I have updated the test case. ** Description changed:
[Impact] torbrowser-launcher, on some Ubuntu flavors, will not run unless gnupg/gnupg2 is available on the system. This is due to the package making signature verification checks to validate the tarballs obtained from the Tor project. As such, we require gnupg/gnupg2 to be installed as a dependency. Further, we also require to use the actual /usr/bin/gnupg binary as there are cases where /usr/bin/gnupg2 does *not* symlink back to the gnupg binary. [Test Case] - (1) Install torbrowser-launcher - (2) Signature verification for the download of tor browser's tarball will fail. + (1) Use a clean installation (not an upgrade from 18.04) of Ubuntu 20.04 where torbrowser-launcher was not installed and configured before. + (2) Install torbrowser-launcher. + (3) Run torbrowser-launcher from a terminal. + (4) torbrowser-launcher will crash during signature verification: + + $ torbrowser-launcher + Tor Browser Launcher + By Micah Lee, licensed under MIT + version 0.3.2 + https://github.com/micahflee/torbrowser-launcher + Creating GnuPG homedir /home/user/.local/share/torbrowser/gnupg_homedir + Downloading Tor Browser for the first time. + Downloading https://aus1.torproject.org/torbrowser/update_3/release/Linux_x86_64-gcc3/x/en-US + Latest version: 9.5.4 + Downloading https://dist.torproject.org/torbrowser/9.5.4/tor-browser-linux64-9.5.4_en-US.tar.xz.asc + Downloading https://dist.torproject.org/torbrowser/9.5.4/tor-browser-linux64-9.5.4_en-US.tar.xz + Verifying Signature + Refreshing local keyring... + Traceback (most recent call last): + File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 589, in verify + c.verify(signature=sig, signed_data=signed) + File "/usr/lib/python3/dist-packages/gpg/core.py", line 559, in verify + raise errors.BadSignatures(results[1], results=results) + gpg.errors.BadSignatures: 110775B5D101FB36BC6C911BEB774491D9FF06E2: Key expired + + During handling of the above exception, another exception occurred: + + Traceback (most recent call last): + File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 600, in run + verify() + File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 594, in verify + raise Exception + Exception + + During handling of the above exception, another exception occurred: + + Traceback (most recent call last): + File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 603, in run + self.common.refresh_keyring() + File "/usr/lib/python3/dist-packages/torbrowser_launcher/common.py", line 209, in refresh_keyring + '--refresh-keys'], stderr=subprocess.PIPE) + File "/usr/lib/python3.7/subprocess.py", line 775, in __init__ + restore_signals, start_new_session) + File "/usr/lib/python3.7/subprocess.py", line 1522, in _execute_child + raise child_exception_type(errno_num, err_msg, err_filename) + FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/gpg2': '/usr/bin/gpg2' + Aborted [Regression Potential] Limited regression potential - requiring gnupg is not insane here, and using the non-symlinked binary is also a sane change. - [Original Bug Description] The torbrowser-launcher package does not depend on gnupg/gnupg2 on Ubuntu 20.04. This results in torbrowser-launcher not working on some Ubuntu flavors that do not have gnupg installed by-default. Also, torbrowser-launcher calls /usr/bin/gpg2 instead of /usr/bin/gpg. The /usr/bin/gpg2 is just a symlink to /usr/bin/gpg on Debian/Ubuntu, provided by gnupg2 package that is not installed by-default on some Ubuntu-based systems (including Linux Mint), even if they have gnupg installed out-of-box. The following patch and debian/control update fix the issue: https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/-/commit/f83349ae954a888a7913ac64c98dbb53a284932f https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/-/commit/68908ebd6567fad56642c57d2fb1f75dad6efe4a The first link contain a patch that replaces /usr/bin/gpg2 with /usr/bin/gpg in torbrowser-launcher code. The second link contain a change adding gnupg as torbrowser-launcher dependency to debian/control. It is already fixed in Groovy. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1897306 Title: [SRU] torbrowser-launcher has missing gnupg dependency To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/torbrowser-launcher/+bug/1897306/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs