FS#77634 - [archlinux-keyring] archlinux-keyring-wkd-sync fails the systemd unit if keys vanished from wkd

Attached to Project: Arch Linux
Opened by Erich Eckner (deepthought) - Friday, 24 February 2023, 12:54 GMT
Last edited by David Runge (dvzrv) - Saturday, 25 February 2023, 18:39 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Christian Hesse (eworm)
David Runge (dvzrv)
Levente Polyak (anthraxx)
Morten Linderud (Foxboron)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

It appears some keys vanished from the WKD, which makes the script exit != 0, which makes the systemd unit fail. There should somehow be a mechanism to deliberately remove keys from the list (from the distribution side).

# LC_ALL=C /usr/bin//archlinux-keyring-wkd-sync | grep -v '^Refreshing \|^uid \|^sub \|^pub \|Skipping \|^\s*[A-F0-9]\{40\}$\|^\s*$'
gpg: error retrieving 'djgera@archlinux.org' via WKD: No data
gpg: error reading key: No data
gpg: error retrieving 'ibiru@archlinux.org' via WKD: No data
gpg: error reading key: No data
gpg: error retrieving 'ronald@archlinux.org' via WKD: No data
gpg: error reading key: No data

and consistently, /usr/bin//archlinux-keyring-wkd-sync exits with code 3.

Updating the keyring does not help (it's the newest version in the above logs already).

As a side effect, the WKD on archlinux.org will get hammered by all the retrying systemd units on all the archlinux machines that have obsolete keys in their keyrings.

Additional info:
* package version(s)
archlinux-keyring 20230130-1

Steps to reproduce:
systemctl status archlinux-keyring-wkd-sync.service

Closed by  David Runge (dvzrv)
Saturday, 25 February 2023, 18:39 GMT
Reason for closing:  Upstream
Additional comments about closing:  Closed in favor of https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/218
Comment by Christian Hesse (eworm) - Friday, 24 February 2023, 22:24 GMT
So why did these keys vanish from WKD?

The WKD is populated from a GitLab pipeline, no? Who is responsible for that and can have a look?
Comment by David Runge (dvzrv) - Friday, 24 February 2023, 23:13 GMT
It seems that the keys in question are (now) skipped in `make wkd` as they have SHA-1 self signatures.
This is in line with sequoia's upstream decision to no longer support these types of keys. I was not aware that the WKD export would be affected by this, though.

I guess one way to go about it would be to blacklist the keys in question (as they are no longer used for any packaging anyways) in the script.
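
One way a sync wrapper could separate keys deliberately dropped from WKD from real lookup failures, as an added example that is not code from archlinux-keyring or from any commenter on this task. The function names and the space-separated denylist format are assumptions; the sample log reuses the gpg lines quoted in the report.

```shell
#!/bin/sh
# Added example: classify WKD lookup failures found in gpg's output.
# SAMPLE_LOG reuses the three error pairs quoted in the report above.
SAMPLE_LOG="gpg: error retrieving 'djgera@archlinux.org' via WKD: No data
gpg: error reading key: No data
gpg: error retrieving 'ibiru@archlinux.org' via WKD: No data
gpg: error reading key: No data
gpg: error retrieving 'ronald@archlinux.org' via WKD: No data
gpg: error reading key: No data"

# Print the addresses for which WKD returned "No data", one per line.
wkd_missing() {
    sed -n "s/^gpg: error retrieving '\([^']*\)' via WKD: No data\$/\1/p"
}

# Print WKD retrieval errors that carry any other reason.
# Exit status is 0 only if at least one such line exists.
wkd_other_errors() {
    grep "^gpg: error retrieving '.*' via WKD: " | grep -v ': No data$'
}

# classify_wkd_log LOG DENYLIST   (both hypothetical parameters)
# Prints addresses that are missing from WKD but not on the denylist.
# Returns 0 when every failure is an expected, denylisted "No data";
# returns 1 otherwise, so the unit still fails on real problems.
classify_wkd_log() {
    log=$1 denylist=$2 unexpected=""
    for addr in $(printf '%s\n' "$log" | wkd_missing); do
        case " $denylist " in
            *" $addr "*) ;;                        # retired key, expected
            *) unexpected="$unexpected $addr" ;;   # key vanished unannounced
        esac
    done
    # A failure with any reason other than "No data" is never tolerated.
    if printf '%s\n' "$log" | wkd_other_errors >/dev/null; then
        return 1
    fi
    [ -z "$unexpected" ] || { printf '%s\n' $unexpected; return 1; }
}
```

With such a split, a retired key no longer turns every timer run into a failed unit, while an address that disappears without being denylisted is still reported.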
