|Summary:||Changes to gpgv options used in debmirror 2.33 break gpg signature verification.|
|Product:||[Fedora] Fedora EPEL||Reporter:||Donald Ledford <ledfordd>|
|Component:||debmirror||Assignee:||Sergio Basto <sergio>|
|Status:||CLOSED ERRATA||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Fixed In Version:||debmirror-2.30-4.el7||Doc Type:||If docs needed, set a value|
|Doc Text:||Story Points:||---|
|Last Closed:||2020-03-16 16:06:11 UTC||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description Donald Ledford 2020-02-10 16:53:26 UTC
Description of problem: The 2.33-1 update to debmirror breaks syncing DEB repos with gpg signature verification enabled. Version-Release number of selected component (if applicable): 2.33-1.el7 How reproducible: Update debmirror from 2.32-1 to 2.33-1 and attempt to sync a DEB repo with signature verification enabled. Steps to Reproduce: 1. Update debmirror to 2.33-1 2. Sync DEB mirror with GPG signature verification turned on. Actual results: debmirror reports an error with the message: gpgv: invalid option "--output" .temp/.tmp/dists/xenial/Release.gpg signature does not verify. Expected results: The repo syncs without errors. Wordaround: Downgrade debmirror from 2.33 to 2.32. Additional info: This appears to be happening because the version of GPG in CentOS 7, 2.0.22, does not have the "--output" option. Line 2255 in debmirror 2.33 is: my @gpgv = qw(gpgv --output - --status-fd); The gpgv call in debmirror 2.32 is made on line 2160 and does not contain the "--output" option: my @gpgv = qw(gpgv --status-fd 1); Rebasing GPG2 for CentOS/RHEL 7 to a newer 2.2.x release would resolve this issue but it's probably easier to back the change out of debmirror.
Comment 1 Donald Ledford 2020-02-10 16:56:33 UTC
Sorry, I meant 2.30-1 not 2.32-1 in the above comment.
Comment 2 Sergio Basto 2020-02-12 07:19:10 UTC
Thank you for the report use mean just remove "--output -" fixes the problem ?
Comment 3 Donald Ledford 2020-02-12 16:48:43 UTC
I'm not sure that just removing "--output -" would resolve the issue. It appears the code changes between 2.30 and 2.33 added lines to dynamically change the "--status-fd" FD number at runtime. The code appears to check the gpgv STDOUT for a good signature message. If --status-fd isn't 1 or 2 the Perl code may not get the gpgv command output to check. I'm guessing that "--output -" was added so the output is always sent to STDOUT and other messages can be sent to other FD descriptors with the dynamic "--status-fd" FD option. The code change for this functionality was done in commit 3b5c84e534e52f51e0a6373223483f1130d45e3e in response to Debian bug 918304. The first release of debmirror with these changes was version 2.31. See here: https://salsa.debian.org/debian/debmirror/commit/3b5c84e534e52f51e0a6373223483f1130d45e3e and here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918304 I'll be honest, I'm not a programmer and Perl isn't a language I'm super familiar with so I'm guessing on the above analysis. I reverted the debmirror package to 2.30-1 and pinned it on my production system to work around this bug. My repos are still syncing correctly with the 2.30-1 package and GPG signature verification turned on.
Comment 4 Sergio Basto 2020-02-15 03:01:55 UTC
OK, no worries, maybe the best is rollback to debmirror-2.30 in el7 , isn't it . Thanks for the report
Comment 5 Fedora Update System 2020-03-01 23:07:51 UTC
debmirror-2.30-4.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-9d014c4edf
Comment 6 Fedora Update System 2020-03-16 16:06:11 UTC
debmirror-2.30-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.