Bug 1801338

Summary: Changes to gpgv options used in debmirror 2.33 break gpg signature verification.
Product: [Fedora] Fedora EPEL
Reporter: Donald Ledford <ledfordd>
Component: debmirror
Assignee: Sergio Basto <sergio>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: epel7
CC: puiterwijk, sergio
Keywords: Reopened
Hardware: x86_64
OS: Linux
Fixed In Version: debmirror-2.30-4.el7 debmirror-2.35-1.el7
Last Closed: 2021-11-30 00:43:35 UTC
Type: Bug

Description Donald Ledford 2020-02-10 16:53:26 UTC
Description of problem: The 2.33-1 update to debmirror breaks syncing DEB repos with gpg signature verification enabled.

Version-Release number of selected component (if applicable): 2.33-1.el7

How reproducible: Update debmirror from 2.32-1 to 2.33-1 and attempt to sync a DEB repo with signature verification enabled.

Steps to Reproduce:
1. Update debmirror to 2.33-1
2. Sync DEB mirror with GPG signature verification turned on.

Actual results: 
debmirror reports an error with the message:
gpgv: invalid option "--output"
.temp/.tmp/dists/xenial/Release.gpg signature does not verify.

Expected results:
The repo syncs without errors.

Workaround:
Downgrade debmirror from 2.33 to 2.32.

Additional info:
This appears to be happening because the version of GPG in CentOS 7, 2.0.22, does not have the "--output" option.

Line 2255 in debmirror 2.33 is:
my @gpgv = qw(gpgv --output - --status-fd);

The gpgv call in debmirror 2.32 is made on line 2160 and does not contain the "--output" option:
my @gpgv = qw(gpgv --status-fd 1);

Rebasing GPG2 for CentOS/RHEL 7 to a newer 2.2.x release would resolve this issue but it's probably easier to back the change out of debmirror.

Comment 1 Donald Ledford 2020-02-10 16:56:33 UTC
Sorry, I meant 2.30-1 not 2.32-1 in the above comment.

Comment 2 Sergio Basto 2020-02-12 07:19:10 UTC
Thank you for the report 

You mean just removing "--output -" fixes the problem?

Comment 3 Donald Ledford 2020-02-12 16:48:43 UTC
I'm not sure that just removing "--output -" would resolve the issue. 

It appears the code changes between 2.30 and 2.33 added lines to dynamically change the "--status-fd" FD number at runtime. The code appears to check the gpgv STDOUT for a good signature message. If --status-fd isn't 1 or 2 the Perl code may not get the gpgv command output to check. I'm guessing that "--output -" was added so the output is always sent to STDOUT and other messages can be sent to other FD descriptors with the dynamic "--status-fd" FD option.

The code change for this functionality was done in commit 3b5c84e534e52f51e0a6373223483f1130d45e3e in response to Debian bug 918304. The first release of debmirror with these changes was version 2.31.

See here: https://salsa.debian.org/debian/debmirror/commit/3b5c84e534e52f51e0a6373223483f1130d45e3e

and here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918304

I'll be honest, I'm not a programmer and Perl isn't a language I'm super familiar with so I'm guessing on the above analysis.

I reverted the debmirror package to 2.30-1 and pinned it on my production system to work around this bug. My repos are still syncing correctly with the 2.30-1 package and GPG signature verification turned on.
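
The status check that comment 3 describes can be sketched as follows. This is an added example, not part of the original thread and not debmirror's own code: it parses gpgv `--status-fd` lines and fails closed, separating a gpgv invocation failure (as with the rejected `--output` option) from a bad or unverifiable signature. The function names, the `--keyring` and file arguments, the strict acceptance policy and the sample status lines are assumptions constructed for illustration.

```python
import subprocess

def status_keywords(text):
    """Collect keywords from '[GNUPG:] KEYWORD args...' status lines."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            found.append(parts[1])
    return found

def classify(status_text, exit_code):
    """Fail closed: only an explicit GOODSIG with no BADSIG counts as verified."""
    kw = status_keywords(status_text)
    if "BADSIG" in kw:
        return "bad-signature"
    if "GOODSIG" in kw:
        return "good"
    if not kw and exit_code != 0:
        # No status lines at all: gpgv never got as far as checking anything,
        # e.g. it rejected an option such as --output on an old release.
        return "gpgv-failed"
    return "unverified"

def run_gpgv(keyring, sig_path, data_path, gpgv="gpgv"):
    """Status on fd 1 and no --output, like the 2.30 line quoted in the report.
    The --keyring and file arguments are this example's assumption."""
    proc = subprocess.run(
        [gpgv, "--status-fd", "1", "--keyring", keyring, sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return classify(proc.stdout, proc.returncode), proc.stderr.strip()

# Constructed samples (key IDs, user IDs and exit codes are made up).
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Archive Key <archive@example.invalid>\n"
)
SAMPLE_BAD = (
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Archive Key <archive@example.invalid>\n"
)
SAMPLE_NOKEY = (
    "[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1581353606 9\n"
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"
)

if __name__ == "__main__":
    for name, text, rc in [("good", SAMPLE_GOOD, 0), ("bad", SAMPLE_BAD, 1),
                           ("no key", SAMPLE_NOKEY, 2), ("invalid option", "", 2)]:
        print(name, "->", classify(text, rc))
```

Reporting `gpgv-failed` separately from `bad-signature` keeps the mirror from syncing unverified data while pointing the operator at the gpgv invocation rather than at the repository's signature.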

Comment 4 Sergio Basto 2020-02-15 03:01:55 UTC
OK, no worries, maybe the best is to roll back to debmirror-2.30 in el7, isn't it?

Thanks for the report

Comment 5 Fedora Update System 2020-03-01 23:07:51 UTC
debmirror-2.30-4.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-9d014c4edf

Comment 6 Fedora Update System 2020-03-16 16:06:11 UTC
debmirror-2.30-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Sergio Basto 2021-09-17 13:47:13 UTC
(In reply to Sergio Basto from comment #2)
> Thank you for the report 
> 
> You mean just removing "--output -" fixes the problem?

OK, I'm sending debmirror-2.35-1.el7 to testing with the mentioned patch, since I got another person who says that it is working, and debmirror-2.35 is needed to pick up the new cnf metadata that Ubuntu 20.04 requires.

Comment 8 Fedora Update System 2021-09-17 13:51:00 UTC
FEDORA-EPEL-2021-f005e1b879 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-f005e1b879

Comment 9 Fedora Update System 2021-09-17 14:19:00 UTC
FEDORA-EPEL-2021-f005e1b879 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-f005e1b879

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2021-11-30 00:43:35 UTC
FEDORA-EPEL-2021-f005e1b879 has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.