Since upgrading to gnupg-1.4*, repoman goes into an infinite loop trying to sign the manifest, and failing:

!!! YOU MUST sign the Manifest. !!!
You can also disable this for the time being by removing FEATURES='sign'
gpg: WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x81220a4.curie-int.18765': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x81220a4.curie-int.18765': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/pubring.gpg': general error
gpg: no default secret key: secret key not available
gpg: .//Manifest: clearsign failed: secret key not available
!!! YOU MUST sign the Manifest. !!!
You can also disable this for the time being by removing FEATURES='sign'
gpg: WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x81220a4.curie-int.18766': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x81220a4.curie-int.18766': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/pubring.gpg': general error
gpg: no default secret key: secret key not available
gpg: .//Manifest: clearsign failed: secret key not available
Exiting due to signal

This is running 'repoman ci' as root. The net effect is that the regenerated Manifest doesn't get signed, and doesn't get committed, which is a major problem if you miss it, and the wrong Manifest gets out in a sync.

I am not certain, but the above may be due to a change in gnupg and not necessarily repoman.
Not sure, but at a guess: First you changed to root with "su" rather than "su -", so your HOME didn't get updated. Then...

gpg: WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'

Your .gnupg has the correct permissions, but gpg incorrectly detects it because the user id doesn't match.

gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x81220a4.curie-int.18765': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x81220a4.curie-int.18765': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/pubring.gpg': general error
gpg: no default secret key: secret key not available
gpg: .//Manifest: clearsign failed: secret key not available

gpg can't write to .gnupg because the user id doesn't match, and it can't figure out what the deal is.

I'll leave the choice up to you: close this as invalid, or reassign it to whoever does gpg so that perhaps they might patch it to handle the "running gpg as root but with my user's environment" case a bit better.

As for the infinite loop bit, the best we can do is to limit it to five runs or something like that. The chance of broken manifests is always there unless infra prevents their propagation.
No, I don't use su like that. Most of the time I'm logged in directly as root via SSH (limited to a trusted network, and auth via SSH keys only).

In my make.conf I have:

PORTAGE_GPG_DIR=/home/robbat2/.gnupg
PORTAGE_GPG_KEY=3233C22C

I'll pass this along to the GPG maintainer for now; maybe they can help more, as it's definitely a regression in GPG from 1.2 (worked) to 1.4 (broken).
bug 72873 handles repoman's infinite loop issue.
still a problem?
Yes, the problem still exists. OUTPUT follows:

>>> Computed message digests.
Checking in Manifest;
/var/cvsroot/gentoo-x86/net-fs/autofs/Manifest,v  <--  Manifest
new revision: 1.54; previous revision: 1.53
done
gpg: WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x811c0a4.curie-int.4839': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x811c0a4.curie-int.4839': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/pubring.gpg': general error
gpg: no default secret key: secret key not available
gpg: .//Manifest: clearsign failed: secret key not available
!!! YOU MUST sign the Manifest. !!!
You can also disable this for the time being by removing FEATURES='sign'
gpg: WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x811c0a4.curie-int.4843': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x811c0a4.curie-int.4843': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/pubring.gpg': general error
gpg: no default secret key: secret key not available
gpg: .//Manifest: clearsign failed: secret key not available
!!! YOU MUST sign the Manifest. !!!
You can also disable this for the time being by removing FEATURES='sign'
gpg: WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x811c0a4.curie-int.4846': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x811c0a4.curie-int.4846': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/pubring.gpg': general error
gpg: no default secret key: secret key not available
gpg: .//Manifest: clearsign failed: secret key not available
!!! YOU MUST sign the Manifest. !!!
You can also disable this for the time being by removing FEATURES='sign'
gpg: WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x811c0a4.curie-int.4848': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x811c0a4.curie-int.4848': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/pubring.gpg': general error
gpg: no default secret key: secret key not available
gpg: .//Manifest: clearsign failed: secret key not available
!!! YOU MUST sign the Manifest. !!!
You can also disable this for the time being by removing FEATURES='sign'
Exiting due to signal

The 'Exiting due to signal' is due to me hitting ctrl-C. The infinite loop still exists; however, it doesn't spew so fast anymore because of the 3 second delay added in bug #72873.
*bump* the problem still exists.
Is this still a problem? How are people signing stuff if it always loops? :) Does this happen all the time or just some of the time, etc.? Can anyone besides Robin reproduce this bug?
(In reply to comment #2)
> No, I don't use su like that.
> Most of the time I'm logged in directly as root via SSH (Limited to a trusted network, and auth via SSH keys only).
>
> In my make.conf I have:
> PORTAGE_GPG_DIR=/home/robbat2/.gnupg
> PORTAGE_GPG_KEY=3233C22C
>

Try changing the PORTAGE_GPG_KEY to 0x3233C22C, or put another identifier (like an email or username). In addition, check to see if there is a /root/.gnupg directory and any gpg.conf in there. If so, make sure it either contains the same thing as your home, or just make sure any default key is the one you want.
I changed PORTAGE_GPG_KEY to 0x3233C22C, as you requested; same behavior. Changing to a username or email will NOT give me the desired effect. 0x3233C22C is a subkey on my main key, that I intend on using explicitly for signing commits (this will be made clear when I post the signing proposals in a few days).

I'm going to strace this entire operation in a moment for you.

# !523 repoman ci -m 'Update metadata.'
Setting paths:
PORTDIR = "/usr/portage"
PORTDIR_OVERLAY = ""
RepoMan scours the neighborhood...
>>> Creating Manifest for /usr/gentoo-cvs/gentoo-x86/app-backup/amanda
digest.assumed 1 digest-amanda-2.4.5::amanda-2.4.5.tar.gz
digest.assumed 1 digest-amanda-2.4.5::amanda-2.4.5.tar.gz
Performing a cvs -n up with a little magic grep to check for updates.
* 1 files being committed... 0 have headers that will change.
* Files with headers will cause the manifests to be made and recommited.
myupdates: ['./metadata.xml']
myheaders: []

Using commit message:
------------------------------------------------------------------------------
Update metadata.
(Portage version: 2.1)
------------------------------------------------------------------------------
/var/cvsroot/gentoo-x86/app-backup/amanda/metadata.xml,v  <--  metadata.xml
new revision: 1.3; previous revision: 1.2
>>> Creating Manifest for /usr/gentoo-cvs/gentoo-x86/app-backup/amanda
digest.assumed 1 digest-amanda-2.4.5::amanda-2.4.5.tar.gz
gpg: WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x8129260.curie-int.8076': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x8129260.curie-int.8076': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/pubring.gpg': general error
gpg: no default secret key: secret key not available
gpg: ./Manifest: clearsign failed: secret key not available
!!! "!!! gpg exited with '512' status"
!!! Disabled FEATURES='sign'
/var/cvsroot/gentoo-x86/app-backup/amanda/Manifest,v  <--  Manifest
new revision: 1.19; previous revision: 1.18
Created attachment 89123 [details]
strace2.log.bz2

Sorry about the compression; the file was too big for a direct upload.
The interesting bits, with line numbers.

...
77671 [pid  8541] mmap2(NULL, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f9d000
77672 [pid  8541] capset(0x19980330, 0, {CAP_IPC_LOCK, CAP_IPC_LOCK, 0}) = 0
77673 [pid  8541] mlock(0xb7f9d000, 32768) = 0
77674 [pid  8541] capset(0x19980330, 0, {0, CAP_IPC_LOCK, 0}) = 0
77675 [pid  8541] getuid32() = 0
77676 [pid  8541] geteuid32() = 0
77677 [pid  8541] access("/home/robbat2/.gnupg/gpg.conf-1.4.3-ecc0.1.6", R_OK) = -1 EACCES (Permission denied)
77678 [pid  8541] access("/home/robbat2/.gnupg/gpg.conf-1.4.3", R_OK) = -1 EACCES (Permission denied)
77679 [pid  8541] access("/home/robbat2/.gnupg/gpg.conf-1.4", R_OK) = -1 EACCES (Permission denied)
77680 [pid  8541] access("/home/robbat2/.gnupg/gpg.conf-1", R_OK) = -1 EACCES (Permission denied)
77681 [pid  8541] access("/home/robbat2/.gnupg/gpg.conf", R_OK) = -1 EACCES (Permission denied)
77682 [pid  8541] stat64("/home/robbat2/.gnupg", {st_dev=makedev(8, 10), st_ino=10748027, st_mode=S_IFDIR|0700, st_nlink=3, st_uid=10000, st_gid=100, st_blksize=4096, st_blocks=8, st_size=4096, st_atime=2005/02/09-22:08:00, st_mtime=2006/06/14-02:35:55, st_ctime=2006/06/14-02:35:55}) = 0
77683 [pid  8541] stat64("/home/robbat2", {st_dev=makedev(8, 10), st_ino=10747905, st_mode=S_IFDIR|0755, st_nlink=256, st_uid=10000, st_gid=100, st_blksize=4096, st_blocks=112, st_size=53248, st_atime=2005/06/02-19:58:09, st_mtime=2006/06/14-03:30:03, st_ctime=2006/06/14-03:30:03}) = 0
77684 [pid  8541] getuid32() = 0
77685 [pid  8541] write(2, "gpg: ", 5gpg: ) = 5
77686 [pid  8541] write(2, "WARNING: unsafe ownership on hom"..., 60WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'
77687 ) = 60
77688 [pid  8541] open("/home/robbat2/.gnupg/options", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
77689 [pid  8541] access("/home/robbat2/.gnupg/random_seed", F_OK) = -1 EACCES (Permission denied)
77690 [pid  8541] open("/home/robbat2/.gnupg/secring.gpg", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
77691 [pid  8541] access("/home/robbat2/.gnupg/secring.gpg", F_OK) = -1 EACCES (Permission denied)
77692 [pid  8541] access("/home/robbat2/.gnupg", F_OK) = 0
77693 [pid  8541] getpid() = 8541
77694 [pid  8541] uname({sysname="Linux", nodename="curie-int", release="2.6.13-gentoo", version="#1 Fri Sep 2 00:50:40 PDT 2005", machine="i686"}) = 0
77695 [pid  8541] getpid() = 8541
77696 [pid  8541] open("/home/robbat2/.gnupg/.#lk0x8129260.curie-int.8541", O_WRONLY|O_CREAT|O_EXCL|O_LARGEFILE, 0644) = -1 EACCES (Permission denied)
77697 [pid  8541] write(2, "gpg: ", 5gpg: ) = 5
77698 [pid  8541] write(2, "failed to create temporary file "..., 103failed to create temporary file `/home/robbat2/.gnupg/.#lk0x8129260.curie-int.8541': Permission denied
77699 ) = 103

Very interestingly, look at these:

77675 [pid  8541] getuid32() = 0
77676 [pid  8541] geteuid32() = 0
...
77684 [pid  8541] getuid32() = 0
...
77691 [pid  8541] access("/home/robbat2/.gnupg/secring.gpg", F_OK) = -1 EACCES (Permission denied)

If we are running as root, why did access to that file get blocked? Maybe something with the capabilities stuff?
This just in: it is a breakage in the capabilities stuff. USE=-caps emerge =gnupg-1.4* and then repoman works fine.
mars tmp # gpg -a --clearsign -u 0x467fbf7d --homedir /home/peter/.gnupg test.sh
gpg: WARNING: unsafe ownership on homedir `/home/peter/.gnupg'

You need a passphrase to unlock the secret key for
user: "Peter Hyman (GnuPG Key for Peter Hyman) <pete@peterhyman.com>"
1024-bit DSA key, ID 467FBF7D, created 2003-06-20

File `test.sh.asc' exists. Overwrite? (y/N) y

This was an attempt to simulate the signing of a file with a key owned by a user, as root. Works for me.
Great! I am glad you were able to discover that. I have -caps in my use flags for gnupg. So, I never would have been able to reproduce. The repoman source for this action looked OK afaik. I was stumped! Good work!
Created attachment 89127 [details]
strace3.log

Here is a log of just gnupg running, that shows only its failure, and none of the repoman bloat.
***
*** WARNING: using capabilities with GnuPG is experimental code!
***"

and

***
*** The use of capabilities on this system is not possible.
*** You need a recent Linux kernel and some patches:
***   fcaps-2.2.9-990610.patch      (kernel patch for 2.2.9)
***   fcap-module-990613.tar.gz     (kernel module)
***   libcap-1.92.tar.gz            (user mode library and utilities)
*** And you have to configure the kernel with CONFIG_VFS_CAP_PLUGIN
*** set (filesystems menu). Be warned: This code is *really* ALPHA.
***"

You did see this in configure, didn't you?
Miles ahead of you there. I'm the developer that added libcap to the tree. 1.92 is a misnomer, they renumbered it. 1.92 was released in 1998. 1.10 is the current version. Capabilities were alpha-level code in the 2.2 kernel, but that was MANY years ago. They are stable in 2.6, it's just gnupg using them wrongly it seems.
(In reply to comment #17)
> Miles ahead of you there.

(you and the rest of the world :) )

> I'm the developer that added libcap to the tree.
> 1.92 is a misnomer, they renumbered it.
> 1.92 was released in 1998. 1.10 is the current version.
>

Shoot me! I'm the idiot! But seriously, I did not know your involvement.

> Capabilities were alpha-level code in the 2.2 kernel, but that was MANY years
> ago.
> They are stable in 2.6, it's just gnupg using them wrongly it seems.
>

Well, at least it (gnupg) warns of that in configure. From my brief review, I am not sure what "capabilities" are added. And, btw, I was not able to find the VFS_CAP_PLUGIN anywhere in the kernel tree. Is a patch still needed?

At least we know the cause, although not the solution, to the problem. :)
no solutions other than -cap which is where I am at.
Here's a testcase of what gnupg SHOULD be doing.

Testcase output as a user:

initial - Caps: 134524940 is =i cap_setpcap-i
point #1 (should be cap_ipc_lock+ep) - Caps: 134524972 is =i cap_setpcap-i
39:errno=(1,Operation not permitted)
point #2 (should be cap_ipc_lock+p) - Caps: 134524972 is =i cap_setpcap-i
47:errno=(1,Operation not permitted)
point #3 (should be cap_ipc_lock-eip) - Caps: 134524972 is =i cap_setpcap,cap_ipc_lock-i
point #4 (Should be cap_ipc_lock+ep) - Caps: 134525004 is =i cap_setpcap,cap_ipc_lock-i
point #5 (should be all-eip) - Caps: 134525076 is =
point #6 (should be all+eip) - Caps: 134525124 is =
65:errno=(1,Operation not permitted)
end - Caps: 134525124 is =

Testcase output as root:

initial - Caps: 134524940 is =eip cap_setpcap-eip
point #1 (should be cap_ipc_lock+ep) - Caps: 134524972 is =eip cap_setpcap-eip
point #2 (should be cap_ipc_lock+p) - Caps: 134524972 is =eip cap_ipc_lock-e cap_setpcap-eip
point #3 (should be cap_ipc_lock-eip) - Caps: 134524972 is =eip cap_setpcap,cap_ipc_lock-eip
point #4 (Should be cap_ipc_lock+ep) - Caps: 134525004 is =eip cap_setpcap,cap_ipc_lock-eip
point #5 (should be all-eip) - Caps: 134525084 is =
point #6 (should be all+eip) - Caps: 134525132 is =
65:errno=(13,Permission denied)
end - Caps: 134525132 is =

Testcase (build with: gcc -o captest captest.c -lcap):

    #include <errno.h>
    #include <fcntl.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/capability.h>

    #ifndef O_LARGEFILE
    #define O_LARGEFILE 0100000
    #endif
    /* The lock file gnupg failed to create in the strace above: inside a
       0700 directory owned by uid 10000, so root needs CAP_DAC_OVERRIDE. */
    #define FILENAME "/home/robbat2/.gnupg/.#lk0x8129260.curie-int.8541"

    /* Print the process's current capability sets in cap_to_text() form. */
    void print_cap(const char *prefix) {
        cap_t current_cap = cap_get_proc();
        char *cap_string = cap_to_text(current_cap, NULL);
        printf("%s - Caps: %p is %s\n", prefix, (void *)current_cap, cap_string);
        cap_free(cap_string);
        cap_free(current_cap);
    }

    /* Report and clear errno, tagged with the source line of the call. */
    void pe(int l) {
        if (errno != 0) { printf("%d:errno=(%d,%s)\n", l, errno, strerror(errno)); }
        errno = 0;
    }

    int main(int argc, char **argv) {
        unlink(FILENAME);
        print_cap("initial");
        errno = 0;
        cap_t current_cap = cap_get_proc();
        cap_value_t caps[] = { CAP_IPC_LOCK };

        /* Right way: take the existing sets and flip only CAP_IPC_LOCK.
           What gnupg does instead: cap_set_proc(cap_from_text("cap_ipc_lock+ep")); */
        cap_set_flag(current_cap, CAP_EFFECTIVE, 1, caps, CAP_SET); pe(__LINE__);
        cap_set_flag(current_cap, CAP_PERMITTED, 1, caps, CAP_SET); pe(__LINE__);
        cap_set_proc(current_cap);
        print_cap("point #1 (should be cap_ipc_lock+ep)");

        /* Lower it again, keeping it permitted.
           gnupg's version: cap_set_proc(cap_from_text("cap_ipc_lock+p")); */
        cap_set_flag(current_cap, CAP_EFFECTIVE, 1, caps, CAP_CLEAR); pe(__LINE__);
        cap_set_flag(current_cap, CAP_PERMITTED, 1, caps, CAP_SET); pe(__LINE__);
        cap_set_proc(current_cap);
        print_cap("point #2 (should be cap_ipc_lock+p)");

        cap_set_flag(current_cap, CAP_EFFECTIVE, 1, caps, CAP_CLEAR); pe(__LINE__);
        cap_set_flag(current_cap, CAP_PERMITTED, 1, caps, CAP_CLEAR); pe(__LINE__);
        cap_set_flag(current_cap, CAP_INHERITABLE, 1, caps, CAP_CLEAR); pe(__LINE__);
        cap_set_proc(current_cap);
        print_cap("point #3 (should be cap_ipc_lock-eip)");
        cap_free(current_cap);

        /* Now the cap_from_text() variants: each builds a fresh cap_t from the
           text alone, so cap_set_proc() replaces every set wholesale. */
        cap_set_proc(cap_from_text("cap_ipc_lock+ep"));
        print_cap("point #4 (Should be cap_ipc_lock+ep)");
        cap_set_proc(cap_from_text("all-eip"));
        print_cap("point #5 (should be all-eip)");
        cap_set_proc(cap_from_text("all+eip"));
        print_cap("point #6 (should be all+eip)");

        /* The open() that gnupg's lock code performs. */
        int fd = open(FILENAME, O_WRONLY|O_CREAT|O_EXCL|O_LARGEFILE, 0644);
        pe(__LINE__);
        if (fd >= 0) close(fd);
        print_cap("end");
        return 0;
    }

=== end of testcase

However:

cap_set_proc( cap_from_text("cap_ipc_lock+ep") );

and

cap_set_proc( cap_from_text("cap_ipc_lock+p") );

These are the existing code from gnupg. The problem with them is that they CLEAR all of the other privileges. This blocks root from accessing items that aren't owned by root ;-), like the .gnupg home directory. Additionally, that capability can't actually be granted to users without the gpg binary being setuid, and still leaves things broken for root regardless.

crypto team: I vote for disabling capabilities usage in gnupg, since it's not entirely clear what upstream was actually trying to accomplish.
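The strace (comment with the getuid32()=0 / EACCES pairs) and the testcase above both turn on one point: cap_from_text() builds a brand-new cap_t containing only the named bits, so cap_set_proc() on it replaces the whole set, and root silently loses CAP_DAC_OVERRIDE, which is what lets uid 0 open a 0700 directory owned by uid 10000. The following is an added example, not code from the bug report, from gnupg or from libcap: it models the two sequences side by side on the raw Linux v1 capability ABI (the 0x19980330 header the strace shows) so it compiles without -lcap and can be inspected as an ordinary user. Assumptions, labelled in the code: Linux, the v1 32-bit masks, and the CAP_* numbers 1, 8 and 14 from <linux/capability.h>. Only capget() is actually issued (always permitted); the "what would capset() leave behind" part is computed in user space and returned, so nothing here needs root.

```c
/* Added example (not from the bug, gnupg or libcap). Models the effect of
   gnupg's cap_set_proc(cap_from_text("cap_ipc_lock+ep")) versus the
   cap_get_proc()+cap_set_flag() sequence from the testcase, on the raw v1
   capget/capset ABI.  Assumes Linux and the v1 32-bit masks. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

#define CAP_V1_VERSION   0x19980330u  /* _LINUX_CAPABILITY_VERSION_1 (assumed) */
#define CAP_DAC_OVERRIDE 1            /* numbers from <linux/capability.h> */
#define CAP_SETPCAP      8
#define CAP_IPC_LOCK     14
#define CAP_BIT(c) (1u << (c))

struct cap_hdr  { uint32_t version; int pid; };              /* __user_cap_header_struct */
struct cap_data { uint32_t effective, permitted, inheritable; }; /* __user_cap_data_struct (v1) */

/* Read this process's own sets; capget() on pid 0 is allowed for any uid. */
int get_caps(struct cap_data *out) {
#ifdef __linux__
    struct cap_hdr hdr = { CAP_V1_VERSION, 0 };
    return (int)syscall(SYS_capget, &hdr, out);
#else
    (void)out;
    return -1;   /* not Linux: nothing to read */
#endif
}

/* gnupg's way: cap_from_text("cap_ipc_lock+ep") is a fresh cap_t with exactly
   one bit raised.  cap_set_proc() installs it wholesale, so the result does
   not depend on what the process had before: everything else is gone. */
struct cap_data replace_with_ipc_lock_ep(void) {
    struct cap_data d = { CAP_BIT(CAP_IPC_LOCK), CAP_BIT(CAP_IPC_LOCK), 0 };
    return d;
}

/* Testcase's way: start from the current sets, add CAP_IPC_LOCK to E and P. */
struct cap_data raise_ipc_lock_keep_rest(struct cap_data cur) {
    cur.effective |= CAP_BIT(CAP_IPC_LOCK);
    cur.permitted |= CAP_BIT(CAP_IPC_LOCK);
    return cur;
}

/* Matching lowering step after mlock(): clear E only, keep P so the bit can
   be raised again without being setuid or re-executed. */
struct cap_data lower_ipc_lock_keep_rest(struct cap_data cur) {
    cur.effective &= ~CAP_BIT(CAP_IPC_LOCK);
    return cur;
}

/* The check behind the strace's open() -> EACCES while getuid()==0: root only
   bypasses a 0700 directory owned by another uid via CAP_DAC_OVERRIDE. */
int can_override_dac(struct cap_data d) {
    return (d.effective & CAP_BIT(CAP_DAC_OVERRIDE)) != 0;
}

/* Effective bits that `before` had and `after` lacks. */
uint32_t dropped_effective(struct cap_data before, struct cap_data after) {
    return before.effective & ~after.effective;
}

static void show(const char *label, struct cap_data cur, struct cap_data next) {
    printf("%-8s E=%08x P=%08x I=%08x dac_override=%d dropped=%08x\n", label,
           (unsigned)next.effective, (unsigned)next.permitted,
           (unsigned)next.inheritable, can_override_dac(next),
           (unsigned)dropped_effective(cur, next));
}

int main(void) {
    struct cap_data cur;
    if (get_caps(&cur) != 0) { perror("capget"); return 1; }
    show("current", cur, cur);
    show("replace", cur, replace_with_ipc_lock_ep());            /* gnupg */
    show("modify",  cur, raise_ipc_lock_keep_rest(cur));         /* testcase */
    show("lowered", cur, lower_ipc_lock_keep_rest(raise_ipc_lock_keep_rest(cur)));
    return 0;
}
```

Run it as root and the "replace" line shows dropped=fffffeff-ish (everything but the one bit, matching "=eip cap_setpcap-eip" collapsing to "= ... cap_ipc_lock+ep" in the testcase), while "modify" drops nothing; as an unprivileged user all three lines are empty, which is the other half of the bug: without setuid the raise can never succeed for a normal user anyway.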
Peter: I'm just annoyed at myself that I didn't strace gnupg sooner and spot this.
Good one, Robin. Happy to remove caps. If upstream wants to fix it for the next release (if there is one), we may add it back. It still leaves a requirement for +suid for <2.6.9 kernels, so I'm thinking of adding that back to keep those 2.4 junkies happy. Thoughts? Robin, you did the hard yards; want to report this upstream?
Ok, I've put out revision bumps of 1.4 and 1.9 that now have capabilities disabled. I'm going to talk to upstream and see what they think should be done.
Hi, what is the current status of USE=caps support in gnupg-2.0.11 and pinentry-0.7.6? The latter package's ebuild has in pkg_postinst():

<quote>
To do so activate the caps USE flag and add the CAP_IPC_LOCK capability to the permitted set of your users."
</quote>

Googling around, I could not find what you mean by this. I saw some hints about an /etc/capabilities file, but I do not have this file; maybe that was from 2.2 kernel times?