Bug 51576 - u-archive-key update removes /etc/apt/trusted.gpg, breaks signature validation
u-archive-key update removes /etc/apt/trusted.gpg, breaks signature validation
Product: UCS
Classification: Unclassified
Component: General
UCS 4.4
Other Linux
: P5 normal (vote)
: UCS 4.4-4-errata
Assigned To: Philipp Hahn
Erik Damrose
Depends on:
  Show dependency treegraph
Reported: 2020-06-25 11:42 CEST by Erik Damrose
Modified: 2020-10-12 11:57 CEST (History)
4 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.143
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020101221000168
Bug group (optional): Regression
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Erik Damrose univentionstaff 2020-06-25 11:42:20 CEST
Regression from Bug #51250: When installing univention-archive-key in version 9.0.0-3A~, the file /etc/apt/trusted.gpg is removed after the update, only /etc/apt/trusted.gpg~ exists. This breaks signature validation for at least UCS release updates.

Installing the previous u-archive-key packageversion brings the file back, updating to the latest errata4.4-4 version removes the file again.

**** Starting univention-updater with parameter=['/usr/share/univention-updater/univention-updater', 'net', '--updateto', '4.4-5', '--silent']
starting net mode
--->DBG:update_available(mode=net, cdrom_mount_point=/media/cdrom, iso=None)
Checking network repository
Update to = 4.4-5
**** Downloading scripts at Thu Jun 25 11:34:04 2020
Error: Update aborted due to verification error:
Verification error: Invalid signature: gpgv: keyblock resource '/etc/apt/trusted.gpg': Datei oder Verzeichnis nicht gefunden
gpgv: Signature made Mi 24 Jun 2020 22:32:14 CEST
gpgv:                using RSA key 36602BA86B8BFD3C
gpgv: Good signature from "Univention Corporate Server 4.x <packages@univention.de>"
Comment 1 Philipp Hahn univentionstaff 2020-06-25 11:47:17 CEST
   111     # collect trusted keys of apt-key
   112     APT = "/etc/apt"
   113     keys = [os.path.join(APT, "trusted.gpg")]
   114     apt = os.path.join(APT, "trusted.gpg.d")
   115     keys += [os.path.join(apt, key) for key in os.listdir(apt) if key.endswith('.gpg')]                                                                                                                                                                                 
   117     # build command line
   118     cmd = ["/usr/bin/gpgv"]
   119     for key in keys:
   120         cmd += ["--keyring", key]
   121     cmd += [sig_name, "-"]

The file /etc/apt/trusted.gpg no longer exists after we removed out UCS 4 archive siginging key - it is optional and only exists if some key was manually imported, which now no longer is the case.

The verification function should only use key files which exists.

It also should support *.asc files (ascii armored pgp keys).
Comment 2 Philipp Hahn univentionstaff 2020-06-25 13:06:37 CEST
[4.4-4] e27c1daa9e Bug #51576 up: Fix signature validation
 base/univention-updater/debian/changelog           |  6 +++
 base/univention-updater/debian/rules               |  1 +
 base/univention-updater/debian/ucslint.overrides   |  4 +-
 .../modules/univention/updater/tools.py            | 16 ++------
 base/univention-updater/tests/test_toools.py       | 43 ++++++++++++++++++++++
 5 files changed, 54 insertions(+), 16 deletions(-)

Package: univention-updater
Version: 14.0.2-13A~
Branch: ucs_4.4-0
Scope: errata4.4-4

[4.4-4] c81fb1f0c3 Bug #51576: univention-updater 14.0.2-13A~
 doc/developer-reference/updater.xml        |  2 +-
 doc/errata/staging/univention-updater.yaml | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

QA: PYTHONPATH=modules python2.7 tests/test_toools.py -v
OK: univention-archive-key = 8.0.0-1A~
OK: univention-archive-key = 9.0.0-3A~

Cherry-pick to 4.4-5: d9ccf124af648944e57fdf49c4345269b6af9807
(I picked the wrong message!)

Package: univention-updater
Version: 14.0.3-1A~
Branch: ucs_4.4-0
Scope: ucs4.4-5
Comment 3 Erik Damrose univentionstaff 2020-06-25 15:48:06 CEST
OK: signature check uses apt-key verify
OK: unittest for signature verification
OK: yaml
Comment 4 Erik Damrose univentionstaff 2020-06-25 16:02:42 CEST