GPG key verification failed

[christopherhan]

I updated to version 1.3.1 of the playbook, but I am still receiving this error within Vagrant. Seems the "Import GPG keys" task is not running

TASK: [rvm_io.rvm1-ruby | Detect rvm binary] ********************************** 
<127.0.0.1> ESTABLISH CONNECTION FOR USER: vagrant
<127.0.0.1> REMOTE_MODULE stat path='/usr/local/lib/rvm/bin/rvm'
<127.0.0.1> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/Users/chris/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'StrictHostKeyChecking=no', '-o', 'Port=2222', '-o', 'IdentityFile="/Users/chris/.vagrant.d/insecure_private_key"', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=vagrant', '-o', 'ConnectTimeout=10', '127.0.0.1', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1414596922.64-192939194049360 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1414596922.64-192939194049360 && echo $HOME/.ansible/tmp/ansible-tmp-1414596922.64-192939194049360'"]
<127.0.0.1> PUT /var/folders/qg/v9l_c749323g9fkrhz23hsq00000gq/T/tmpi2UW2q TO /home/vagrant/.ansible/tmp/ansible-tmp-1414596922.64-192939194049360/stat
<127.0.0.1> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/Users/chris/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'StrictHostKeyChecking=no', '-o', 'Port=2222', '-o', 'IdentityFile="/Users/chris/.vagrant.d/insecure_private_key"', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=vagrant', '-o', 'ConnectTimeout=10', '127.0.0.1', u'/bin/sh -c \'sudo -k && sudo -H -S -p "[sudo via ansible, key=plbuzbhbuemsbnfdacphmadcacuusinc] password: " -u root /bin/sh -c \'"\'"\'echo SUDO-SUCCESS-plbuzbhbuemsbnfdacphmadcacuusinc; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1414596922.64-192939194049360/stat; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1414596922.64-192939194049360/ >/dev/null 2>&1\'"\'"\'\'']
ok: [default] => {"changed": false, "stat": {"atime": 1414595175.9339015, "ctime": 1414101162.8497639, "dev": 2049, "exists": true, "gid": 1002, "inode": 140552, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "md5": "7b6ffc8b7d9e610d1600119e979c6c39", "mode": "0775", "mtime": 1414101156.414548, "nlink": 1, "pw_name": "root", "rgrp": true, "roth": true, "rusr": true, "size": 1440, "uid": 0, "wgrp": true, "woth": false, "wusr": true, "xgrp": true, "xoth": true, "xusr": true}}

TASK: [rvm_io.rvm1-ruby | Detect rvm installer] ******************************* 
<127.0.0.1> ESTABLISH CONNECTION FOR USER: vagrant
<127.0.0.1> REMOTE_MODULE stat path='/tmp/rvm-installer.sh'
<127.0.0.1> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/Users/chris/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'StrictHostKeyChecking=no', '-o', 'Port=2222', '-o', 'IdentityFile="/Users/chris/.vagrant.d/insecure_private_key"', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=vagrant', '-o', 'ConnectTimeout=10', '127.0.0.1', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1414596922.8-80742544660849 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1414596922.8-80742544660849 && echo $HOME/.ansible/tmp/ansible-tmp-1414596922.8-80742544660849'"]
<127.0.0.1> PUT /var/folders/qg/v9l_c749323g9fkrhz23hsq00000gq/T/tmpXAytxY TO /home/vagrant/.ansible/tmp/ansible-tmp-1414596922.8-80742544660849/stat
<127.0.0.1> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/Users/chris/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'StrictHostKeyChecking=no', '-o', 'Port=2222', '-o', 'IdentityFile="/Users/chris/.vagrant.d/insecure_private_key"', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=vagrant', '-o', 'ConnectTimeout=10', '127.0.0.1', u'/bin/sh -c \'sudo -k && sudo -H -S -p "[sudo via ansible, key=enuddnbogvorzdffxmoxzugveamhauls] password: " -u root /bin/sh -c \'"\'"\'echo SUDO-SUCCESS-enuddnbogvorzdffxmoxzugveamhauls; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1414596922.8-80742544660849/stat; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1414596922.8-80742544660849/ >/dev/null 2>&1\'"\'"\'\'']
ok: [default] => {"changed": false, "stat": {"atime": 1414595353.0719852, "ctime": 1414595182.0689678, "dev": 2049, "exists": true, "gid": 0, "inode": 58191, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "md5": "ca657837bd4ededb7eb4ee10ce0b2802", "mode": "0644", "mtime": 1414595182.0689678, "nlink": 1, "pw_name": "root", "rgrp": true, "roth": true, "rusr": true, "size": 22371, "uid": 0, "wgrp": false, "woth": false, "wusr": true, "xgrp": false, "xoth": false, "xusr": false}}

TASK: [rvm_io.rvm1-ruby | Detect current rvm version] ************************* 
<127.0.0.1> ESTABLISH CONNECTION FOR USER: vagrant
<127.0.0.1> REMOTE_MODULE command /usr/local/lib/rvm/bin/rvm version
<127.0.0.1> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/Users/chris/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'StrictHostKeyChecking=no', '-o', 'Port=2222', '-o', 'IdentityFile="/Users/chris/.vagrant.d/insecure_private_key"', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=vagrant', '-o', 'ConnectTimeout=10', '127.0.0.1', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1414596922.93-117344882954281 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1414596922.93-117344882954281 && echo $HOME/.ansible/tmp/ansible-tmp-1414596922.93-117344882954281'"]
<127.0.0.1> PUT /var/folders/qg/v9l_c749323g9fkrhz23hsq00000gq/T/tmpYm6tqy TO /home/vagrant/.ansible/tmp/ansible-tmp-1414596922.93-117344882954281/command
<127.0.0.1> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/Users/chris/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'StrictHostKeyChecking=no', '-o', 'Port=2222', '-o', 'IdentityFile="/Users/chris/.vagrant.d/insecure_private_key"', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=vagrant', '-o', 'ConnectTimeout=10', '127.0.0.1', u'/bin/sh -c \'sudo -k && sudo -H -S -p "[sudo via ansible, key=dntiwpiutfoemkaovczerwjamzuarbfo] password: " -u root /bin/sh -c \'"\'"\'echo SUDO-SUCCESS-dntiwpiutfoemkaovczerwjamzuarbfo; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1414596922.93-117344882954281/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1414596922.93-117344882954281/ >/dev/null 2>&1\'"\'"\'\'']
ok: [default] => {"changed": false, "cmd": ["/usr/local/lib/rvm/bin/rvm", "version"], "delta": "0:00:00.158156", "end": "2014-10-29 15:33:20.543296", "rc": 0, "start": "2014-10-29 15:33:20.385140", "stderr": "", "stdout": "rvm 1.25.34 (latest) by Wayne E. Seguin <wayneeseguin@gmail.com>, Michal Papis <mpapis@gmail.com> [https://rvm.io/]", "stdout_lines": ["rvm 1.25.34 (latest) by Wayne E. Seguin <wayneeseguin@gmail.com>, Michal Papis <mpapis@gmail.com> [https://rvm.io/]"]}

TASK: [rvm_io.rvm1-ruby | Install rvm installer] ****************************** 
skipping: [default]

TASK: [rvm_io.rvm1-ruby | Configure rvm installer] **************************** 
skipping: [default]

TASK: [rvm_io.rvm1-ruby | Import GPG keys] ************************************ 
skipping: [default]

TASK: [rvm_io.rvm1-ruby | Install rvm] **************************************** 
skipping: [default]

TASK: [rvm_io.rvm1-ruby | Update rvm] ***************************************** 
<127.0.0.1> ESTABLISH CONNECTION FOR USER: vagrant
<127.0.0.1> REMOTE_MODULE command /usr/local/lib/rvm/bin/rvm get stable && /usr/local/lib/rvm/bin/rvm reload #USE_SHELL
<127.0.0.1> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/Users/chris/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'StrictHostKeyChecking=no', '-o', 'Port=2222', '-o', 'IdentityFile="/Users/chris/.vagrant.d/insecure_private_key"', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=vagrant', '-o', 'ConnectTimeout=10', '127.0.0.1', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1414596923.32-77930937418586 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1414596923.32-77930937418586 && echo $HOME/.ansible/tmp/ansible-tmp-1414596923.32-77930937418586'"]
<127.0.0.1> PUT /var/folders/qg/v9l_c749323g9fkrhz23hsq00000gq/T/tmpR2UAZM TO /home/vagrant/.ansible/tmp/ansible-tmp-1414596923.32-77930937418586/command
<127.0.0.1> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/Users/chris/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'StrictHostKeyChecking=no', '-o', 'Port=2222', '-o', 'IdentityFile="/Users/chris/.vagrant.d/insecure_private_key"', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=vagrant', '-o', 'ConnectTimeout=10', '127.0.0.1', u'/bin/sh -c \'sudo -k && sudo -H -S -p "[sudo via ansible, key=teprlezjwpgbjhqiwyytjaxfwnislawa] password: " -u root /bin/sh -c \'"\'"\'echo SUDO-SUCCESS-teprlezjwpgbjhqiwyytjaxfwnislawa; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1414596923.32-77930937418586/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1414596923.32-77930937418586/ >/dev/null 2>&1\'"\'"\'\'']
````failed: [default] => {"changed": false, "cmd": "/usr/local/lib/rvm/bin/rvm get stable && /usr/local/lib/rvm/bin/rvm reload", "delta": "0:01:11.675976", "end": "2014-10-29 15:34:33.953772", "rc": 2, "start": "2014-10-29 15:33:22.277796"}
stderr: gpg: Signature made Wed 29 Oct 2014 12:52:06 PM UTC using RSA key ID BF04FF17
gpg: Can't check signature: public key not found
gpg: Signature made Wed 29 Oct 2014 12:52:06 PM UTC using RSA key ID BF04FF17
gpg: Can't check signature: public key not found
Could not update RVM, get some help at #rvm IRC channel at freenode servers.
stdout: Downloading https://get.rvm.io
Downloading https://github.com/wayneeseguin/rvm/archive/1.26.0.tar.gz
Downloading https://github.com/wayneeseguin/rvm/releases/download/1.26.0/1.26.0.tar.gz.asc
GPG signature verification failed for '/usr/local/lib/rvm/archives/rvm-1.26.0.tgz' - 'https://github.com/wayneeseguin/rvm/releases/download/1.26.0/1.26.0.tar.gz.asc'!
try downloading the signatures:

    gpg --keyserver hkp://keys.gnupg.net --recv-keys D39DC0E3

they can be compared with:

    https://rvm.io/mpapis.asc
    https://keybase.io/mpapis

Downloading https://bitbucket.org/mpapis/rvm/get/1.26.0.tar.gz
Downloading https://github.com/wayneeseguin/rvm/releases/download/1.26.0/1.26.0.tar.gz.asc
GPG signature verification failed for '/usr/local/lib/rvm/archives/rvm-1.26.0.tgz' - 'https://github.com/wayneeseguin/rvm/releases/download/1.26.0/1.26.0.tar.gz.asc'!
try downloading the signatures:

    gpg --keyserver hkp://keys.gnupg.net --recv-keys D39DC0E3

they can be compared with:

    https://rvm.io/mpapis.asc
    https://keybase.io/mpapis

FATAL: all hosts have already failed -- aborting

PLAY RECAP ******************************************************************** 
           to retry, use: --limit @/Users/chris/site.retry

default                    : ok=17   changed=4    unreachable=0    failed=1   

Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

[nickjj]

It's skipping because you probably have rvm already installed. Right now the task is only set to run when rvm has not been detected so it doesn't keep trying to verify the key on every run.

For now you have 3 options:

1. Run an adhoc command with ansible to run gpg --keyserver hkp://keys.gnupg.net --recv-keys D39DC0E3
2. SSH into the box manually and run gpg --keyserver hkp://keys.gnupg.net --recv-keys D39DC0E3
3. Destroy rvm and let the role re-install it

[imendi]

Im having the same issue and none of the 3 options worked out.

[mpapis]

@IgnacioM try running on the box:

curl -#LO https://rvm.io/mpapis.asc && gpg --import mpapis.asc

[glebpom]

+1 It made this recipe unusable for me. It fails to work after the initial run.

[mpapis]

@nickjj maybe remove the restrain to update keys only when installing?

[fiddur]

I have the same issue.

Logging into the box and running the failed command manually works without problem: "/usr/local/lib/rvm/bin/rvm get stable && /usr/local/lib/rvm/bin/rvm reload"

Checking with gpg, the key is where it should be.

Trying to reproduce it more closely to what the output suggests but without ansible command python:

ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/home/liljegren/.ansible/cp/ansible-ssh-%h-%p-%r -o StrictHostKeyChecking=no -o Port=2222 -o IdentityFile="/home/liljegren/.vagrant.d/insecure_private_key" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=vagrant -o ConnectTimeout=10 127.0.0.1
sudo -k
sudo -i -S -p "[sudo via ansible, key=nhobfrhvarpwhlhgbrqpzjlsotxlkhwv] password: " -u root
/bin/sh
echo SUDO-SUCCESS-nhobfrhvarpwhlhgbrqpzjlsotxlkhwv
LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/local/lib/rvm/bin/rvm get stable && /usr/local/lib/rvm/bin/rvm reload

That works well, and after this the "Update rvm" works as well...

Otherwise, the solution right now seems to be to set the option:

rvm1_rvm_check_for_updates: false

[nickjj]

@mpapis If I remove that then it's going to run on every run hmm. Your recommendation should work but I really wonder what the root cause is. Is there anything patched into rvm itself that could cause a conflict?

I'd be curious how you guys are removing rvm to let the role re-install rvm so the newest version is in place. It passes on Travis with a fresh install.

@fiddur The exact situation happening here is:

1. get stable && reload will now fail because rvm requires verifying a gpg signature before it can modify your system.
2. The signature will not get imported when rvm is already installed. It verifies the installation of rvm by running rvm version. If it finds something in stdout then it assumes rvm is installed and skips.
3. The command that updates rvm (get stable && reload) only runs when rvm is installed and the check for updates flag is set to true. When you set that flag to false, the task skips out and rvm never tries to update itself.

I'm really really surprised that running gpg --keyserver hkp://keys.gnupg.net --recv-keys D39DC0E3 on the server before trying to run the rvm role doesn't fix it.

[mpapis]

it should be run when you install or update rvm, not just on first install

[nickjj]

Ok, that changes everything then. Since the code base was modified to run get && reload all the time then the gpg check needs to happen. I'll implement your suggestion and push a new build soon.

I thought it only needed to happen once and then it was in your chain for the life of the machine.

[mpapis]

indeed I thought this way too, but if you have older RVM and try to rerun then your 1) do not have the key and 2) RVM needs the key to verify signatures

[nickjj]

v1.3.2 is up with the fix that runs the import on every run.

If someone can verify it works for them that would be great, I'll close the ticket after we get 1 verification.

Edit:
Well, I jumped the gun on that release, now it's failing on travis.

[wcleveland]

v.1.3.2 failed with:
fatal: [default] => error while evaluating conditional: D39DC0E3

I was able to fix this by changing line 32 of rvm.yml to:
when: rvm1_gpg_keys is defined

[a-chernykh]

I am getting the same error as @wcleveland got. Downgrading to 1.3.1 helps.

[nickjj]

If you do is defined then it will always run even when empty. It seems when conditions in ansible are a bit strange. We should do: rvm1_gpg_keys != '' to check for anything but an empty string.

It still fails tho.

[wcleveland]

You may want to change line 32 of rvm.yml to:
when: rvm1_gpg_keys is defined and rvm1_gpg_keys != ''

This will take care of both the undefined condition and the empty string. Since "and" short circuits on a false condition, the empty string conditional will not cause an exception.

I tested the change by commenting out the initial value in default/main.yml to force an undefined condition and later set the key value to '' and empty (ie. "rvm1_gpg_keys: ") to test the defined but empty condition.

[nickjj]

@wcleveland Yeah that would be fine. I tend not to bother with is defined checks because I always define them in my defaults.

What happens when you re-run the role? I noticed it was failing on travis when it does an idempotency check. I just haven't had a chance to really look into the cause yet.

[mrcrilly]

@wcleveland and I have both come to the same conclusion here: line 32 is wrong in the role downloaded from Ansible Galaxy, but the code base here is fine. You need to re-sync this repository with Ansible Galaxy to resolve this issue, @nickjj

[mrcrilly]

As a second comment to this, after some thought, you could (should?) be using default values here, such as:

- name: Import GPG keys
  command: 'gpg --keyserver {{ rvm1_gpg_key_server | default("hkp://keys.gnupg.net") }} --recv-keys {{ rvm1_gpg_keys | default("D39DC0E3") }}'
  changed_when: False
  when: rvm1_gpg_keys != ''

This is instead of relaying on the defaults/main.yml file being in place. It also allows you to remove the 'when:' clause entirely.

[nickjj]

Hmm, what's on master now failed on Travis last week but I did finally get a chance to set it up locally and it's passing on Debian. I guess it was just a fluke fail because it only failed when re-running the role in hopes to get 0 changes. Maybe a new version of rvm was pushed in between test runs.

It's all passing now, v1.3.3 was released which is back to working and it's on the Galaxy.

@mrcrilly The defaults/main.yml should always be in place unless you forked the role and decided to remove it. Part of the reason for that file existing is so that you don't have to spread default variables around in different areas of your role.

Thanks for the feedback guys, this issue should be buried.

[elocnatsirt]

I'm still having this issue on a clean box that doesn't have RVM installed or ruby installed at all. I manually pulled down the keys running the gpg --keyserver hkp://keys.gnupg.net --recv-keys D39DC0E3 commands for both root and my other user. I get this:

gpg: requesting key D39DC0E3 from hkp server keys.gnupg.net
gpg: key D39DC0E3: "Michal Papis (RVM signing) mpapis@gmail.com" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

This is on a clean server. Another server I already have this installed on works fine - I can rerun the role and it goes through and checks okay, I can also run the command and it gives the output above.