Your message dated Thu, 28 Apr 2022 03:03:55 +0000
with message-id <e1njurf-0006id...@fasolo.debian.org>
and subject line Bug#1010171: fixed in gnupg2 2.2.35-1
has caused the Debian Bug report #1010171,
regarding sbuild's "unshare" test fails with gpg-agent 2.2.34-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1010171: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010171
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sbuild
Version: 0.83.0
Control: affects -1 + gpg-agent
Control: tags -1 + patch

When trying to upgrade to gnupg2 from version 2.2.27-1 to version
2.2.34-1, we see a failure in the unshare-qemuwrapper test:

https://ci.debian.net/data/autopkgtest/testing/amd64/s/sbuild/21152998/log.gz

+ ssh -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no -i /tmp/autopkgtest-lxc.29hmt_yk/downtmp/autopkgtest_tmp/id_rsa -T -p 10022 root@localhost env --chdir=/build/ AUTOPKGTEST_TMP=/tmp runuser -u user -- ./debian/tests/unshare
Warning: Permanently added '[localhost]:10022' (ED25519) to the list of known hosts.
gpg: keybox '/tmp/gpghome/pubring.kbx' created
gpg: /tmp/gpghome/trustdb.gpg: trustdb created
gpg: key F08FF84541F5A0C0: public key "sbuild fake uploader <fake-uploa...@debian.org>" imported
gpg: key F08FF84541F5A0C0/F08FF84541F5A0C0: error sending to agent: Invalid argument
gpg: key F08FF84541F5A0C0/A4179B1DD69E01DD: error sending to agent: Invalid argument
gpg: key F08FF84541F5A0C0: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

I traced this error down to the use of "gpg --allow-secret-key-import
--import" in the unshare script.  GnuPG upstream has always maintained
that use of gpg in scripts requires use of the --batch directive, which
avoids the error.  Why this error response was introduced in the change
from GnuPG 2.2.27 to 2.2.34, i don't yet fully understand, but using
--batch does avoid the problem.

The attached patch should hopefully make the sbuild autopkgtest succeed
with either version of GnuPG2.

thanks for maintaining sbuild in debian!

       --dkg

From 4bdf145dd92df9db01fa38e1ab33cf1c36926ce9 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Date: Mon, 25 Apr 2022 12:30:11 -0400
Subject: [PATCH] Use --batch with gpg when importing secret key

The use of gpg here is automated, and should not trigger a prompt to
the user.  GnuPG upstream recommends always using --batch in contexts
like this.

With GnuPG 2.2.34, the import actually fails, with gpg-agent logging
the following failures:

2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 <- IMPORT_KEY --timestamp=20210125T124832
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 -> [[Confidential data not shown]]
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 <- [[Confidential data not shown]]
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 <- [[Confidential data not shown]]
2022-04-25 12:28:02 gpg-agent[899673] command 'IMPORT_KEY' failed: Invalid argument <gcrypt>
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 -> ERR 16777261 Invalid argument <gcrypt>
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 <- SETKEYDESC Please+enter+the+passphrase+to+import+the+OpenPGP+secret+key:%0A%22sbuild+fake+uploader+<fake-uploa...@debian.org>%22%0A255-bit+EDDSA+key,+ID+A4179B1DD69E01DD,%0Acreated+2021-01-25+(main+key+ID+F08FF84541F5A0C0).%0A
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 -> OK
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 <- IMPORT_KEY --timestamp=20210125T124832
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 -> [[Confidential data not shown]]
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 <- [[Confidential data not shown]]
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 <- [[Confidential data not shown]]
2022-04-25 12:28:02 gpg-agent[899673] command 'IMPORT_KEY' failed: Invalid argument <gcrypt>
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 -> ERR 16777261 Invalid argument <gcrypt>
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 <- SETKEYDESC Please+enter+the+passphrase+to+import+the+OpenPGP+secret+key:%0A%22sbuild+fake+uploader+<fake-uploa...@debian.org>%22%0A255-bit+ECDH+key,+ID+52C3581ED0C37392,%0Acreated+2021-01-25+(main+key+ID+F08FF84541F5A0C0).%0A
2022-04-25 12:28:02 gpg-agent[899673] DBG: chan_10 -> OK

Using --batch here changes the IMPORT_KEY assuan directive such that
it includes an --unattended flag, which bypasses the failures we're
seeing on upgrading GnuPG in debian unstable.

Having to perform this workaround is unfortunate.  A better approach
would be to rewrite sbuild's tooling to use OpenPGP utilities designed
for operation in a script, but doing so is a larger and more intrusive
patch.
---
 debian/tests/unshare | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/tests/unshare b/debian/tests/unshare
index aa23bb08..272330f5 100755
--- a/debian/tests/unshare
+++ b/debian/tests/unshare
@@ -101,7 +101,7 @@ verify() {
 
 
 # FIXME: generate a key without expiry date
-cat << END | gpg --allow-secret-key-import --import -
+cat << END | gpg --batch --allow-secret-key-import --import -
 -----BEGIN PGP PRIVATE KEY BLOCK-----
 
 xVgEYA6+IBYJKwYBBAHaRw8BAQdAM1MKmD3Qm9XwkCv40xOUt1KTLL3nQ2NYfl6B
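Review bot: Nothing in the visible lines around the changed gpg command checks that the secret key is actually usable after the import, and the 2.2.34 output quoted in the report shows why that matters: gpg printed "error sending to agent: Invalid argument" for two keys and still reported "secret keys imported: 1". Consider following the import with an explicit assertion (for example, listing secret keys for F08FF84541F5A0C0 and failing the test if none is found) so a broken import stops the test at this point rather than wherever the key is first used. A one-line comment above the command saying that --batch is what makes the import unattended would also keep the flag from being dropped in a later cleanup. The leading `cat << END |` could feed the here-document to gpg directly, but that is cosmetic.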
-- 
2.35.1


--- End Message ---
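A triage sketch for gpg-agent debug logs like the one in the patch description, added here as an example (not code from sbuild, GnuPG or the reporter): it pairs each IMPORT_KEY request with the agent's reply and flags requests sent without --unattended, which per the commit message is what gpg sends when --batch is missing. The log lines are constructed in the format quoted above, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in the gpg-agent debug-log format quoted in the report.
# chan_10: import without --batch; chan_11: import with --batch.
SAMPLE_LOG = """\
2022-04-25 12:28:02 gpg-agent[1001] DBG: chan_10 <- SETKEYDESC Please+enter+the+passphrase+to+import+the+OpenPGP+secret+key:%0A%22example+uploader%22%0A
2022-04-25 12:28:02 gpg-agent[1001] DBG: chan_10 -> OK
2022-04-25 12:28:02 gpg-agent[1001] DBG: chan_10 <- IMPORT_KEY --timestamp=20210125T124832
2022-04-25 12:28:02 gpg-agent[1001] command 'IMPORT_KEY' failed: Invalid argument <gcrypt>
2022-04-25 12:28:02 gpg-agent[1001] DBG: chan_10 -> ERR 16777261 Invalid argument <gcrypt>
2022-04-25 12:30:00 gpg-agent[1001] DBG: chan_11 <- IMPORT_KEY --unattended --timestamp=20210125T124832
2022-04-25 12:30:00 gpg-agent[1001] DBG: chan_11 -> OK
"""

# "<-" is a line the agent received from gpg, "->" is the agent's reply.
LINE = re.compile(r"gpg-agent\[(\d+)\] DBG: (chan_\d+) (<-|->) (\S+) ?(.*)$")

def triage_imports(log_text):
    """Return one record per IMPORT_KEY request found in gpg-agent debug output."""
    records, pending_desc, current = [], {}, {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # non-Assuan lines, e.g. "command 'IMPORT_KEY' failed: ..."
        pid, chan, direction, word, rest = m.groups()
        key = (pid, chan)
        if direction == "<-" and word == "SETKEYDESC":
            # Plus/percent-escaped prompt text; it applies to the next operation.
            pending_desc[key] = unquote_plus(rest)
            current.pop(key, None)
        elif direction == "<-" and word == "IMPORT_KEY":
            rec = {"channel": chan,
                   "unattended": "--unattended" in rest.split(),
                   "description": pending_desc.pop(key, None),
                   "status": "pending"}
            records.append(rec)
            current[key] = rec
        elif direction == "->" and word in ("OK", "ERR") and key in current:
            # Inquiry traffic ("[[Confidential data not shown]]") is skipped above.
            current.pop(key)["status"] = "ok" if word == "OK" else "failed: " + rest
    return records

def missing_batch(records):
    """Imports sent without --unattended: the calling script lacked --batch."""
    return [r for r in records if not r["unattended"]]

if __name__ == "__main__":
    for rec in triage_imports(SAMPLE_LOG):
        print(rec)
```
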
--- Begin Message ---
Source: gnupg2
Source-Version: 2.2.35-1
Done: Daniel Kahn Gillmor <d...@fifthhorseman.net>

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1010...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <d...@fifthhorseman.net> (supplier of updated gnupg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 27 Apr 2022 17:09:01 -0400
Source: gnupg2
Architecture: source
Version: 2.2.35-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuPG Maintainers <pkg-gnupg-ma...@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Closes: 1010171
Changes:
 gnupg2 (2.2.35-1) unstable; urgency=medium
 .
   * New upstream release.
   * refresh patches.
   * Correct handling of 256-bit Ed25519 secret keys (Closes: #1010171).
   * Building for Windows requires libgpg-error 1.45

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQttUkcnfDcj0MoY88+nXFzcd5WXAUCYmoBigAKCRA+nXFzcd5W
XOKAAP4rhLzBjdKBcabTUComF72NR2TTXjIEi4FrJEwZLOY5TwD9FnLZkSHCTPLb
Ya4gJPG3mVsxFWoPXLK7DzXbc2dxrAM=
=mx2p
-----END PGP SIGNATURE-----

--- End Message ---
