Summary: | emerge --sync stucks on getting key via WKD | ||
---|---|---|---|
Product: | Gentoo Infrastructure | Reporter: | Rafal Kupiec <belliash> |
Component: | Other | Assignee: | Gentoo Infrastructure <infra-bugs> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | d, gentoo, mgorny |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=875800, https://bugs.gentoo.org/show_bug.cgi?id=779766 | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Rafal Kupiec
2022-09-27 06:29:03 UTC
I have the same issue.

app-portage/gemato falls back to hkp/hkps [1] in case of errors while fetching over WKD and uses hkps://keys.gentoo.org:

```
❯ grep sync-openpgp-keyserver /usr/share/portage/config/repos.conf
sync-openpgp-keyserver = hkps://keys.gentoo.org
```

The fallback will always occur for "developer@gentoo.org" due to it not being a UID for a valid public key. The hkps keyserver currently just resolves this "UID" to 47 public keys:

```
❯ export GNUPGHOME="$(mktemp -d)"
❯ gpg --auto-key-locate hkps://keys.gentoo.org --locate-external-keys developer@gentoo.org 2>&1 | tail -n 5
gpg: key 350AAD7C2B859DE3: public key "Christian Faulhammer <christian@faulhammer.org>" imported
gpg: key 979CAF40D0455535: public key "Anthony G. Basile <basile@virtual.dyc.edu>" imported
gpg: Total number processed: 47
gpg: imported: 47
gpg: error retrieving 'developer@gentoo.org' via hkps://keys.gentoo.org: No fingerprint
```

Therefore, above output of "--locate-keys" should be fine.

[1] https://github.com/projg2/gemato/blob/805ca36a222c5649b16134e818f8c8b23415c7a2/gemato/openpgp.py#L468-L471

Right, the problem is that it then hangs.

In the end, portage/gemato tries to refresh the keys at:

```
❯ grep sync-openpgp-key-path /usr/share/portage/config/repos.conf
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
❯ equery belongs /usr/share/openpgp-keys/gentoo-release.asc
 * Searching for /usr/share/openpgp-keys/gentoo-release.asc ...
sec-keys/openpgp-keys-gentoo-release-20220101 (/usr/share/openpgp-keys/gentoo-release.asc)
```

Only 4 public keys should be covered:

```
❯ sed -n '/^# Keys included:/,/^$/p' /var/db/repos/gentoo/sec-keys/openpgp-keys-gentoo-release/openpgp-keys-gentoo-release-20220101.ebuild
# Keys included:
# DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
# D99EAC7379A850BCE47DA5F29E6438C817072058
# 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
# EF9538C9E8E64311A52CDEDFA13D0EF1914E7A72
```

I don't know why "emerge --sync" tries to fetch keys belonging to "developer@gentoo.org" on your machine.
You should check the file the "sync-openpgp-key-path" setting points to on your machine.

Ah, "developer@gentoo.org" was just an example. The .asc file should be checked anyway. And, should "emerge --sync" hang again, you should check the output of:

```
gpg --debug all -vvvvv --auto-key-locate wkd --locate-external-keys infrastructure@gentoo.org
gpg --debug all -vvvvv --auto-key-locate wkd --locate-external-keys releng@gentoo.org
gpg --debug all -vvvvv --auto-key-locate wkd --locate-external-keys repomirrorci@gentoo.org
```

WKD advanced is online again.

```
$ T=$(mktemp -d) ; gpg --homedir $T --auto-key-locate wkd --locate-external-keys infrastructure@gentoo.org releng@gentoo.org repomirrorci@gentoo.org ; rm -rf "$T"
gpg: keybox '/tmp/tmp.KcIpfNLMh3/pubring.kbx' created
gpg: /tmp/tmp.KcIpfNLMh3/trustdb.gpg: trustdb created
gpg: key A13D0EF1914E7A72: public key "Gentoo repository mirrors (automated git signing key) <repomirrorci@gentoo.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
gpg: key 9E6438C817072058: public key "Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>" imported
gpg: key BB572E0E2D182910: public key "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" imported
gpg: Total number processed: 2
gpg: imported: 2
gpg: no ultimately trusted keys found
gpg: key DB6B8C1F96D8BF6D: public key "Gentoo ebuild repository signing key (Automated Signing Key) <infrastructure@gentoo.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
pub   rsa4096 2018-05-28 [C] [expires: 2024-07-01]
      EF9538C9E8E64311A52CDEDFA13D0EF1914E7A72
uid           [ unknown] Gentoo repository mirrors (automated git signing key) <repomirrorci@gentoo.org>
sub   rsa2048 2018-05-28 [S] [expires: 2024-07-01]

pub   dsa1024 2004-07-20 [SC] [expires: 2024-01-01]
      D99EAC7379A850BCE47DA5F29E6438C817072058
uid           [ unknown] Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>
sub   elg2048 2004-07-20 [E] [expires: 2024-01-01]

pub   rsa4096 2011-11-25 [C] [expires: 2024-07-01]
      DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
uid           [ unknown] Gentoo ebuild repository signing key (Automated Signing Key) <infrastructure@gentoo.org>
sub   rsa4096 2011-11-25 [S] [expires: 2024-07-01]
```

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=9268a92b9666eaaf263999b18220c0d56d8c476c

```
commit 9268a92b9666eaaf263999b18220c0d56d8c476c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-08-13 04:36:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-08-17 06:52:55 +0000

    sync: rsync, git: respect --debug for gemato

    Respect --debug and pass it down to gemato so we get nice debugging output when
    e.g. 'refreshing keys' is stuck.

    Bug: https://bugs.gentoo.org/646194
    Bug: https://bugs.gentoo.org/647696
    Bug: https://bugs.gentoo.org/691666
    Bug: https://bugs.gentoo.org/779766
    Bug: https://bugs.gentoo.org/873133
    Bug: https://bugs.gentoo.org/906875
    Bug: https://github.com/projg2/gemato/issues/7
    Bug: https://github.com/projg2/gemato/issues/25
    Signed-off-by: Sam James <sam@gentoo.org>

 lib/portage/sync/modules/git/git.py     | 15 +++++++++++++--
 lib/portage/sync/modules/rsync/rsync.py | 11 +++++++++--
 lib/portage/sync/syncbase.py            | 12 ++++++++----
 3 files changed, 30 insertions(+), 8 deletions(-)
```
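
The check suggested earlier in this thread (inspect the file that "sync-openpgp-key-path" points to and confirm it covers only the four listed keys) can be scripted. The following is an added example, not part of the original bug comments or of portage/gemato; the function names and the sample listing are assumptions made for illustration.

```shell
# Added example: verify that a key listing contains exactly the four
# release-key fingerprints quoted in the thread ("Keys included").
EXPECTED_FPRS="DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
D99EAC7379A850BCE47DA5F29E6438C817072058
13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
EF9538C9E8E64311A52CDEDFA13D0EF1914E7A72"

# Read `gpg --with-colons` output on stdin and print primary-key fingerprints.
# The first "fpr" record after a "pub" is the primary key (field 10);
# "fpr" records after a "sub" belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1 }
             $1 == "sub" { want = 0 }
             $1 == "fpr" && want { print $10; want = 0 }' | sort -u
}

# Compare the listing on stdin with EXPECTED_FPRS.
# Prints one UNEXPECTED/MISSING line per difference; returns 1 if any.
check_release_keys() {
    found=$(primary_fprs)
    status=0
    for f in $found; do
        printf '%s\n' "$EXPECTED_FPRS" | grep -qxF "$f" ||
            { echo "UNEXPECTED $f"; status=1; }
    done
    for f in $EXPECTED_FPRS; do
        printf '%s\n' "$found" | grep -qxF "$f" ||
            { echo "MISSING $f"; status=1; }
    done
    return "$status"
}

# Constructed sample listing (most fields left empty) for offline runs;
# the all-zero subkey is a placeholder, not a real key.
sample_listing() {
    cat <<'EOF'
pub:-:::DB6B8C1F96D8BF6D:
fpr:::::::::DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D:
sub:-:::0000000000000000:
fpr:::::::::0000000000000000000000000000000000000000:
pub:-:::9E6438C817072058:
fpr:::::::::D99EAC7379A850BCE47DA5F29E6438C817072058:
pub:-:::BB572E0E2D182910:
fpr:::::::::13EBBDBEDE7A12775DFDB1BABB572E0E2D182910:
pub:-:::A13D0EF1914E7A72:
fpr:::::::::EF9538C9E8E64311A52CDEDFA13D0EF1914E7A72:
EOF
}
```

Against the installed file, assuming a GnuPG version that supports `--show-keys`: `gpg --show-keys --with-colons /usr/share/openpgp-keys/gentoo-release.asc | check_release_keys`. A non-zero exit status means the file holds a key outside the expected set or lacks one of the four.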