Bug 1153676

Summary: All GPG-related operations are broken in seahorse
Product: [Fedora] Fedora Reporter: Michael Catanzaro <mcatanzaro+wrong-account-do-not-cc>
Component: seahorseAssignee: Matthias Clasen <mclasen>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 20CC: bcl, debarshir, jamielinux, kparal, mclasen, pachoramos1, rdieter, robatino, stefw, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: AcceptedBlocker
Fixed In Version: seahorse-3.14.0-2.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-11-10 06:35:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1043129    

Description Michael Catanzaro 2014-10-16 14:04:05 UTC 
Description of problem: In seahorse, attempting to do anything more complicated than creating a GPG key fails with the error message "General error." Downgrading gnupg2 from 2.0.25-1.fc20.x86_64 to 2.0.22-1.fc20.x86_64 fixes the issue, so filing against gnupg2.


Version-Release number of selected component (if applicable): 2.0.25-1.fc20.x86_64


How reproducible: Always


Steps to Reproduce:
1. Create a GPG key with Seahorse
2. Attempt to (a) change the expiration date of the key, or (b) sign it with another key, using Seahorse

Actual results: "General Error"


Expected results: Operation succeeds


Additional info: Going forward, we in GNOME will need to figure out how to respond to protocol changes in gnupg (we've discussed ripping out our gpg agent and using the gnupg pinentry interface instead), but I'm filing this bug against gnupg because (a) the relevant changes really need to be reverted for F20, since you shouldn't break other apps mid-release, and (b) it would be really helpful to revert this for F21 as well, since fixing this on the GNOME side is not trivial and sans an unexpected volunteer, it's unlikely we'll be able to do so in the next couple of months. (My opinion is that if we can't get this working in time for F22, then we should consider removing GPG functionality from seahorse, since it's not reasonable to indefinitely block gnupg development for GNOME's needs.)

Also, as a heads up: I need to verify that this problem also occurs in F21 in addition to F20, but once I've done so I'm going to propose it as a F21 final blocker under the menu sanity criterion, since seahorse doesn't pass a basic functionality test.
Comment 1 Tomas Mraz 2014-10-16 15:30:03 UTC 
Reverting it means there will be unfixed security issues present - namely the CVE-2014-4617 will be.
Comment 2 Stef Walter 2014-10-16 15:31:44 UTC 
I think there's a work around that could be implemented in seahorse ... to force use of GnuPG 1.4.x for now.
Comment 3 Tomas Mraz 2014-10-16 15:32:41 UTC 
As this issue is moderate only I would say we can afford to have it unfixed on F19 and F20, but I am against reverting on F21.
Comment 4 Michael Catanzaro 2014-10-16 22:44:47 UTC 
(In reply to Stef Walter from comment #2)
> I think there's a work around that could be implemented in seahorse ... to
> force use of GnuPG 1.4.x for now.

If that fixes seahorse, then we don't need any changes in gnupg at all, correct?
Comment 5 Michael Catanzaro 2014-10-17 00:31:43 UTC 
On F21, simply creating a GPG key with seahorse is broken.  Proposing as a F21 final blocker:

"All applications that can be launched using the standard graphical mechanism of a release-blocking desktop after a default installation of that desktop must start successfully and withstand a basic functionality test."

"Basic functionality means that the app must at least be broadly capable of its most basic expected operations"

Seahorse is a tool for creating and managing stored passwords, OpenSSH, and GnuPG keys. Everything GnuPG-related is currently broken.
Comment 6 Kamil Páral 2014-11-05 18:30:57 UTC 
Discussed at 2014-11-05 blocker review meeting [1]. Accepted as a blocker. This bug is a clear violation of the Basic functionality final criterion [2]. It needs to be resolved in one way or other (downgrading seahorse to use gnupg1, removing gnupg functionality from seahorse, removing seahorse from default installation, reverting patches in gnupg2, ...).

[1] http://meetbot.fedoraproject.org/fedora-blocker-review/2014-11-05/
[2] https://fedoraproject.org/wiki/Fedora_21_Final_Release_Criteria#Default_application_functionality
Comment 7 Michael Catanzaro 2014-11-05 20:31:57 UTC 
(In reply to Kamil Páral from comment #6)
> (downgrading seahorse to use gnupg1

^ Stef has a seahorse patch for this, so no changes are needed in gnupg at this time. I just ask the gnupg maintainers to watch out for any future gnupg1 updates that could similarly break seahorse, especially in a stable release.
Comment 8 Fedora Update System 2014-11-05 20:34:00 UTC 
seahorse-3.14.0-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/FEDORA-2014-14337/seahorse-3.14.0-2.fc21
Comment 9 Brian Lane 2014-11-05 21:55:51 UTC 
In my opinion it is better to keep gnupg updated and fix any packages that break as a result than it is to continue to use a version with known vulnerabilities.
Comment 10 Tomas Mraz 2014-11-06 09:20:23 UTC 
I agree with bcl here. Also the downgrade to gnupg1 should be taken only as a temporary measure for F21 and for F22 it should be fixed to work with gnupg2 correctly or the gpg agent functionality should be dropped from it.
Comment 11 Fedora Update System 2014-11-10 06:35:44 UTC 
seahorse-3.14.0-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.