Univention Bugzilla – Bug 51576
u-archive-key update removes /etc/apt/trusted.gpg, breaks signature validation
Last modified: 2020-10-12 11:57:03 CEST
Regression from Bug #51250: When installing univention-archive-key in version 9.0.0-3A~4.4.0.202005130936, the file /etc/apt/trusted.gpg is removed after the update; only /etc/apt/trusted.gpg~ remains. This breaks signature validation for at least UCS release updates. Installing the previous u-archive-key package version brings the file back; updating to the latest errata4.4-4 version removes the file again.

updater.log:

    **** Starting univention-updater with parameter=['/usr/share/univention-updater/univention-updater', 'net', '--updateto', '4.4-5', '--silent']
    Version=4.4
    Patchlevel=4
    starting net mode
    --->DBG:update_available(mode=net, cdrom_mount_point=/media/cdrom, iso=None)
    Checking network repository
    Update to = 4.4-5
    **** Downloading scripts at Thu Jun 25 11:34:04 2020
    Error: Update aborted due to verification error:
    Verification error: Invalid signature:
    gpgv: keyblock resource '/etc/apt/trusted.gpg': No such file or directory [German locale in the original log: "Datei oder Verzeichnis nicht gefunden"]
    gpgv: Signature made Wed 24 Jun 2020 22:32:14 CEST
    gpgv: using RSA key 36602BA86B8BFD3C
    gpgv: Good signature from "Univention Corporate Server 4.x <packages@univention.de>"
modules/univention/updater/tools.py:

    # collect trusted keys of apt-key
    APT = "/etc/apt"
    keys = [os.path.join(APT, "trusted.gpg")]
    apt = os.path.join(APT, "trusted.gpg.d")
    keys += [os.path.join(apt, key) for key in os.listdir(apt) if key.endswith('.gpg')]

    # build command line
    cmd = ["/usr/bin/gpgv"]
    for key in keys:
        cmd += ["--keyring", key]
    cmd += [sig_name, "-"]

The file /etc/apt/trusted.gpg no longer exists after we removed our UCS 4 archive signing key - it is optional and only exists if some key was manually imported, which now no longer is the case. The verification function should only use key files which exist. It also should support *.asc files (ASCII-armored PGP keys).
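The approach proposed in the comment above, as an added example (this is not the updater's code; according to the QA notes the fix that shipped switched to apt-key verify instead): only keyrings that actually exist are passed to gpgv, *.asc files in trusted.gpg.d are accepted, and an empty keyring list is treated as an error. Assumptions: Python 3 (the updater itself is Python 2.7, the logic is the same); gpgv reads binary keyrings only, so armored keys are dearmored first, the way apt-key does; /usr/bin/gpgv and the trusted.gpg / trusted.gpg.d layout come from the snippet; the directory and key bytes built by demo() are constructed, not real keys.

```python
"""Added example for Bug 51576 (not UCS code): collect only the apt keyrings
that actually exist, dearmor *.asc keys and build the gpgv command line.
Python 3; the fixture built by demo() is constructed for illustration."""
import base64
import os
import tempfile


def crc24(data):
    """OpenPGP armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(data, kind="PUBLIC KEY BLOCK"):
    """ASCII-armor raw OpenPGP bytes; used here only to build the fixture."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "-----BEGIN PGP %s-----\nVersion: example\n\n%s\n=%s\n-----END PGP %s-----\n" % (
        kind, "\n".join(lines), crc, kind)


def dearmor(text):
    """Binary form of an ASCII-armored block, CRC-24 verified. Assumption (as
    apt-key does it): gpgv reads binary keyrings only, so .asc is dearmored."""
    lines = text.splitlines()
    begin = [i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP ")]
    end = [i for i, l in enumerate(lines) if l.startswith("-----END PGP ")]
    if not begin or not end or end[0] <= begin[0]:
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = [l.strip() for l in lines[begin[0] + 1:end[0]]]
    # Armor headers ("Version: ...") contain ':', which base64 never does;
    # the checksum line is the one starting with '='.
    data = "".join(l for l in body if l and ":" not in l and not l.startswith("="))
    raw = base64.b64decode(data)
    crc_lines = [l for l in body if l.startswith("=")]
    if crc_lines and int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big") != crc24(raw):
        raise ValueError("armor checksum mismatch")
    return raw


def collect_keyrings(apt_dir="/etc/apt", tmp_dir=None):
    """Keyring paths for gpgv: trusted.gpg only when it exists (the file that
    vanished in Bug 51576), plus trusted.gpg.d/*.gpg and dearmored *.asc."""
    keyrings = []
    legacy = os.path.join(apt_dir, "trusted.gpg")
    if os.path.isfile(legacy):
        keyrings.append(legacy)
    parts = os.path.join(apt_dir, "trusted.gpg.d")
    if os.path.isdir(parts):
        for name in sorted(os.listdir(parts)):
            path = os.path.join(parts, name)
            if name.endswith(".gpg") and os.path.isfile(path):
                keyrings.append(path)
            elif name.endswith(".asc") and os.path.isfile(path):
                with open(path) as fh:
                    binary = dearmor(fh.read())
                fd, tmp = tempfile.mkstemp(prefix=name + ".", suffix=".gpg", dir=tmp_dir)
                with os.fdopen(fd, "wb") as out:
                    out.write(binary)
                keyrings.append(tmp)
    return keyrings


def build_gpgv_cmd(sig_name, keyrings):
    """Same shape as the updater's call (detached signature file, data on stdin).
    An empty list is refused: gpgv would silently fall back to ~/.gnupg/trustedkeys.*"""
    if not keyrings:
        raise ValueError("no trusted keyring found, refusing to call gpgv")
    cmd = ["/usr/bin/gpgv"]
    for key in keyrings:
        cmd += ["--keyring", key]
    return cmd + [sig_name, "-"]


def demo():
    """Constructed fixture mirroring the bug: no trusted.gpg, one .gpg and one .asc key."""
    root = tempfile.mkdtemp()
    parts = os.path.join(root, "trusted.gpg.d")
    os.mkdir(parts)
    fake_key = bytes(range(1, 50))  # stand-in bytes, not a real OpenPGP key
    with open(os.path.join(parts, "a.gpg"), "wb") as fh:
        fh.write(fake_key)
    with open(os.path.join(parts, "b.asc"), "w") as fh:
        fh.write(armor(fake_key))
    without_legacy = collect_keyrings(root, tmp_dir=root)
    with open(without_legacy[1], "rb") as fh:
        dearmored = fh.read()
    with open(os.path.join(root, "trusted.gpg"), "wb") as fh:
        fh.write(fake_key)  # now the legacy file exists and must come first
    with_legacy = collect_keyrings(root, tmp_dir=root)
    return {"without_legacy": without_legacy, "with_legacy": with_legacy,
            "dearmored": dearmored, "fake_key": fake_key,
            "cmd": build_gpgv_cmd("update.sig", without_legacy)}
```

Running demo() shows the command line the updater would have built without the missing /etc/apt/trusted.gpg, and with it once the file is back. The explicit error for an empty keyring list matters in practice: without it, gpgv with no --keyring uses the caller's ~/.gnupg/trustedkeys keyring, so a host with no apt keys at all would verify against whatever the root user happens to trust.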
[4.4-4] e27c1daa9e Bug #51576 up: Fix signature validation
 base/univention-updater/debian/changelog         |  6 +++
 base/univention-updater/debian/rules             |  1 +
 base/univention-updater/debian/ucslint.overrides |  4 +-
 .../modules/univention/updater/tools.py          | 16 ++------
 base/univention-updater/tests/test_toools.py     | 43 ++++++++++++++++++++++
 5 files changed, 54 insertions(+), 16 deletions(-)

Package: univention-updater
Version: 14.0.2-13A~4.4.0.202006251249
Branch: ucs_4.4-0
Scope: errata4.4-4

[4.4-4] c81fb1f0c3 Bug #51576: univention-updater 14.0.2-13A~4.4.0.202006251249
 doc/developer-reference/updater.xml        |  2 +-
 doc/errata/staging/univention-updater.yaml | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

QA:
PYTHONPATH=modules python2.7 tests/test_toools.py -v
OK: univention-archive-key = 8.0.0-1A~4.3.0.201712120205
OK: univention-archive-key = 9.0.0-3A~4.4.0.202005130936

Cherry-pick to 4.4-5: d9ccf124af648944e57fdf49c4345269b6af9807 (I picked the wrong message!)

Package: univention-updater
Version: 14.0.3-1A~4.4.0.202006251303
Branch: ucs_4.4-0
Scope: ucs4.4-5
OK: signature check uses apt-key verify
OK: unittest for signature verification
OK: yaml
Verified
<http://errata.software-univention.de/ucs/4.4/642.html>