FS#49946 - makepkg does signing inside fakeroot which doesn't work (well) with gpg 2.1.13+

Attached to Project: Pacman
Opened by Tomas Volf (gray_-_wolf) - Monday, 04 July 2016, 19:57 GMT
Last edited by Eli Schwartz (eschwartz) - Wednesday, 13 December 2017, 20:50 GMT
Task Type Bug Report
Category General
Status Closed
Assigned To Allan McRae (Allan)
Architecture All
Severity Medium
Priority Normal
Reported Version 5.0.1
Due in Version 5.1.0
Due Date Undecided
Percent Complete 100%
Votes 9
Private No

Details

Description: makepkg signs the package inside fakeroot, which doesn't work very well with gpg 2.1.13. Every odd invocation succeeds (but still prompts for password), every even one fails.

I can try to put together a patch if there is interest and a chance to get it merged.

Originally discussed here: https://bbs.archlinux.org/viewtopic.php?id=214338

It is caused by changes in gnupg, see the link for details.

Additional info:
* package version(s): pacman 5.0.1-4, gnupg 2.1.13-1

Steps to reproduce:

1) launch gpg-agent: gpg-agent --daemon
2) makepkg --sign -f ---> will ask for password
3) makepkg --sign -f ---> will fail without asking

Logs:

[ paladin@ts ] :: ~/archrepo/laptop-mode-tools
Load: 0.25 0.37 0.25 , Memory: 25.78 %, Disk: 5.45 %
$ makepkg --sign
==> Making package: laptop-mode-tools 1.69.2-1 (Mon Jul 4 21:51:46 CEST 2016)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Found laptop-mode-tools-1.69.2-1.tar.gz
==> Validating source files with sha256sums...
laptop-mode-tools-1.69.2-1.tar.gz ... Passed
==> Extracting sources...
-> Extracting laptop-mode-tools-1.69.2-1.tar.gz with bsdtar
==> Entering fakeroot environment...
==> Starting package()...
./install.sh
which: no invoke-rc.d in (/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/home/paladin/bin:/home/paladin/bin)
which: no service in (/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/home/paladin/bin:/home/paladin/bin)
Installed ACPI support.
Installed APM support.
Installed PMU (pmud/pbbuttonsd) support.
Reloading acpid daemon
acpid(424): Operation not permitted
acpid: no process found
Installation complete.
==> Tidying install...
-> Removing libtool files...
-> Purging unwanted files...
-> Removing static library files...
-> Stripping unneeded symbols from binaries and libraries...
-> Compressing man and info pages...
==> Checking for packaging issue...
==> Creating package "laptop-mode-tools"...
-> Generating .PKGINFO file...
-> Generating .BUILDINFO file...
-> Generating .MTREE file...
-> Compressing package...
==> Signing package...
-> Created signature file /home/paladin/archrepo/packages/laptop-mode-tools-1.69.2-1-any.pkg.tar.xz.sig.
==> Leaving fakeroot environment.
==> Finished making: laptop-mode-tools 1.69.2-1 (Mon Jul 4 21:52:01 CEST 2016)

[ paladin@ts ] :: ~/archrepo/laptop-mode-tools
Load: 0.23 0.36 0.25 , Memory: 25.82 %, Disk: 5.45 %
:( $ makepkg --sign -f
==> Making package: laptop-mode-tools 1.69.2-1 (Mon Jul 4 21:52:07 CEST 2016)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Found laptop-mode-tools-1.69.2-1.tar.gz
==> Validating source files with sha256sums...
laptop-mode-tools-1.69.2-1.tar.gz ... Passed
==> Extracting sources...
-> Extracting laptop-mode-tools-1.69.2-1.tar.gz with bsdtar
==> Removing existing $pkgdir/ directory...
==> Entering fakeroot environment...
==> Starting package()...
./install.sh
which: no invoke-rc.d in (/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/home/paladin/bin:/home/paladin/bin)
which: no service in (/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/home/paladin/bin:/home/paladin/bin)
Installed ACPI support.
Installed APM support.
Installed PMU (pmud/pbbuttonsd) support.
Reloading acpid daemon
acpid(424): Operation not permitted
acpid: no process found
Installation complete.
==> Tidying install...
-> Removing libtool files...
-> Purging unwanted files...
-> Removing static library files...
-> Stripping unneeded symbols from binaries and libraries...
-> Compressing man and info pages...
==> Checking for packaging issue...
==> Creating package "laptop-mode-tools"...
-> Generating .PKGINFO file...
-> Generating .BUILDINFO file...
-> Generating .MTREE file...
-> Compressing package...
==> Signing package...
==> WARNING: Failed to sign package file.
==> Leaving fakeroot environment.
==> Finished making: laptop-mode-tools 1.69.2-1 (Mon Jul 4 21:52:14 CEST 2016)

Closed by  Eli Schwartz (eschwartz)
Wednesday, 13 December 2017, 20:50 GMT
Reason for closing:  Fixed
Additional comments about closing:  https://git.archlinux.org/pacman.git/commit/?id=c6b04c04653ba9933fe978829148312e412a9ea7
Comment by Allan McRae (Allan) - Tuesday, 05 July 2016, 01:37 GMT
Looks like we should sign outside fakeroot. Flagged for 5.0.2, but that might take a bit more changes than I would be happy with.
Comment by surefire (surefire) - Thursday, 12 January 2017, 13:19 GMT
Is it possible just to reset LD_PRELOAD for signing?

I added LD_PRELOAD= to makepkg line 1306:
LD_PRELOAD= gpg --detach-sign --use-agent ${SIGNWITHKEY} --no-armor "$filename" &>/dev/null || ret=$?

and now the signature works as expected.
Comment by Sebastian Stammler (epinephrine) - Monday, 13 February 2017, 12:40 GMT
Please fix, this bug interrupts my automated repository builds.
Comment by Sebastian Stammler (epinephrine) - Monday, 13 February 2017, 12:56 GMT
BTW, --use-agent is a dummy option in gpg2 and can be removed.
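The LD_PRELOAD workaround from the comment above and the note that --use-agent is a no-op, as an added shell example that is not code from pacman or makepkg: it detects whether the current shell is inside fakeroot (fakeroot exports FAKEROOTKEY and preloads libfakeroot through LD_PRELOAD), runs the signing command with those two variables removed from the child's environment only, and then applies the same check makepkg uses for "Failed to sign package file" (a non-empty .sig must exist). The function names, the SIGNER override and the usage stanza are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from pacman/makepkg. Demonstrates the idea behind
# the LD_PRELOAD workaround: run the signing step with the fakeroot shim
# stripped from its environment, then verify that a non-empty .sig exists.
# fakeroot exports FAKEROOTKEY and preloads libfakeroot via LD_PRELOAD; the
# function names (in_fakeroot, run_unshimmed, sign_file) and the SIGNER
# override are this example's own, not makepkg's.

# Return 0 when the current shell is running inside fakeroot.
in_fakeroot() {
    [ -n "${FAKEROOTKEY:-}" ] && return 0
    case "${LD_PRELOAD:-}" in
        *libfakeroot*) return 0 ;;
    esac
    return 1
}

# Run a command with LD_PRELOAD and FAKEROOTKEY unset for that child only.
# The calling shell keeps its fakeroot environment for the rest of the build.
run_unshimmed() {
    env -u LD_PRELOAD -u FAKEROOTKEY "$@"
}

# Produce a detached signature for "$1" as "$1.sig".
# SIGNER is the signing command (default: gpg detached signature; --use-agent
# is left out because it is a no-op in gpg2). Returns 1 when no non-empty
# .sig exists afterwards, the condition makepkg reports as
# "Failed to sign package file."
sign_file() {
    file=$1
    signer=${SIGNER:-"gpg --detach-sign --no-armor"}
    rm -f -- "$file.sig"
    if in_fakeroot; then
        # gpg talks to gpg-agent without libfakeroot interposed on its syscalls
        run_unshimmed sh -c "$signer \"\$1\"" sh "$file" || :
    else
        sh -c "$signer \"\$1\"" sh "$file" || :
    fi
    [ -s "$file.sig" ]
}

# Usage: sh sign_outside_fakeroot.sh path/to/package.pkg.tar.xz
if [ -n "${1:-}" ]; then
    if sign_file "$1"; then
        echo "  -> Created signature file $1.sig"
    else
        echo "==> WARNING: Failed to sign package file." >&2
        exit 1
    fi
fi
```

Clearing the shim for a single child is the minimal change; it leaves the rest of package() under fakeroot and only affects the process that has to reach gpg-agent. The direction Allan gives in the thread (sign after leaving fakeroot altogether) removes the need for the special case entirely.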
Comment by Allan McRae (Allan) - Monday, 17 April 2017, 08:51 GMT
Patch submitted to the mailing list.
Comment by Maciej Sitarz (macieks2) - Sunday, 22 October 2017, 15:29 GMT
Any progress on this issue?
Where can I find the proposed patch so I could test/use it?
Comment by Eli Schwartz (eschwartz) - Sunday, 22 October 2017, 16:10 GMT
It's available in pacman-git 5.0.1.r163.gc6b04c04

https://git.archlinux.org/pacman.git/commit/?id=c6b04c04653ba9933fe978829148312e412a9ea7

@allan, it is slightly awkward that even with !sign we now get the message "Signing package(s)..." as we check $SIGNPKG each time in create_signature() but the message is now generated one step up. It would probably be more accurate to do that check in makepkg.sh even if it does have to be done twice, for regular and source packages.
Comment by Eli Schwartz (eschwartz) - Sunday, 12 November 2017, 17:44 GMT