Bug 142201 - .spec file assumes existence of $HOME/.gnupg without checking
Product: Fedora
Classification: Fedora
Component: kernel   
Version: 3
Hardware: i386
OS: Linux
Assignee: Dave Jones
QA Contact: Brian Brock
Reported: 2004-12-08 02:49 UTC by John Reiser
Modified: 2015-01-04 22:13 UTC

Doc Type: Bug Fix
Last Closed: 2005-01-11 01:12:42 UTC

Description John Reiser 2004-12-08 02:49:09 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
The kernel-2.6.9.spec file inside kernel-2.6.9-1.681_FC3.src.rpm
assumes that $HOME/.gnupg exists, without checking.  Thus a rebuild
warns for each module: "gpg: can't create `$HOME/.gnupg/random_seed':
No such file or directory", and module signatures don't work.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. rpm --install kernel-2.6.9-1.681_FC3.src.rpm
2. mv $HOME/.gnupg $HOME/SAVE.gnupg
3. rpmbuild -ba --target i686 kernel-2.6.9.spec >rpm.out 2>&1
4. examine rpm.out for "gpg: can't create `$HOME/.gnupg/random_seed' ..."

Actual Results:  Each module elicits the warning "gpg: can't create
`$HOME/.gnupg/random_seed': No such file or directory", and module
signatures don't work.

Expected Results:  The %build recipe [and perhaps earlier] should
check explicitly for $HOME/.gnupg, and if not found then abort with a
diagnostic message.

Additional info:

Comment 1 John Reiser 2004-12-08 03:58:58 UTC
Hmmm.....   The .spec file has top-level gpg commands that specify
"--homedir /tmp":
gpg --homedir /tmp --batch --gen-key %{SOURCE11}
gpg --homedir /tmp --export --keyring ./kernel.pub Red > extract.pub

but BUILD/kernel-2.6.9/linux-2.6.9/scripts/modsign/modsign.sh has:
gpg --no-greeting $KEYFLAGS -b $module.out || exit $?
and $KEYFLAGS does not contain any --homedir flag.

Why don't _all_ gpg commands used by the build process use
BUILD/kernel-2.6.9 as their home directory?  Both /tmp and $HOME seem
to be bad choices: /tmp for unpredictable collisions with other random
processes, and $HOME for not being controlled by the .spec.

Comment 2 David Howells 2004-12-08 14:34:44 UTC
Does adding these lines to the specfile help?:  
-gpg --homedir /tmp --batch --gen-key %{SOURCE11}  
-gpg --homedir /tmp --export --keyring ./kernel.pub Red > extract.pub 
+gpg --homedir . --batch --gen-key %{SOURCE11}  
+gpg --homedir . --export --keyring ./kernel.pub Red > extract.pub 
     # gpg sign the modules 
 %if %{signmodules} 
     gcc -o scripts/modsign/mod-extract scripts/modsign/mod-extract.c -Wall 
+    KEYFLAGS="--no-default-keyring --homedir .." 
+    KEYFLAGS="$KEYFLAGS --secret-keyring ../kernel.sec" 
+    KEYFLAGS="$KEYFLAGS --keyring ../kernel.pub" 
+    export KEYFLAGS 
     for i in ` find $RPM_BUILD_ROOT/lib/modules/$KernelVer -name "*.ko" -type 
f` ; do 
  sh ./scripts/modsign/modsign.sh $i Red 
         mv -f $i.signed $i 
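
Review bot: the key is generated with `--homedir .` at the top of the hunk, while KEYFLAGS uses `--homedir ..`, `../kernel.sec` and `../kernel.pub`, so signing finds the key only if the loop runs exactly one directory below where `--gen-key` ran. Suggest resolving one absolute path into a variable and using it for the `--gen-key` and `--export` commands as well as for KEYFLAGS. Also note that `export KEYFLAGS` leaves the variable set for every command that runs after the loop.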

Comment 3 John Reiser 2004-12-08 17:36:27 UTC
With those additions to the .spec, now the complaint [for each module] is
gpg: WARNING: unsafe permissions on homedir ".."
because in general the gpg home directory should have permissions 0700
(rwx------) [no access to anyone except the owner].  So maybe a
directory  BUILD/gnupg-modulesigning-home-directory  could be used.

Also, I prefer to clean up the shell environment when variables become
  sh ./scripts/modsign/modsign.sh $i Red 
         mv -f $i.signed $i 
+    unset KEYFLAGS
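
Review bot: `unset KEYFLAGS` is shown directly after `mv -f $i.signed $i`, with no `done` visible between them; if it lands inside the `for` loop, every module after the first is signed with an empty KEYFLAGS and gpg falls back to its default home directory. Place the `unset` after the loop's closing `done`.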

Comment 5 Dave Jones 2005-01-02 04:31:54 UTC
fixed in rawhide cvs
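
The dedicated signing directory suggested in Comment 3, combined with the abort-with-diagnostic check requested in the report, as an added example that is not part of this bug thread or of the Fedora spec file. The function names and the directory layout are hypothetical; the gpg flags are the ones quoted in Comment 2.

```shell
#!/bin/sh
# Added example: function names and paths are hypothetical, not from the spec.

# Create a private gpg home directory for module signing (mode 0700).
make_sign_home() {
    dir=$1
    # umask 077 keeps the directory private from the moment it is created.
    ( umask 077 && mkdir -p "$dir" ) || return 1
    chmod 700 "$dir"
}

# Return 0 only if the directory exists, is owned by the current user and
# grants nothing to group or others. Otherwise print a diagnostic and return 1.
check_sign_home() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "signing home '$dir' does not exist" >&2
        return 1
    fi
    if [ ! -O "$dir" ]; then
        echo "signing home '$dir' is not owned by $(id -un)" >&2
        return 1
    fi
    # First 10 characters of the mode string; a symlink ("l...") is rejected too.
    perms=$(ls -ld "$dir" | cut -c1-10)
    case "$perms" in
        drwx------) return 0 ;;
        *) echo "signing home '$dir' has unsafe permissions $perms" >&2
           return 1 ;;
    esac
}

# Build the KEYFLAGS value from Comment 2 using one absolute path, so the
# result does not depend on the directory the signing loop runs in.
sign_keyflags() {
    dir=$(cd "$1" && pwd) || return 1
    check_sign_home "$dir" || return 1
    echo "--no-default-keyring --homedir $dir" \
         "--secret-keyring $dir/kernel.sec --keyring $dir/kernel.pub"
}
```

A build recipe would call `make_sign_home` before key generation and assign `KEYFLAGS=$(sign_keyflags ...) || exit 1` before the signing loop, so a missing or over-permissive directory stops the build instead of producing one warning per module.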
