Importer service fails to start due to missing public key

Bug #1801725 reported by Robie Basak
Affects: git-ubuntu
Status: Fix Released
Importance: Critical
Assigned to: Unassigned

Bug Description

The git-ubuntu importer service won't restart because it is running on Xenial and using the ubuntu-keyring package, and the archive now has a signature for which it doesn't have a public key.

http://archive.ubuntu.com/ubuntu/dists/disco-proposed/InRelease (for example) is signed by both 3B4FE6ACC0B21F32 and 871920D1991BC93C. The latter is not present in /usr/share/keyrings/ubuntu-archive-keyring.gpg in Xenial, but is present in /usr/share/keyrings/ubuntu-archive-keyring.gpg in Cosmic and onwards. gpgv fails with:

gpgv: Signature made Mon Nov 5 10:46:15 2018 UTC
gpgv: using RSA key 3B4FE6ACC0B21F32
gpgv: Good signature from "Ubuntu Archive Automatic Signing Key (2012) <email address hidden>"
gpgv: Signature made Mon Nov 5 10:46:15 2018 UTC
gpgv: using RSA key 871920D1991BC93C
gpgv: Can't check signature: No public key

Tags: import

Robie Basak (racb) wrote :

It'd be nice to be able to tell gpgv that any one verified signature can be considered a successful verification, but I don't see any option to do that.

A workaround might be to embed the ubuntu-keyring package from Cosmic into the snap (along with ubuntu-cloudimage-keyring which is needed due to dependencies). I might be able to hack that into snapcraft.yaml by manually downloading the debs from Launchpad and installing them, or just extracting the keyrings if necessary. Ultimately git-ubuntu only really needs the keyring files from these packages to be made available to it. git-ubuntu already uses the snap-embedded keyrings rather than the system ones.

One caveat is that snapcraft.yaml will need manually updating every time Ubuntu keys are rotated, but this is better than the current situation where key rotations aren't handled at all without keyring SRUs into Xenial.

Would this be acceptable?

tags: added: import
Robie Basak (racb) wrote :

Andreas points out that this has happened before, which led to commit e1b4cd8c9c488a0403f6efecd2cdf3748aa85963 and bug 1752656.

Dimitri John Ledkov (xnox) wrote :

Dual-signing relies on the fact that at least one of the signatures is valid.
One shouldn't block on /all/ signatures being valid.
Thus imho this is a bug in the importer if it requires all keys.

Irrespective of the old bug 1752656, there is already a 2018 key as an SRU to bionic in bug https://bugs.launchpad.net/ubuntu/bionic/+source/ubuntu-keyring/+bug/1798073 which has been in the unapproved queue for a while now.

Robie Basak (racb) wrote :

> One shouldn't block on /all/ signatures being valid.

Agreed.

> Thus imho this is a bug in the importer if it requires all keys.

Further discussed on IRC. Unfortunately it's not something we can fix in the importer without the additional functionality appearing in gpgv first.

Robie Basak (racb)
Changed in usd-importer:
status: Triaged → Fix Released
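
Added example, not part of the bug thread and not git-ubuntu code: one way a caller could apply the "at least one verified signature" policy discussed above, by reading the machine-readable lines gpgv writes with --status-fd. The function name and the sample status text are assumptions made for illustration; a signature from an unknown key is tolerated and reported, while a bad, expired or revoked signature always rejects.

```python
# Added example (not git-ubuntu code). Status lines as gpgv would emit with:
#   gpgv --keyring KEYRING --status-fd 1 InRelease
FATAL = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
RC_NO_PUBKEY = "9"  # ERRSIG reason code: missing public key

def check_status(status_text):
    """Return (accepted, valid_fprs, missing_key_ids, problems)."""
    valid, missing, problems = [], [], []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line[len("[GNUPG:] "):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "VALIDSIG" and args:
            valid.append(args[0])          # fingerprint of the signing key
        elif keyword in FATAL:
            problems.append(line)          # a signature that actively failed
        elif keyword == "ERRSIG":
            if len(args) >= 6 and args[5] == RC_NO_PUBKEY:
                missing.append(args[0])    # unknown signer: tolerated, reported
            else:
                problems.append(line)      # any other error is not tolerated
    # Accept only if a keyring key verified and nothing actively failed.
    return bool(valid) and not problems, valid, missing, problems

# Constructed samples. Key IDs are from the report; fingerprints are the key
# ID left-padded with zeros, not the real fingerprints.
FPR_2012 = "0" * 24 + "3B4FE6ACC0B21F32"
DUAL_SIGNED = f"""\
[GNUPG:] GOODSIG 3B4FE6ACC0B21F32 Ubuntu Archive Automatic Signing Key (2012)
[GNUPG:] VALIDSIG {FPR_2012} 2018-11-05 1541414775 0 4 0 1 10 01 {FPR_2012}
[GNUPG:] ERRSIG 871920D1991BC93C 1 10 01 1541414775 9
[GNUPG:] NO_PUBKEY 871920D1991BC93C
"""
ONLY_UNKNOWN = """\
[GNUPG:] ERRSIG 871920D1991BC93C 1 10 01 1541414775 9
[GNUPG:] NO_PUBKEY 871920D1991BC93C
"""
TAMPERED = DUAL_SIGNED + "[GNUPG:] BADSIG 3B4FE6ACC0B21F32 constructed\n"

if __name__ == "__main__":
    for name in ("DUAL_SIGNED", "ONLY_UNKNOWN", "TAMPERED"):
        print(name, check_status(globals()[name])[0])
```

As the report shows, gpgv itself fails for the dual-signed case, so a caller using this policy would decide from the status lines rather than from gpgv's exit code.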