[ https://issues.apache.org/jira/browse/HBASE-22852?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16912670#comment-16912670 ]

Rushabh S Shah commented on HBASE-22852:
----------------------------------------

Thanks [~busbey] for the directions. I did a bunch of research on how to kill 
the gpg-agent process. As you correctly mentioned, there are a few ways.
1. To pass the --no-autostart option while running gpg commands. This option is 
recommended if your gpg agent is running on a remote machine. I don't think this 
option is useful to us.
{noformat}
       --no-autostart
              Do not start the gpg-agent or the dirmngr if it has not yet been started and its service is required.  This option is mostly useful on machines where the connection to gpg-agent has been redirected to another machines.  If dirmngr is required on the remote machine, it may be started manually using gpgconf --launch dirmngr.
{noformat}
2. killall gpg-agent: This will kill all gpg agents which we don't want either.
3. gpgconf --homedir <home-dir> --kill gpg-agent: IMO this is what we want. We 
want to kill the gpg-agent process which was started with the specified gpg 
homedir.
 
Please advise.

Also I found one potential bug in the manner we are verifying the keys.


{code}
cache-apache-project-artifact.sh
...
...
if [ -n "${keys}" ]; then
  echo "verifying artifact signature"
  gpg --homedir "${working_dir}/.gpg" --verify "${working_dir}/artifact.asc"
  echo "signature good."
fi
{code}

We are not verifying whether the verify step succeeded or not. For hadoop-common-2.8.5 
and hadoop-common-2.7.0 artifacts this command is failing, but since we are not 
checking the exit code, we are blindly marking it as "signature good".
{noformat}
gpg --homedir "/Users/rushabh.shah/gpg-test/.gpg" --verify "/Users/rushabh.shah/gpg-test/artifact.asc"
verifying artifact signature
gpg: no signed data
gpg: can't hash datafile: No data
{noformat}
I ran the above command for hadoop-common-2.8.5 artifacts. 

From the above error, it looks like we need to pass in the data file also. Then I 
downloaded hadoop-2.8.5.tar.gz from 
https://archive.apache.org/dist/hadoop/common/hadoop-2.8.5/
Then I ran the following command and it succeeded.
{noformat}
(base) rushabhshah-ltm:gpg-test rushabh.shah$ gpg --homedir "/Users/rushabh.shah/gpg-test/.gpg" --verify "/Users/rushabh.shah/gpg-test/artifact.asc" ~/Desktop/hadoop-2.8.5.tar.gz
gpg: Signature made Sun Sep  9 21:57:53 2018 PDT
gpg:                using RSA key B5AD1CE552293533
gpg: Good signature from "Junping Du (CODE SIGNING KEY) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5851 C913 A22D 23E6 9B47  FA66 B5AD 1CE5 5229 3533
{noformat}

Please let me know if my analysis is incorrect.

> hbase nightlies leaking gpg-agents
> ----------------------------------
>
>                 Key: HBASE-22852
>                 URL: https://issues.apache.org/jira/browse/HBASE-22852
>             Project: HBase
>          Issue Type: Bug
>          Components: build
>            Reporter: Allen Wittenauer
>            Priority: Major
>
> FYI, just triggered yetus master, which includes code to find and kill 
> long-running processes still attached to the Jenkins workspace directory.  It 
> came up with this:
> https://builds.apache.org/view/S-Z/view/Yetus/job/yetus-github-multibranch/job/master/134/console
> {code}
> USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
>  jenkins    752  0.0  0.0  93612   584 ?        Ss   Aug12   0:00 gpg-agent --homedir /home/jenkins/jenkins-slave/workspace/HBase_Nightly_HBASE-20952/downloads-hadoop-2/.gpg --use-standard-socket --daemon
>  Killing 752 ***
> {code}
> (repeat 10s of times, with slightly different dates, pids, versions, etc)
> Also, be aware that any other process running on the node (such as the other 
> executor) has extremely easy access to whatever gpg creds you are using...



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
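
Added example, not part of the original comment or the HBase script: a fail-closed form of the verify step discussed above, which passes the data file to `gpg --verify`, checks the exit code, and stops the agent for that homedir with `gpgconf --kill gpg-agent`. The function name `verify_artifact`, the `GPG`/`GPGCONF` override variables and the additional `VALIDSIG` status check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the project's script). GPG and GPGCONF are overridable
# assumptions so the control flow can be exercised with stand-ins.
GPG="${GPG:-gpg}"
GPGCONF="${GPGCONF:-gpgconf}"

# verify_artifact <gpg-homedir> <detached-signature> <data-file>
# Returns 0 only when gpg exits 0 AND reports VALIDSIG for <data-file>.
# Returns 2 on missing inputs, 1 on any verification failure.
verify_artifact() {
  va_home="$1"; va_sig="$2"; va_data="$3"; va_rc=0
  # A detached signature proves nothing without the file it covers.
  if [ ! -s "${va_sig}" ] || [ ! -s "${va_data}" ]; then
    echo "missing or empty signature/data file" >&2
    return 2
  fi
  echo "verifying artifact signature"
  # Name the data file explicitly; status lines go to stdout (fd 1),
  # gpg's human-readable messages stay on stderr.
  va_status="$("${GPG}" --homedir "${va_home}" --batch --status-fd 1 \
    --verify "${va_sig}" "${va_data}")" || va_rc=$?
  # Stop only the agent that was started for this homedir.
  "${GPGCONF}" --homedir "${va_home}" --kill gpg-agent >/dev/null 2>&1 || true
  if [ "${va_rc}" -ne 0 ]; then
    echo "signature verification FAILED (gpg exit ${va_rc})" >&2
    return 1
  fi
  # Second check: require the machine-readable VALIDSIG status line.
  case "${va_status}" in
    *"[GNUPG:] VALIDSIG "*) ;;
    *) echo "gpg exited 0 but reported no VALIDSIG" >&2; return 1 ;;
  esac
  echo "signature good."
}

# Stand-alone use: script.sh <homedir> <artifact.asc> <artifact>
if [ "$#" -eq 3 ]; then
  verify_artifact "$@"
  exit $?
fi
```

A caller under `set -e` stops at a failed verification, so "signature good." is only printed after gpg has actually accepted the signature over the named file.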