Description of problem:
libgcrypt-1.8.1-3 broke gnupg2 in semaphoreci.com containers, causing rpm upstream CI to fail since early December (finally managed to chase it down to libgcrypt from CI log diffs):

[luser@7b66b7853447 ~]$ gpg2 --import *.secret
gpg: directory '/home/luser/.gnupg' created
gpg: keybox '/home/luser/.gnupg/pubring.kbx' created
gpg: /home/luser/.gnupg/trustdb.gpg: trustdb created
gpg: key 4344591E1964C5FC: public key "rpm.org RSA testkey <rsa>" imported
gpg: error getting the KEK: End of file

Downgrading to libgcrypt-1.8.1-1.fc27 reliably makes it work, and upgrading reliably breaks it again. I can't reproduce this on my local Fedora system, but then the semaphoreci.com containers are running on an old kernel:

[luser@7b66b7853447 ~]$ uname -r
3.13.0-32-generic

...which makes me suspect the fallback logic in the patch added for bug 1380866 isn't quite right. Unfortunately strace is not permitted in the container :(

Version-Release number of selected component (if applicable):
libgcrypt-1.8.1-3.fc27

How reproducible:
Always

Steps to Reproduce:
1. run a kernel with no getrandom() support (note this is my assumption only)
2. gpg2 --import *.secret

Actual results:
[luser@7b66b7853447 ~]$ gpg2 --import *.secret; echo $?
gpg: directory '/home/luser/.gnupg' created
gpg: keybox '/home/luser/.gnupg/pubring.kbx' created
gpg: /home/luser/.gnupg/trustdb.gpg: trustdb created
gpg: key 4344591E1964C5FC: public key "rpm.org RSA testkey <rsa>" imported
gpg: error getting the KEK: End of file
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
2

Expected results:
[luser@7b66b7853447 ~]$ gpg2 --import *.secret; echo $?
gpg: directory '/home/luser/.gnupg' created
gpg: keybox '/home/luser/.gnupg/pubring.kbx' created
gpg: /home/luser/.gnupg/trustdb.gpg: trustdb created
gpg: key 4344591E1964C5FC: public key "rpm.org RSA testkey <rsa>" imported
gpg: key 4344591E1964C5FC: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
0

Additional info:
Rawhide is obviously also affected.
I am afraid that without strace I am unable to fix it. I reviewed the patch again and I do not see the error. It should simply fall back to reading /dev/urandom if the syscall returns -1 and sets errno to ENOSYS. Perhaps the errno is set to something else, but to what value?
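The fallback described in the comment above, as an added example (not libgcrypt's code and not the Fedora patch): call getrandom(), retry on EINTR, read /dev/urandom only when errno is ENOSYS, and treat any other failure as an error. The names gather_random, getrandom_fn, stub_getrandom, stub_errno and gather_with_errno are hypothetical; the stub stands in for a kernel without the syscall.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <unistd.h>
enum rnd_source { RND_ERROR = -1, RND_GETRANDOM, RND_URANDOM };
/* Hypothetical injection point so the ENOSYS path can be run on any kernel. */
typedef long (*getrandom_fn)(void *buf, size_t len, unsigned int flags);
long sys_getrandom(void *buf, size_t len, unsigned int flags) {
    return syscall(SYS_getrandom, buf, len, flags);
}
/* Constructed stub: fails with a chosen errno, as a kernel would. */
int stub_errno = ENOSYS;
long stub_getrandom(void *buf, size_t len, unsigned int flags) {
    (void)buf; (void)len; (void)flags;
    errno = stub_errno;
    return -1;
}

/* Fill buf with len (<= 256) random bytes; report which source was used. */
enum rnd_source gather_random(getrandom_fn gr, unsigned char *buf, size_t len) {
    long ret;
    size_t got = 0;
    do {
        ret = gr(buf, len, 0);
    } while (ret == -1 && errno == EINTR);
    if (ret == (long)len)
        return RND_GETRANDOM;
    if (!(ret == -1 && errno == ENOSYS))
        return RND_ERROR;  /* syscall exists but failed: no silent fallback */
    /* ENOSYS only: the kernel has no getrandom(), so read /dev/urandom. */
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd == -1)
        return RND_ERROR;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0)
            got += (size_t)n;
        else if (n == 0 || errno != EINTR)
            break;
    }
    close(fd);
    return got == len ? RND_URANDOM : RND_ERROR;
}
/* Run gather_random() against the stub with the given errno. */
enum rnd_source gather_with_errno(int err) {
    unsigned char key[32];
    stub_errno = err;
    return gather_random(stub_getrandom, key, sizeof key);
}
```

On a real system, pass sys_getrandom as the first argument; a return of RND_URANDOM then indicates the kernel lacks the syscall.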
I added some crude fprintf() logging to get around the strace limit, but it does seem to return ENOSYS as expected. However dropping this last hunk of the patch makes it work: @@ -246,9 +257,7 @@ _gcry_rndlinux_gather_random (void (*add _gcry_post_syscall (); } while (ret == -1 && errno == EINTR); - if (ret == -1 && errno == ENOSYS) - ; /* The syscall is not supported - fallback to /dev/urandom. */ - else + if (1) { /* The syscall is supported. Some sanity checks. */ if (ret == -1) log_fatal ("unexpected error from getrandom: %s\n",
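Review bot: the added `if (1)` makes the "syscall is supported" block unconditional, so a getrandom() result of -1 with errno ENOSYS now reaches the `if (ret == -1)` check and its `log_fatal` call instead of the /dev/urandom fallback that the removed lines selected. The loop above only retries on EINTR, so nothing else filters ENOSYS before the sanity checks; keep the `ret == -1 && errno == ENOSYS` test in front of that block so kernels without the syscall still fall through to /dev/urandom.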
Right, there is a logical error in the patch. I'll fix it.
Just tested it, I can verify this commit fixes my case: https://src.fedoraproject.org/rpms/libgcrypt/c/e4efa24217b8586def20b1970b649f408928e839?branch=master
libgcrypt-1.8.3-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1ea5beb4cf
libgcrypt-1.8.3-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6788454ab6
libgcrypt-1.8.3-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6788454ab6
libgcrypt-1.8.3-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1ea5beb4cf
libgcrypt-1.8.3-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
libgcrypt-1.8.3-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.