2020-11-10 21:42:00 |
Simon Poirier |
bug |
|
|
added bug |
2020-11-10 21:42:07 |
Simon Poirier |
landscape-client: status |
New |
Confirmed |
|
2020-11-10 21:42:13 |
Simon Poirier |
landscape-client: importance |
Undecided |
Critical |
|
2020-11-10 21:42:16 |
Simon Poirier |
landscape-client: importance |
Critical |
High |
|
2020-11-10 21:42:19 |
Simon Poirier |
landscape-client: assignee |
|
Simon Poirier (simpoir) |
|
2020-11-11 15:58:59 |
John Lewis |
bug |
|
|
added subscriber John Lewis |
2020-11-11 21:03:38 |
Simon Poirier |
landscape-client: status |
Confirmed |
In Progress |
|
2020-11-13 19:45:39 |
Simon Poirier |
landscape-client: status |
In Progress |
Fix Committed |
|
2020-11-13 20:35:55 |
Simon Poirier |
bug task added |
|
landscape-client (Ubuntu) |
|
2020-11-13 20:36:02 |
Simon Poirier |
landscape-client (Ubuntu): status |
New |
Confirmed |
|
2020-11-13 20:36:31 |
Simon Poirier |
nominated for series |
|
Ubuntu Groovy |
|
2020-11-13 20:36:31 |
Simon Poirier |
bug task added |
|
landscape-client (Ubuntu Groovy) |
|
2020-11-13 20:36:31 |
Simon Poirier |
nominated for series |
|
Ubuntu Bionic |
|
2020-11-13 20:36:31 |
Simon Poirier |
bug task added |
|
landscape-client (Ubuntu Bionic) |
|
2020-11-13 20:36:31 |
Simon Poirier |
nominated for series |
|
Ubuntu Hirsute |
|
2020-11-13 20:36:31 |
Simon Poirier |
bug task added |
|
landscape-client (Ubuntu Hirsute) |
|
2020-11-13 20:36:31 |
Simon Poirier |
nominated for series |
|
Ubuntu Focal |
|
2020-11-13 20:36:31 |
Simon Poirier |
bug task added |
|
landscape-client (Ubuntu Focal) |
|
2020-11-13 20:36:49 |
Simon Poirier |
landscape-client (Ubuntu Hirsute): status |
Confirmed |
New |
|
2020-11-13 23:19:03 |
Simon Poirier |
description |
Since bionic, ubuntu-keyring removed `/etc/apt/trusted.gpg` in favor of `/etc/apt/trusted.gpg.d/`.
This breaks signature verification for the upgrade-tool.
Trying to release-upgrade through landscape yields a failure on signature check:
2020-11-10 15:47:51,019 WARNING [MainThread] Invalid signature for upgrade-tool tarball: /usr/bin/gpg failed (out='', err='gpg: keybox '/etc/apt/trusted.gpg' created
gpg: Signature made Fri Oct 16 03:28:09 2020 UTC
gpg: using RSA key 3B4FE6ACC0B21F32
gpg: Can't check signature: No public key |
[Impact]
* When launching an Ubuntu release-upgrade through landscape-client, the
upgrade-tool fails GPG verification due to the trusted apt key having changed
location as of 18.04 LTS.
* The proposed patch extends the gpg lookup path to include all
/etc/apt/trusted.gpg.d/*.gpg files in addition to /etc/apt/trusted.gpg
when verifying the upgrade-tool signature.
[Test Case]
* Install and register the landscape-client against a landscape-server
on a series supporting an upgrade.
* Wait for it to sync up packages.
* On the computer packages page, there is a link at the bottom to request a
release upgrade of that machine, if a supported version is available.
* The upgrade fails and /var/log/landscape/release-upgrader.log will indicate
a failed gpg verification.
[Where problems could occur]
* One thing which has been considered in this fix is how someone could have
worked around the issue by re-creating the old key path. The fix covers
such a case by still reading the deprecated trusted.gpg file.
* Although some care has been taken to only load valid gpg keys from the apt
trusted keychain, there could be unforeseen scenarios where invalid data
gets read from the keychain. In such a case, the strict nature of gpg would
reject the signature verification, thus being no worse than without the fix.
* The affected callsite is used for verifying the release-upgrader code prior
to running it. One bad thing which we could imagine with this code path is
falsely accepting an invalid file signature, which may create a security
issue. This would likely take the shape of injecting a gpg key, without
having root access, in the search path.
[Other Info]
* There is no way to directly verify this issue on 20.10 Groovy and later
(without faking a release) due to the lack of an upgrade path to a supported
LTS. The ubuntu-keyring package having the same file layout, the same
validation failure is however to be expected if left unpatched.
[Original description]
Since bionic, ubuntu-keyring removed `/etc/apt/trusted.gpg` in favor of `/etc/apt/trusted.gpg.d/`.
This breaks signature verification for the upgrade-tool.
Trying to release-upgrade through landscape yields a failure on signature check:
2020-11-10 15:47:51,019 WARNING [MainThread] Invalid signature for upgrade-tool tarball: /usr/bin/gpg failed (out='', err='gpg: keybox '/etc/apt/trusted.gpg' created
gpg: Signature made Fri Oct 16 03:28:09 2020 UTC
gpg: using RSA key 3B4FE6ACC0B21F32
gpg: Can't check signature: No public key |
|
2020-11-16 15:30:44 |
David Coronel |
bug |
|
|
added subscriber David Coronel |
2020-11-16 22:07:05 |
Simon Poirier |
landscape-client (Ubuntu Hirsute): assignee |
|
Simon Poirier (simpoir) |
|
2020-11-16 22:07:07 |
Simon Poirier |
landscape-client (Ubuntu Groovy): assignee |
|
Simon Poirier (simpoir) |
|
2020-11-16 22:07:10 |
Simon Poirier |
landscape-client (Ubuntu Focal): assignee |
|
Simon Poirier (simpoir) |
|
2020-11-16 22:07:12 |
Simon Poirier |
landscape-client (Ubuntu Bionic): assignee |
|
Simon Poirier (simpoir) |
|
2020-11-16 22:07:16 |
Simon Poirier |
landscape-client (Ubuntu Hirsute): status |
New |
In Progress |
|
2020-11-16 22:07:18 |
Simon Poirier |
landscape-client (Ubuntu Groovy): status |
New |
In Progress |
|
2020-11-16 22:07:21 |
Simon Poirier |
landscape-client (Ubuntu Focal): status |
New |
In Progress |
|
2020-11-16 22:07:24 |
Simon Poirier |
landscape-client (Ubuntu Bionic): status |
New |
In Progress |
|
2020-11-19 15:29:18 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~simpoir/ubuntu/+source/landscape-client/+git/landscape-client/+merge/394185 |
|
2020-11-19 15:29:49 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~simpoir/ubuntu/+source/landscape-client/+git/landscape-client/+merge/394186 |
|
2020-11-19 15:30:42 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~simpoir/ubuntu/+source/landscape-client/+git/landscape-client/+merge/394187 |
|
2020-11-19 15:31:23 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~simpoir/ubuntu/+source/landscape-client/+git/landscape-client/+merge/394188 |
|
2021-02-11 07:24:39 |
Albourne Software |
bug |
|
|
added subscriber Albourne Software |
2021-07-28 23:15:15 |
Brian Murray |
landscape-client (Ubuntu Groovy): status |
In Progress |
Won't Fix |
|
2022-02-14 22:12:41 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~simpoir/ubuntu/+source/landscape-client/+git/landscape-client/+merge/415567 |
|
2022-02-14 22:15:14 |
Simon Poirier |
nominated for series |
|
Ubuntu Impish |
|
2022-02-14 22:15:14 |
Simon Poirier |
bug task added |
|
landscape-client (Ubuntu Impish) |
|
2022-02-14 22:15:14 |
Simon Poirier |
nominated for series |
|
Ubuntu Jammy |
|
2022-02-14 22:15:14 |
Simon Poirier |
bug task added |
|
landscape-client (Ubuntu Jammy) |
|
2022-02-14 22:16:27 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~simpoir/ubuntu/+source/landscape-client/+git/landscape-client/+merge/415568 |
|
2022-02-14 23:17:56 |
Simon Poirier |
bug |
|
|
added subscriber STS Sponsors |
2022-02-15 17:16:59 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~simpoir/ubuntu/+source/landscape-client/+git/landscape-client/+merge/415626 |
|
2022-02-15 17:20:31 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~simpoir/ubuntu/+source/landscape-client/+git/landscape-client/+merge/415627 |
|
2022-02-15 17:23:13 |
Simon Poirier |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2022-02-19 17:52:49 |
Mathew Hodson |
tags |
|
dist-upgrade |
|
2022-02-19 17:53:43 |
Mathew Hodson |
landscape-client (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2022-02-19 17:53:45 |
Mathew Hodson |
landscape-client (Ubuntu Focal): importance |
Undecided |
Medium |
|
2022-02-19 17:53:47 |
Mathew Hodson |
landscape-client (Ubuntu Groovy): importance |
Undecided |
Medium |
|
2022-02-19 17:53:49 |
Mathew Hodson |
landscape-client (Ubuntu Hirsute): importance |
Undecided |
Medium |
|
2022-02-19 17:53:52 |
Mathew Hodson |
landscape-client (Ubuntu Impish): importance |
Undecided |
Medium |
|
2022-02-19 17:53:54 |
Mathew Hodson |
landscape-client (Ubuntu Jammy): importance |
Undecided |
Medium |
|
2022-02-23 18:06:13 |
Simon Poirier |
landscape-client (Ubuntu Bionic): assignee |
Simon Poirier (simpoir) |
|
|
2022-02-23 18:06:30 |
Simon Poirier |
landscape-client (Ubuntu Focal): assignee |
Simon Poirier (simpoir) |
|
|
2022-02-23 18:06:32 |
Simon Poirier |
landscape-client (Ubuntu Groovy): assignee |
Simon Poirier (simpoir) |
|
|
2022-02-23 18:06:35 |
Simon Poirier |
landscape-client (Ubuntu Hirsute): assignee |
Simon Poirier (simpoir) |
|
|
2022-02-23 18:06:39 |
Simon Poirier |
landscape-client (Ubuntu Impish): assignee |
|
Simon Poirier (simpoir) |
|
2022-02-23 18:06:42 |
Simon Poirier |
landscape-client (Ubuntu Jammy): assignee |
Simon Poirier (simpoir) |
|
|
2022-02-23 18:06:45 |
Simon Poirier |
landscape-client (Ubuntu Impish): assignee |
Simon Poirier (simpoir) |
|
|
2022-03-11 18:28:27 |
Andreas Hasenack |
landscape-client (Ubuntu Hirsute): status |
In Progress |
Won't Fix |
|
2022-03-11 18:28:34 |
Andreas Hasenack |
landscape-client (Ubuntu Impish): status |
New |
In Progress |
|
2022-03-11 18:28:55 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
2022-03-11 19:52:56 |
Launchpad Janitor |
landscape-client (Ubuntu Jammy): status |
In Progress |
Fix Released |
|
2022-03-22 21:16:27 |
Brian Murray |
bug |
|
|
added subscriber Brian Murray |
2022-03-22 21:16:42 |
Brian Murray |
landscape-client (Ubuntu Impish): status |
In Progress |
Fix Committed |
|
2022-03-22 21:16:44 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-03-22 21:16:46 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2022-03-22 21:16:50 |
Brian Murray |
tags |
dist-upgrade |
dist-upgrade verification-needed verification-needed-impish |
|
2022-03-22 21:18:19 |
Brian Murray |
landscape-client (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2022-03-22 21:18:26 |
Brian Murray |
tags |
dist-upgrade verification-needed verification-needed-impish |
dist-upgrade verification-needed verification-needed-focal verification-needed-impish |
|
2022-03-22 21:19:12 |
Brian Murray |
landscape-client (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2022-03-22 21:19:20 |
Brian Murray |
tags |
dist-upgrade verification-needed verification-needed-focal verification-needed-impish |
dist-upgrade verification-needed verification-needed-bionic verification-needed-focal verification-needed-impish |
|
2022-03-22 21:24:29 |
Brian Murray |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2022-03-28 21:10:56 |
Simon Poirier |
tags |
dist-upgrade verification-needed verification-needed-bionic verification-needed-focal verification-needed-impish |
dist-upgrade verification-done-bionic verification-needed verification-needed-focal verification-needed-impish |
|
2022-03-30 00:07:22 |
Simon Poirier |
tags |
dist-upgrade verification-done-bionic verification-needed verification-needed-focal verification-needed-impish |
dist-upgrade verification-done verification-done-bionic verification-done-focal verification-done-impish |
|
2022-03-30 10:06:51 |
Launchpad Janitor |
landscape-client (Ubuntu Impish): status |
Fix Committed |
Fix Released |
|
2022-03-30 10:06:55 |
Robie Basak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2022-03-30 10:06:59 |
Launchpad Janitor |
landscape-client (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2022-03-30 10:07:03 |
Launchpad Janitor |
landscape-client (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2023-03-01 17:18:11 |
Mauricio Faria de Oliveira |
removed subscriber SE ("STS") Sponsors |
|
|
|