Summary: | gnupg-1.4.0-r2 crashed on built with file open error on secring.gpg | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Nicolas Vilz <niv> |
Component: | Current packages | Assignee: | Crypto team [DISABLED] <crypto+disabled> |
Status: | VERIFIED FIXED | ||
Severity: | normal | ||
Priority: | High | ||
Version: | unspecified | ||
Hardware: | PPC | ||
OS: | Linux | ||
Attachments: | Workaround for gpg check failure with USE=selinux |
Description
Nicolas Vilz
2005-01-30 03:24:22 UTC
mh... problem still exists, sorry to disturb your sleep :)

does rm -rf /var/tmp/portage/* and reemerging help?

didn't change anything.. :/

what owner and permissions are on /var/tmp/portage/homedir/.gnupg/*ring.gpg?

well, actually the .gnupg-dir doesn't exist after emerge fails. even after i copied my .gnupg-dir from a test-homedir, it doesn't exist after emerge fails.

No problems here on ppc. Probably you have a program open, that accesses the sec- and pubkeyring (like gpg-agent)?

gnupg-agent _does_ access and probably block /var/tmp/homedir/.gnupg/*sec.key, which doesn't exist and which wasn't created during merge-time? and which doesn't exist anymore after i copied it, owned it to portage:portage and tried to merge gnupg ? *shrug* weird programs :)

I don't think so. The issue is that gnupg expects to create a real key in the home directory of the user building it. However if ~/.gnupg does not exist, the build fails as it does not create that directory manually (never mind the sandbox breakage issues this creates). The quick workaround is to create ~/.gnupg.

I've put some work into the 1.4.1 ebuild that should resolve this problem (the src_test works now, where it failed before). Please reopen if this problem persists.

I am not the original poster, but I do have the same issue with app-crypt/gnupg-1.4.1

bugsy portage # emerge -pv gnupg
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild U ] app-crypt/gnupg-1.4.1 [1.2.6] +X +bzip2* +caps +curl -debug +ecc* +idea* +ldap +nls +readline +selinux* -smartcard +zlib 0 kB
Total size of downloads: 0 kB

Then, when I compile, I get the following:

Making all in checks
make[2]: Entering directory `/var/tmp/portage/gnupg-1.4.1/work/gnupg-1.4.1/checks'
echo '#!/bin/sh' >./gpg_dearmor
../tools/mk-tdata 500 >data-500
echo "../g10/gpg --no-options --no-greeting \
 --no-secmem-warning --batch --dearmor" >>./gpg_dearmor
../tools/mk-tdata 9000 >data-9000
chmod 755 ./gpg_dearmor
../tools/mk-tdata 32000 >data-32000
../tools/mk-tdata 80000 >data-80000
cat ./../doc/HACKING \
 ./../doc/DETAILS \
 ./../doc/FAQ >plain-large
./gpg_dearmor > ./pubring.gpg < ./pubring.asc
./gpg_dearmor > ./secring.gpg < ./secring.asc
gpg: keyblock resource `/var/tmp/portage/homedir/.gnupg/secring.gpg': file open error
gpg: keyblock resource `/var/tmp/portage/homedir/.gnupg/pubring.gpg': file open error
make[2]: *** [pubring.gpg] Error 2
make[2]: *** Waiting for unfinished jobs....
gpg: keyblock resource `/var/tmp/portage/homedir/.gnupg/secring.gpg': file open error
gpg: keyblock resource `/var/tmp/portage/homedir/.gnupg/pubring.gpg': file open error
make[2]: *** [secring.gpg] Error 2
make[2]: Leaving directory `/var/tmp/portage/gnupg-1.4.1/work/gnupg-1.4.1/checks'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/gnupg-1.4.1/work/gnupg-1.4.1'
make: *** [all] Error 2
!!! ERROR: app-crypt/gnupg-1.4.1 failed.
!!! Function src_compile, Line 116, Exitcode 2
!!! (no error message)
!!! If you need support, post the topmost build error, NOT this status message.

I have tried creating ~portage/.gnupg as well as empty key files in the homedir.

same here, wasn't fixed for me.

Worked around it by USE="-selinux" emerge gnupg

Portage 2.0.51.19 (selinux/2005.1/ppc, gcc-3.4.1, glibc-2.3.4.20041102-r1, 2.6.11-hardnut-r13 ppc)
=================================================================
System uname: 2.6.11-hardnut-r13 ppc 7447A, altivec supported
Gentoo Base System version 1.4.16
Python: dev-lang/python-2.3.5 [2.3.5 (#1, May 1 2005, 18:06:15)]
dev-lang/python: 2.3.5
sys-apps/sandbox: 1.2.8
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.9.5, 1.5, 1.6.3, 1.8.5-r3, 1.4_p6, 1.7.9-r1
sys-devel/binutils: 2.15.90.0.3-r4
sys-devel/libtool: 1.5.16
virtual/os-headers: 2.6.8.1-r4
ACCEPT_KEYWORDS="ppc"
AUTOCLEAN="yes"
CFLAGS="-O2 -mtune=G4 -maltivec -mabi=altivec -fno-strict-aliasing -pipe"
CHOST="powerpc-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mtune=G4 -maltivec -mabi=altivec -fno-strict-aliasing -pipe"
DISTDIR="/var/tmp/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox selinux sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X alsa altivec berkdb cdr crypt cups dlloader dvd dvdread esd flac gd gdbm gif gpm gtk hardened imagemagick imlib java jpeg ldap mad motif mpeg ncurses network nls ogg opengl pam perl png ppc python readline real selinux ssl tcpd theora tiff truetype vorbis xml2 xv xvid zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS

I have found that this issue persists with 1.4.1-r1 on x86 using selinux (built in the selinux/2004.1/x86/hardened profile).

Note that this is a GnuPG issue, as an unpatched source compile with --enable-selinux-support fails with exactly the same error on a hardened/x86/2.6 profile.

I've just tracked it down to this: The --enable-selinux-support configuration option forces it to try to grab or create the ~/.gnupg/{sec,pub}ring.gpg even when the --no-options command-line option disables the creation of the ~/.gnupg directory.

#line 2921 g10/g10.c
/* Add the keyrings, but not for some special commands and not in
   case of "-kvv userid keyring". Also avoid adding the secret
   keyring for a couple of commands to avoid unneeded access in
   case the secrings are stored on a floppy.

   We always need to add the keyrings if we are running under
   SELinux, this is so that the rings are added to the list of
   secured files. */

Perhaps a workaround could be to ignore --no-options when selinux is enabled, and also to patch checks/Makefile to add e.g. `--homedir .'

Created attachment 62151
Workaround for gpg check failure with USE=selinux
Causes try_make_homedir to ignore --no-options when selinux is enabled.
Adds `--homedir .' to options in gpg_dearmor
touch checks/{pub,sec}ring.gpg to 1970-01-02 if they don't exist.
Thanks Ben - this patch is good. Committing it soon and I'll submit it to the upstream devs.
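
A diagnostic for the failure discussed in this thread, added here as an example (it is not part of the bug report or of attachment 62151): it extracts the keyring paths from gpg's "file open error" lines in a build log and reports whether each home directory and keyring file is present. The function names are hypothetical, and the sample log is constructed from the error text quoted in the thread.

```shell
#!/bin/sh
# Added example: triage gpg "keyblock resource ... file open error" build failures.

# Print each distinct keyring path named in "file open error" lines on stdin.
keyring_paths() {
    sed -n "s/.*keyblock resource \`\([^']*\)': file open error.*/\1/p" | sort -u
}

# Classify one keyring path by the state of its home directory and file.
classify_keyring() {
    ring=$1
    home=$(dirname "$ring")
    if [ ! -d "$home" ]; then
        echo "homedir-missing"          # e.g. ~/.gnupg was never created
    elif [ ! -w "$home" ]; then
        echo "homedir-not-writable"     # wrong owner or mode for the build user
    elif [ ! -e "$ring" ]; then
        echo "keyring-missing"
    elif [ ! -r "$ring" ]; then
        echo "keyring-unreadable"
    else
        echo "keyring-present"          # file is fine; look at policy or locks next
    fi
}

# Read a build log on stdin and print "<state> <path>" for every keyring.
triage_log() {
    keyring_paths | while IFS= read -r ring; do
        printf '%s %s\n' "$(classify_keyring "$ring")" "$ring"
    done
}

# Constructed sample log (paths taken from the error messages in this thread).
triage_log <<'EOF'
./gpg_dearmor > ./secring.gpg < ./secring.asc
gpg: keyblock resource `/var/tmp/portage/homedir/.gnupg/secring.gpg': file open error
gpg: keyblock resource `/var/tmp/portage/homedir/.gnupg/pubring.gpg': file open error
make[2]: *** [secring.gpg] Error 2
EOF
```

Run it as the same user that performs the build (portage, when FEATURES contains userpriv), since the directory and file checks depend on that user's permissions.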