Bug 1801338 - Changes to gpgv options used in debmirror 2.33 break gpg signature verification.
Summary: Changes to gpgv options used in debmirror 2.33 break gpg signature verification.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: debmirror
Version: epel7
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Sergio Basto
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-02-10 16:53 UTC by Donald Ledford
Modified: 2020-03-16 16:06 UTC (History)

Fixed In Version: debmirror-2.30-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-16 16:06:11 UTC
Type: Bug
Embargoed:



Description Donald Ledford 2020-02-10 16:53:26 UTC
Description of problem: The 2.33-1 update to debmirror breaks syncing DEB repos with gpg signature verification enabled.

Version-Release number of selected component (if applicable): 2.33-1.el7

How reproducible: Update debmirror from 2.32-1 to 2.33-1 and attempt to sync a DEB repo with signature verification enabled.

Steps to Reproduce:
1. Update debmirror to 2.33-1
2. Sync DEB mirror with GPG signature verification turned on.

Actual results: 
debmirror reports an error with the message:
gpgv: invalid option "--output"
.temp/.tmp/dists/xenial/Release.gpg signature does not verify.

Expected results:
The repo syncs without errors.

Workaround:
Downgrade debmirror from 2.33 to 2.32.

Additional info:
This appears to be happening because the version of GPG in CentOS 7, 2.0.22, does not have the "--output" option.

Line 2255 in debmirror 2.33 is:
my @gpgv = qw(gpgv --output - --status-fd);

The gpgv call in debmirror 2.32 is made on line 2160 and does not contain the "--output" option:
my @gpgv = qw(gpgv --status-fd 1);

Rebasing GPG2 for CentOS/RHEL 7 to a newer 2.2.x release would resolve this issue but it's probably easier to back the change out of debmirror.

Comment 1 Donald Ledford 2020-02-10 16:56:33 UTC
Sorry, I meant 2.30-1 not 2.32-1 in the above comment.

Comment 2 Sergio Basto 2020-02-12 07:19:10 UTC
Thank you for the report 

You mean just removing "--output -" fixes the problem?

Comment 3 Donald Ledford 2020-02-12 16:48:43 UTC
I'm not sure that just removing "--output -" would resolve the issue. 

It appears the code changes between 2.30 and 2.33 added lines to dynamically change the "--status-fd" FD number at runtime. The code appears to check the gpgv STDOUT for a good signature message. If --status-fd isn't 1 or 2 the Perl code may not get the gpgv command output to check. I'm guessing that "--output -" was added so the output is always sent to STDOUT and other messages can be sent to other FD descriptors with the dynamic "--status-fd" FD option.

The code change for this functionality was done in commit 3b5c84e534e52f51e0a6373223483f1130d45e3e in response to Debian bug 918304. The first release of debmirror with these changes was version 2.31.

See here: https://salsa.debian.org/debian/debmirror/commit/3b5c84e534e52f51e0a6373223483f1130d45e3e

and here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918304

I'll be honest, I'm not a programmer and Perl isn't a language I'm super familiar with so I'm guessing on the above analysis.

I reverted the debmirror package to 2.30-1 and pinned it on my production system to work around this bug. My repos are still syncing correctly with the 2.30-1 package and GPG signature verification turned on.
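
The two gpgv invocations compared in the description and comment 3 differ in whether signature data goes to "--output -" while status lines go to a separate "--status-fd". The following is an added illustration, not debmirror's own code: it builds the argv in either style depending on the gpgv version (the 2.1 cutoff is an assumption; the page only establishes that 2.0.22 lacks "--output" and 2.2.x has it) and shows the status-line check a verifier must do, using constructed sample status output rather than a real gpgv run.

```python
"""Added example: version-aware gpgv argv plus --status-fd result parsing."""
import re

# Status output constructed for this example (not captured from a real gpgv run).
SAMPLE_STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Archive Key <placeholder@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2020-02-10 1581353606 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY
"""
SAMPLE_STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Archive Key <placeholder@example.org>
"""
SAMPLE_STATUS_NOKEY = """\
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1581353606 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

def gpgv_argv(gpgv_version, keyring, sig_path, data_path, status_fd=1):
    """Build a gpgv command line that an old gpgv will accept.

    gpgv 2.0.x (CentOS 7's 2.0.22, per the bug) rejects "--output", so it is only
    added for >= 2.1 (assumed cutoff).  On old gpgv the status lines share stdout,
    so the caller must keep status_fd=1 there, as debmirror 2.30 did.
    """
    major, minor = (int(x) for x in gpgv_version.split(".")[:2])
    argv = ["gpgv"]
    if (major, minor) >= (2, 1):
        argv += ["--output", "-"]            # debmirror 2.33 style
    elif status_fd != 1:
        raise ValueError("old gpgv: status must go to stdout (fd 1)")
    argv += ["--status-fd", str(status_fd), "--keyring", keyring, sig_path, data_path]
    return argv

def verify_status(status_text):
    """Return True only if the status stream reports a good, valid signature
    and no failure keyword; absence of GOODSIG alone is already a failure."""
    good = bad = False
    for line in status_text.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)", line)
        if not m:
            continue                        # non-status chatter, e.g. gpgv warnings
        keyword = m.group(1)
        if keyword in ("GOODSIG", "VALIDSIG"):
            good = True
        if keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            bad = True
    return good and not bad
```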

Comment 4 Sergio Basto 2020-02-15 03:01:55 UTC
OK, no worries, maybe the best is to roll back to debmirror-2.30 in el7, isn't it?

Thanks for the report

Comment 5 Fedora Update System 2020-03-01 23:07:51 UTC
debmirror-2.30-4.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-9d014c4edf

Comment 6 Fedora Update System 2020-03-16 16:06:11 UTC
debmirror-2.30-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
