Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 658646 - gnome-base/gnome-keyring: please bump: ssh-agent interface does not support SHA2 extension
Summary: gnome-base/gnome-keyring: please bump: ssh-agent interface does not support S...
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Stabilization (show other bugs)
Hardware: All Linux
: Normal normal with 1 vote (vote)
Assignee: Gentoo Linux Gnome Desktop Team
URL: https://bugzilla.gnome.org/show_bug.c...
Whiteboard:
Keywords: STABLEREQ
: 659198 (view as bug list)
Depends on: 666926 672798
Blocks: 670024
  Show dependency tree
 
Reported: 2018-06-21 13:09 UTC by Thomas Deutschmann
Modified: 2019-02-17 16:01 UTC (History)
10 users (show)

See Also:
Package list:
app-crypt/gcr-3.28.0 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 gnome-base/gnome-keyring-3.28.2 alpha amd64 arm ia64 ppc ppc64 sparc x86 sys-auth/pambase-20150213-r2 alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Matt Turner gentoo-dev 2018-06-25 20:35:50 UTC
gnome-keyring % git tag --contains=35a01f8c6eaf3c991aaeb3f66449f41d3f0580bc
3.27.4
3.27.92
3.28.0
3.28.0.1
3.28.0.2
3.28.2

Ugh.
Comment 2 Pacho Ramos gentoo-dev 2018-06-26 17:12:47 UTC
*** Bug 659198 has been marked as a duplicate of this bug. ***
Comment 3 Mart Raudsepp gentoo-dev 2018-07-03 22:43:53 UTC
People can help by testing this (and only this, or whatever else is needed together with mentioning it here) locally within an otherwise GNOME 3.24 environment. If that goes well, hopefully we can add the 3.28.2 version immediately, without rest of gnome 3.28.
Comment 4 Leho Kraav (:macmaN @lkraav) 2018-07-05 10:42:10 UTC
(In reply to Mart Raudsepp from comment #3)
> People can help by testing this (and only this, or whatever else is needed
> together with mentioning it here) locally within an otherwise GNOME 3.24
> environment. If that goes well, hopefully we can add the 3.28.2 version
> immediately, without rest of gnome 3.28.

Is there going to be a 3.28 ebuild somewhere like https://gitweb.gentoo.org/proj/gnome.git/tree/gnome-base/gnome-keyring any time soon?
Comment 5 Alexander Tsoy 2018-07-17 22:47:30 UTC
(In reply to Mart Raudsepp from comment #3)
> People can help by testing this (and only this, or whatever else is needed
> together with mentioning it here) locally within an otherwise GNOME 3.24
> environment. If that goes well, hopefully we can add the 3.28.2 version
> immediately, without rest of gnome 3.28.
gnome-keyring-3.28 have issues with out pambase (bug 652194). Everything else is fine.
Comment 6 Mart Raudsepp gentoo-dev 2018-08-24 19:30:39 UTC
What's the actual issue here besides a warning?
Comment 7 Mart Raudsepp gentoo-dev 2018-08-24 19:32:51 UTC
Looks like with stricter servers one can't login with gnome-keyring ssh agent cache, I just am not trying such servers?
Comment 8 Leho Kraav (:macmaN @lkraav) 2018-08-24 19:46:57 UTC
> Looks like with stricter servers one can't login with gnome-keyring ssh agent cache, I just am not trying such servers?

I have yet to be denied anywhere, thus far it's been just the warning noise pollution.
Comment 9 aceone 2018-09-02 15:50:32 UTC
This happens with active gnome-keyring an gentoo server with openssh.

warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512)
Permission denied (publickey).

I have to kill gnome-keyring every time and then try again before it restarts it self.
Comment 10 Mart Raudsepp gentoo-dev 2018-09-22 10:49:37 UTC
For me often gnome-keyring ssh component doesn't even run with the old version, probably because of:
gnome-session[2141]: gnome-session-binary[2141]: WARNING: Could not parse desktop file gnome-keyring-ssh.desktop or it references a not found TryExec binary

Yet the desktop file looks just fine to me..
Comment 11 Larry the Git Cow gentoo-dev 2018-09-22 19:54:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4138c5bd17d07f859fbf5dec6b1c338f510a463e

commit 4138c5bd17d07f859fbf5dec6b1c338f510a463e
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-09-22 19:46:49 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-09-22 19:46:49 +0000

    gnome-base/gnome-keyring: bump to 3.28.2
    
    Bug: https://bugs.gentoo.org/658646
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 gnome-base/gnome-keyring/Manifest                  |  1 +
 .../gnome-keyring/gnome-keyring-3.28.2.ebuild      | 79 ++++++++++++++++++++++
 2 files changed, 80 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=efcbd4017c4047428b2813509cded359158f4156

commit efcbd4017c4047428b2813509cded359158f4156
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-09-22 19:42:51 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-09-22 19:45:27 +0000

    app-crypt/gcr: bump to 3.28.0
    
    Bug: https://bugs.gentoo.org/658646
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 app-crypt/gcr/Manifest          |  1 +
 app-crypt/gcr/gcr-3.28.0.ebuild | 78 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
Comment 12 Mart Raudsepp gentoo-dev 2018-09-23 08:46:35 UTC
Please test these bumps (with USE=ssh-agent kept enabled), especially on stable systems with just gcr and gnome-keyring from ~arch. So we know if it's safe to fast-stabilize these in a week or so.
Comment 13 Pacho Ramos gentoo-dev 2018-09-23 16:14:41 UTC
The update to gnome-keyring-3.28.2 (and anything >=3.27.2) breaks the automatic unlocking of the keyring password. Previously, I simply needed to type my password at login time, and the keyring was automatically unlocked with it. Now, I am asked immediatly after login in again for the password to unlock the keyring

I have seen this was introduced in 3.27.2 due to this fix:
https://bugzilla.gnome.org/show_bug.cgi?id=781486

And, indeed, simply reversing this patch:
https://gitlab.gnome.org/GNOME/gnome-keyring/commit/9db67ef6e39ac51d426dee91da3b9305670241e6

Makes it work again.

But I don't know what have changed in other involved parties in recent gnome versions to not get into this issue (I have checked gdm and libsecret commits for that days without success)
Comment 14 Mart Raudsepp gentoo-dev 2018-09-23 16:22:24 UTC
(In reply to Pacho Ramos from comment #13)
> The update to gnome-keyring-3.28.2 (and anything >=3.27.2) breaks the
> automatic unlocking of the keyring password. Previously, I simply needed to
> type my password at login time, and the keyring was automatically unlocked
> with it. Now, I am asked immediatly after login in again for the password to
> unlock the keyring
> 
> I have seen this was introduced in 3.27.2 due to this fix:
> https://bugzilla.gnome.org/show_bug.cgi?id=781486

I observed this breakage too after re-login, but it's just a double entering of password in practice, as far as I can see. This seems like bug 652194.
Meanwhile it feels like it's better to 1) have working login against certain server without having to USE=-ssh-agent; 2) have more secure password handling, as that upstream bug suggests this patch in 3.27.2 was with security implications (improving it).
Comment 15 Pacho Ramos gentoo-dev 2018-09-23 16:30:07 UTC
Personally I would reverse the patch to not push now all the users to need to type the passwords two times on every login 

I will check anyway the pambase bug to see if it can be solved there
Comment 16 Pacho Ramos gentoo-dev 2018-09-23 16:47:16 UTC
It works with fixed pambase... I would then simply stabilize the three packages soon
Comment 17 Leho Kraav (:macmaN @lkraav) 2018-10-18 10:43:55 UTC
gnome-keyring-3.28.2 + pambase-20150213-r1 seem to be operating nicely here. Bug title warning has disappeared, and keyring unlock on login seemed to work.
Comment 18 Pacho Ramos gentoo-dev 2018-10-19 06:47:46 UTC
The same for me, I think we can CC arches finally
Comment 19 Thomas Deutschmann gentoo-dev Security 2018-10-26 00:53:25 UTC
x86 stable
Comment 20 Sergei Trofimovich gentoo-dev 2018-10-26 23:02:31 UTC
ppc64 stable
Comment 21 Sergei Trofimovich gentoo-dev 2018-10-27 18:55:57 UTC
ia64 stable
Comment 22 Matt Turner gentoo-dev 2018-10-29 01:02:20 UTC
amd64 stable
Comment 23 Gleb 2018-11-06 14:08:05 UTC
(In reply to Pacho Ramos from comment #16)
> It works with fixed pambase... I would then simply stabilize the three
> packages soon

On Xfce automatic unlocking no longer works after updaing pambase and gnome-keyring. Is this expected?
Comment 24 ernsteiswuerfel 2018-11-26 21:30:08 UTC
gnome-keyring-3.28.2 fails tests on ppc due to bug #671958. Not good but no regression over gnome-keyring-3.20.1.
Comment 25 Mart Raudsepp gentoo-dev 2018-12-05 15:33:29 UTC
arm64 stable
Comment 26 Matt Turner gentoo-dev 2018-12-28 03:46:58 UTC
alpha stable
Comment 27 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-02-12 13:04:55 UTC
s390 stable
Comment 28 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-02-17 16:00:51 UTC
arm stable