FS#71274 - [pacman] saves DB signature file to wrong filename when redirected to different filename
Attached to Project:
Pacman
Opened by Christoph Reiter (lazka) - Wednesday, 16 June 2021, 20:37 GMT
Last edited by Allan McRae (Allan) - Thursday, 01 July 2021, 00:59 GMT
Opened by Christoph Reiter (lazka) - Wednesday, 16 June 2021, 20:37 GMT
Last edited by Allan McRae (Allan) - Thursday, 01 July 2021, 00:59 GMT
|
Details
This worked with pacman 5, but fails with pacman 6
* Use the following DB in /etc/pacman.conf: ``` [mingw64] Server = https://mirror.msys2.org/mingw/mingw64/ ``` * Run `pacman -Syy` Expected: It works Actual: error: mingw64: missing required signature error: failed to synchronize all databases (invalid or corrupted database (PGP signature)) ---- The problem is that the mirror is a https://github.com/etix/mirrorbits instance which (1) redirects all URLs to a mirror and (2) de-refs symlinks before doing so. This means there will be redirects with a different filename for each DB related file. The first request gives: $ curl -I https://mirror.msys2.org/mingw/x86_64/mingw64.db HTTP/2 302 cache-control: private, no-cache content-type: text/html; charset=utf-8 date: Wed, 16 Jun 2021 20:21:05 GMT link: <https://repo.msys2.org/mingw/x86_64/mingw64.db.tar.gz>; rel=duplicate; pri=1; geo=de location: https://mirror.yandex.ru/mirrors/msys2/mingw/x86_64/mingw64.db.tar.gz server: Mirrorbits/v0.5.1-31-geeea0e0-dirty This results in pacman doing the following: debug: mingw64.db: url is https://mirror.msys2.org/mingw/x86_64/mingw64.db debug: mingw64.db: maxsize 134217728 debug: mingw64.db: opened tempfile for download: /var/lib/pacman/sync/mingw64.db.part (wb) debug: mingw64.db: curl returned result 0 from transfer debug: mingw64.db: response code 200 Then it tries to fetch the signature file: debug: mingw64.db.tar.gz.sig: url is https://repo.msys2.org/mingw/x86_64/mingw64.db.tar.gz.sig debug: mingw64.db.tar.gz.sig: maxsize 16384 debug: mingw64.db.tar.gz.sig: opened tempfile for download: /var/lib/pacman/sync/mingw64.db.tar.gz.sig.part (wb) debug: mingw64.db.tar.gz.sig: curl returned result 0 from transfer debug: mingw64.db.tar.gz.sig: response code 200 Then it fails to find the signature file on disk and fails: debug: "/var/lib/pacman/sync/mingw64.db.sig" is not readable: No such file or directory debug: sig path /var/lib/pacman/sync/mingw64.db.sig could not be opened debug: got error 43 at _alpm_gpgme_checksig (../lib/libalpm/signing.c: 593) : missing PGP signature debug: missing required signature error: mingw64: missing required signature debug: failed to validate db: mingw64 The filesystem contains a /var/lib/pacman/sync/mingw64.db.tar.gz.sig though I know that this is a bit of a weird edge case, so if this is out of scope I understand. I'll try to teach(hack) mirrorbits to not de-reference symlinks instead. |
This task depends upon
Closed by Allan McRae (Allan)
Thursday, 01 July 2021, 00:59 GMT
Reason for closing: Fixed
Additional comments about closing: git commit 0147de169a2abd193699957d4e76aec522901fd2
Thursday, 01 July 2021, 00:59 GMT
Reason for closing: Fixed
Additional comments about closing: git commit 0147de169a2abd193699957d4e76aec522901fd2
Comment by
Christoph Reiter (lazka) -
Wednesday, 16 June 2021, 23:40 GMT
Comment by
morganamilo (morganamilo) -
Thursday, 17 June 2021, 01:01 GMT
Comment by
Christoph Reiter (lazka) -
Thursday, 17 June 2021, 08:34 GMT
Comment by
Christoph Reiter (lazka) - Friday,
18 June 2021, 10:08 GMT
I'll try to fix mirrorbits (my server) to not leak symlink
de-reffing. Maybe this becomes all moot then.
It's a bug in alpm either way. Glad your server exposed it in time
for a .1 release.
Ah, the server URL was wrong, it's
"https://mirror.msys2.org/mingw/x86_64/" (I can't find a way to
edit the post)
I can confirm that
https://lists.archlinux.org/pipermail/pacman-dev/2021-June/025231.html
fixes the issue for me.