Your message dated Thu, 28 Apr 2022 03:03:55 +0000
with message-id <e1njurf-0006id...@fasolo.debian.org>
and subject line Bug#1010171: fixed in gnupg2 2.2.35-1
has caused the Debian Bug report #1010171,
regarding sbuild's "unshare" test fails with gpg-agent 2.2.34-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1010171: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010171
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sbuild
Version: 0.83.0
Control: affects -1 + gpg-agent
Control: tags -1 + patch

When trying to upgrade to gnupg2 from version 2.2.27-1 to version
2.2.34-1, we see a failure in the unshare-qemuwrapper test:

https://ci.debian.net/data/autopkgtest/testing/amd64/s/sbuild/21152998/log.gz

+ ssh -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no -i /tmp/autopkgtest-lxc.29hmt_yk/downtmp/autopkgtest_tmp/id_rsa -T -p 10022 root@localhost env --chdir=/build/ AUTOPKGTEST_TMP=/tmp runuser -u user -- ./debian/tests/unshare
Warning: Permanently added '[localhost]:10022' (ED25519) to the list of known hosts.
gpg: keybox '/tmp/gpghome/pubring.kbx' created
gpg: /tmp/gpghome/trustdb.gpg: trustdb created
gpg: key F08FF84541F5A0C0: public key "sbuild fake uploader <fake-uploa...@debian.org>" imported
gpg: key F08FF84541F5A0C0/F08FF84541F5A0C0: error sending to agent: Invalid argument
gpg: key F08FF84541F5A0C0/A4179B1DD69E01DD: error sending to agent: Invalid argument
gpg: key F08FF84541F5A0C0: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1

I traced this error down to the use of "gpg --allow-secret-key-import
--import" in the unshare script. GnuPG upstream has always maintained
that use of gpg in scripts requires use of the --batch directive, which
avoids the error.

Why this error response was introduced in the change from GnuPG 2.2.27
to 2.2.34, i don't yet fully understand, but using --batch does avoid
the problem.

The attached patch should hopefully make the sbuild autopkgtest succeed
with either version of GnuPG2.

thanks for maintaining sbuild in debian!

   --dkg

From 4bdf145dd92df9db01fa38e1ab33cf1c36926ce9 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Date: Mon, 25 Apr 2022 12:30:11 -0400
Subject: [PATCH] Use --batch with gpg when importing secret key

The use of gpg here is automated, and should not trigger a prompt to
the user. GnuPG upstream recommends always using --batch in contexts
like this.

With GnuPG 2.2.34, the import actually fails, with gpg-agent logging
the following failures:

2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 <- IMPORT_KEY --timestamp=20210125T124832
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 -> [[Confidential data not shown]]
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 <- [[Confidential data not shown]]
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 <- [[Confidential data not shown]]
2022-04-25 12:28:02 gpg-agent[899673] command 'IMPORT_KEY' failed: Invalid argument <gcrypt>
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 -> ERR 16777261 Invalid argument <gcrypt>
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 <- SETKEYDESC Please+enter+the+passphrase+to+import+the+OpenPGP+secret+key:%0A%22sbuild+fake+uploader+<fake-uploa...@debian.org>%22%0A255-bit+EDDSA+key,+ID+A4179B1DD69E01DD,%0Acreated+2021-01-25+(main+key+ID+F08FF84541F5A0C0).%0A
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 -> OK
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 <- IMPORT_KEY --timestamp=20210125T124832
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 -> [[Confidential data not shown]]
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 <- [[Confidential data not shown]]
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 <- [[Confidential data not shown]]
2022-04-25 12:28:02 gpg-agent[899673] command 'IMPORT_KEY' failed: Invalid argument <gcrypt>
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 -> ERR 16777261 Invalid argument <gcrypt>
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 <- SETKEYDESC
Please+enter+the+passphrase+to+import+the+OpenPGP+secret+key:%0A%22sbuild+fake+uploader+<fake-uploa...@debian.org>%22%0A255-bit+ECDH+key,+ID+52C3581ED0C37392,%0 Acreated+2021-01-25+(main+key+ID+F08FF84541F5A0C0).%0A 2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 -> OK Using --batch here changes the IMPORT_KEY assuan directive such that it includes an --unattended flag, which bypasses the failures we're seeing on upgrading GnuPG in debian unstable. Having to perform this workaround is unfortunate. A better approach would be to rewrite sbuild's tooling to use OpenPGP utilities designed for operation in a script, but doing so is a larger and more intrusive patch. --- debian/tests/unshare | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/tests/unshare b/debian/tests/unshare index aa23bb08..272330f5 100755 --- a/debian/tests/unshare +++ b/debian/tests/unshare @@ -101,7 +101,7 @@ verify() { # FIXME: generate a key without expiry date -cat << END | gpg --allow-secret-key-import --import - +cat << END | gpg --batch --allow-secret-key-import --import - -----BEGIN PGP PRIVATE KEY BLOCK----- xVgEYA6+IBYJKwYBBAHaRw8BAQdAM1MKmD3Qm9XwkCv40xOUt1KTLL3nQ2NYfl6B -- 2.35.1signature.asc
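Review bot: the changed "gpg --batch --allow-secret-key-import --import -" line has no visible check that the secret key actually reached the agent, and the output quoted in the report shows gpg printing "secret key imported" right after two "error sending to agent: Invalid argument" lines, so a broken import can pass this step without the test noticing here. Consider following the heredoc with an explicit check such as "gpg --batch --list-secret-keys F08FF84541F5A0C0" so that the test fails at the import rather than at a later signing step. A short comment above the command saying why --batch is needed (per the commit message, it makes gpg send IMPORT_KEY with --unattended) would also keep a later cleanup from dropping the flag.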
--- End Message ---
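The gpg-agent debug lines quoted in the message above have a regular shape, so failed secret-key imports can be picked out of such a log mechanically. The Python below is an added example, not part of the original messages and not sbuild or GnuPG code; the function names are hypothetical, the sample log is constructed from the quoted lines, and both the "--unattended" request line and the rule that a SETKEYDESC describes the next IMPORT_KEY on the same channel are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample modelled on the gpg-agent debug lines quoted in the report.
# The "--unattended" request is an assumed rendering of what --batch sends.
P = "2022-04-25 12:28:02 gpg-agent[899673] "
DESC = ("DBG: chan_10 <- SETKEYDESC Please+enter+the+passphrase+to+import+the+OpenPGP+secret+key:"
        "%0A255-bit+{}+key,+ID+{},%0Acreated+2021-01-25+(main+key+ID+F08FF84541F5A0C0).%0A")
SAMPLE_LOG = "\n".join(P + s for s in [
    DESC.format("EDDSA", "A4179B1DD69E01DD"), "DBG: chan_10 -> OK",
    "DBG: chan_10 <- IMPORT_KEY --timestamp=20210125T124832",
    "DBG: chan_10 -> [[Confidential data not shown]]",
    "command 'IMPORT_KEY' failed: Invalid argument <gcrypt>",
    "DBG: chan_10 -> ERR 16777261 Invalid argument <gcrypt>",
    DESC.format("ECDH", "52C3581ED0C37392"), "DBG: chan_10 -> OK",
    "DBG: chan_10 <- IMPORT_KEY --unattended --timestamp=20210125T124832",
    "DBG: chan_10 -> [[Confidential data not shown]]",
    "DBG: chan_10 -> OK",
])

LINE = re.compile(r"gpg-agent\[\d+\] DBG: chan_(\d+) (<-|->) (.*)$")

def import_attempts(log_text):
    """Pair each IMPORT_KEY request with the agent's OK/ERR reply, per channel."""
    desc, pending, results = {}, {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # non-Assuan lines such as "command ... failed"
        chan, direction, payload = m.groups()
        verb, _, rest = payload.partition(" ")
        if direction == "<-" and verb == "SETKEYDESC":
            # Assuan percent-plus encoding: '+' is a space, %0A a newline.
            desc[chan] = unquote_plus(rest)
        elif direction == "<-" and verb == "IMPORT_KEY":
            # Assumption: the last SETKEYDESC describes this import.
            key = re.search(r"\bID ([0-9A-F]{16})", desc.pop(chan, ""))
            pending[chan] = {"key_id": key.group(1) if key else None,
                             "unattended": "--unattended" in rest.split()}
        elif direction == "->" and verb in ("OK", "ERR") and chan in pending:
            attempt = pending.pop(chan)
            attempt["ok"] = verb == "OK"
            attempt["error"] = rest if verb == "ERR" else None
            results.append(attempt)
    return results

def failed_interactive_imports(log_text):
    """Failed imports sent without --unattended, the pattern in this report."""
    return [a for a in import_attempts(log_text) if not (a["ok"] or a["unattended"])]
```

Run over a real agent log captured with debug logging enabled, a non-empty result from failed_interactive_imports points at a script that calls gpg without --batch.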
--- Begin Message ---
Source: gnupg2
Source-Version: 2.2.35-1
Done: Daniel Kahn Gillmor <d...@fifthhorseman.net>

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1010...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <d...@fifthhorseman.net> (supplier of updated gnupg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 27 Apr 2022 17:09:01 -0400
Source: gnupg2
Architecture: source
Version: 2.2.35-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuPG Maintainers <pkg-gnupg-ma...@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Closes: 1010171
Changes:
 gnupg2 (2.2.35-1) unstable; urgency=medium
 .
   * New upstream release.
   * refresh patches.
   * Correct handling of 256-bit Ed25519 secret keys (Closes: #1010171).
   * Building for Windows requires libgpg-error 1.45

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQttUkcnfDcj0MoY88+nXFzcd5WXAUCYmoBigAKCRA+nXFzcd5W
XOKAAP4rhLzBjdKBcabTUComF72NR2TTXjIEi4FrJEwZLOY5TwD9FnLZkSHCTPLb
Ya4gJPG3mVsxFWoPXLK7DzXbc2dxrAM=
=mx2p
-----END PGP SIGNATURE-----
--- End Message ---