sts-sponsors team mailing list archive

Thread
Date
[Bug 1903776] Re: Changed ubuntu-keyring paths breaks upgrade to focal.

To: sts-sponsors@xxxxxxxxxxxxxxxxxxx
From: Simon Poirier <1903776@xxxxxxxxxxxxxxxxxx>
Date: Wed, 30 Mar 2022 00:07:06 -0000
Reply-to: Bug 1903776 <1903776@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
I also verified landscape-client 19.12-0ubuntu10.1 from impish-proposed.
I used the same landscape-server-quickstart from ppa:landscape/19.10 as previously, with the same database query to enable upgrading.

Again, upgrade tool downloaded and validated successfully on the proposed version, with the upgrade successful and the
logs confirming the success:

# tail -f /var/log/landscape/release-upgrader.log 
2022-03-29 19:58:48,927 DEBUG    [MainThread] Started firing run.
2022-03-29 19:58:48,927 DEBUG    [MainThread] Finished firing run.
2022-03-29 19:58:49,793 INFO     [MainThread] Successfully fetched upgrade-tool files
2022-03-29 19:58:49,817 INFO     [MainThread] Successfully verified upgrade-tool tarball
2022-03-29 20:09:34,616 INFO     [MainThread] Queuing message with release upgrade results to exchange urgently.
2022-03-29 20:09:35,028 DEBUG    [MainThread] Started firing stop.
2022-03-29 20:09:35,028 DEBUG    [MainThread] Finished firing stop.  

** Tags removed: verification-needed verification-needed-focal verification-needed-impish
** Tags added: verification-done verification-done-focal verification-done-impish

-- 
You received this bug notification because you are a member of STS
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1903776

Title:
  Changed ubuntu-keyring paths breaks upgrade to focal.

Status in Landscape Client:
  Fix Committed
Status in landscape-client package in Ubuntu:
  Fix Released
Status in landscape-client source package in Bionic:
  Fix Committed
Status in landscape-client source package in Focal:
  Fix Committed
Status in landscape-client source package in Groovy:
  Won't Fix
Status in landscape-client source package in Hirsute:
  Won't Fix
Status in landscape-client source package in Impish:
  Fix Committed
Status in landscape-client source package in Jammy:
  Fix Released

Bug description:
  [Impact]

   * When launching an Ubuntu release-upgrade through landscape-client, the
     upgrade-tool fails GPG verification due to trusted apt key having changed
     location as of 18.04 LTS.

   * The proposed patch extends gpg lookup path to include all
     /etc/apt/trusted.gpg.d/*.gpg files in addition to /etc/apt/trusted.gpg
     when verifying the upgrade-tool signature.

  [Test Case]

   * Install and register the landscape-client against a landscape-server
     on a series supporting an upgrade.

   * Wait for it to sync up packages.

   * On the computer packages page, there is a link at the bottom to request a
     release upgrade of that machine, if a supported version is available.

   * The upgrade fails and /var/log/landscape/release-upgrader.log will indicate
     a failed gpg verification.

  [Where problems could occur]

   * One thing which has been considered in this fix is how someone could have
     worked around the issue by re-creating the old key path. The fix covers
     such a case by still reading the deprecated trusted.gpg file.

   * Although some care has been taken to only load valid gpg keys from apt
     trusted keychain, there could be unforeseen scenarios where invalid data
     gets read from the keychain. In such a case, the strict nature of gpg would
     reject the signature verification, thus being no worse than without the fix.

   * The affected callsite is used for verifying the release-upgrader code prior
     to running it. One bad thing which we could imagine with this code path is
     falsely accepting an invalid file signature, which may create a security
     issue. This would likely take shape of injecting a gpg key, without
     having root access, in the search path.

  [Other Info]

   * There is no way to directly verify this issue on 20.10 Groovy and later
     (without faking a release) due to the lack of upgrade path to a supported
     LTS. The ubuntu-keyring package having the same file layout, the same
     validation failure is however to be expected if left unpatched.

  [Original description]

  Since bionic, ubuntu-keyring removed `/etc/apt/trusted.gpg` in favor
  of `/etc/apt/trusted.gpg.d/`

  This breaks signature verification for the upgrade-tool.
  Trying to release-upgrade through landscape yields a failure on signature check:

  2020-11-10 15:47:51,019 WARNING  [MainThread] Invalid signature for upgrade-tool tarball: /usr/bin/gpg failed (out='', err='gpg: keybox '/etc/apt/trusted.gpg' created
  gpg: Signature made Fri Oct 16 03:28:09 2020 UTC
  gpg:                using RSA key 3B4FE6ACC0B21F32
  gpg: Can't check signature: No public key

To manage notifications about this bug go to:
https://bugs.launchpad.net/landscape-client/+bug/1903776/+subscriptions