[xenial] gpg 2.1+ compliance + fix decryption of journalist replies #4094
Conversation
There was a problem hiding this comment.
- All xenial app test should now pass (and after this PR is merged we will make that a required CI job)
- All trusty app tests should also still pass
- In the xenial staging environment, a source should now be able to decrypt journalist replies
- In the xenial dev environment (
BASE_OS=xenial make dev), a source should now be able to decrypt journalist replies - In the trusty dev environment (
make dev), a source should still be able to decrypt journalist replies - In the trusty staging environment, a source should still be able to decrypt journalist replies
Finally 👍 💯 🥇
@redshiftzero Though this will need a rebase.
install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2
Outdated
Show resolved
Hide resolved
|
Thanks @redshiftzero, great to see all xenial tests passing! Visual diff looks good to me. I've also done a functional upgrade test as follows:
I was able to decrypt the message ! However, I do get this in Did anyone see this error in their testing under xenial? |
|
Oh interesting, I have seen that, check out #4045. Did you only see this error once during upgrade? |
|
Yes, it only happens once: the first time a source decrypts a reply once the server was upgraded. I cannot reproduce by creating a new source (and replying to this new source), nor by rebooting. |
|
Does the upgrade do something like symlink |
|
Ah gotcha, I expect this is happening due to the private key migration done (once) when running gpg2.1 for the first time |
redshiftzero
force-pushed
the
xenial-pinentry
branch
from
d30e19d
to
33dd74c
Compare
--pinentry-mode does not exist for the default version of gpg2 on trusty (it also won't use gpg-agent, which is fine)
Issues on the gnupg mailing list seems to indicate that the pinentry option is the culprit [0] https://dev.gnupg.org/T3465 [1] https://lists.gnupg.org/pipermail/gnupg-users/2016-May/055965.html
we can just use mock to set the platform for test purposes
there are some gpg 2.1 compatibility issues with how this was written previously: namely that exporting secret keys needs to be apparently requires a passphrase [0], which isis's python-gnupg does not support [1]. this commit modifies the test to instead just assert that the file decrypts with a key in the keyring, not the specific key. [0] https://bitbucket.org/vinay.sajip/python-gnupg/commits/9e90361bfc2fc853953a64aca6a0b6bcb64981c8?at=default#Lgnupg.pyT1142 [1] https://github.com/isislovecruft/python-gnupg/blob/master/pretty_bad_protocol/gnupg.py#L423
since in the trusty dev env, there's no gpg-agent, let's make sure we don't bail out this function (pkill returns 1 if the process was not found)
redshiftzero
force-pushed
the
xenial-pinentry
branch
from
33dd74c
to
a9f5826
Compare
|
On xenial, gpg still points to gpg (v1), no symlink. I think you are right @redshiftzero . Also I did have a source set up on that server, so a migration was necessary. It doesn't seem to generate an ossec alert, so I think we should keep a close eye on the apache logs during the QA period. |
|
ok so one idea that should handle this situation (as well as validate the theory above re: this |
| @@ -97,6 +97,12 @@ case "$1" in | |||
| echo allow-loopback-pinentry > /var/lib/securedrop/keys/gpg-agent.conf | |||
| fi | |||
|
|
|||
| # Migrate private keyring to gpg2.1 if needed | |||
| if [ ! -d "/var/lib/securedrop/keys/private-keys-v1.d" ]; then | |||
There was a problem hiding this comment.
This is a good approach for the upgrade story, in future we can remove these postinst steps (after a few releases)
There was a problem hiding this comment.
We probably never can. We had instances that were pre 0.4 recently, and that release was a looooooong time ago.
There was a problem hiding this comment.
So while we have instances that had not ran their Ansible playbooks since before 0.4, the server side was up to latest. Since we can monitor what version the securedrop-app-code package is on via the source interface metadata endpoint (and soon we'll be able to monitor also the base OS via the source interface metadata endpoint), we should be able to remove this from postinst once we have everyone on xenial and post-0.12.0.
redshiftzero
changed the title
redshiftzero
force-pushed
the
xenial-pinentry
branch
from
9796519
to
a9f5826
Compare
|
OK so I tested 9796519 via the following procedure:
But 9796519 did not work: I still saw the exception, because the migration failed to work due to the fact that importing secret keys appeared to require the secret key passphrase, which we don't have (a behavior change in gpg2.1, similar to why 826aa96 was necessary). Furthermore, thinking about this a bit more, even if this did work, Since the note @emkll found won't produce an OSSEC alert (and recall source-error.log does not exist in prod), and this high-priority bug is resolved by this PR, I suggest we should merge this in as is. That said, it is still an unhandled exception, so I'm going to file a followup, and we should try another method to resolve if we have time before 0.12.0 (since the fix will be smaller than the diff in this PR, it's something we could do during QA depending on how things go). Note to reviewers: I've made no other changes since the testing was done above (I force pushed to drop 9796519), so an additional round of testing is not necessary. |
redshiftzero
changed the title
Status
Ready for review
Description of Changes
Fixes #3622
Fixes #4013
Changes proposed in this pull request:
thoughts welcome on this as I had to sidestep some API weirdness / bugs on the gpg side which I note in the commit messages
Testing
BASE_OS=xenial make dev), a source should now be able to decrypt journalist repliesmake dev), a source should still be able to decrypt journalist repliesDeployment
New installs and upgrades both will have the now required gpg-agent conf (for gpg 2.1+) written to disk via
postinstofsecuredrop-app-code. A reboot will then occur.Checklist
If you made changes to the server application code:
make ci-lint) and tests (make -C securedrop test) pass in the development containerIf you made changes to the system configuration:
If you made non-trivial code changes: