Bug 478975

Summary: public GPG key not added into the product's initrd
Product: [openSUSE] openSUSE 11.1
Reporter: Jigish Gohil <cyberorg>
Component: YaST2
Assignee: Jiří Suchomel <jsuchome>
Status: RESOLVED FIXED
QA Contact: Jiri Srain <jsrain>
Severity: Normal
Priority: P5 - None
CC: lslezak, puzel
Version: Final
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:released:sle11:23218
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: patch for /usr/share/YaST2/modules/ProductCreator.ycp

Description Jigish Gohil 2009-02-24 08:36:04 UTC
Installation from iso created using yast2 product-creator fails with the error:

cd:/content invalid signature

Relevant gpg signing parts from the y2log are attached.

Reproducible: Always

2009-02-24 13:53:54 <1> prime(19568) [YCP] GPG.ycp:57 gpg command: gpg --detach-sign -u '6CB7435E' --no-tty --command-fd=0 -a '/mnt/sdb1/suse//CyberOrg_v1.0/Addons///repodata/repomd.xml' < '/tmp/YaST2-19568-J8kNKY/stdin'
2009-02-24 13:54:12 <1> prime(19568) [YCP] GPG.ycp:57 gpg command: gpg -a --export '6CB7435E' > '/mnt/sdb1/suse//CyberOrg_v1.0/Addons///repodata/repomd.xml.key'
2009-02-24 13:54:12 <1> prime(19568) [Pkg] ProductCreator.ycp:2357 Pkg Builtin called: SourceGeneralData
2009-02-24 13:54:12 <1> prime(19568) [YCP] GPG.ycp:57 gpg command: gpg -a --export '6CB7435E' > '/mnt/sdb1/suse//CyberOrg_v1.0///content.key'
2009-02-24 13:54:12 <1> prime(19568) [YCP] GPG.ycp:57 gpg command: gpg -a --export '6CB7435E' > '/mnt/sdb1/suse//CyberOrg_v1.0///media.1/products.key'
2009-02-24 13:54:12 <1> prime(19568) [YCP] GPG.ycp:57 gpg command: gpg -a --export '6CB7435E' > '/mnt/sdb1/suse//CyberOrg_v1.0///gpg-pubkey-6cb7435e.asc'
2009-02-24 13:54:12 <1> prime(19568) [YCP] ProductCreator.ycp:772 exported public key 6CB7435E: true
2009-02-24 13:54:12 <1> prime(19568) [YCP] ProductCreator.ycp:794 Generating SHA1 sums: (cd '/mnt/sdb1/suse//CyberOrg_v1.0///suse/setup/descr' && find . -type f -exec sha1sum \{\} \; | sed -e 's#^\(.\{40\}\)  ./#META SHA1 \1  #' | grep -v '^.\{40\}  directory.yast$' | LC_ALL=C sort -k 2)
2009-02-24 13:54:13 <1> prime(19568) [YCP] ProductCreator.ycp:798 Result: $["exit":0, "stderr":"", "stdout":"META SHA1 295b8e910b847fddf8916af1a68f3b7cb8b3c4ed  packages.DU.gz
\nMETA SHA1 3dd993a7c21dfc69c381e7a1ca241e3576c42830  packages.FL.gz\nMETA SHA1 4ea957656797c50fbcae40ab5c7fcc88f52dd4ba  packages.es.gz\nMETA SHA1 5c8c130e9e6382204dbb1a17463
9f428273b0724  directory.yast\nMETA SHA1 5dc4b7a7325dfe97d0ab33799bdb7f5e5644ef58  packages.cs.gz\nMETA SHA1 5dc4b7a7325dfe97d0ab33799bdb7f5e5644ef58  packages.sk.gz\nMETA SHA
1 5f417913acac48e7601c8317074d092e0592ae03  packages.gz\nMETA SHA1 6d35b6155505cab1896119a843dbbcdd14d3554a  patterns\nMETA SHA1 708627e31fabe2bb88b6e05c9c4dc65cddbbac0a  pack
ages.fr.gz\nMETA SHA1 a207b5aa10ac5192e516bf50bee4cbe7e95ec5a2  dvd-11.1-71.1.i586.pat.gz\nMETA SHA1 ac6fc542c10c97058acd35bc7cd24590e83eb8e9  MD5SUMS\nMETA SHA1 d64ce6a4529f9
ca66196fb960aee8049d1a64527  packages.hu.gz\nMETA SHA1 d7c438db580e88fa7e3c552be5887725e5d67acf  packages.de.gz\nMETA SHA1 e19f9319c8781302a037323a1829b1d5989aeee4  packages.e
n.gz\n"]
2009-02-24 13:54:13 <1> prime(19568) [YCP] ProductCreator.ycp:810 Generating SHA1 key sums: (cd '/mnt/sdb1/suse//CyberOrg_v1.0//' && find . -type f -name 'gpg-pubkey-*.asc' -exec sha1sum \{\} \; | sed -e 's#^\(.\{40\}\)  ./#KEY SHA1 \1  #' | LC_ALL=C sort -k 2)
2009-02-24 13:54:13 <1> prime(19568) [YCP] ProductCreator.ycp:814 Result: $["exit":0, "stderr":"", "stdout":"KEY SHA1 04544096c5c3b0ed7b01a83d79e048307c2af919  gpg-pubkey-a191
2208-446a0899.asc\nKEY SHA1 06ff5171362496c0db84beeccd29967f580350b2  gpg-pubkey-9c800aca-481f343a.asc\nKEY SHA1 17162a96933229a9771ee10c0976bdc047a2f53d  gpg-pubkey-0dfb3188-
41ed929b.asc\nKEY SHA1 2288e5849740566e4fb65b7c9dc0c7e4f43b1039  gpg-pubkey-56b4177a-47965b33.asc\nKEY SHA1 47f6492d127ae9f6aac353a2dd23752fc0ed4f8d  gpg-pubkey-3d25d3d9-36e12
d04.asc\nKEY SHA1 89d4bcd20a281553fd1d4ec1708603ebf88f1a59  gpg-pubkey-7e2e3b05-4816488f.asc\nKEY SHA1 9c75fe769f727174f4e37dea23076cf1baed7c97  gpg-pubkey-3dbdc284-49144c3f.a
sc\nKEY SHA1 e8e2b2c88d01095dba66a222b9d5b8cf979bc8ec  gpg-pubkey-6cb7435e.asc\nKEY SHA1 f6accbb18d705bfc104c893cf7dfca1247a33f3c  gpg-pubkey-307e3d54-481f30aa.asc\n"]
2009-02-24 13:54:13 <1> prime(19568) [YCP] ProductCreator.ycp:855 Updated content file /mnt/sdb1/suse//CyberOrg_v1.0///content: true
2009-02-24 13:54:13 <1> prime(19568) [YCP] GPG.ycp:57 gpg command: gpg --detach-sign -u '6CB7435E' --no-tty --command-fd=0 -a '/mnt/sdb1/suse//CyberOrg_v1.0///content' < '/tmp/YaST2-19568-J8kNKY/stdin'
2009-02-24 13:54:13 <1> prime(19568) [YCP] GPG.ycp:57 gpg command: gpg --detach-sign -u '6CB7435E' --no-tty --command-fd=0 -a '/mnt/sdb1/suse//CyberOrg_v1.0///media.1/products' < '/tmp/YaST2-19568-J8kNKY/stdin'
2009-02-24 13:54:13 <1> prime(19568) [YCP] ProductCreator.ycp:784 Signed source: true
2009-02-24 13:54:13 <1> prime(19568) [YCP] ProductCreator.ycp:2304 Updating directory.yast ...
2009-02-24 13:54:13 <1> prime(19568) [YCP] ProductCreator.ycp:863 executing: /bin/rm -f '/mnt/sdb1/suse//CyberOrg_v1.0///directory.yast'; cd '/mnt/sdb1/suse//CyberOrg_v1.0//'; ls | grep -v -e '^\.$' -e '^\.\.$' > '/mnt/sdb1/suse//CyberOrg_v1.0///directory.yast'
2009-02-24 13:54:13 <1> prime(19568) [YCP] ProductCreator.ycp:868 result: 0
2009-02-24 13:54:13 <1> prime(19568) [YCP] ProductCreator.ycp:863 executing: /bin/rm -f '/mnt/sdb1/suse//CyberOrg_v1.0///media.1/directory.yast'; cd '/mnt/sdb1/suse//CyberOrg_v1.0///media.1'; ls | grep -v -e '^\.$' -e '^\.\.$' > '/mnt/sdb1/suse//CyberOrg_v1.0///media.1/directory.yast'
2009-02-24 13:54:13 <1> prime(19568) [YCP] ProductCreator.ycp:868 result: 0
2009-02-24 13:54:13 <1> prime(19568) [YCP] ProductCreator.ycp:2150 Searching for 'initrd' in /mnt/sdb1/suse//CyberOrg_v1.0/boot...
2009-02-24 13:54:14 <1> prime(19568) [YCP] ProductCreator.ycp:2209 Found initrds: ["boot/i386/loader/initrd"]
2009-02-24 13:54:14 <1> prime(19568) [YCP] ProductCreator.ycp:1984 Adding GPG key 6CB7435E to initrd /mnt/sdb1/suse//CyberOrg_v1.0/boot/i386/loader/initrd
2009-02-24 13:54:14 <1> prime(19568) [YCP] ProductCreator.ycp:1998 Uncompressing initrd: /mnt/sdb1/suse//CyberOrg_v1.0/boot/i386/loader/initrd
2009-02-24 13:54:14 <1> prime(19568) [YCP] ProductCreator.ycp:863 executing: cd '/mnt/sdb1/suse//CyberOrg_v1.0/boot/i386/loader' && gunzip < '/mnt/sdb1/suse//CyberOrg_v1.0/boot/i386/loader/initrd' > '/mnt/sdb1/suse//CyberOrg_v1.0/boot/i386/loader/initrd.cpio'
2009-02-24 13:54:16 <1> prime(19568) [YCP] ProductCreator.ycp:868 result: 0
2009-02-24 13:54:16 <1> prime(19568) [YCP] GPG.ycp:57 gpg command: gpg --export '6CB7435E' > '/mnt/sdb1/suse//CyberOrg_v1.0/boot/i386/loader/gpg-6CB7435E.gpg'
2009-02-24 13:54:16 <1> prime(19568) [YCP] ProductCreator.ycp:863 executing: cd '/mnt/sdb1/suse//CyberOrg_v1.0/boot/i386/loader' && echo 'gpg-6CB7435E.gpg' | cpio -o -H newc -A -F '/mnt/sdb1/suse//CyberOrg_v1.0/boot/i386/loader/initrd.cpio'
2009-02-24 13:54:16 <3> prime(19568) [bash] ShellCommand.cc(shellcommand):78 2 blocks
2009-02-24 13:54:16 <1> prime(19568) [YCP] ProductCreator.ycp:868 result: 0
Comment 1 Jiří Suchomel 2009-03-02 08:41:37 UTC
Steffen, that "cd:/content invalid signature" is a message from linuxrc: what does it exactly mean? What checks does linuxrc do for checking the signature?
Comment 2 Steffen Winterfeldt 2009-03-02 10:08:47 UTC
Well, it runs gpg for the check.

content.asc must be a valid signature. The bug was reported before (don't have
the number) and I thought it was fixed. The product creator either has
to create and add a valid key to the initrd or add 'insecure=1' to
the boot options.
Comment 3 Jiří Suchomel 2009-03-02 12:43:39 UTC
I don't know what "valid" means here. Product Creator just exports the user's key with gpg -a --export, I don't know what can break.

What call of gpg do you use to check (which fails here)?
Comment 4 Steffen Winterfeldt 2009-03-02 14:00:15 UTC
Did you check that you really added the key to the keyring in the initrd?
Comment 5 Jiří Suchomel 2009-03-02 14:14:50 UTC
Well, it's added to archive this way, not exactly added into the keyring:

 echo 'gpg-A626BDEE.gpg' | cpio -o -H newc -A -F '/tmp/product/minimal/boot/i386/loader/initrd.cpio'

This probably worked before, was anything changed?
Comment 6 Steffen Winterfeldt 2009-03-02 14:36:36 UTC
That file's for zypp, not linuxrc. Add it to /installkey.gpg.
See also bug 421571.
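
The distinction drawn in comment 6, as an added example that is not part of the original thread and not code from linuxrc or YaST: a Python check that unpacks an initrd and reports whether a signing key is inside /installkey.gpg or only present as a loose gpg-*.gpg archive member. It assumes a gzip-compressed or raw newc cpio initrd and an installkey.gpg stored as concatenated OpenPGP packets holding v4 keys; all function names are hypothetical.

```python
import gzip, hashlib, re

def newc_members(data):
    """Parse a newc cpio stream (appended archives included) into {name: content}."""
    members, off = {}, 0
    while off + 110 <= len(data):
        if data[off:off + 6] not in (b"070701", b"070702"):
            raise ValueError(f"no newc header at offset {off}")
        f = [int(data[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        name = data[off + 110:off + 109 + namesize].decode()
        start = off + 110 + namesize + (-(110 + namesize)) % 4
        if name != "TRAILER!!!":                # a later entry replaces an earlier one
            members[re.sub(r"^(\./|/)+", "", name)] = data[start:start + filesize]
        off = start + filesize
        while data[off:off + 1] == b"\0":       # entry padding, block padding after a trailer
            off += 1
    return members

def pgp_key_ids(blob):
    """Short IDs of the v4 primary public keys (tag 6) in concatenated OpenPGP packets."""
    ids, i = [], 0
    while i + 2 < len(blob) and blob[i] & 0x80:
        first, l0 = blob[i], blob[i + 1]
        if first & 0x40:                        # new-format packet header
            tag, h, n = first & 0x3F, 2, l0
            if 192 <= l0 < 224:
                h, n = 3, ((l0 - 192) << 8) + blob[i + 2] + 192
            elif l0 == 255:
                h, n = 6, int.from_bytes(blob[i + 2:i + 6], "big")
            elif l0 >= 224:
                break                           # partial lengths: not used for keys
        else:                                   # old-format packet header
            tag, h = (first >> 2) & 0x0F, 1 + (1 << (first & 3))
            if (first & 3) == 3:
                break                           # indeterminate length
            n = int.from_bytes(blob[i + 1:i + h], "big")
        body = blob[i + h:i + h + n]
        if tag == 6 and body[:1] == b"\x04":    # v4 fingerprint = SHA-1(0x99 | len | body)
            fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()
            ids.append(fpr[-4:].hex().upper())
        i += h + n
    return ids

def linuxrc_key_report(initrd, key_id):
    """Is key_id in the initrd's /installkey.gpg, or only in a loose gpg-*.gpg member?"""
    files = newc_members(gzip.decompress(initrd) if initrd[:2] == b"\x1f\x8b" else initrd)
    loose = sorted(n for n in files if re.fullmatch(r"gpg-[0-9A-Fa-f]+\.gpg", n))
    return {"in_installkey": key_id.upper() in pgp_key_ids(files.get("installkey.gpg", b"")),
            "loose_key_files": loose}
```

Call linuxrc_key_report(open(path, "rb").read(), "6CB7435E") on the product's boot/i386/loader/initrd. A result with in_installkey False and the key listed only under loose_key_files matches the state described in comment 5.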
Comment 7 Jiří Suchomel 2009-03-03 12:26:15 UTC
Yes, this seems to work. Thanks Petr for gpg help.
Comment 8 Jiří Suchomel 2009-03-03 12:34:13 UTC
Created attachment 276694
patch for /usr/share/YaST2/modules/ProductCreator.ycp

Try adding this patch to /usr/share/YaST2/modules/ProductCreator.ycp, run 'ycpc -c  /usr/share/YaST2/modules/ProductCreator.ycp' and create the product again.
Comment 19 Swamp Workflow Management 2009-03-17 14:20:29 UTC
The SWAMPID for this issue is 23210.
Please submit the patch and patchinfo file using this ID.
(https://swamp.suse.de/webswamp/wf/23210)
Comment 20 Jiří Suchomel 2009-03-18 13:19:15 UTC
patchinfo created, package submitted
Comment 21 Swamp Workflow Management 2009-05-04 22:09:18 UTC
Update released for: yast2-product-creator
Products:
SLE-SDK 11 (i386, ia64, ppc64, s390x, x86_64)
Comment 22 Swamp Workflow Management 2009-05-05 00:38:01 UTC
Update released for: yast2-product-creator
Products:
openSUSE 11.1 (i586)