Changed ubuntu-keyring paths break upgrade to focal.

Bug #1903776 reported by Simon Poirier
Affects                      Status         Importance  Assigned to    Milestone
Landscape Client             Fix Committed  High        Simon Poirier
landscape-client (Ubuntu)    Fix Released   Medium      Unassigned
  Bionic                     Fix Released   Medium      Unassigned
  Focal                      Fix Released   Medium      Unassigned
  Groovy                     Won't Fix      Medium      Unassigned
  Hirsute                    Won't Fix      Medium      Unassigned
  Impish                     Fix Released   Medium      Unassigned
  Jammy                      Fix Released   Medium      Unassigned

Bug Description

[Impact]

 * When launching an Ubuntu release-upgrade through landscape-client, the
   upgrade-tool fails GPG verification due to the trusted apt key having
   changed location as of 18.04 LTS.

 * The proposed patch extends gpg lookup path to include all
   /etc/apt/trusted.gpg.d/*.gpg files in addition to /etc/apt/trusted.gpg
   when verifying the upgrade-tool signature.

[Test Case]

 * Install and register the landscape-client against a landscape-server
   on a series supporting an upgrade.

 * Wait for it to sync up packages.

 * On the computer packages page, there is a link at the bottom to request a
   release upgrade of that machine, if a supported version is available.

 * The upgrade fails and /var/log/landscape/release-upgrader.log will indicate
   a failed gpg verification.

[Where problems could occur]

 * One thing which has been considered in this fix is how someone could have
   worked around the issue by re-creating the old key path. The fix covers
   such a case by still reading the deprecated trusted.gpg file.

 * Although some care has been taken to only load valid gpg keys from apt
   trusted keychain, there could be unforeseen scenarios where invalid data
   gets read from the keychain. In such a case, the strict nature of gpg would
   reject the signature verification, thus being no worse than without the fix.

 * The affected callsite is used for verifying the release-upgrader code prior
   to running it. One bad thing which we could imagine with this code path is
   falsely accepting an invalid file signature, which may create a security
   issue. This would likely take the shape of injecting a gpg key, without
   having root access, in the search path.

[Other Info]

 * There is no way to directly verify this issue on 20.10 Groovy and later
   (without faking a release) due to the lack of upgrade path to a supported
   LTS. The ubuntu-keyring package having the same file layout, the same
   validation failure is however to be expected if left unpatched.

[Original description]

Since bionic, ubuntu-keyring removed `/etc/apt/trusted.gpg` in favor of `/etc/apt/trusted.gpg.d/`

This breaks signature verification for the upgrade-tool.
Trying to release-upgrade through landscape yields a failure on signature check:

2020-11-10 15:47:51,019 WARNING [MainThread] Invalid signature for upgrade-tool tarball: /usr/bin/gpg failed (out='', err='gpg: keybox '/etc/apt/trusted.gpg' created
gpg: Signature made Fri Oct 16 03:28:09 2020 UTC
gpg: using RSA key 3B4FE6ACC0B21F32
gpg: Can't check signature: No public key
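
An added example, not the landscape-client patch itself: one way to build the extended keyring lookup described above while guarding against the key-injection concern raised under "Where problems could occur". The function names, the owner/permission policy, the symlink rejection and the first-byte format check are assumptions of this example.

```python
import glob
import os
import stat

GPG = "/usr/bin/gpg"  # binary named in the log excerpt above
# First byte of an OpenPGP public-key packet (tag 6), old and new header format.
PUBKEY_HEADERS = {0x98, 0x99, 0x9A, 0x9B, 0xC6}


def is_trusted_keyring(path, trusted_uid=0):
    """True if path is a regular, owner-controlled binary OpenPGP keyring."""
    try:
        st = os.lstat(path)  # lstat: a symlink is judged as a symlink, not its target
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False  # symlinks, directories, devices
    if st.st_uid != trusted_uid or st.st_mode & 0o022:
        return False  # wrong owner, or group/world-writable
    with open(path, "rb") as fh:
        first = fh.read(1)
    # Empty files and ASCII-armored data fail this check.
    return len(first) == 1 and first[0] in PUBKEY_HEADERS


def collect_apt_keyrings(apt_dir="/etc/apt", trusted_uid=0):
    """Legacy trusted.gpg first, then trusted.gpg.d/*.gpg in sorted order."""
    candidates = [os.path.join(apt_dir, "trusted.gpg")]
    candidates += sorted(glob.glob(os.path.join(apt_dir, "trusted.gpg.d", "*.gpg")))
    return [p for p in candidates if is_trusted_keyring(p, trusted_uid)]


def build_verify_command(keyrings, signature, tarball):
    """gpg argv that checks a detached signature against the given keyrings only."""
    if not keyrings:
        raise ValueError("no usable apt keyring found; refusing to verify")
    argv = [GPG, "--no-options", "--no-default-keyring"]
    for keyring in keyrings:
        argv += ["--keyring", keyring]
    return argv + ["--verify", signature, tarball]
```

Skipping a missing or empty trusted.gpg also avoids the "keybox '/etc/apt/trusted.gpg' created" side effect seen in the log, where gpg creates the keyring file it was pointed at.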


Simon Poirier (simpoir)
Changed in landscape-client:
status: New → Confirmed
importance: Undecided → Critical
importance: Critical → High
assignee: nobody → Simon Poirier (simpoir)
Simon Poirier (simpoir)
Changed in landscape-client:
status: Confirmed → In Progress
Simon Poirier (simpoir)
Changed in landscape-client:
status: In Progress → Fix Committed
Simon Poirier (simpoir)
Changed in landscape-client (Ubuntu):
status: New → Confirmed
Changed in landscape-client (Ubuntu Hirsute):
status: Confirmed → New
Simon Poirier (simpoir)
description: updated
Simon Poirier (simpoir)
Changed in landscape-client (Ubuntu Hirsute):
assignee: nobody → Simon Poirier (simpoir)
Changed in landscape-client (Ubuntu Groovy):
assignee: nobody → Simon Poirier (simpoir)
Changed in landscape-client (Ubuntu Focal):
assignee: nobody → Simon Poirier (simpoir)
Changed in landscape-client (Ubuntu Bionic):
assignee: nobody → Simon Poirier (simpoir)
Changed in landscape-client (Ubuntu Hirsute):
status: New → In Progress
Changed in landscape-client (Ubuntu Groovy):
status: New → In Progress
Changed in landscape-client (Ubuntu Focal):
status: New → In Progress
Changed in landscape-client (Ubuntu Bionic):
status: New → In Progress
John Lewis (jlewis-johnlewis-deactivatedaccount) wrote :

The customer is asking if there's an update?

John Lewis (jlewis-johnlewis-deactivatedaccount) wrote :

Customer has asked again for a further update.

Albourne Software (asoftware) wrote :

Hi, do you have any updates?

Brian Murray (brian-murray) wrote :

The Groovy Gorilla has reached end of life, so this bug will not be fixed for that release.

Changed in landscape-client (Ubuntu Groovy):
status: In Progress → Won't Fix
Mathew Hodson (mhodson)
tags: added: dist-upgrade
Changed in landscape-client (Ubuntu Bionic):
importance: Undecided → Medium
Changed in landscape-client (Ubuntu Focal):
importance: Undecided → Medium
Changed in landscape-client (Ubuntu Groovy):
importance: Undecided → Medium
Changed in landscape-client (Ubuntu Hirsute):
importance: Undecided → Medium
Changed in landscape-client (Ubuntu Impish):
importance: Undecided → Medium
Changed in landscape-client (Ubuntu Jammy):
importance: Undecided → Medium
Simon Poirier (simpoir)
Changed in landscape-client (Ubuntu Bionic):
assignee: Simon Poirier (simpoir) → nobody
Changed in landscape-client (Ubuntu Focal):
assignee: Simon Poirier (simpoir) → nobody
Changed in landscape-client (Ubuntu Groovy):
assignee: Simon Poirier (simpoir) → nobody
Changed in landscape-client (Ubuntu Hirsute):
assignee: Simon Poirier (simpoir) → nobody
Changed in landscape-client (Ubuntu Impish):
assignee: nobody → Simon Poirier (simpoir)
Changed in landscape-client (Ubuntu Jammy):
assignee: Simon Poirier (simpoir) → nobody
Changed in landscape-client (Ubuntu Impish):
assignee: Simon Poirier (simpoir) → nobody
Andreas Hasenack (ahasenack) wrote :

Hirsute is EOL since January 2022, closing that task.

Changed in landscape-client (Ubuntu Hirsute):
status: In Progress → Won't Fix
Changed in landscape-client (Ubuntu Impish):
status: New → In Progress
Andreas Hasenack (ahasenack) wrote :

All the others were uploaded.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package landscape-client - 19.12-0ubuntu12

---------------
landscape-client (19.12-0ubuntu12) jammy; urgency=medium

  * d/p/lp1903776-release-upgrade.patch (LP: #1903776)
    - Use /etc/apt/trusted.gpg.d for validating upgrade-tool signature.

 -- Simon Poirier <email address hidden> Wed, 09 Mar 2022 11:02:22 -0500

Changed in landscape-client (Ubuntu Jammy):
status: In Progress → Fix Released
Brian Murray (brian-murray) wrote :

I'm personally curious about this statement from the bug description, given that it is possible with do-release-upgrade to perform upgrades to just about any release you want.

" * There is no way to directly verify this issue on 20.10 Groovy and later
   (without faking a release) due to the lack of upgrade path to a supported
   LTS."

How exactly does landscape-client go about determining if a release upgrade is available?

Changed in landscape-client (Ubuntu Impish):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-impish
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Simon, or anyone else affected,

Accepted landscape-client into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/landscape-client/19.12-0ubuntu10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in landscape-client (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
Brian Murray (brian-murray) wrote :

Hello Simon, or anyone else affected,

Accepted landscape-client into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/landscape-client/19.12-0ubuntu4.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in landscape-client (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Simon, or anyone else affected,

Accepted landscape-client into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/landscape-client/18.01-0ubuntu3.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Simon Poirier (simpoir) wrote :

Verified landscape-client 18.01-0ubuntu3.6 on bionic by updating to the bionic-proposed package.

I registered a new LXD container client on a SaaS account, triggered a release upgrade. The upgrade tool downloaded, validated, launched and the landscape activity completed successfully.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Simon Poirier (simpoir) wrote :

I verified landscape-client 19.12-0ubuntu4.3 from focal-proposed.
I used landscape-server-quickstart from ppa:landscape/19.10 and registered the proposed client against it.
Then I had to enable the upcoming upgrade tool to the server:

# sudo -u landscape psql landscape-standalone-main -c "insert into meta_release (code_name, name, version, date, supported, upgrade_tool_tarball_url, upgrade_tool_signature_url, lts) VALUES ('jammy', 'Jammy Jellyfish', '22.04 LTS', now(), 't', 'http://archive.ubuntu.com/ubuntu/dists/jammy/main/dist-upgrader-all/current/jammy.tar.gz', 'http://archive.ubuntu.com/ubuntu/dists/jammy/main/dist-upgrader-all/current/jammy.tar.gz.gpg', 't')"
# sudo -u landscape psql landscape-standalone-main -c "update meta_release set upgrade_id=(select id from meta_release where code_name='jammy') where code_name in ('focal', 'impish')"

Launching the release upgrade activity from the web UI, the client machine was able to download and validate the upgrade tool and upgraded to jammy successfully.

Simon Poirier (simpoir) wrote :

I also verified landscape-client 19.12-0ubuntu10.1 from impish-proposed.
I used the same landscape-server-quickstart from ppa:landscape/19.10 as previously, with the same database query to enable upgrading.

Again, upgrade tool downloaded and validated successfully on the proposed version, with the upgrade successful and the logs confirming the success:

# tail -f /var/log/landscape/release-upgrader.log
2022-03-29 19:58:48,927 DEBUG [MainThread] Started firing run.
2022-03-29 19:58:48,927 DEBUG [MainThread] Finished firing run.
2022-03-29 19:58:49,793 INFO [MainThread] Successfully fetched upgrade-tool files
2022-03-29 19:58:49,817 INFO [MainThread] Successfully verified upgrade-tool tarball
2022-03-29 20:09:34,616 INFO [MainThread] Queuing message with release upgrade results to exchange urgently.
2022-03-29 20:09:35,028 DEBUG [MainThread] Started firing stop.
2022-03-29 20:09:35,028 DEBUG [MainThread] Finished firing stop.

tags: added: verification-done verification-done-focal verification-done-impish
removed: verification-needed verification-needed-focal verification-needed-impish
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package landscape-client - 19.12-0ubuntu10.1

---------------
landscape-client (19.12-0ubuntu10.1) impish; urgency=medium

  * d/p/0006-lp1903776-release-upgrade.patch (LP: #1903776)
    - Use /etc/apt/trusted.gpg.d for validating upgrade-tool signature.

 -- Simon Poirier <email address hidden> Thu, 10 Feb 2022 18:46:26 -0500

Changed in landscape-client (Ubuntu Impish):
status: Fix Committed → Fix Released
Robie Basak (racb) wrote : Update Released

The verification of the Stable Release Update for landscape-client has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package landscape-client - 19.12-0ubuntu4.3

---------------
landscape-client (19.12-0ubuntu4.3) focal; urgency=medium

  * d/p/0004-lp1903776-release-upgrade.patch (LP: #1903776)
    - Use /etc/apt/trusted.gpg.d for validating upgrade-tool signature.

 -- Simon Poirier <email address hidden> Mon, 14 Feb 2022 18:56:31 -0500

Changed in landscape-client (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package landscape-client - 18.01-0ubuntu3.6

---------------
landscape-client (18.01-0ubuntu3.6) bionic; urgency=medium

  * d/p/1903776-release-upgrade.patch (LP: #1903776)
    - Use /etc/apt/trusted.gpg.d for validating upgrade-tool signature.

 -- Simon Poirier <email address hidden> Tue, 17 Nov 2020 19:06:42 -0500

Changed in landscape-client (Ubuntu Bionic):
status: Fix Committed → Fix Released