|Summary:||gnome-base/gnome-keyring: please bump: ssh-agent interface does not support SHA2 extension|
|Product:||Gentoo Linux||Reporter:||Thomas Deutschmann <whissi>|
|Component:||Stabilization||Assignee:||Gentoo Linux Gnome Desktop Team <gnome>|
|Severity:||normal||CC:||alexander, base-system, kuzetsa, leho, mattst88|
|Runtime testing required:||---|
|Bug Depends on:||666926, 672798|
Description Thomas Deutschmann 2018-06-21 13:09:41 UTC
Looks like we need a gnome-keyring package with https://gitlab.gnome.org/GNOME/gnome-keyring/commit/35a01f8c6eaf3c991aaeb3f66449f41d3f0580bc to prevent issues like https://forums.gentoo.org/viewtopic-t-1082598-postdays-0-postorder-asc-start-0.html
Comment 1 Matt Turner 2018-06-25 20:35:50 UTC
gnome-keyring % git tag --contains=35a01f8c6eaf3c991aaeb3f66449f41d3f0580bc 3.27.4 3.27.92 3.28.0 220.127.116.11 18.104.22.168 3.28.2 Ugh.
Comment 2 Pacho Ramos 2018-06-26 17:12:47 UTC
*** Bug 659198 has been marked as a duplicate of this bug. ***
Comment 3 Mart Raudsepp 2018-07-03 22:43:53 UTC
People can help by testing this (and only this, or whatever else is needed together with mentioning it here) locally within an otherwise GNOME 3.24 environment. If that goes well, hopefully we can add the 3.28.2 version immediately, without rest of gnome 3.28.
Comment 4 Leho Kraav (:macmaN @lkraav) 2018-07-05 10:42:10 UTC
(In reply to Mart Raudsepp from comment #3) > People can help by testing this (and only this, or whatever else is needed > together with mentioning it here) locally within an otherwise GNOME 3.24 > environment. If that goes well, hopefully we can add the 3.28.2 version > immediately, without rest of gnome 3.28. Is there going to be a 3.28 ebuild somewhere like https://gitweb.gentoo.org/proj/gnome.git/tree/gnome-base/gnome-keyring any time soon?
Comment 5 Alexander Tsoy 2018-07-17 22:47:30 UTC
(In reply to Mart Raudsepp from comment #3) > People can help by testing this (and only this, or whatever else is needed > together with mentioning it here) locally within an otherwise GNOME 3.24 > environment. If that goes well, hopefully we can add the 3.28.2 version > immediately, without rest of gnome 3.28. gnome-keyring-3.28 have issues with out pambase (bug 652194). Everything else is fine.
Comment 6 Mart Raudsepp 2018-08-24 19:30:39 UTC
What's the actual issue here besides a warning?
Comment 7 Mart Raudsepp 2018-08-24 19:32:51 UTC
Looks like with stricter servers one can't login with gnome-keyring ssh agent cache, I just am not trying such servers?
Comment 8 Leho Kraav (:macmaN @lkraav) 2018-08-24 19:46:57 UTC
> Looks like with stricter servers one can't login with gnome-keyring ssh agent cache, I just am not trying such servers? I have yet to be denied anywhere, thus far it's been just the warning noise pollution.
Comment 9 aceone 2018-09-02 15:50:32 UTC
This happens with active gnome-keyring an gentoo server with openssh. warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512) Permission denied (publickey). I have to kill gnome-keyring every time and then try again before it restarts it self.
Comment 10 Mart Raudsepp 2018-09-22 10:49:37 UTC
For me often gnome-keyring ssh component doesn't even run with the old version, probably because of: gnome-session: gnome-session-binary: WARNING: Could not parse desktop file gnome-keyring-ssh.desktop or it references a not found TryExec binary Yet the desktop file looks just fine to me..
Comment 11 Larry the Git Cow 2018-09-22 19:54:23 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4138c5bd17d07f859fbf5dec6b1c338f510a463e commit 4138c5bd17d07f859fbf5dec6b1c338f510a463e Author: Mart Raudsepp <firstname.lastname@example.org> AuthorDate: 2018-09-22 19:46:49 +0000 Commit: Mart Raudsepp <email@example.com> CommitDate: 2018-09-22 19:46:49 +0000 gnome-base/gnome-keyring: bump to 3.28.2 Bug: https://bugs.gentoo.org/658646 Package-Manager: Portage-2.3.49, Repoman-2.3.10 gnome-base/gnome-keyring/Manifest | 1 + .../gnome-keyring/gnome-keyring-3.28.2.ebuild | 79 ++++++++++++++++++++++ 2 files changed, 80 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=efcbd4017c4047428b2813509cded359158f4156 commit efcbd4017c4047428b2813509cded359158f4156 Author: Mart Raudsepp <firstname.lastname@example.org> AuthorDate: 2018-09-22 19:42:51 +0000 Commit: Mart Raudsepp <email@example.com> CommitDate: 2018-09-22 19:45:27 +0000 app-crypt/gcr: bump to 3.28.0 Bug: https://bugs.gentoo.org/658646 Package-Manager: Portage-2.3.49, Repoman-2.3.10 app-crypt/gcr/Manifest | 1 + app-crypt/gcr/gcr-3.28.0.ebuild | 78 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 79 insertions(+)
Comment 12 Mart Raudsepp 2018-09-23 08:46:35 UTC
Please test these bumps (with USE=ssh-agent kept enabled), especially on stable systems with just gcr and gnome-keyring from ~arch. So we know if it's safe to fast-stabilize these in a week or so.
Comment 13 Pacho Ramos 2018-09-23 16:14:41 UTC
The update to gnome-keyring-3.28.2 (and anything >=3.27.2) breaks the automatic unlocking of the keyring password. Previously, I simply needed to type my password at login time, and the keyring was automatically unlocked with it. Now, I am asked immediatly after login in again for the password to unlock the keyring I have seen this was introduced in 3.27.2 due to this fix: https://bugzilla.gnome.org/show_bug.cgi?id=781486 And, indeed, simply reversing this patch: https://gitlab.gnome.org/GNOME/gnome-keyring/commit/9db67ef6e39ac51d426dee91da3b9305670241e6 Makes it work again. But I don't know what have changed in other involved parties in recent gnome versions to not get into this issue (I have checked gdm and libsecret commits for that days without success)
Comment 14 Mart Raudsepp 2018-09-23 16:22:24 UTC
(In reply to Pacho Ramos from comment #13) > The update to gnome-keyring-3.28.2 (and anything >=3.27.2) breaks the > automatic unlocking of the keyring password. Previously, I simply needed to > type my password at login time, and the keyring was automatically unlocked > with it. Now, I am asked immediatly after login in again for the password to > unlock the keyring > > I have seen this was introduced in 3.27.2 due to this fix: > https://bugzilla.gnome.org/show_bug.cgi?id=781486 I observed this breakage too after re-login, but it's just a double entering of password in practice, as far as I can see. This seems like bug 652194. Meanwhile it feels like it's better to 1) have working login against certain server without having to USE=-ssh-agent; 2) have more secure password handling, as that upstream bug suggests this patch in 3.27.2 was with security implications (improving it).
Comment 15 Pacho Ramos 2018-09-23 16:30:07 UTC
Personally I would reverse the patch to not push now all the users to need to type the passwords two times on every login I will check anyway the pambase bug to see if it can be solved there
Comment 16 Pacho Ramos 2018-09-23 16:47:16 UTC
It works with fixed pambase... I would then simply stabilize the three packages soon
Comment 17 Leho Kraav (:macmaN @lkraav) 2018-10-18 10:43:55 UTC
gnome-keyring-3.28.2 + pambase-20150213-r1 seem to be operating nicely here. Bug title warning has disappeared, and keyring unlock on login seemed to work.
Comment 18 Pacho Ramos 2018-10-19 06:47:46 UTC
The same for me, I think we can CC arches finally
Comment 19 Thomas Deutschmann 2018-10-26 00:53:25 UTC
Comment 20 Sergei Trofimovich 2018-10-26 23:02:31 UTC
Comment 21 Sergei Trofimovich 2018-10-27 18:55:57 UTC
Comment 22 Matt Turner 2018-10-29 01:02:20 UTC
Comment 23 Gleb 2018-11-06 14:08:05 UTC
(In reply to Pacho Ramos from comment #16) > It works with fixed pambase... I would then simply stabilize the three > packages soon On Xfce automatic unlocking no longer works after updaing pambase and gnome-keyring. Is this expected?
Comment 24 ernsteiswuerfel 2018-11-26 21:30:08 UTC
gnome-keyring-3.28.2 fails tests on ppc due to bug #671958. Not good but no regression over gnome-keyring-3.20.1.
Comment 25 Mart Raudsepp 2018-12-05 15:33:29 UTC
Comment 26 Matt Turner 2018-12-28 03:46:58 UTC
Comment 27 Mikle Kolyada 2019-02-12 13:04:55 UTC
Comment 28 Mikle Kolyada 2019-02-17 16:00:51 UTC
Comment 29 Stabilization helper bot 2019-11-28 09:01:16 UTC
An automated check of this bug failed - the following atom is unknown: sys-auth/pambase-20150213-r2 Please verify the atom list.
Comment 30 Stabilization helper bot 2019-12-01 22:01:27 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 31 Sergei Trofimovich 2019-12-08 22:02:52 UTC
dropping m68k/sh as they are not in the stabilization list (and i assume they were never intended to be stabilized)
Comment 32 Mart Raudsepp 2020-01-11 08:10:51 UTC
ppc and sparc got done from a newer collection bug too