Autopkgtest/build fails, because example gpg key is expired

Bug #2013081 reported by Dominik Viererbe
This bug affects 2 people
Affects                 Status         Importance  Assigned to       Milestone
simplestreams (Ubuntu)  Fix Released   Undecided   Dominik Viererbe
Bionic                  Won't Fix      Undecided   Unassigned
Focal                   Fix Committed  Undecided   Unassigned
Jammy                   Fix Committed  Undecided   Unassigned
Kinetic                 Won't Fix      Undecided   Unassigned

Bug Description

[Impact]

Simplestreams package fails to build on Bionic, Focal and Jammy.
That issue is caused by the expired test gpg keys.
The fix is to generate new keys to avoid this problem.

[Test Plan]

Type in:

1. git ubuntu clone simplestreams
2. pull-lp-source -d simplestreams <release-name>
3. cd simplestreams
4. git checkout ubuntu/<release-name>-devel
5. dpkg-buildpackage -S -I -i -nc -d -uc -us
6. cd ..
7. sbuild -d <release-name>-amd64 simplestreams_<version>.dsc

*where <release-name> equals bionic, focal and jammy

Example of failed output:

make[1]: Entering directory '/build/simplestreams-83uOzI/simplestreams-0.1.0~bzr460'
./tools/create-gpgdir
creating GNUPGHOME dir in /build/simplestreams-83uOzI/simplestreams-0.1.0~bzr460/gnupg.
  pubkey '/build/simplestreams-83uOzI/simplestreams-0.1.0~bzr460/examples/keys/example.pub'
  secret '/build/simplestreams-83uOzI/simplestreams-0.1.0~bzr460/examples/keys/example.sec'
  pubkeys: /build/simplestreams-83uOzI/simplestreams-0.1.0~bzr460/examples/keys/example.pub
imported secret key /build/simplestreams-83uOzI/simplestreams-0.1.0~bzr460/examples/keys/example.sec
imported pubkey /build/simplestreams-83uOzI/simplestreams-0.1.0~bzr460/examples/keys/example.pub
./tools/tenv ./tools/sign-examples
Traceback (most recent call last):
  File "/build/simplestreams-83uOzI/simplestreams-0.1.0~bzr460/tools/js2signed", line 53, in <module>
    main()
  File "/build/simplestreams-83uOzI/simplestreams-0.1.0~bzr460/tools/js2signed", line 41, in main
    signjson_file(path, force=force)
  File "/build/simplestreams-83uOzI/simplestreams-0.1.0~bzr460/tools/sign_helper.py", line 25, in signjson_file
    util.sign_file(fname, inline=False)
  File "/build/simplestreams-83uOzI/simplestreams-0.1.0~bzr460/simplestreams/util.py", line 546, in sign_file
    return subp(get_sign_cmd(path=fname, output=outfile, inline=inline))[0]
  File "/build/simplestreams-83uOzI/simplestreams-0.1.0~bzr460/simplestreams/util.py", line 458, in subp
    raise subprocess.CalledProcessError(rc, args, output=(out, err))
subprocess.CalledProcessError: Command '['gpg', '--batch', '--output', '/build/simplestreams-83uOzI/simplestreams-0.1.0~bzr460/examples/cirros/streams/v1/index.json.gpg', '--armor', '--detach-sign', '/build/simplestreams-83uOzI/simplestreams-0.1.0~bzr460/examples/cirros/streams/v1/index.json']' returned non-zero exit status 2
Makefile:39: recipe for target 'examples-sign' failed
make[1]: *** [examples-sign] Error 1
make[1]: Leaving directory '/build/simplestreams-83uOzI/simplestreams-0.1.0~bzr460'
dh_auto_test: make -j1 test returned exit code 2
debian/rules:7: recipe for target 'build' failed
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
--------------------------------------------------------------------------------

Example of successful output:

The package builds without any issues.

[Where problems could occur]

The regression possibilities here are really low.
It is unlikely but possible that users could hardcode valid gpg keys into a file. In that case if the same user wants to install simplestreams, there is a high risk that a warning message will appear and there is a necessity to unify the keys by removing it and installing the package again.

---------------------original bug description-----------------------------

Running the autopkgtest fails to build the package. During the build process the example gpg key (examples/keys/example.pub and examples/keys/example.sec) gets imported. When the example key is used to test the package during build time, the build fails because gpg fails to sign something with the expired gpg key.

How to verify:
1. Checkout the source tree
2. import examples/keys/example.pub with gpg --import examples/keys/example.pub
3. see details about key: gpg --list-keys 198E8D3C27227898CB4D413CA9714A203967536E

Should display something like this:
pub rsa1024 2013-02-26 [SCEA] [expired: 2023-02-24]
      198E8D3C27227898CB4D413CA9714A203967536E
uid [ expired] Simple Streams Test User (Test Usage Only. Do Not Import.) <email address hidden>

4. Note that the key expired on 24.02.2023
5. (optional) remove key: gpg --delete-keys 198E8D3C27227898CB4D413CA9714A203967536E

How to fix this:
Generate a new key upstream or do the key generation dynamically to avoid this problem entirely.
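
The check from "How to verify" can run before the signing step so that an expired fixture key is reported by name instead of as a bare gpg exit status 2. The following is an added example, not part of the original report or of simplestreams: it classifies primary keys from `gpg --with-colons --list-keys` output; the function names and the sample listing are constructed here, and only the fingerprint and the two dates come from the report.

```python
from datetime import datetime, timedelta, timezone

def _when(field):
    """Colon-listing timestamps are epoch seconds, ISO 8601 basic form, or empty."""
    if not field:
        return None  # an empty expiry field means the key never expires
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def key_expiry_report(colons, now, warn_days=90):
    """Map primary-key fingerprint -> (status, expiry) for a colon-format key listing."""
    report, expiry, await_fpr = {}, None, False
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec"):         # primary key record, field 7 is the expiry
            expiry, await_fpr = _when(f[6]), True
        elif f[0] in ("sub", "ssb"):       # fingerprints of subkeys are skipped
            await_fpr = False
        elif f[0] == "fpr" and await_fpr:  # field 10 is the preceding key's fingerprint
            if expiry is None:
                status = "no-expiry"
            elif expiry <= now:
                status = "expired"
            elif expiry - now <= timedelta(days=warn_days):
                status = "expiring"
            else:
                status = "ok"
            report[f[9]] = (status, expiry)
            await_fpr = False
    return report

def _epoch(y, m, d):
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

PAGE_FPR = "198E8D3C27227898CB4D413CA9714A203967536E"  # fingerprint from the bug report
FRESH_FPR = "0" * 40                                    # placeholder, not a real key
# Constructed listing: dates follow the report, times of day are assumed midnight UTC.
SAMPLE = "\n".join([
    f"pub:e:1024:1:{PAGE_FPR[-16:]}:{_epoch(2013, 2, 26)}:{_epoch(2023, 2, 24)}::-:::scea:",
    f"fpr:::::::::{PAGE_FPR}:",
    "uid:e::::::::Simple Streams Test User (Test Usage Only. Do Not Import.):",
    f"pub:u:3072:1:{FRESH_FPR[-16:]}:{_epoch(2023, 6, 1)}:::-:::sc:",
    f"fpr:::::::::{FRESH_FPR}:",
])

if __name__ == "__main__":
    build_time = datetime(2023, 6, 12, tzinfo=timezone.utc)  # date in the failed build log
    for fpr, (status, expiry) in key_expiry_report(SAMPLE, build_time).items():
        print(fpr, status, expiry)
```

A key generated without an expiry date, or generated at build time, reports as "no-expiry" and cannot fail this way.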

Changed in simplestreams (Ubuntu):
assignee: nobody → Dominik Viererbe (dviererbe)
status: New → In Progress
Changed in simplestreams (Ubuntu):
status: In Progress → Fix Committed
Christian Ehrhardt  (paelzer) wrote :

Your changelog missed a bug reference, this is actually released

 simplestreams | 0.1.0-48-gb936edd4-0ubuntu2 | lunar/universe | all
 simplestreams | 0.1.0-48-gb936edd4-0ubuntu2 | mantic/universe | all

Changed in simplestreams (Ubuntu):
status: Fix Committed → Fix Released
Christian Ehrhardt  (paelzer) wrote :

Michal has found the same,
he will work on pushing the fix to block-proposed for Focal and Jammy to not hit anyone else again in the future.

Furthermore he will need it to fix 1870360 in Bionic.

For Kinetic, since this is just a quality of life for potential future updates I think we can ignore, it just has a few weeks of support left.
Setting won't fix

Changed in simplestreams (Ubuntu Kinetic):
status: New → Won't Fix
Changed in simplestreams (Ubuntu Jammy):
status: New → Triaged
Changed in simplestreams (Ubuntu Focal):
status: New → Triaged
Changed in simplestreams (Ubuntu Bionic):
status: New → Triaged
assignee: nobody → Michał Małoszewski (michal-maloszewski99)
Changed in simplestreams (Ubuntu Focal):
assignee: nobody → Michał Małoszewski (michal-maloszewski99)
Changed in simplestreams (Ubuntu Jammy):
assignee: nobody → Michał Małoszewski (michal-maloszewski99)
Changed in simplestreams (Ubuntu Bionic):
status: Triaged → In Progress
Changed in simplestreams (Ubuntu Focal):
status: Triaged → In Progress
Changed in simplestreams (Ubuntu Jammy):
status: Triaged → In Progress
description: updated
description: updated
tags: added: server-todo
description: updated
description: updated
description: updated
description: updated
description: updated
Steve Langasek (vorlon) wrote :

As this is an autopkgtest-only fix, I am marking this bug block-proposed.

tags: added: block-proposed-jammy
Changed in simplestreams (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Dominik, or anyone else affected,

Accepted simplestreams into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/simplestreams/0.1.0-48-gb936edd4-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in simplestreams (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
Steve Langasek (vorlon) wrote :

Hello Dominik, or anyone else affected,

Accepted simplestreams into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/simplestreams/0.1.0-30-g3cc8988a-0ubuntu1.20.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: block-proposed-focal
removed: verification-needed-focal
Michał Małoszewski (michal-maloszewski99) wrote :

The fix works, both 0.1.0-48-gb936edd4-0ubuntu1.1 and 0.1.0-30-g3cc8988a-0ubuntu1.20.04.2 fix the bug.

Jammy:

I followed the same steps (1:1) on my local machine, which are described in the SRU template above, but previously, after installing a simplestreams package I typed in:

$ apt policy simplestreams

The output:

simplestreams:
  Installed: 0.1.0-48-gb936edd4-0ubuntu1
  Candidate: 0.1.0-48-gb936edd4-0ubuntu1
  Version table:
 *** 0.1.0-48-gb936edd4-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status

After following the steps, I've noticed that nothing has changed there, so the problem still existed:

make[1]: Entering directory '/<<PKGBUILDDIR>>'
./tools/create-gpgdir
creating GNUPGHOME dir in /<<PKGBUILDDIR>>/gnupg.
  pubkey '/<<PKGBUILDDIR>>/examples/keys/example.pub'
  secret '/<<PKGBUILDDIR>>/examples/keys/example.sec'
  pubkeys: /<<PKGBUILDDIR>>/examples/keys/example.pub
imported secret key /<<PKGBUILDDIR>>/examples/keys/example.sec
imported pubkey /<<PKGBUILDDIR>>/examples/keys/example.pub
./tools/tenv ./tools/sign-examples
Traceback (most recent call last):
  File "/<<PKGBUILDDIR>>/tools/js2signed", line 53, in <module>
    main()
  File "/<<PKGBUILDDIR>>/tools/js2signed", line 41, in main
    signjson_file(path, force=force)
  File "/<<PKGBUILDDIR>>/tools/sign_helper.py", line 25, in signjson_file
    util.sign_file(fname, inline=False)
  File "/<<PKGBUILDDIR>>/simplestreams/util.py", line 546, in sign_file
    return subp(get_sign_cmd(path=fname, output=outfile, inline=inline))[0]
  File "/<<PKGBUILDDIR>>/simplestreams/util.py", line 458, in subp
    raise subprocess.CalledProcessError(rc, args, output=(out, err))
subprocess.CalledProcessError: Command '['gpg', '--batch', '--output', '/<<PKGBUILDDIR>>/examples/cirros/streams/v1/index.json.gpg', '--armor', '--detach-sign', '/<<PKGBUILDDIR>>/examples/cirros/streams/v1/index.json']' returned non-zero exit status 2
Makefile:39: recipe for target 'examples-sign' failed
make[1]: *** [examples-sign] Error 1
make[1]: Leaving directory '/<<PKGBUILDDIR>>'
dh_auto_test: make -j1 test returned exit code 2
debian/rules:7: recipe for target 'build' failed
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
--------------------------------------------------------------------------------
Build finished at 2023-06-12T14:50:16Z

Finished
--------

+------------------------------------------------------------------------------+
| Cleanup |
+------------------------------------------------------------------------------+

Purging /<<BUILDDIR>>
Not cleaning session: cloned chroot in use
E: Build failure (dpkg-buildpackage died)

Then I've upgraded simplestreams using:
$ apt install simplestreams=0.1.0-48-gb936edd4-0ubuntu1.1

Later I've typed in:

$ apt policy simplestreams

simplestreams:
  Installed: 0.1.0-48-gb936edd4-0ubuntu1.1
  Candidate: 0.1.0-48-gb936edd4-0ubuntu1.1
  Version table:
 *** 0.1.0-48-gb936edd4-0ubuntu1.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 ...


tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Christian Ehrhardt  (paelzer) wrote :

> FYI: The same steps were performed for Focal - the fix there works as well.

Setting tag accordingly

tags: added: verification-done-focal
Changed in simplestreams (Ubuntu Bionic):
status: In Progress → Won't Fix
Michał Małoszewski (michal-maloszewski99) wrote :

The fix provided for Jammy and Focal works, we only wanted to get it to -proposed for the next person to not stumble over it again. So all we can do as of today is done.

Bionic status is set to "Won't Fix" because it is entering ESM and this change won’t land in -updated anyway.

Changed in simplestreams (Ubuntu Bionic):
assignee: Michał Małoszewski (michal-maloszewski99) → nobody
Changed in simplestreams (Ubuntu Focal):
assignee: Michał Małoszewski (michal-maloszewski99) → nobody
Changed in simplestreams (Ubuntu Jammy):
assignee: Michał Małoszewski (michal-maloszewski99) → nobody
tags: removed: server-todo verification-done-focal
tags: added: verification-done-focal