** Description changed:

[Impact]

torbrowser-launcher, on some Ubuntu flavors, will not run unless gnupg/gnupg2 is available on the system. This is due to the package making signature verification checks to validate the tarballs obtained from the Tor project.

As such, we require gnupg/gnupg2 to be installed as a dependency. Further, we also require to use the actual /usr/bin/gnupg binary as there are cases where /usr/bin/gnupg2 does *not* symlink back to the gnupg binary.

[Test Case]

(1) Use a clean installation (not an upgrade from 18.04) of Ubuntu 20.04 where torbrowser-launcher was not installed and configured before.
(2) Install torbrowser-launcher.
(3) Run torbrowser-launcher from a terminal.
(4) torbrowser-launcher will crash during signature verification:

$ torbrowser-launcher
Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.3.2
https://github.com/micahflee/torbrowser-launcher
Creating GnuPG homedir /home/user/.local/share/torbrowser/gnupg_homedir
Downloading Tor Browser for the first time.
Downloading https://aus1.torproject.org/torbrowser/update_3/release/Linux_x86_64-gcc3/x/en-US
Latest version: 9.5.4
Downloading https://dist.torproject.org/torbrowser/9.5.4/tor-browser-linux64-9.5.4_en-US.tar.xz.asc
Downloading https://dist.torproject.org/torbrowser/9.5.4/tor-browser-linux64-9.5.4_en-US.tar.xz
Verifying Signature
Refreshing local keyring...
Traceback (most recent call last): - File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 589, in verify - c.verify(signature=sig, signed_data=signed) - File "/usr/lib/python3/dist-packages/gpg/core.py", line 559, in verify - raise errors.BadSignatures(results[1], results=results) + File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 589, in verify + c.verify(signature=sig, signed_data=signed) + File "/usr/lib/python3/dist-packages/gpg/core.py", line 559, in verify + raise errors.BadSignatures(results[1], results=results) gpg.errors.BadSignatures: 110775B5D101FB36BC6C911BEB774491D9FF06E2: Key expired During handling of the above exception, another exception occurred: Traceback (most recent call last): - File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 600, in run - verify() - File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 594, in verify - raise Exception + File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 600, in run + verify() + File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 594, in verify + raise Exception Exception During handling of the above exception, another exception occurred: Traceback (most recent call last): - File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 603, in run - self.common.refresh_keyring() - File "/usr/lib/python3/dist-packages/torbrowser_launcher/common.py", line 209, in refresh_keyring - '--refresh-keys'], stderr=subprocess.PIPE) - File "/usr/lib/python3.7/subprocess.py", line 775, in __init__ - restore_signals, start_new_session) - File "/usr/lib/python3.7/subprocess.py", line 1522, in _execute_child - raise child_exception_type(errno_num, err_msg, err_filename) + File "/usr/lib/python3/dist-packages/torbrowser_launcher/launcher.py", line 603, in run + self.common.refresh_keyring() + File "/usr/lib/python3/dist-packages/torbrowser_launcher/common.py", line 
209, in refresh_keyring + '--refresh-keys'], stderr=subprocess.PIPE) + File "/usr/lib/python3.7/subprocess.py", line 775, in __init__ + restore_signals, start_new_session) + File "/usr/lib/python3.7/subprocess.py", line 1522, in _execute_child + raise child_exception_type(errno_num, err_msg, err_filename) FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/gpg2': '/usr/bin/gpg2' Aborted

[Regression Potential]

Limited regression potential - requiring gnupg is not insane here, and using the non-symlinked binary is also a sane change.
+ + [racb] We're changing the binary name used to call gpg, so users with + unusual system configurations who don't have a valid /usr/bin/gpg, or + have wrapped the old name or similar may be affected.

[Original Bug Description]

The torbrowser-launcher package does not depend on gnupg/gnupg2 on Ubuntu 20.04. This results in torbrowser-launcher not working on some Ubuntu flavors that do not have gnupg installed by default.

Also, torbrowser-launcher calls /usr/bin/gpg2 instead of /usr/bin/gpg. The /usr/bin/gpg2 is just a symlink to /usr/bin/gpg on Debian/Ubuntu, provided by the gnupg2 package that is not installed by default on some Ubuntu-based systems (including Linux Mint), even if they have gnupg installed out of the box.

The following patch and debian/control update fix the issue:

https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/-/commit/f83349ae954a888a7913ac64c98dbb53a284932f
https://salsa.debian.org/pkg-privacy-team/torbrowser-launcher/-/commit/68908ebd6567fad56642c57d2fb1f75dad6efe4a

The first link contains a patch that replaces /usr/bin/gpg2 with /usr/bin/gpg in torbrowser-launcher code. The second link contains a change adding gnupg as torbrowser-launcher dependency to debian/control.

It is already fixed in Groovy.
--
https://bugs.launchpad.net/bugs/1897306

Title:
  [SRU] torbrowser-launcher has missing gnupg dependency
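
An added example, not torbrowser-launcher's own code: one way to locate the GnuPG binary without hardcoding /usr/bin/gpg2, and to report the download as unverified when gpg is missing instead of crashing with the FileNotFoundError shown in the traceback. The function names, the `search_path` and `runner` parameters, and the 60-second timeout are assumptions made for illustration.

```python
import shutil
import subprocess

# Preferred first. On Debian/Ubuntu, gpg2 is only a symlink shipped by the
# separate gnupg2 package, so it cannot be the sole hardcoded choice.
GPG_CANDIDATES = ("gpg", "gpg2")


def find_gpg(search_path=None):
    """Return the path of the first executable candidate, or None.

    search_path is a hypothetical override of $PATH, used here for testing.
    shutil.which() skips missing files and dangling symlinks.
    """
    for name in GPG_CANDIDATES:
        found = shutil.which(name, path=search_path)
        if found:
            return found
    return None


def refresh_keyring(homedir, search_path=None, runner=subprocess.run):
    """Run `gpg --refresh-keys` and return (ok, detail).

    A missing or unstartable gpg yields ok=False rather than an exception;
    the caller must then treat the download as unverified.
    """
    gpg = find_gpg(search_path)
    if gpg is None:
        return False, "gnupg not found; cannot verify the download"
    argv = [gpg, "--batch", "--homedir", homedir, "--refresh-keys"]
    try:
        proc = runner(argv, stderr=subprocess.PIPE, timeout=60)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return False, f"could not run {gpg}: {exc}"
    if proc.returncode != 0:
        return False, f"{gpg} exited with status {proc.returncode}"
    return True, gpg


if __name__ == "__main__":
    # Constructed demo: a nonexistent search path stands in for a system
    # without gnupg installed.
    print(refresh_keyring("/tmp/example_homedir", search_path="/nonexistent"))
```
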