Bug 394662

Summary: GPG keys are imported "everytime" yast update starts
Product: [openSUSE] openSUSE 11.1 Reporter: Forgotten User ZhJd0F0L3x <forgotten_ZhJd0F0L3x>
Component: libzyppAssignee: Lukas Ocilka <locilka>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P2 - High CC: dmacvicar, jdsn, locilka, lslezak, ma, security-team
Version: Factory   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Development Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: screenshot
screenshot
patch for piwo.ycp
yast2 logs
yast2 logs after starting "yast2 update" and (again) confirming all the keys

Description Forgotten User ZhJd0F0L3x 2008-05-27 11:55:22 UTC 
Created attachment 218284 [details]
screenshot

I'm doing system updates with "yast2 update" on a regular basis, and almost every time i get key import dialogs like the attached screenshot.

I would think that "Import" means that the key is now known to the system, but apparently it means something like "forget" ;-)
Comment 1 Forgotten User ZhJd0F0L3x 2008-05-28 09:55:51 UTC 
Created attachment 218548 [details]
screenshot

now i even needed to import the "SuSE Package Signing Key <build@suse.de>", even though i think this should already be on my system.
Comment 2 Lukas Ocilka 2008-05-29 07:45:54 UTC 
Those dialogs you see are >>YaST<< but YaST starts only by libzypp callbacks. Those two screenshots are different, of course, as they offer to import a different key.

In my opinion, it always offer to import a different key. But hard to say without logs. Anyway, keys are managed by libyzpp.
Comment 3 Forgotten User ZhJd0F0L3x 2008-05-29 10:59:30 UTC 
I'm quite sure that during the last 10 updates, i imported the same "build@suse.de" key at least 5 times.

What logs are needed? I'll attach them after it happens the next time.
Comment 4 Lukas Ocilka 2008-05-29 11:01:26 UTC 
You can attach them right now

See http://en.opensuse.org/Bugs/YaST
Comment 5 Ladislav Slezák 2008-05-29 14:39:47 UTC 
The problem is that yast2 piwo (I assume this module is called) doesn't initialize the target system so the keys are not read at start.

(I think the logs are not needed anymore.)
Comment 6 Ladislav Slezák 2008-05-29 14:41:39 UTC 
Created attachment 218908 [details]
patch for piwo.ycp
Comment 7 Michael Andres 2008-05-29 14:59:10 UTC 
*** Bug 395052 has been marked as a duplicate of this bug. ***
Comment 8 Ladislav Slezák 2008-05-30 06:28:33 UTC 
The patch has been submitted in yast2-registration-2.16.7.
Comment 9 Forgotten User ZhJd0F0L3x 2008-06-23 17:41:20 UTC 
root@stoetzler:~# rpm -q yast2-registration
yast2-registration-2.16.7-5

However, i still saw this as i wanted to update from 11.0 to factory.
Will attach y2logs.
Comment 10 Forgotten User ZhJd0F0L3x 2008-06-23 18:03:32 UTC 
Created attachment 223839 [details]
yast2 logs
Comment 11 J. Daniel Schmidt 2008-07-08 17:20:25 UTC 
According to the log, you were asked to import the key during the installation itself, right? The "piwo" module is fixed. 

This issue seems to be related to the installation process. Lukas, please have a look.
Comment 12 Marcus Meissner 2008-07-08 20:22:23 UTC 
isnt this bug 401259  fior which we released a libzypp update yesterday?
Comment 13 Lukas Ocilka 2008-07-08 20:37:01 UTC 
Possibly, but I can't tell myself.
Comment 14 Michael Andres 2008-07-09 15:30:41 UTC 
(In reply to comment #12 from Marcus Meissner)
> isnt this bug 401259  fior which we released a libzypp update yesterday?

No, that's unrelated. 

It's the same workflow problem as above. At the time a key is needed to verify some file, the target is not initialized. We don't know the trusted keys, so we have to ask:

2008-06-23 19:37:57 
[liby2] genericfrontend.cc(main):561 Launched YaST2 component 'y2base' 'update' '-S' 'qt'

2008-06-23 19:38:10
Going to verify signature for /var/cache/zypp/raw/stable-x860CNf0N/content with /var/cache/zypp/raw/stable-x860CNf0N/content.asc

2008-06-23 19:38:24
User wants to trust key A84EDAE89C800ACA SuSE Package Signing Key <build@suse.de>

...

2008-06-23 19:38:41
Pkg Builtin called: TargetInit

2008-06-23 19:38:41
Syncronizing keys with zypp keyring


Target should be initialized (this does not mean you also have to load the solvables into the pool). Just checks the database and initializes the keys.
Comment 15 Lukas Ocilka 2008-07-09 15:33:28 UTC 
So, piwo is fixed (see comment #11) and the rest works as designed. No need to play bugzilla-ping-pong...
Comment 16 Forgotten User ZhJd0F0L3x 2008-07-18 11:31:17 UTC 
Still happens on FACTORY today.
Comment 17 Forgotten User ZhJd0F0L3x 2008-07-18 11:38:43 UTC 
Created attachment 228715 [details]
yast2 logs after starting "yast2 update" and (again) confirming all the keys
Comment 18 Michael Andres 2008-07-23 13:12:16 UTC 
Executing:

  grep -i 'initializeTarget\|verifyFileSignatureWorkflow' y2log

I see no verifyFileSignatureWorkflow being executed __after__ initializeTarget.


Yast initializes the repos before the target:

13:29:44 [Pkg] Packages.ycp                Builtin called: SourceStartCache
13:29:44 [Pkg] PkgFunctions.cc(CreateRepoManager) ...
13:32:04 [Pkg] clients/update_proposal.ycp Builtin called: TargetInit


This is correct on installation (software selection done without target),
but on update we should make the target available earlier.

@Lucas: A matter of update_proposal.ycp?
Comment 19 Lukas Ocilka 2008-07-23 13:15:12 UTC 
Well, I'd say this is more generic problem. I see the very same issue in several YaST modules ... Lado?
Comment 20 Lukas Ocilka 2008-07-24 09:40:30 UTC 
I've just checked that the request to import the keys is not shown every time even with the same code and system used (yast2 update). Which really seems to move the responsibility to lower libraries.
Comment 21 Michael Andres 2008-07-25 11:51:31 UTC 
(In reply to comment #20 from Lukas Ocilka)
> I've just checked that the request to import the keys is not shown every time
> even with the same code and system used (yast2 update).

Depends on whether we have to actually download and verify metadata. This might also be influenced by the repo.refresh.delay value in zypp.conf. Check for new metadata will not happen more often than repo.refresh.delay (def. 10) minutes.


Most probably pkg-bindings face the same problem as libzypp: The application has to indicate where the target system is located, as soon as we are allowed to access it. So we can't simply auto-launch the Target without this knowledge.

Currently this is indicated by a call to TargetInit, passing the location of 
the target system as argument.
Comment 22 Ladislav Slezák 2008-07-30 08:32:14 UTC 
So update should initialize the target at the beginning if it's running in an installed system.
Comment 23 Lukas Ocilka 2008-08-04 11:18:03 UTC 
Index: run_update.ycp
===================================================================
--- run_update.ycp      (revision 49620)
+++ run_update.ycp      (working copy)
@@ -18,6 +18,7 @@
     import "ProductControl";
     import "Wizard";
     import "Update";
+    import "Installation";
 
     // check whether having the packager for ourselves
     if (! PackageLock::Check ())
@@ -41,6 +42,10 @@
     list<map> stage_mode = [$["stage": "normal",  "mode": Mode::mode() ]];
     ProductControl::AddWizardSteps(stage_mode);
 
+    // bnc #394662
+    // initialize target ASAP
+    Pkg::TargetInit (Installation::destdir, true);
+
     symbol ret = ProductControl::Run();
 
     Wizard::CloseDialog ();


yast2-update-2.17.1
Comment 25 OBSbugzilla Bot 2020-10-27 10:10:47 UTC 
This is an autogenerated message for OBS integration:
This bug (394662) was mentioned in
https://build.opensuse.org/request/show/844234 Factory / yast2-registration