FS#76580 - [pacman][archlinux-keyring] archlinux-keyring-wkd-sync corrupted my keyring

Attached to Project: Arch Linux
Opened by xyz (sjon) - Tuesday, 15 November 2022, 13:27 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:14 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Allan McRae (Allan)
Christian Hesse (eworm)
David Runge (dvzrv)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:

I was running pacman manually when the keyring.timer triggerd, leading to:

...
archlinux-keyring-wkd-sync[2579506]: Skipping key 034D823DA2055BEE6A6BF0BB25EA6900D9EA5EBC with UID george@rawlinson.net.nz...
archlinux-keyring-wkd-sync[2579506]: Refreshing key 034D823DA2055BEE6A6BF0BB25EA6900D9EA5EBC with UID grawlinson@archlinux.org...
archlinux-keyring-wkd-sync[2579587]: pub ed25519 2016-11-03 [C]
archlinux-keyring-wkd-sync[2579587]: 034D823DA2055BEE6A6BF0BB25EA6900D9EA5EBC
archlinux-keyring-wkd-sync[2579587]: uid [ unknown] George Rawlinson <george@rawlinson.net.nz>
archlinux-keyring-wkd-sync[2579587]: uid [ full ] George Rawlinson <grawlinson@archlinux.org>
archlinux-keyring-wkd-sync[2579587]: sub ed25519 2016-11-04 [A]
archlinux-keyring-wkd-sync[2579587]: sub ed25519 2016-11-03 [S]
archlinux-keyring-wkd-sync[2579587]: sub cv25519 2016-11-04 [E]
archlinux-keyring-wkd-sync[2579506]: Refreshing key 04DC3FB1445FECA813C27EFAEA4F7B321A906AD9 with UID polyzen@archlinux.org...
archlinux-keyring-wkd-sync[2579589]: pub rsa4096 2016-01-03 [SC] [expires: 2024-11-09]
archlinux-keyring-wkd-sync[2579589]: 04DC3FB1445FECA813C27EFAEA4F7B321A906AD9
archlinux-keyring-wkd-sync[2579589]: uid [ full ] Daniel M. Capella <polyzen@archlinux.org>
archlinux-keyring-wkd-sync[2579589]: sub rsa4096 2016-01-03 [E] [expires: 2024-11-09]
archlinux-keyring-wkd-sync[2579506]: Refreshing key 04F7A0E31E08D3E08D39AFEBD147F94364295E8C with UID raster@archlinux.org...
sh[2579596]: warning: Public keyring not found; have you run 'pacman-key --init'?
archlinux-keyring-wkd-sync[2579615]: gpg: can't open '/etc/pacman.d/gnupg/pubring.gpg'
archlinux-keyring-wkd-sync[2579615]: gpg: keydb_get_keyblock failed: Value not found
archlinux-keyring-wkd-sync[2579615]: gpg: no writable keyring found: Not found
archlinux-keyring-wkd-sync[2579615]: gpg: error reading '[stream]': General error
archlinux-keyring-wkd-sync[2579615]: gpg: error retrieving 'raster@archlinux.org' via WKD: General error
archlinux-keyring-wkd-sync[2579615]: gpg: error reading key: General error

It seems as running them simultaneously can result in corruption and archlinux-keyring-wkd-sync.service should have ConditionPathExists=!/var/lib/pacman/db.lck added
This task depends upon

Closed by  Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:14 GMT
Reason for closing:  Moved
Additional comments about closing:  https://gitlab.archlinux.org/archlinux/p ackaging/packages/pacman/issues/3
Comment by Christian Hesse (eworm) - Tuesday, 15 November 2022, 13:45 GMT
Hmm... I think gnupg should use its own locking, no? Anybody can explain this?
Comment by Christian Hesse (eworm) - Tuesday, 15 November 2022, 13:47 GMT
Oh, pacman adds option 'lock-never' in /etc/pacman.d/gnupg/gpg.conf...
Comment by Christian Hesse (eworm) - Tuesday, 15 November 2022, 13:52 GMT
Well, it is still possible to run the script manually. Perhaps we should check inside the script?
But this needs to work the other way round as well: I archlinux-keyring-wkd-sync is running pacman should complain.
Comment by David Runge (dvzrv) - Tuesday, 15 November 2022, 16:26 GMT
Back in September I have started a discussion around this topic on a-d-p[1], but noone seemed to show interest.

Adding `ConditionPathExists=!/var/lib/pacman/db.lck` to the service may help, but I'm not sure how to ensure we're not blocking the other way round?
Write a temporary `/var/pacman/db.lck`?

[1] https://lists.archlinux.org/archives/list/arch-dev-public%40lists.archlinux.org/thread/JVMJ6ZXLZWZ7U5SL6USGW3VR3NNMRNYJ/
Comment by Christian Hesse (eworm) - Tuesday, 15 November 2022, 20:48 GMT
Oh, this mail is marked as "important, to be read" in my inbox, but ignored since then due to limited time. 🙈

Given that the update script is run from timer, but pacman is not (at least usually)... Just adding the condition in service file first could be the first action to catch "most" issues at least.
Comment by Christian Hesse (eworm) - Tuesday, 15 November 2022, 20:54 GMT
Or we adopt something similar to makepkg...

https://gitlab.archlinux.org/pacman/pacman/-/commit/4b83bcfcee46b6adcb80fc7a9fb85d3af58fb741
https://gitlab.archlinux.org/pacman/pacman/-/blob/master/scripts/makepkg.sh.in#L245
Comment by Christian Hesse (eworm) - Tuesday, 15 November 2022, 21:04 GMT
BTW, pacman-key adds the option "lock-never" since it introduced the "--init" switch:

https://gitlab.archlinux.org/pacman/pacman/-/commit/0c9e86bab17691bf17c4251b2e16d65f517b88c8
Comment by Allan McRae (Allan) - Tuesday, 15 November 2022, 23:39 GMT
I can not find the discussion around why lock-never was added, but there was a reason at the time... There have been big changes in the GPG implementation in the last 11 years, so I guess it should be removed.

Looking for the pacman lock file only prevents archlinux-keyring-wkd-sync starting while pacman is running, and not the other way round.

I also not that pacman-key does no specific locking...
Comment by Christian Hesse (eworm) - Wednesday, 16 November 2022, 09:42 GMT
So you think we can change this in pacman? Can we be sure this works without new issues?

Will you do the change?
Comment by Allan McRae (Allan) - Wednesday, 16 November 2022, 11:03 GMT
> Can we be sure this works without new issues?

Nope...
Comment by Christian Hesse (eworm) - Monday, 21 November 2022, 13:57 GMT
Dropped the option from my configuration some days ago... No ill effects since then.
Comment by Christian Hesse (eworm) - Wednesday, 07 December 2022, 12:20 GMT
Situation is unchanged, all fine. I guess we should risk to change that setting.
Comment by Toolybird (Toolybird) - Thursday, 21 September 2023, 00:01 GMT
So it seems this needs to go "upstream" to [1]. Who wants to do the honors?

[1] https://gitlab.archlinux.org/pacman/pacman

Loading...