Integration tests fail for gpg 2.4.4 #4989

Closed
catmsred opened this issue Mar 1, 2024 · 4 comments · Fixed by #5026

@catmsred

catmsred commented Mar 1, 2024

Bug report

When running integration tests on Ubuntu 24.04 images containing gpg 2.4.4 (up from 2.2.40 on previous releases), TestApt integration tests:

  • test_ppa_source
  • test_signed_by
  • test_key
  • test_keyserver

All fail with assert TEST_PPA_KEY in self.get_keys(class_client).

Steps to reproduce the problem

Create a VM with gpg 2.4.4 (Ubuntu 24.04 dailies after 20240227 all cause it) and the following userdata:

#cloud-config
bootcmd:
    - rm -f /etc/apt/sources.list /etc/apt/sources.list.d/ubuntu.sources

apt:
  conf: |
    APT {
        Get {
            Assume-Yes "true";
            Fix-Broken "true";
        }
    }
  primary:
    - arches: [default]
      uri: http://badarchive.ubuntu.com/ubuntu
  security:
    - arches: [default]
      uri: http://badsecurity.ubuntu.com/ubuntu
  sources_list: |
    deb $MIRROR $RELEASE main restricted
    deb-src $MIRROR $RELEASE main restricted
    deb $PRIMARY $RELEASE universe restricted
    deb-src $PRIMARY $RELEASE universe restricted
    deb $SECURITY $RELEASE-security multiverse
    deb-src $SECURITY $RELEASE-security multiverse
  sources:
    test_keyserver:
      keyid: 110E21D8B0E2A1F0243AF6820856F197B892ACEA
      keyserver: keyserver.ubuntu.com
      source: "deb http://ppa.launchpad.net/canonical-kernel-team/ppa/ubuntu $RELEASE main"
    test_ppa:
      keyid: 441614D8
      keyserver: keyserver.ubuntu.com
      source: "ppa:simplestreams-dev/trunk"
    test_signed_by:
      keyid: A2EB2DEC0BD7519B7B38BE38376A290EC8068B11
      keyserver: keyserver.ubuntu.com
      source: "deb [signed-by=$KEY_FILE] http://ppa.launchpad.net/juju/stable/ubuntu $RELEASE main"
    test_bad_key:
      key: ""
      source: "deb $MIRROR $RELEASE main"
    test_key:
      source: "deb http://ppa.launchpad.net/cloud-init-dev/test-archive/ubuntu $RELEASE main"
      key: |
        -----BEGIN PGP PUBLIC KEY BLOCK-----
        Version: SKS 1.1.6
        Comment: Hostname: keyserver.ubuntu.com

        mQINBFbZRUIBEAC+A0PIKYBP9kLC4hQtRrffRS11uLo8/BdtmOdrlW0hpPHzCfKnjR3tvSEI
        lqPHG1QrrjAXKZDnZMRz+h/px7lUztvytGzHPSJd5ARUzAyjyRezUhoJ3VSCxrPqx62avuWf
        RfoJaIeHfDehL5/dTVkyiWxfVZ369ZX6JN2AgLsQTeybTQ75+2z0xPrrhnGmgh6g0qTYcAaq
        M5ONOGiqeSBX/Smjh6ALy5XkhUiFGLsI7Yluf6XSICY/x7gd6RAfgSIQrUTNMoS1sqhT4aot
        +xvOfQy8ySkfAK4NddXql6E/+ZqTmBY/Lr0YklFBy8jGT+UysfiIznPMIwbmgq5Li7BtDDtX
        b8Uyi4edPpjtextezfXYn4NVIpPL5dPZS/FXh4HpzyH0pYCfrH4QDGA7i52AGmhpiOFjJMo6
        N33sdjZHOH/2Vyp+QZaQnsdUAi1N4M6c33tQbpIScn1SY+El8z5JDA4PBzkw8HpLCi1gGoa6
        V4kfbWqXXbGAJFkLkP/vc4+pY9axOlmCkJg7xCPwhI75y1cONgovhz+BEXOzolh5KZuGbGbj
        xe0wva5DLBeIg7EQFf+99pOS7Syby3Xpm6ZbswEFV0cllK4jf/QMjtfInxobuMoI0GV0bE5l
        WlRtPCK5FnbHwxi0wPNzB/5fwzJ77r6HgPrR0OkT0lWmbUyoOQARAQABtC1MYXVuY2hwYWQg
        UFBBIGZvciBjbG91ZCBpbml0IGRldmVsb3BtZW50IHRlYW2JAjgEEwECACIFAlbZRUICGwMG
        CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEAg9Bvvk0wTfHfcP/REK5N2s1JYc69qEa9ZN
        o6oi+A7l6AYw+ZY88O5TJe7F9otv5VXCIKSUT0Vsepjgf0mtXAgf/sb2lsJn/jp7tzgov3YH
        vSrkTkRydz8xcA87gwQKePuvTLxQpftF4flrBxgSueIn5O/tPrBOxLz7EVYBc78SKg9aj9L2
        yUp+YuNevlwfZCTYeBb9r3FHaab2HcgkwqYch66+nKYfwiLuQ9NzXXm0Wn0JcEQ6pWvJscbj
        C9BdawWovfvMK5/YLfI6Btm7F4mIpQBdhSOUp/YXKmdvHpmwxMCN2QhqYK49SM7qE9aUDbJL
        arppSEBtlCLWhRBZYLTUna+BkuQ1bHz4St++XTR49Qd7vDERALpApDjB2dxPfMiBzCMwQQyq
        uy13exU8o2ETLg+dZSLfDTzrBNsBFmXlw8WW17nTISYdKeGKL+QdlUjpzdwUMMzHhAO8SmMH
        zjeSlDSRMXBJFAFSbCl7EwmMKa3yVX0zInT91fNllZ3iatAmtVdqVH/BFQfTIMH2ET7A8WzJ
        ZzVSuMRhqoKdr5AMcHuJGPUoVkVJHQA+NNvEiXSysF3faL7jmKapmUwrhpYYX2H8pf+VMu2e
        cLflKTI28dl+ZQ4Pl/aVsxrti/pzhdYy05Sn5ddtySyIkvo8L1cU5MWpbvSlFPkTstBUDLBf
        pb0uBy+g0oxJQg15
        =uy53
        -----END PGP PUBLIC KEY BLOCK-----
    test_write:
      keyid: A2EB2DEC0BD7519B7B38BE38376A290EC8068B11
      keyserver: keyserver.ubuntu.com
      source: "deb [signed-by=$KEY_FILE] http://ppa.launchpad.net/juju/stable/ubuntu $RELEASE main"
      append: false
    test_write.list:
      keyid: A2EB2DEC0BD7519B7B38BE38376A290EC8068B11
      keyserver: keyserver.ubuntu.com
      source: "deb [signed-by=$KEY_FILE] http://ppa.launchpad.net/juju/devel/ubuntu $RELEASE main"
      append: false
    test_append:
      keyid: A2EB2DEC0BD7519B7B38BE38376A290EC8068B11
      keyserver: keyserver.ubuntu.com
      source: "deb [signed-by=$KEY_FILE] http://ppa.launchpad.net/juju/stable/ubuntu $RELEASE main"
    test_append.list:
      keyid: A2EB2DEC0BD7519B7B38BE38376A290EC8068B11
      keyserver: keyserver.ubuntu.com
      source: "deb [signed-by=$KEY_FILE] http://ppa.launchpad.net/juju/devel/ubuntu $RELEASE main"
apt_pipelining: os

SSH into the VM and run:

$ gpg --with-fingerprint --list-keys --keyring /etc/apt/trusted.gpg.d/test_keyserver.gpg

This returns no output. On earlier versions of gpg we would see the key printed, e.g.

$ gpg --with-fingerprint --with-fingerprint --list-keys --keyring /etc/apt/trusted.gpg.d/test_keyserver.gpg 
/etc/apt/trusted.gpg.d/test_keyserver.gpg
-----------------------------------------
pub   rsa1024 2010-12-01 [SC]
      110E 21D8 B0E2 A1F0 243A  F682 0856 F197 B892 ACEA
uid           [ unknown] Launchpad PPA for Canonical Kernel Team

Environment details

  • Cloud-init version: 24.1 [probably impacts earlier versions too but this is what I was testing with]
  • Operating System Distribution: Ubuntu 24.04 later than 20240229
  • Cloud provider, platform or installer type: GCE, AWS

Additional Details

The underlying issue appears to be related to gpg2 using keybox as the default format. When gpg is called for the first time it initializes ~/.gnupg including a config file that specifies the use of keybox. If I run rm .gnupg/common.conf and then rerun the list keys command, it works as it did in prior versions.

@catmsred catmsred added bug Something isn't working correctly new An issue that still needs triage labels Mar 1, 2024
@catmsred catmsred self-assigned this Mar 1, 2024
@blackboxsw blackboxsw removed the new An issue that still needs triage label Mar 1, 2024
@blackboxsw

Confirmed with the following procedure on lxd noble images with builddate 20240220:

test script

#!/bin/sh
set -ex
lxc launch ubuntu-daily:noble nn
lxc exec nn -- cat /etc/cloud/build.info
lxc exec nn -- dpkg -l gnupg
lxc exec nn -- gpg --with-fingerprint --list-keys --keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
lxc exec nn -- apt-get update 
lxc exec nn -- apt install -y gnupg
echo Keys are listed without .gnupg/commons.conf use-keyboxd
lxc exec nn -- gpg --with-fingerprint --list-keys --keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
cat > common.conf <<EOF
use-keyboxd
EOF
echo Keys NOT listed when .gnupg/common.conf contains use-keyboxd
lxc file push common.conf nn/root/.gnupg/
lxc exec nn -- gpg --with-fingerprint --list-keys --keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg

test output

+ lxc launch ubuntu-daily:noble nn
Creating nn
Starting nn
+ lxc exec nn -- cat /etc/cloud/build.info
build_name: server
serial: 20240220
+ lxc exec nn -- dpkg -l gnupg
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version           Architecture Description
+++-==============-=================-============-=============================>
ii  gnupg          2.2.40-1.1ubuntu1 all          GNU privacy guard - a free PG>
+ lxc exec nn -- gpg --with-fingerprint --list-keys --keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

+ lxc exec nn -- apt-get update -q
+ lxc exec nn -- apt install -y gnupg
Reading package lists... Done
...
Setting up gnupg (2.4.4-2ubuntu7) ...
+ echo Keys are listed without .gnupg/commons.conf use-keyboxd
Keys are listed without .gnupg/commons.conf use-keyboxd
+ lxc exec nn -- gpg --with-fingerprint --list-keys --keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

+ cat
+ echo Keys NOT listed when .gnupg/common.conf contains use-keyboxd
Keys NOT listed when .gnupg/common.conf contains use-keyboxd
+ lxc file push common.conf nn/root/.gnupg/
+ lxc exec nn -- gpg --with-fingerprint --list-keys --keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg

debug-level 9 with use-keyboxd

root@nn:~#  gpg --with-fingerprint --list-keys --keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg --debug-level 9
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust ipc clock lookup extprog
gpg: enabled compatibility flags:
gpg: DBG: [no clock] start
gpg: using pgp trust model
gpg: DBG: [no clock] keydb_new
gpg: DBG: chan_4 <- # Home: /root/.gnupg
gpg: DBG: chan_4 <- # Config: [none]
gpg: DBG: chan_4 <- OK Keyboxd 2.4.4 at your service
gpg: DBG: connection to the keyboxd established
gpg: DBG: chan_4 -> GETINFO version
gpg: DBG: chan_4 <- D 2.4.4
gpg: DBG: chan_4 <- OK
gpg: DBG: [no clock] keydb_search_reset
gpg: DBG: keydb_search_reset (hd=0x000055a2b802a100)
gpg: DBG: [no clock] keydb_search enter
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search   0: FIRST
gpg: DBG: chan_4 -> SEARCH --openpgp
gpg: DBG: chan_4 <- ERR 134217755 Not found <Keybox>
gpg: DBG: [no clock] keydb_search leave (not found)
gpg: DBG: [no clock] keydb_release
gpg: DBG: [no clock] close_context (found)
gpg: DBG: chan_4 -> BYE
gpg: DBG: [no clock] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: objcache: keys=0/0/0 chains=0,0..0 buckets=0/0 attic=0
gpg: objcache: uids=0/0/0 chains=0,0..0 buckets=0/0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks

debug-level 9 without use-keyboxd

root@nn:~#  gpg --with-fingerprint --list-keys --keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg --debug-level 9
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust ipc clock lookup extprog
gpg: enabled compatibility flags:
gpg: DBG: [no clock] start
gpg: using pgp trust model
gpg: DBG: [no clock] keydb_new
gpg: DBG: [no clock] keydb_search_reset
gpg: DBG: keydb_search_reset (hd=0x00005562905573d0)
gpg: DBG: [no clock] keydb_search enter
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search   0: FIRST
gpg: DBG: internal_keydb_search: searching keybox (resource 0 of 2)
gpg: DBG: internal_keydb_search: searched keybox (resource 0 of 2) => EOF
gpg: DBG: internal_keydb_search: searching keyring (resource 1 of 2)
gpg: DBG: keyring_search: need_uid = 0; need_words = 0; need_keyid = 0; need_fpr = 0; any_skip = 0
gpg: DBG: fd_cache_open (/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg) not cached
gpg: DBG: iobuf-1.0: open '/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg' desc=file_filter(fd) fd=5
gpg: DBG: keyring_search: initializing offset table. (need_keyid: 0 => 1)
gpg: DBG: keyring_search: searching from start of resource.
gpg: DBG: iobuf-1.0: underflow: buffer size: 65536; still buffered: 0 => space for 65536 bytes
gpg: DBG: iobuf-1.0: underflow: A->FILTER (65536 bytes)
gpg: DBG: iobuf-1.0: A->FILTER() returned rc=0 (ok), read 1167 bytes
gpg: DBG: parse_packet(iob=1): type=6 length=525 (search.../../g10/keyring.c.1111)
gpg: DBG: keyring_search: packet starting at offset 0 matched descriptor 0
gpg: DBG: keyring_search: returning success
gpg: DBG: free_packet() type=6
gpg: DBG: free_packet() type=6
gpg: DBG: internal_keydb_search: searched keyring (resource 1 of 2) => Success
gpg: DBG: [no clock] keydb_search leave (found)
gpg: DBG: [no clock] keydb_get_keyblock enter
gpg: DBG: fd_cache_open (/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg) not cached
gpg: DBG: iobuf-2.0: open '/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg' desc=file_filter(fd) fd=6
gpg: DBG: iobuf-2.0: underflow: buffer size: 65536; still buffered: 0 => space for 65536 bytes
gpg: DBG: iobuf-2.0: underflow: A->FILTER (65536 bytes)
gpg: DBG: iobuf-2.0: A->FILTER() returned rc=0 (ok), read 1167 bytes
gpg: DBG: parse_packet(iob=2): type=6 length=525 (parse.../../g10/keyring.c.415)
gpg: DBG: parse_packet(iob=2): type=13 length=66 (parse.../../g10/keyring.c.415)
gpg: DBG: parse_packet(iob=2): type=2 length=568 (parse.../../g10/keyring.c.415)
gpg: DBG: iobuf-2.0: underflow: buffer size: 65536; still buffered: 0 => space for 65536 bytes
gpg: DBG: iobuf-2.0: underflow: A->FILTER (65536 bytes)
gpg: DBG: iobuf-2.0: A->FILTER() returned rc=-1 (EOF), read 0 bytes
gpg: DBG: /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg: close fd/handle 6
gpg: DBG: fd_cache_close (/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg) new slot created
gpg: DBG: iobuf-2.0: close '?'
gpg: DBG: [no clock] keydb_get_keyblock leave
gpg: DBG: rsa_verify    => Good
gpg: DBG: free_packet() type=6
gpg: DBG: free_packet() type=13
gpg: DBG: free_packet() type=2
gpg: DBG: [no clock] keydb_search enter
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search   0: NEXT
gpg: DBG: internal_keydb_search: searching keyring (resource 1 of 2)
gpg: DBG: keyring_search: need_uid = 0; need_words = 0; need_keyid = 0; need_fpr = 0; any_skip = 0
gpg: DBG: keyring_search: initializing offset table. (need_keyid: 0 => 1)
gpg: DBG: keyring_search: not searching from start of resource.
gpg: DBG: iobuf-1.0: underflow: buffer size: 65536; still buffered: 0 => space for 65536 bytes
gpg: DBG: iobuf-1.0: underflow: A->FILTER (65536 bytes)
gpg: DBG: iobuf-1.0: A->FILTER() returned rc=-1 (EOF), read 0 bytes
gpg: DBG: /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg: close fd/handle 5
gpg: DBG: fd_cache_close (/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg) new slot created
gpg: DBG: keyring_search: no matches (EOF)
gpg: DBG: internal_keydb_search: searched keyring (resource 1 of 2) => EOF
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

gpg: DBG: [no clock] keydb_search leave (not found)
gpg: DBG: [no clock] keydb_release
gpg: DBG: iobuf-1.0: close '?'
gpg: DBG: [no clock] stop
gpg: keydb: handles=1 locks=0 parse=0 get=1
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=1 found=1 not=1 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=1 cached=0 good=0 bad=0
gpg: objcache: keys=0/0/0 chains=0,0..0 buckets=0/0 attic=0
gpg: objcache: uids=0/0/0 chains=0,0..0 buckets=0/0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks

@julian-klode

julian-klode commented Mar 1, 2024

OK I haven't played with keyboxd yet, it's a bit new and fancy (and IMO useless), but this seems to be documented in the gpg(1) manual page under the --keyring option:

Note that if the option use-keyboxd is enabled in ‘common.conf’, no keyrings are used at all and keys are all maintained by the keyboxd process in its own database.

I'm not sure this makes a whole lot of sense for your tests to use the host configuration; when doing stuff with gpg in a program, you should usually:

  1. set up a temporary directory to act as the home directory (GNUPGHOME)
  2. pass --no-options --no-default-keyring --homedir $GNUPGHOME to gpg, probably --no-auto-check-trustdb --trust-model always too
  3. When done, run gpgconf --kill all with GNUPGHOME set and then delete the directory

See apt-key for example or I believe livecd-rootfs too

@julian-klode

I'll go patch out use-keyboxd in new installs.

@julian-klode

gnupg2 patched in https://launchpad.net/ubuntu/+source/gnupg2/2.4.4-2ubuntu9 to no longer write common.conf on fresh installs. But please ensure your test suite doesn't rely on host config and home dirs.

TheRealFalcon pushed a commit that referenced this issue Mar 13, 2024
Use ephemeral GNUPGHOME in gpg commands.
Make a gpg context manager to manage daemon and gpg tempdir lifetimes.
Bring back process shutdown via gpgconf (fallback to killing when not present)
Add relevant tests and update existing tests.
Fixes several failing tests due to keyboxd changes in Noble.

Fixes GH-4989
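
The three steps julian-klode lists above, combined with the context manager the commit message describes, as an added Python example; this is not cloud-init's code from the referenced commit. The helper names and the colon-format sample listing are assumptions constructed for illustration, and gpg and gpgconf are assumed to be on PATH when list_keyring is called.

```python
import contextlib
import os
import shutil
import subprocess
import tempfile

# Constructed sample of `gpg --with-colons` output; only the primary
# fingerprint comes from the issue, the other field values are made up.
SAMPLE_LISTING = """\
pub:-:4096:1:871920D1991BC93C:1537196506:::-:::scSC::::::23::0:
fpr:::::::::F6ECB3762474EDA9D21B7022871920D1991BC93C:
uid:-::::1537196506::::Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>::::::::::0:
sub:-:4096:1:AAAAAAAAAAAAAAAA:1537196506::::::e::::::23:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
"""


@contextlib.contextmanager
def ephemeral_gnupghome():
    """Step 1: a private, empty GNUPGHOME. Step 3: stop daemons, delete it."""
    home = tempfile.mkdtemp(prefix="gnupghome-")  # mkdtemp creates it mode 0700
    env = dict(os.environ, GNUPGHOME=home)
    try:
        yield home, env
    finally:
        # Stop any gpg-agent/keyboxd/dirmngr started for this home directory
        # before removing it; skip quietly when gpgconf is not installed.
        if shutil.which("gpgconf"):
            subprocess.run(["gpgconf", "--kill", "all"], env=env, check=False,
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        shutil.rmtree(home, ignore_errors=True)


def gpg_argv(home, keyring, *args):
    """Step 2: a gpg command line that ignores the caller's own configuration."""
    return ["gpg", "--no-options", "--no-default-keyring", "--homedir", home,
            "--no-auto-check-trustdb", "--trust-model", "always", "--batch",
            "--keyring", os.path.abspath(keyring), *args]


def primary_fingerprints(colon_listing):
    """Return the fingerprint of each primary key, skipping subkey fpr records."""
    fingerprints, after_pub = [], False
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "sub":
            after_pub = False
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            fingerprints.append(fields[9])  # field 10 holds the fingerprint
            after_pub = False
    return fingerprints


def list_keyring(keyring):
    """List primary key fingerprints in a keyring file, e.g. under trusted.gpg.d."""
    with ephemeral_gnupghome() as (home, env):
        argv = gpg_argv(home, keyring,
                        "--with-colons", "--with-fingerprint", "--list-keys")
        out = subprocess.run(argv, env=env, check=True,
                             capture_output=True, text=True).stdout
    return primary_fingerprints(out)


if __name__ == "__main__":
    print(primary_fingerprints(SAMPLE_LISTING))
```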