From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0

Description of problem:
The kernel-2.6.9.spec file inside kernel-2.6.9-1.681_FC3.src.rpm assumes that $HOME/.gnupg exists, without checking. Thus a rebuild warns for each module: "gpg: can't create `$HOME/.gnupg/random_seed': No such file or directory", and module signatures don't work.

Version-Release number of selected component (if applicable):
kernel-2.6.9-1.681_FC3

How reproducible:
Always

Steps to Reproduce:
1. rpm --install kernel-2.6.9-1.681_FC3.src.rpm
2. mv $HOME/.gnupg $HOME/SAVE.gnupg
3. rpmbuild -ba --target i686 kernel-2.6.9.spec >rpm.out 2>&1
4. examine rpm.out for "gpg: can't create `$HOME/.gnupg/random_seed' ..."

Actual Results:
Each module elicits the warning "gpg: can't create `$HOME/.gnupg/random_seed': No such file or directory", and module signatures don't work.

Expected Results:
The %build recipe [and perhaps earlier] should check explicitly for $HOME/.gnupg, and if not found then abort with a diagnostic message.

Additional info:
Hmmm..... The .spec file has top-level gpg commands that specify "--homedir /tmp":
-----
gpg --homedir /tmp --batch --gen-key %{SOURCE11}
gpg --homedir /tmp --export --keyring ./kernel.pub Red > extract.pub
-----
but BUILD/kernel-2.6.9/linux-2.6.9/scripts/modsign/modsign.sh has:
-----
gpg --no-greeting $KEYFLAGS -b $module.out || exit $?
-----
and $KEYFLAGS does not contain any --homedir flag.

Why don't _all_ gpg commands used by the build process use BUILD/kernel-2.6.9 as their home directory? Both /tmp and $HOME seem to be bad choices: /tmp for unpredictable collisions with other random processes, and $HOME for not being controlled by the .spec.
Does adding these lines to the specfile help?:

...
-gpg --homedir /tmp --batch --gen-key %{SOURCE11}
-gpg --homedir /tmp --export --keyring ./kernel.pub Red > extract.pub
+gpg --homedir . --batch --gen-key %{SOURCE11}
+gpg --homedir . --export --keyring ./kernel.pub Red > extract.pub
...
 # gpg sign the modules
 %if %{signmodules}
   gcc -o scripts/modsign/mod-extract scripts/modsign/mod-extract.c -Wall
+  KEYFLAGS="--no-default-keyring --homedir .."
+  KEYFLAGS="$KEYFLAGS --secret-keyring ../kernel.sec"
+  KEYFLAGS="$KEYFLAGS --keyring ../kernel.pub"
+  export KEYFLAGS
   for i in ` find $RPM_BUILD_ROOT/lib/modules/$KernelVer -name "*.ko" -type f` ; do
     sh ./scripts/modsign/modsign.sh $i Red
     mv -f $i.signed $i
   done
 %endif
...
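Review bot: In the two key-generation lines, `--homedir .` points gpg at the ordinary source directory the %build section happens to be in, and gpg requires its home directory to be private (mode 0700), so every invocation will emit an "unsafe permissions on homedir" warning and the keyrings plus random_seed end up among the kernel sources. Suggest creating a dedicated directory before the first gpg call, e.g. `mkdir -m 0700 gnupg-modulesigning-home`, and passing it (resolved through $PWD to an absolute path) as `--homedir` here and in the signing loop.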
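Review bot: The KEYFLAGS block uses `--homedir ..`, `../kernel.sec` and `../kernel.pub` relative to whatever the current directory is when the loop runs, while the generation lines above use `--homedir .`; both have to resolve to the same directory, otherwise gpg does not find the secret key and the `|| exit $?` in modsign.sh aborts the build on the first module. Suggest binding the directory to one variable holding an absolute path and using it for both sets of flags, and adding `unset KEYFLAGS` after the `done` so the exported variable does not leak into the rest of %build.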
With those additions to the .spec, now the complaint [for each module] is
-----
gpg: WARNING: unsafe permissions on homedir ".."
-----
because in general the gpg home directory should have permissions 0700 (rwx------) [no access to anyone except the owner]. So maybe a directory BUILD/gnupg-modulesigning-home-directory could be used.

Also, I prefer to clean up the shell environment when variables become unneeded:
-----
     sh ./scripts/modsign/modsign.sh $i Red
     mv -f $i.signed $i
   done
+  unset KEYFLAGS
 %endif
-----
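The following is an added example and is not code from the bug report, from Fedora's kernel.spec, or from modsign.sh. It shows the two things the thread converges on: an explicit check that the gpg home directory exists and is mode 0700 (with a clear diagnostic instead of one gpg warning per module), and a single flag set derived from one absolute directory so that key generation, export and per-module signing cannot disagree about where the keyrings live. The directory name gnupg-modulesigning-home and the keyring file names kernel.sec/kernel.pub are taken from the thread; everything else (function names, messages) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the bug report, kernel.spec or modsign.sh): a private
# GnuPG home directory for module signing, checked before any gpg call.

# mode_of DIR: print the octal permission bits (GNU stat first, BSD stat as fallback)
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_gpg_home DIR: the explicit check the report asks for. Returns 0 only when
# DIR is a directory with mode 0700, otherwise prints one diagnostic on stderr
# and returns 1 so the build aborts before the first module is signed.
check_gpg_home() {
    if [ ! -d "$1" ]; then
        echo "error: gpg home directory '$1' does not exist" >&2
        return 1
    fi
    if [ "$(mode_of "$1")" != "700" ]; then
        echo "error: gpg home directory '$1' must have mode 0700, found $(mode_of "$1")" >&2
        return 1
    fi
    return 0
}

# make_gpg_home DIR: create DIR privately (umask 077 covers the mkdir -p parents),
# force 0700 on a pre-existing directory, then re-run the check.
make_gpg_home() {
    (umask 077 && mkdir -p "$1") || return 1
    chmod 0700 "$1" || return 1
    check_gpg_home "$1"
}

# gpg_flags DIR: the one flag set every gpg invocation in the build should use.
# An absolute DIR removes the dependence on the current directory that
# "--homedir ." and "--homedir .." introduce at different points of %build.
gpg_flags() {
    printf '%s' "--no-default-keyring --homedir $1 --secret-keyring $1/kernel.sec --keyring $1/kernel.pub"
}

# sign_module DIR MODULE: what the signing loop would run per module, guarded by
# the check so a missing or world-readable home directory fails fast and loudly.
sign_module() {
    check_gpg_home "$1" || return 1
    # shellcheck disable=SC2046  # the flag string is meant to be word-split
    gpg --no-greeting $(gpg_flags "$1") -b "$2"
}

# Intended use inside %build (hypothetical variable name):
#   MODSIGN_HOME="$PWD/gnupg-modulesigning-home"
#   make_gpg_home "$MODSIGN_HOME" || exit 1
#   gpg $(gpg_flags "$MODSIGN_HOME") --batch --gen-key %{SOURCE11}
#   for i in ...; do sign_module "$MODSIGN_HOME" "$i" || exit 1; done
```

Because `gpg_flags` is computed from one absolute path, the flags handed to `--gen-key`, `--export` and `-b` are identical by construction; the per-module `check_gpg_home` call is cheap and turns the original per-module `random_seed` warnings into a single, early, actionable error.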
fixed in rawhide cvs