Bug 142201 - .spec file assumes existence of $HOME/.gnupg without checking
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: kernel
Version: 3
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Dave Jones
QA Contact: Brian Brock
Reported: 2004-12-07 21:49 EST by John Reiser
Modified: 2015-01-04 17:13 EST (History)

Doc Type: Bug Fix
Last Closed: 2005-01-10 20:12:42 EST
Description John Reiser 2004-12-07 21:49:09 EST

Description of problem:
The kernel-2.6.9.spec file inside kernel-2.6.9-1.681_FC3.src.rpm
assumes that $HOME/.gnupg exists, without checking.  Thus a rebuild
warns for each module: "gpg: can't create `$HOME/.gnupg/random_seed':
No such file or directory", and module signatures don't work.

Version-Release number of selected component (if applicable):
kernel-2.6.9-1.681_FC3

How reproducible:
Always

Steps to Reproduce:
1. rpm --install kernel-2.6.9-1.681_FC3.src.rpm
2. mv $HOME/.gnupg $HOME/SAVE.gnupg
3. rpmbuild -ba --target i686 kernel-2.6.9.spec >rpm.out 2>&1
4. examine rpm.out for "gpg: can't create `$HOME/.gnupg/random_seed' ..."

Actual Results:  Each module elicits the warning "gpg: can't create
`$HOME/.gnupg/random_seed': No such file or directory", and module
signatures don't work.

Expected Results:  The %build recipe [and perhaps earlier] should
check explicitly for $HOME/.gnupg, and if not found then abort with a
diagnostic message.

Additional info:
Comment 1 John Reiser 2004-12-07 22:58:58 EST
Hmmm.....   The .spec file has top-level gpg commands that specify
"--homedir /tmp":
-----
gpg --homedir /tmp --batch --gen-key %{SOURCE11}
gpg --homedir /tmp --export --keyring ./kernel.pub Red > extract.pub
----

but BUILD/kernel-2.6.9/linux-2.6.9/scripts/modsign/modsign.sh has:
-----
gpg --no-greeting $KEYFLAGS -b $module.out || exit $?
-----
and $KEYFLAGS does not contain any --homedir flag.

Why don't _all_ gpg commands used by the build process use
BUILD/kernel-2.6.9 as their home directory?  Both /tmp and $HOME seem
to be bad choices: /tmp for unpredictable collisions with other random
processes, and $HOME for not being controlled by the .spec.


Comment 2 David Howells 2004-12-08 09:34:44 EST
Does adding these lines to the specfile help?

... 
-gpg --homedir /tmp --batch --gen-key %{SOURCE11}  
-gpg --homedir /tmp --export --keyring ./kernel.pub Red > extract.pub 
+gpg --homedir . --batch --gen-key %{SOURCE11}  
+gpg --homedir . --export --keyring ./kernel.pub Red > extract.pub 
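Review bot: `--homedir .` in both gpg lines replaces the $HOME dependency with a homedir gpg will not accept silently: gpg requires its home directory to be mode 0700 and otherwise emits "unsafe permissions on homedir" (Comment 3 shows exactly that warning for the `..` used in KEYFLAGS), and the build directory is created with the builder's default umask, not 0700. It also leaves the generated keyrings and random_seed in the source tree. Suggest a dedicated directory created with `mkdir -m 0700` and referenced by an absolute path, for example `GPGHOME=$RPM_BUILD_DIR/gnupg-modsign; mkdir -m 0700 $GPGHOME`, then `gpg --homedir $GPGHOME --batch --gen-key %{SOURCE11}` and the same `--homedir` on the `--export` line.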
... 
     # gpg sign the modules 
 %if %{signmodules} 
     gcc -o scripts/modsign/mod-extract scripts/modsign/mod-extract.c -Wall 
+    KEYFLAGS="--no-default-keyring --homedir .." 
+    KEYFLAGS="$KEYFLAGS --secret-keyring ../kernel.sec" 
+    KEYFLAGS="$KEYFLAGS --keyring ../kernel.pub" 
+    export KEYFLAGS 
     for i in ` find $RPM_BUILD_ROOT/lib/modules/$KernelVer -name "*.ko" -type 
f` ; do 
  sh ./scripts/modsign/modsign.sh $i Red 
         mv -f $i.signed $i 
     done 
 %endif 
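Review bot: the KEYFLAGS homedir `..` and the keyring paths `../kernel.sec` / `../kernel.pub` are relative to whatever the current directory is when the for loop runs, while the key-generation lines above use `--homedir .`; the two only line up if this loop runs exactly one directory below where the keys were generated and `scripts/modsign/modsign.sh` never changes directory. `..` is also the build directory, so it carries the same 0700 problem as above. Suggest computing one absolute homedir once (e.g. `$RPM_BUILD_DIR/gnupg-modsign`, created with `mkdir -m 0700`) and using it for key generation, export and KEYFLAGS alike. Separately, modsign.sh exits with gpg's status (`gpg ... -b $module.out || exit $?`, Comment 1) but the loop ignores it: unless the scriptlet runs under `set -e`, a failed signature leaves the module unsigned, `mv -f $i.signed $i` fails on a missing file, and the build carries on, which is the "signatures don't work" symptom in the report. Adding `|| exit 1` after `sh ./scripts/modsign/modsign.sh $i Red` makes the failure stop the build.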
... 
Comment 3 John Reiser 2004-12-08 12:36:27 EST
With those additions to the .spec, now the complaint [for each module] is
-----
gpg: WARNING: unsafe permissions on homedir ".."
-----
because in general the gpg home directory should have permissions 0700
(rwx------) [no access to anyone except the owner].  So maybe a
directory  BUILD/gnupg-modulesigning-home-directory  could be used.

Also, I prefer to clean up the shell environment when variables become
unneeded:
-----
  sh ./scripts/modsign/modsign.sh $i Red 
         mv -f $i.signed $i 
     done 
+    unset KEYFLAGS
 %endif 
-----
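An added example, not code from the bug report or from the Fedora kernel spec: a small POSIX shell helper that does what the report asks for (check the GnuPG home directory explicitly and abort with a diagnostic) and enforces the 0700 mode that gpg's "unsafe permissions on homedir" warning in Comment 3 demands, so a spec could call it before setting KEYFLAGS. The function names and the `gnupg-modsign` directory under the build tree are assumptions; `stat -c` assumes GNU coreutils.

```shell
# Added example, not from the bug or the Fedora kernel spec.
# prepare_gpg_homedir DIR: create DIR as a dedicated, owner-only (0700)
# GnuPG home directory and verify it, so every gpg call in the build can
# use --homedir "$DIR" instead of assuming $HOME/.gnupg exists.
# Function names and the directory location are assumptions.
prepare_gpg_homedir() {
    dir=$1
    if [ -z "$dir" ]; then
        echo "prepare_gpg_homedir: no directory given" >&2
        return 2
    fi
    # -m sets the mode explicitly, so the builder's umask does not matter
    if [ ! -d "$dir" ]; then
        mkdir -m 0700 "$dir" || {
            echo "prepare_gpg_homedir: cannot create $dir" >&2
            return 1
        }
    fi
    # An existing directory may have been created with a wider mode
    chmod 0700 "$dir" || return 1
    check_gpg_homedir "$dir"
}

# check_gpg_homedir DIR: the explicit check the report asks the %build
# recipe to make before invoking gpg. Fails with a diagnostic if DIR is
# missing (gpg would then fail to create random_seed, as in the report)
# or wider than 0700 (gpg would warn "unsafe permissions on homedir").
check_gpg_homedir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "gpg homedir $dir does not exist; aborting build" >&2
        return 1
    fi
    # stat -c is GNU coreutils (Linux build hosts, as on Fedora)
    mode=$(stat -c '%a' "$dir") || return 1
    if [ "$mode" != 700 ]; then
        echo "gpg homedir $dir has mode $mode, want 700; aborting build" >&2
        return 1
    fi
    return 0
}

# Typical use from a spec: one absolute homedir for key generation and for
# the KEYFLAGS handed to scripts/modsign/modsign.sh (assumed wiring):
#   GPGHOME=${RPM_BUILD_DIR:-$PWD}/gnupg-modsign
#   prepare_gpg_homedir "$GPGHOME" || exit 1
#   gpg --homedir "$GPGHOME" --batch --gen-key %{SOURCE11}
#   KEYFLAGS="--no-default-keyring --homedir $GPGHOME"
```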
Comment 5 Dave Jones 2005-01-01 23:31:54 EST
fixed in rawhide cvs
