Opened 13 months ago

Closed 4 months ago

#20757 closed defect (fixed)

git-gpg-wrapper is incompatible with git ≥ 2.10.0-rc0

Reported by: dcf
Owned by: tbb-team
Priority: Medium
Component: Applications/Tor Browser
Severity: Normal
Keywords: tbb-gitian, tbb-rbm, TorBrowserTeam201708R
Cc: boklm, gk, tom

Description

Lately I've been getting this error every time in verify-tags.sh:

$ ./verify-tags.sh ../../gitian-builder/inputs/ versions
gpg: keybox '/tmp/tmp.TYcPEvMC3B/trustedkeys.gpg' created
gpg: /tmp/tmp.TYcPEvMC3B/trustdb.gpg: trustdb created
gpg: key ECE921DA863B95F7: public key "Moritz Bartl <moritz@headstrong.de>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
~/gitian-builder/inputs ~/gitian-builder/inputs
object 400dd62230d7c219b44ee2e83362a52c5e96806e
type commit
tag v0.3.1
tagger moba <m@b> 1455184284 +0100

new pgp subkey
gpg: keybox '/tmp/tmp.TYcPEvMC3B/pubring.kbx' created
gpg: Signature made Thu 11 Feb 2016 01:51:24 AM PST
gpg:                using RSA key 733018FA13A3DE49
gpg: Can't check signature: No public key
tbb-windows-installer: verification of tag v0.3.1 against /home/david/tor-browser-bundle/gitian/gpg/tbb-windows-installer.gpg failed!

I previously noticed it in comment:14:ticket:20023.

I reproduced it just now with 234b76caf9, but it's been happening even before that.

I'm using Debian stretch/sid. My gitian-builder/inputs/tbb-windows-installer is at commit 400dd62230. My local gpg key was sha256sum:

8db030a7aa217e38fa86e141c540977b408d5029e6907811e4d88f3f1c23e9b7  gpg/tbb-windows-installer.gpg

Change History (12)

comment:1 Changed 13 months ago by gk

Cc: gk added
Keywords: tbb-gitian added

I guess this may be due to gpg2 now being the default?

comment:2 in reply to:  1 Changed 12 months ago by dcf

Replying to gk:

I guess this may be due to gpg2 now being the default?

My gpg is indeed gpg2.

$ gpg --version
gpg (GnuPG) 2.1.16
libgcrypt 1.7.3-beta

comment:3 Changed 6 months ago by dcf

I think I found the cause. It is not related to gnupg1 versus gnupg2. Rather, it is caused by this commit in git, which added --keyid-format=long to gpg command lines, breaking the format expected by git-gpg-wrapper.

git-gpg-wrapper is expecting a command line that looks like

--status-fd=1 --verify /tmp/.git_vtag_tmpkVQwPB -

but instead it is receiving a line that looks like

--status-fd=1 --keyid-format=long --verify /tmp/.git_vtag_tmpkVQwPB -

You can check it yourself by adding a line echo "$@" 1>&2 at the top of git-gpg-wrapper.

If I hack git-gpg-wrapper to adjust the offsets, then tag verification finally works again for me.

 # an expired key.
 # https://bugs.torproject.org/19737
 set -e
-if [ $# -eq 4 ] && [ "$1" = '--status-fd=1' ] \
-        && [ "$2" = '--verify' ]
+if [ $# -eq 5 ] && [ "$1" = '--status-fd=1' ] \
+        && [ "$3" = '--verify' ]
 then
-    gpgv "$1" "$3" "$4" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\] GOODSIG /'
+    gpgv "$1" "$4" "$5" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\] GOODSIG /'
     exit ${PIPESTATUS[0]}
 else
     exec gpg "$@"
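Review bot: The new test `[ $# -eq 5 ] ... [ "$3" = '--verify' ]` never checks what `$2` is, so any second argument is accepted and then silently dropped from the gpgv call. The four-argument form that the removed lines matched no longer matches either, so a git that still sends it goes through `exec gpg "$@"` and loses the EXPKEYSIG rewrite. Suggest testing `[ "$2" = '--keyid-format=long' ]` explicitly and keeping the four-argument branch alongside it, or locating `--verify` by scanning the arguments instead of by position, so the next option git adds does not break verification again.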

According to the Debian changelog, the version of git that added --keyid-format=long was 2.10.0-rc0.

Last edited 6 months ago by dcf
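The positional check described in comment:3 breaks whenever git adds an option to the gpg command line. As an added example (not the project's git-gpg-wrapper and not code from this ticket), the POSIX shell function below classifies the argument list by scanning it: it accepts both command lines quoted above and rejects anything it does not recognise. The names classify_gpg_args, STATUS_ARG, SIG_FILE and DATA_ARG are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's git-gpg-wrapper. All names are hypothetical.
# classify_gpg_args ARGS...
#   Returns 0 and sets STATUS_ARG, SIG_FILE, DATA_ARG when ARGS is a tag
#   verification call that can be handed to gpgv; returns 1 otherwise, in
#   which case the caller falls through to: exec gpg "$@"
classify_gpg_args() {
    STATUS_ARG='' SIG_FILE='' DATA_ARG=''
    while [ $# -gt 0 ]; do
        case "$1" in
            --status-fd=1)
                STATUS_ARG=$1 ;;
            --keyid-format=long)
                # Passed by git >= 2.10.0-rc0. Only changes how key IDs are
                # displayed, so it is dropped rather than given to gpgv.
                ;;
            --verify)
                # Exactly two operands must follow: signature file, data.
                [ $# -eq 3 ] || return 1
                SIG_FILE=$2 DATA_ARG=$3
                shift 2 ;;
            *)
                # Unknown option or stray operand: refuse to guess.
                return 1 ;;
        esac
        shift
    done
    [ -n "$STATUS_ARG" ] && [ -n "$SIG_FILE" ]
}

# Demo on the two command lines quoted in the ticket.
for line in \
    '--status-fd=1 --verify /tmp/.git_vtag_tmpkVQwPB -' \
    '--status-fd=1 --keyid-format=long --verify /tmp/.git_vtag_tmpkVQwPB -'
do
    # Word splitting of $line is intended here.
    if classify_gpg_args $line; then
        echo "gpgv: status=$STATUS_ARG sig=$SIG_FILE data=$DATA_ARG"
    else
        echo "fall through to gpg"
    fi
done
```

In a wrapper, a zero return would feed "$STATUS_ARG" "$SIG_FILE" "$DATA_ARG" to the existing gpgv pipeline in place of the positional parameters; the status-line rewriting is unchanged by this.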

comment:4 Changed 6 months ago by dcf

Summary: Failure to verify tbb-windows-installer v3.1.0 → git-gpg-wrapper is incompatible with git ≥ 2.10.0-rc0

comment:5 Changed 6 months ago by boklm

Keywords: TorBrowserTeam201706 added

comment:6 in reply to:  3 Changed 6 months ago by arma

Replying to dcf:

I think I found the cause. It is not related to gnupg1 versus gnupg2. Rather, it is caused by this commit in git

Wow. Good find.

comment:7 Changed 6 months ago by gk

Keywords: TorBrowserTeam201707 added; TorBrowserTeam201706 removed

Moving Tickets to July 2017.

comment:8 Changed 5 months ago by gk

Keywords: TorBrowserTeam201708 added; TorBrowserTeam201707 removed

Moving our Tickets to August.

comment:9 Changed 5 months ago by boklm

This probably also affects tor-browser-build.git where we use a similar git gpg wrapper.

comment:10 Changed 5 months ago by boklm

Keywords: tbb-rbm added

comment:11 Changed 4 months ago by boklm

Cc: tom added
Keywords: TorBrowserTeam201708R added; TorBrowserTeam201708 removed
Status: new → needs_review

comment:12 Changed 4 months ago by gk

Resolution: fixed
Status: needs_review → closed

Looks good to me. This is fixed now in tor-browser-build (commit cdb545afe64aa22364f2a7e08e0afe27a1f60129 on master) and in tor-browser-bundle (commit 6b1c63cc05cd28a55a241296808eef448bdf96f3 on master and commit ddfbe17d6b6a83fc3c7fda2e6737d33221f8539c on maint-7.0).
