I verified landscape-client 19.12-0ubuntu4.3 from focal-proposed. I used landscape-server-quickstart from ppa:landscape/19.10 and registered the proposed client against it. Then I had to enable the upcoming upgrade tool to the server:
# sudo -u landscape psql landscape-standalone-main -c "insert into meta_release (code_name, name, version, date, supported, upgrade_tool_tarball_url, upgrade_tool_signature_url, lts) VALUES ('jammy', 'Jammy Jellyfish', '22.04 LTS', now(), 't', 'http://archive.ubuntu.com/ubuntu/dists/jammy/main/dist-upgrader-all/current/jammy.tar.gz', 'http://archive.ubuntu.com/ubuntu/dists/jammy/main/dist-upgrader-all/current/jammy.tar.gz.gpg', 't')" # sudo -u landscape psql landscape-standalone-main -c "update meta_release set upgrade_id=(select id from meta_release where code_name='jammy') where code_name in ('focal', 'impish')" Launching the release upgrade activity from the web UI, the client machine was able to download and validate the upgrade tool and upgraded to jammy succesfully. -- You received this bug notification because you are a member of STS Sponsors, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1903776 Title: Changed ubuntu-keyring paths breaks upgrade to focal. Status in Landscape Client: Fix Committed Status in landscape-client package in Ubuntu: Fix Released Status in landscape-client source package in Bionic: Fix Committed Status in landscape-client source package in Focal: Fix Committed Status in landscape-client source package in Groovy: Won't Fix Status in landscape-client source package in Hirsute: Won't Fix Status in landscape-client source package in Impish: Fix Committed Status in landscape-client source package in Jammy: Fix Released Bug description: [Impact] * When launching an Ubuntu release-upgrade through landscape-client, the upgrade-tool fails GPG verification due to trusted apt key having changed location as of 18.04 LTS. * The proposed patch extends gpg lookup path to include all /etc/apt/trusted.gpg.d/*.gpg files in addition to /etc/apt/trusted.gpg when verifying the upgrade-tool signature. [Test Case] * Install and register the landscape-client against a landscape-server on a series supporting an upgrade. * Wait for it to sync up packages. * On the computer packages page, there is a link at the bottom to request a release upgrade of that machine, if a supported version is available. * The upgrade fails and /var/log/landscape/release-upgrader.log will indicate a failed gpg verification. [Where problems could occur] * One thing which has been considered in this fix is how someone could have worked around the issue by re-creating the old key path. The fix covers such a case by still reading the deprecated trusted.gpg file. * Although some care has been taken to only load valid gpg keys from apt trusted keychain, there could be unforeseen scenarios where invalid data gets read from the keychain. In such a case, the strict nature of gpg would reject the signature verification, thus being no worse than without the fix. * The affected callsite is used for verifying the release-upgrader code prior to running it. One bad thing which we could imagine with this code path is falsely accepting an invalid file signature, which may create a security issue. This would likely take shape of injecting a gpg key, without having root access, in the search path. [Other Info] * There is no way to directly verify this issue on 20.10 Groovy and later (without faking a release) due to the lack of upgrade path to a supported LTS. The ubuntu-keyring package having the same file layout, the same validation failure is however to be expected if left unpatched. [Original description] Since bionic, ubuntu-keyring removed `/etc/apt/trusted.gpg` in favor of `/etc/apt/trusted.gpg.d/` This breaks signature verification for the upgrade-tool. Trying to release-upgrade through landscape yields a failure on signature check: 2020-11-10 15:47:51,019 WARNING [MainThread] Invalid signature for upgrade-tool tarball: /usr/bin/gpg failed (out='', err='gpg: keybox '/etc/apt/trusted.gpg' created gpg: Signature made Fri Oct 16 03:28:09 2020 UTC gpg: using RSA key 3B4FE6ACC0B21F32 gpg: Can't check signature: No public key To manage notifications about this bug go to: https://bugs.launchpad.net/landscape-client/+bug/1903776/+subscriptions -- Mailing list: https://launchpad.net/~sts-sponsors Post to : sts-sponsors@lists.launchpad.net Unsubscribe : https://launchpad.net/~sts-sponsors More help : https://help.launchpad.net/ListHelp