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/-/commit/68908ebd6567fad56642c57d2fb1f75dad6efe4a

The first link contains a patch that replaces /usr/bin/gpg2 with /usr/bin/gpg in torbrowser-launcher code.
The second link contains a change adding gnupg as a torbrowser-launcher dependency to debian/control.

It is already fixed in Groovy.
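The failure in the traceback above comes from spawning a hard-coded /usr/bin/gpg2 that is absent. The following added example (not code from torbrowser-launcher or the linked patches) resolves the binary before spawning it and fails closed with a readable error; resolve_gpg, refresh_keys_argv, GpgNotFound and the candidate order are hypothetical names and assumptions of this sketch.

```python
import os
import tempfile

# Assumed order for this example: real binary first, then the gnupg2 symlink name.
CANDIDATES = ("/usr/bin/gpg", "/usr/bin/gpg2")


class GpgNotFound(RuntimeError):
    """No usable gpg binary; callers must abort, never skip verification."""


def resolve_gpg(candidates=CANDIDATES):
    """Return (path, real_target) of the first usable gpg binary."""
    problems = []
    for path in candidates:
        if not os.path.lexists(path):
            problems.append(f"{path}: missing")
            continue
        real = os.path.realpath(path)
        if not os.path.isfile(real):
            problems.append(f"{path}: dangling symlink to {real}")
            continue
        if not os.access(real, os.X_OK):
            problems.append(f"{path}: not executable")
            continue
        return path, real
    raise GpgNotFound("; ".join(problems))


def refresh_keys_argv(homedir, candidates=CANDIDATES):
    """Build the argv for a keyring refresh (hypothetical helper)."""
    gpg, _ = resolve_gpg(candidates)
    return [gpg, "--homedir", homedir, "--refresh-keys"]


def demo():
    """Constructed layouts: gpg present without gpg2, then a dangling gpg2."""
    with tempfile.TemporaryDirectory() as root:
        gpg, gpg2 = os.path.join(root, "gpg"), os.path.join(root, "gpg2")
        with open(gpg, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(gpg, 0o755)
        clean = refresh_keys_argv("/tmp/homedir", (gpg2, gpg))  # gpg2 absent
        os.symlink(os.path.join(root, "gone"), gpg2)  # gpg2 now dangling
        try:
            resolve_gpg((gpg2,))
        except GpgNotFound as exc:
            return clean, str(exc)
```
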

AsciiWolf (asciiwolf)
description: updated
Thomas Ward (teward)
Changed in torbrowser-launcher (Ubuntu):
status: New → Confirmed
status: Confirmed → Fix Released
Changed in torbrowser-launcher (Ubuntu Focal):
status: New → In Progress
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward)
summary: - torbrowser-launcher has missing gnupg dependency
+ [SRU] torbrowser-launcher has missing gnupg dependency
description: updated
Thomas Ward (teward) wrote :

In discussion with SRU team, we've determined this is a Mint-only issue. Therefore "Ubuntu Flavors" does not apply as we do not have any affiliation or official recognition of Mint as an Ubuntu flavor.

This part of the SRU will be Won't Fix, and won't be addressed here. Mint can fix their own issues introduced by this not being available on their own repositories.

Changed in torbrowser-launcher (Ubuntu Focal):
status: In Progress → Won't Fix
AsciiWolf (asciiwolf) wrote :

Sorry, but I strongly disagree here. This is *not* a Linux Mint only issue. This issue happens on all custom (for example installed by netinst with custom package set) Ubuntu systems. Basically on any system where gnupg (along with the gnupg2 dummy package) is not preinstalled. There are actually two problems here:

1. The torbrowser-launcher package does not depend on gnupg although gnupg is used by torbrowser-launcher. This is *wrong*! Since gnupg is being used by torbrowser-launcher, it *should* be in the torbrowser-launcher package dependencies.
2. The torbrowser-launcher uses /usr/bin/gpg2, however this is just a symlink provided by a gnupg2 package that is a "dummy transitional package".

Not fixing this issue is a really bad decision, at least in my opinion. Please, if you do not want to add the patch to replace /usr/bin/gpg2 with /usr/bin/gpg, at least consider adding "gnupg2" as a torbrowser-launcher dependency (instead of gnupg).

Thomas Ward (teward) wrote :

Looks like Xubuntu is going to run into this.

However, instead of adding a runtime dependency, we only need the patch to use /usr/bin/gpg instead of /usr/bin/gpg2 - that's a patchable fix.

Changed in torbrowser-launcher (Ubuntu Focal):
status: Won't Fix → In Progress
AsciiWolf (asciiwolf) wrote :

As discussed on IRC (#ubuntu-motu), the "gnupg2" package is also missing on Ubuntu Desktop 20.04.1, although I previously incorrectly stated that it is preinstalled there and missing only on some Ubuntu flavours. This causes torbrowser-launcher to not work, because gpg is a core part, used to verify the Tor Browser package there.

To fix this, the patch to replace /usr/bin/gpg2 with /usr/bin/gpg in torbrowser-launcher common.py file needs to be applied. Adding "gnupg" to torbrowser-launcher dependencies is not necessary because this package is preinstalled on most Ubuntu flavours since it is used by apt and other system tools.

I will update the SRU Bug Description to reflect this.

AsciiWolf (asciiwolf) wrote :

Exceptions are upgrades from previous Ubuntu releases to 20.04. In these cases, the gnupg2 package can be found installed on such systems. However, it is not installed on new, clean installations of Ubuntu 20.04.1 (or its official flavours).

AsciiWolf (asciiwolf) wrote :

I have updated the test case.

description: updated
AsciiWolf (asciiwolf) wrote :

The issue is easy to reproduce now using the provided test case and is fixed by using the patch replacing /usr/bin/gpg2 with /usr/bin/gpg in torbrowser-launcher code.

AsciiWolf (asciiwolf) wrote :

Feel free to let me know if there is anything else needed from my side.

Robie Basak (racb)
description: updated
Robie Basak (racb) wrote : Please test proposed package

Hello AsciiWolf, or anyone else affected,

Accepted torbrowser-launcher into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/torbrowser-launcher/0.3.2-9ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in torbrowser-launcher (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
AsciiWolf (asciiwolf) wrote :

I have tested the provided torbrowser-launcher 0.3.2-9ubuntu1 build from focal-proposed on a fully updated Ubuntu 20.04 system. I am no longer able to reproduce the issue and torbrowser-launcher now works properly.

tags: added: verification-done-focal
removed: verification-needed-focal
Thomas Ward (teward)
tags: removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package torbrowser-launcher - 0.3.2-9ubuntu1

---------------
torbrowser-launcher (0.3.2-9ubuntu1) focal; urgency=medium

  * This is a bug-fix only upload to address several significant bugs
    found in the Tor Browser launcher package.
  * Patches backported from Debian Unstable release and Debian Salsa git
    repository for the package into the Focal package to fix issues.
    The following patches were added in d/patches and added to the quilt
    series file in the stated order:
    - 0023-Update-Tor-Browser-Developers-public-key-481.patch: Fixes issue
      with signature verification of tor browser tarball, due to changed
      upstream developers key. (LP: #1856895)
    - 0030-Use-gpg-instead-of-gpg2.patch: Use /usr/bin/gpg instead of the
      /usr/bin/gpg2 symlink due to gnupg2 transitional package not being
      part of default installations. (LP: #1897306)
    - 0031-Use-better-version-string-comparison.patch: Properly handle the
      version string comparison between Tor Browser versions, so that the
      launcher supports version 10+ and can properly validate.
      (LP: #1896752)
    - 0032-apparmor-allow-Browser-to-memory-map-libstdc.patch: Allow
      apparmor profile to access and memory map libstdc, due to AppArmor
      default DENY on access causing issues. (LP: #1897302)

 -- Thomas Ward <email address hidden> Sun, 27 Sep 2020 14:34:53 -0400

Changed in torbrowser-launcher (Ubuntu Focal):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for torbrowser-launcher has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
