Re: All gnupg tests broken on el4 [Re: [ANNOUNCE] Git v2.3.0-rc2]

[Junio C Hamano]

"Tom G. Christensen"  writes:

> On 29/01/15 16:43, Jeff King wrote:
>
>> Another option is to just declare that version old and broken, and skip
>> the tests (either by checking its version, or just checking after we
>> import the keys that we can actually _use_ them).
>>
> That would seem a bit heavy-handed as it is otherwise working fine
> with the old gnupg.

Thanks, both, for tracking this one down.

I am tempted to say that we should do both.  This "export public
key, even though new importers do not need" fix to make things
usable with 1.2.6, and the other one to catch and skip breakages
when future versions of GPG breaks us in whichever way we do not
anticipate now.


--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: All gnupg tests broken on el4 [Re: [ANNOUNCE] Git v2.3.0-rc2]

[Tom G. Christensen]

On 29/01/15 16:43, Jeff King wrote:

Weird. The pubkeys are there in keyring.gpg; I wonder why the older
version of gpg has trouble extracting them (and how one was _supposed_
to export secret keys at that time).



Importing the unmodified keyring.gpg with 1.2.6 yields this:
$ gpg --homedir "$GNUPGHOME" --import /tmp/keyring.gpg
gpg: keyring `/home/tgc/gpghome/secring.gpg' created
gpg: keyring `/home/tgc/gpghome/pubring.gpg' created
gpg: key CDDE430D: secret key imported
gpg: key B7227189: secret key imported
gpg: Total number processed: 2
gpg:   secret keys read: 2
gpg:   secret keys imported: 2
$ gpg --homedir "$GNUPGHOME" --list-keys
$ gpg --homedir "$GNUPGHOME" --list-secret-keys
/home/tgc/gpghome/secring.gpg
-
sec  1024D/CDDE430D 2007-06-07 C O Mitter 
ssb  2048g/7703B0E5 2007-06-07

sec  2048R/B7227189 2013-03-22 Eris Discordia 
ssb  2048R/29472784 2013-03-22
$


So if I understand you correctly, the tests should pass with the patch
below?



Yes, adding the pubkeys as a separate entity makes gpg 1.2.6 understand 
things fine.


gnupg 1.2.6 with the patched keyring:
$ gpg --homedir "$GNUPGHOME" --import /tmp/keyring.gpg
gpg: keyring `/home/tgc/gpghome/secring.gpg' created
gpg: keyring `/home/tgc/gpghome/pubring.gpg' created
gpg: key CDDE430D: secret key imported
gpg: key B7227189: secret key imported
gpg: /home/tgc/gpghome/trustdb.gpg: trustdb created
gpg: key CDDE430D: public key "C O Mitter " imported
gpg: key B7227189: public key "Eris Discordia " 
imported

gpg: Total number processed: 4
gpg:   imported: 2  (RSA: 1)
gpg:   secret keys read: 2
gpg:   secret keys imported: 2
$ gpg --homedir "$GNUPGHOME" --list-keys
/home/tgc/gpghome/pubring.gpg
-
pub  1024D/CDDE430D 2007-06-07 C O Mitter 
sub  2048g/7703B0E5 2007-06-07

pub  2048R/B7227189 2013-03-22 Eris Discordia 
sub  2048R/29472784 2013-03-22
$

The patch should work as posted, though I have only tested the new 
keyring by hand as shown above.



It feels a bit hacky, and I wish I knew more about why the current file
doesn't work (i.e., if we did "gpg --export-secret-keys" with v1.2.6,
would it produce different output that can be read by both versions?).


I grabbed the binary keyrings from 1e3eefb^ and pointed gpg 1.2.6 at them.

$ gpg --homedir "$GNUPGHOME" --armor --export-secret-keys CDDE430D  > 
CDDE430D.secret.key

$ gpg --homedir "$PWD/gpghome3" --import CDDE430D.secret.key
gpg: keyring `/home/tgc/gpghome3/secring.gpg' created
gpg: keyring `/home/tgc/gpghome3/pubring.gpg' created
gpg: key CDDE430D: secret key imported
gpg: Total number processed: 1
gpg:   secret keys read: 1
gpg:   secret keys imported: 1
$ gpg --homedir "$PWD/gpghome3" --list-keys
$

No public key imported however the pubkey *was* exported to 
CDDE430D.secret.key


Importing that same keyfile using gnupg 1.4.5 on an RHEL5 host:
$ gpg --homedir "$PWD/gpghome" --import /tmp/CDDE430D.secret.key
gpg: keyring `/home/tgc/gpghome/secring.gpg' created
gpg: keyring `/home/tgc/gpghome/pubring.gpg' created
gpg: key CDDE430D: secret key imported
gpg: /home/tgc/gpghome/trustdb.gpg: trustdb created
gpg: key CDDE430D: public key "C O Mitter " imported
gpg: Total number processed: 1
gpg:   imported: 1
gpg:   secret keys read: 1
gpg:   secret keys imported: 1
$ gpg --homedir "/home/tgc/gpghome" --list-keys
/home/tgc/gpghome/pubring.gpg
-
pub   1024D/CDDE430D 2007-06-07
uid  C O Mitter 
sub   2048g/7703B0E5 2007-06-07
$

So gnupg 1.2.6 can export fine but cannot correctly import the same.


Another option is to just declare that version old and broken, and skip
the tests (either by checking its version, or just checking after we
import the keys that we can actually _use_ them).

That would seem a bit heavy-handed as it is otherwise working fine with 
the old gnupg.




-tgc


--
Tom G. Christensen - Systemmedarbejder - IT-drift
Statsbiblioteket - Victor Albecks Vej 1 - 8000 Aarhus C
Tlf: (+45) 8946 2027 - Fax: (+45) 8946 2029
CVR/SE: 10100682 - EAN: 5798000791084
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: All gnupg tests broken on el4 [Re: [ANNOUNCE] Git v2.3.0-rc2]

[Jeff King]

On Thu, Jan 29, 2015 at 10:43:20AM -0500, Jeff King wrote:

> It feels a bit hacky, and I wish I knew more about why the current file
> doesn't work (i.e., if we did "gpg --export-secret-keys" with v1.2.6,
> would it produce different output that can be read by both versions?).
> Another option is to just declare that version old and broken, and skip
> the tests (either by checking its version, or just checking after we
> import the keys that we can actually _use_ them).

That would look like this:

-- >8 --
Subject: [PATCH] t/lib-gpg: sanity-check that we can actually sign

Some older versions of gpg (reportedly v1.2.6 from RHEL4)
cannot import the keyrings found in our test suite, and thus
cannot even make a signature. We can detect this case by
doing a test-sign before declaring the GPG prerequisite
fulfilled.

Signed-off-by: Jeff King 
---
 t/lib-gpg.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
index d88da29..a87747a 100755
--- a/t/lib-gpg.sh
+++ b/t/lib-gpg.sh
@@ -34,6 +34,8 @@ else
"$TEST_DIRECTORY"/lib-gpg/keyring.gpg &&
gpg --homedir "${GNUPGHOME}" 2>/dev/null --import-ownertrust \
"$TEST_DIRECTORY"/lib-gpg/ownertrust &&
+   gpg --homedir "${GNUPGHOME}" /dev/null 2>&1 \
+   --sign -u commit...@example.com &&
test_set_prereq GPG
;;
esac
-- 
2.3.0.rc1.287.g761fd19



--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: All gnupg tests broken on el4 [Re: [ANNOUNCE] Git v2.3.0-rc2]

[Jeff King]

On Thu, Jan 29, 2015 at 02:11:05PM +0100, Tom G. Christensen wrote:

> All signed commit tests fail on RHEL4 which is a regression from 2.2.2.
> 
> From t4202.42:
> 
> ++ git tag -s -m signed_tag_msg signed_tag
> gpg: key CDDE430D: secret key without public key - skipped
> gpg: skipped `C O Mitter ': secret key not available
> gpg: signing failed: secret key not available
> error: gpg failed to sign the data
> error: unable to sign the tag
> error: last command exited with $?=128
> 
> There are indeed no public keys available after commit 1e3eef which seems to
> be contrary to the commit log:
> 
>Instead import public and secret keys for one key pair from a text
>file that holds ASCII-armored export of them.
> 
> 
> I extracted the pubkeys as ascii armored text from the old binary keyrings
> and added them to the new keyring.gpg and then the tests pass.
> 
> This is apparently only a problem for older gnupg versions (RHEL4 has gnupg
> 1.2.6) since it did not fail on RHEL5 (gnupg 1.4.5).

Weird. The pubkeys are there in keyring.gpg; I wonder why the older
version of gpg has trouble extracting them (and how one was _supposed_
to export secret keys at that time).

So if I understand you correctly, the tests should pass with the patch
below?

It feels a bit hacky, and I wish I knew more about why the current file
doesn't work (i.e., if we did "gpg --export-secret-keys" with v1.2.6,
would it produce different output that can be read by both versions?).
Another option is to just declare that version old and broken, and skip
the tests (either by checking its version, or just checking after we
import the keys that we can actually _use_ them).

-- >8 --
Subject: [PATCH] t/lib-gpg: include separate public keys in keyring.gpg

Since 1e3eefb (tests: replace binary GPG keyrings with
ASCII-armored keys, 2014-12-12), we import our test GPG keys
from a single file. Each keypair in the import stream
contains both the secret and public keys. However, older
versions of gpg reportedly fail to import the public half of
the key. We can solve this by including duplicates of the
public keys separately. The duplicates are ignored by modern
gpg, and this makes older versions work.

Reported by Tom G. Christensen  on
gpg 1.2.6 (from RHEL4).

Signed-off-by: Jeff King 
---
 t/lib-gpg.sh  |  2 ++
 t/lib-gpg/keyring.gpg | 54 +++
 2 files changed, 56 insertions(+)

diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
index d88da29..16e0d3f 100755
--- a/t/lib-gpg.sh
+++ b/t/lib-gpg.sh
@@ -23,6 +23,8 @@ else
# To write armored exported key to keyring:
#   gpg --homedir /tmp/gpghome --export-secret-keys \
#   --armor 0xDEADBEEF >> lib-gpg/keyring.gpg
+   #   gpg --homedir /tmp/gpghome --export \
+   #   --armor 0xDEADBEEF >> lib-gpg/keyring.gpg
# To export ownertrust:
#   gpg --homedir /tmp/gpghome --export-ownertrust \
#   > lib-gpg/ownertrust
diff --git a/t/lib-gpg/keyring.gpg b/t/lib-gpg/keyring.gpg
index fb1f048..d4754a1 100644
--- a/t/lib-gpg/keyring.gpg
+++ b/t/lib-gpg/keyring.gpg
@@ -86,3 +86,57 @@ 
Z9Ei+zj6JD5Pcdi3BJhQo9WOLOVEJ0NHmewTYqk9QVXH/0v1Hdl4LMJtgcbdbDWk
 BOW78WUxzhu0YJTLKy+iKCjg5HS5dx6OC+e4aEEgfhNPCMkbvDsJjtQ=
 =hieJ
 -END PGP PRIVATE KEY BLOCK-
+-BEGIN PGP PUBLIC KEY BLOCK-
+Version: GnuPG v1
+
+mQGiBEZnyykRBACzCPjIpTYNL7Y2tQqlEGTTDlvZcWNLjF5f7ZzuyOqNOidLUgFD
+36qch1LZLSZkShdR3Gae+bsolyjxrlFuFP0eXRPMtqK20aLw7WZvPFpEV1ThMne+
+PRJjYrvghWw3L0VVIAIZ8GXwrVBuU99uEjHEI0ojYloOvFc2jVPgSaoBvwCg48Tj
+fol2foSoJa7XUu9yAL8szg8D/RUsTzNF+I9hSRHl7MYKFMYoKEY9BDgrgAujp7YY
+8qdGsiUb0Ggyzp2kRjZFt4lpcvKhGfHn5GEjmtk+fRbD5qPfMqKFW+T0NPfYlYmL
+JJ4fs4qZ8Lx7x6iG6X51u+YNwsQuIGjMCC3CeNi3F7or651kkNYASbaQ1NROkCIN
+NudyA/0aasvoZUoNJAc2cP5Ifs6WhXMWLfMR2p2XbfKwKNYneec60usnSComcKqh
+sJVk0Gytvr3FOYVhRkXnKAbx+0W2urFP8OFVBTEKO6Ts2VygWGgneQYoHnqzwlUE
+yjOjlr+lyf7u2s/KAxpKA6jnttEdRZAmzWkhuox1wwAUkr27/bQiQyBPIE1pdHRl
+ciA8Y29tbWl0dGVyQGV4YW1wbGUuY29tPoheBBMRAgAeBQJGZ8spAhsDBgsJCAcD
+AgMVAgMDFgIBAh4BAheAAAoJEBO29R7N3kMNdB0AoL3Z/7A6tORuY8R/676oD8a/
+oHFDAJ9DXbwlcKLcykwHy0jYqajXm1iCebkCDQRGZ8tOEAgAzrl5P1Pr6CDR8mf5
+DGGzcUUM+PEroA4FLdKJ5ZaZc7qy1lmmW9vuvb6xdinwcwee2c5fdNE+iUjHV2x2
+S/dbfDzJTN/0uajZcw+xnf+KxZ0Rs4gDSs7cHXHBtA7u8ShYd4Hu7JggXpiwgfSk
+yrGQiZyLAHW2ck8H07Go8eUP8fLIeva+iPqeYQZo9BaPz92R/J6debpeY1lRkv+y
+WTq1GE3C/hxbdBAuHf2duLP2uq9kwoVdfzCRjgV1CQmMIbCrMb7vIlzIe96bb3+K
+r/+NEtmB2I3wHBXcwJMnIOnz9Zv933KNlxSbVF23BGLB+F9D7OanKymbs7Eg18fr
+mt/t/wAEDQgAtGIxGz944Pn2OtheY9JlBRuIAuVskm24/Zz03dZnk6CuEOIBb5IM
+g36GAPKcn1vsLZ0TfE1q53jNpcAAXjgngnRsCjZm1mglqPD4ZfBpl+Hhnuc80fAR
+xsUPj+5c8KP2M+Rws4moaZRjVpd3KCi3ceflT/OjwnE9DzdhslCGTMA5n8cajAs2
+oqAaQssefVf2prLQLGV9NB4Q3lFnKXdvipHMaAYAsW+iF7JkhTDVNuNGlufeSqUm
+igRBjTZXBcVd8sj8vDOCWKUfqxJyS+zRYcotn7QvpvcKAkc3ZGxntDHAIGLVp6ay
++vrkV4Ren8BjFobl25Ruy6Abw+CgnTpuwYhJBBgRAgAJBQJGZ8tOAhsMAAoJEBO2