[buildd-tools-devel] Bug#827315: Bug#827315: sbuild: Does not work with gnupg 2.x installed in the chroot
Johannes Schauer
josch at debian.org
Wed Jun 15 16:07:32 UTC 2016
Hi,
Quoting John Paul Adrian Glaubitz (2016-06-14 23:42:45)
> I recently accidentally upgraded gnupg in my experimental chroots to
> version 2.x. This upgrade rendered the chroots unusable with sbuild,
> attempting to build a package will fail with the following error:
>
> gpg: /«BUILDDIR»/resolver-X436Nh/gpg/trustdb.gpg: trustdb created
> gpg: Warning: not using 'Sbuild Signer' as default key: No secret key
> gpg: all values passed to '--default-key' ignored
> gpg: no default secret key: No secret key
> gpg: signing failed: No secret key
> Failed to sign dummy archive Release file.
>
> Downgrading gnupg to 1.4.x resolves the problem again.
thanks a lot for reporting this! I can now reproduce this outside of sbuild in
the following way.
In a Debian unstable chroot with gnupg 1.4.20-6 I set up a new keypair and
$GNUPGHOME by issuing the following commands:
$ export GNUPGHOME=/tmp/gpg
$ mkdir /tmp/apt_archive
$ mkdir --mode=0700 /tmp/gpg
$ cat > /tmp/gpgbatch <<EOF
> Key-Type: RSA
> Key-Length: 1024
> Name-Real: Sbuild Signer
> Name-Comment: Sbuild Build Dependency Archive Key
> Name-Email: buildd-tools-devel at lists.alioth.debian.org
> Expire-Date: 0
> %secring /tmp/apt_archive/sbuild-key.sec
> %pubring /tmp/apt_archive/sbuild-key.pub
> %commit
> EOF
$ gpg --no-options --no-default-keyring --batch --gen-key /tmp/gpgbatch
I then copy /tmp/gpg and /tmp/apt_archive to a Debian unstable chroot with
experimental enabled and the gnupg package upgraded to version 2.1.12-1. I
create a dummy Release file in /tmp/apt_archive/Release and then run:
$ gpg --yes --no-default-keyring --homedir /tmp/gpg \
--secret-keyring /tmp/apt_archive/sbuild-key.sec \
--keyring /tmp/apt_archive/sbuild-key.pub \
--default-key 'Sbuild Signer' -abs --digest-algo SHA512 \
-o /tmp/apt_archive/Release.gpg /tmp/apt_archive/Release
This results in:
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/tmp/gpg/secring.gpg' to gpg-agent
gpg: migration succeeded
gpg: /tmp/gpg/trustdb.gpg: trustdb created
gpg: Warning: not using 'Sbuild Signer' as default key: No secret key
gpg: all values passed to '--default-key' ignored
gpg: no default secret key: No secret key
gpg: signing failed: No secret key
Thanks to Daniel Kahn Gillmor in #debian-gnupg, a solution that would solve
this problem and, at the same time, the problem that keys generated with gnupg
2.1.12-1 outside the chroot are not compatible with 1.4.20-6 (or earlier)
inside the chroot, would be to always use gpg --export, gpg --export-secret-keys,
and gpg --import.
I'll work on a fix which lets sbuild-update generate plain keys using the above
method and store them in /var/lib/sbuild/apt-keys under a different file name.
Then sbuild can do the right thing depending on which keys it finds in that
directory while still being compatible with the old keys.
Thanks!
cheers, josch
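The export/import approach discussed above, as an added shell example that is not sbuild's code or part of this thread: it generates an unprotected key in one GNUPGHOME, hands it over as exported key files rather than keyring files, imports those into a fresh GNUPGHOME, and signs and verifies a constructed Release file there with the same signing options sbuild uses. It assumes gnupg 2.1 or later on PATH; the e-mail address and all paths (from mktemp) are constructed.

```shell
# Added example, not sbuild's code. Assumes gnupg 2.1+ (for %no-protection).
set -eu

# Generate a key in one home, export it as plain files, import into a fresh
# home and sign there. Prints "ok" when signing and verification both succeed.
key_roundtrip() {
    work=$(mktemp -d)
    old="$work/old-home"; new="$work/new-home"; archive="$work/apt_archive"
    mkdir -m 0700 "$old" "$new"; mkdir "$archive"

    # 1. Unprotected key so that batch export/sign needs no pinentry.
    cat > "$work/gpgbatch" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Sbuild Signer
Name-Comment: Sbuild Build Dependency Archive Key
Name-Email: sbuild-signer@example.org
Expire-Date: 0
%commit
EOF
    gpg --homedir "$old" --batch --quiet --gen-key "$work/gpgbatch"

    # 2. Store exported key material, not pubring/secring keyring files.
    gpg --homedir "$old" --batch --quiet --armor \
        --export 'Sbuild Signer' > "$archive/sbuild-key.pub"
    gpg --homedir "$old" --batch --quiet --armor \
        --export-secret-keys 'Sbuild Signer' > "$archive/sbuild-key.sec"

    # 3. Import into a fresh home (this is what any gnupg version understands).
    gpg --homedir "$new" --batch --quiet --import \
        "$archive/sbuild-key.pub" "$archive/sbuild-key.sec"

    # 4. Sign a constructed Release file with sbuild's options.
    printf 'Origin: sbuild-dummy\nSuite: invalid\n' > "$archive/Release"
    gpg --homedir "$new" --batch --yes --quiet \
        --default-key 'Sbuild Signer' -abs --digest-algo SHA512 \
        -o "$archive/Release.gpg" "$archive/Release"

    # 5. Check the detached signature before anything trusts the archive.
    gpg --homedir "$new" --batch --quiet --verify \
        "$archive/Release.gpg" "$archive/Release" 2>/dev/null

    gpgconf --homedir "$old" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$new" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo ok
}
```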