[ https://issues.apache.org/jira/browse/HBASE-22852?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16912670#comment-16912670 ]
Rushabh S Shah commented on HBASE-22852:
----------------------------------------
Thanks [~busbey] for the directions. I did a bunch of research on how to kill
the gpg-agent process. As you correctly mentioned, there are a few ways.
1. Pass the --no-autostart option while running gpg commands. This option is
recommended if your gpg agent is running on a remote machine. I don't think this
option is useful to us.
{noformat}
--no-autostart
Do not start the gpg-agent or the dirmngr if it has not yet been started and
its service is required. This option is mostly useful on machines where the
connection to gpg-agent has been redirected to another machines. If dirmngr is
required on the remote machine, it may be started manually using
gpgconf --launch dirmngr.
{noformat}
2. killall gpg-agent: This will kill all gpg agents which we don't want either.
3. gpgconf --homedir <home-dir> --kill gpg-agent: IMO this is what we want. We
want to kill the gpg-agent process which was started with the specified gpg
homedir.
Please advise.
Also I found one potential bug in the manner we are verifying the keys.
{code}
cache-apache-project-artifact.sh
...
...
if [ -n "${keys}" ]; then
echo "verifying artifact signature"
gpg --homedir "${working_dir}/.gpg" --verify "${working_dir}/artifact.asc"
echo "signature good."
fi
{code}
We are not verifying whether the verify step succeeded or not. For
hadoop-common-2.8.5 and hadoop-common-2.7.0 artifacts this command is failing,
but since we are not checking the exit code, we are blindly marking it as
"signature good".
{noformat}
gpg --homedir "/Users/rushabh.shah/gpg-test/.gpg" --verify
"/Users/rushabh.shah/gpg-test/artifact.asc"
verifying artifact signature
gpg: no signed data
gpg: can't hash datafile: No data
{noformat}
I ran the above command for hadoop-common-2.8.5 artifacts.
From the above error, it looks like we need to pass in the data file also. Then I
downloaded hadoop-2.8.5.tar.gz from
https://archive.apache.org/dist/hadoop/common/hadoop-2.8.5/
Then I ran the following command and it succeeded.
{noformat}
(base) rushabhshah-ltm:gpg-test rushabh.shah$ gpg --homedir
"/Users/rushabh.shah/gpg-test/.gpg" --verify
"/Users/rushabh.shah/gpg-test/artifact.asc" ~/Desktop/hadoop-2.8.5.tar.gz
gpg: Signature made Sun Sep 9 21:57:53 2018 PDT
gpg: using RSA key B5AD1CE552293533
gpg: Good signature from "Junping Du (CODE SIGNING KEY)
<[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5851 C913 A22D 23E6 9B47 FA66 B5AD 1CE5 5229 3533
{noformat}
Please let me know if my analysis is incorrect.
> hbase nightlies leaking gpg-agents
> ----------------------------------
>
> Key: HBASE-22852
> URL: https://issues.apache.org/jira/browse/HBASE-22852
> Project: HBase
> Issue Type: Bug
> Components: build
> Reporter: Allen Wittenauer
> Priority: Major
>
> FYI, just triggered yetus master, which includes code to find and kill
> long-running processes still attached to the Jenkins workspace directory. It
> came up with this:
> https://builds.apache.org/view/S-Z/view/Yetus/job/yetus-github-multibranch/job/master/134/console
> {code}
> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> jenkins 752 0.0 0.0 93612 584 ? Ss Aug12 0:00 gpg-agent
> --homedir
> /home/jenkins/jenkins-slave/workspace/HBase_Nightly_HBASE-20952/downloads-hadoop-2/.gpg
> --use-standard-socket --daemon
> Killing 752 ***
> {code}
> (repeat 10s of times, with slightly different dates, pids, versions, etc)
> Also, be aware that any other process running on the node (such as the other
> executor) has extremely easy access to whatever gpg creds you are using...
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
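
The two points raised in the comment above, acting on gpg's exit status with the data file supplied and stopping only the agent bound to the given homedir, as an added shell example. It is not code from the HBase repository or from the commenter; the function names and argument order are assumptions.

```shell
#!/usr/bin/env bash
# Added example: function names and argument order are hypothetical.

# verify_artifact SIG DATA HOMEDIR
# Returns 0 only when gpg reports a good signature over DATA.
verify_artifact() {
  local sig="$1" data="$2" homedir="$3"
  # A detached .asc carries no payload. Without the data file gpg fails
  # with "no signed data", so refuse to run the check without both files.
  if [ ! -s "${sig}" ] || [ ! -s "${data}" ]; then
    echo "missing or empty signature/data file" >&2
    return 2
  fi
  echo "verifying artifact signature"
  # The exit status of gpg decides the outcome; "signature good." is
  # printed only after gpg has returned 0.
  if ! gpg --homedir "${homedir}" --batch --verify "${sig}" "${data}"; then
    echo "signature verification FAILED for ${data}" >&2
    return 1
  fi
  echo "signature good."
}

# stop_agent HOMEDIR
# Kills only the gpg-agent started for this homedir, unlike killall.
stop_agent() {
  gpgconf --homedir "$1" --kill gpg-agent
}

# verify_with_cleanup SIG DATA HOMEDIR
# Verifies, then stops the per-homedir agent whether or not the check
# passed, and returns the verification status to the caller.
verify_with_cleanup() {
  local rc=0
  verify_artifact "$@" || rc=$?
  stop_agent "$3" || true
  return "${rc}"
}
```

A caller would run `verify_with_cleanup "${working_dir}/artifact.asc" "${working_dir}/artifact" "${working_dir}/.gpg" || exit 1`, assuming the downloaded file is stored as `artifact` next to the signature.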