After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 750049 - Reading keyring directory '/usr/share/ostree/trusted.gpg.d' No such file or directory
Reading keyring directory '/usr/share/ostree/trusted.gpg.d' No such file or d...
Status: RESOLVED FIXED
Product: ostree
Classification: Infrastructure
Component: general
unspecified
Other Linux
: Normal normal
: ---
Assigned To: OSTree maintainer(s)
OSTree maintainer(s)
Depends on:
Blocks:
 
 
Reported: 2015-05-28 16:06 UTC by Jeff Ortel
Modified: 2015-06-10 16:37 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
Proposed patch (1.66 KB, patch)
2015-05-28 20:28 UTC, Matthew Barnes 		committed Details | Review
Followup patch (6.27 KB, patch)
2015-06-05 17:03 UTC, Matthew Barnes 		none Details | Review
Followup patch (6.68 KB, patch)
2015-06-05 19:16 UTC, Matthew Barnes 		committed Details | Review

Description Jeff Ortel 2015-05-28 16:06:25 UTC 
Using the latest master and working with the remote specific GPG keyrings.  I'm getting an error that /usr/share/ostree/trusted.gpg.d does not exist (which it does not).  When a remote specific keyring exists, should ostree still be trying to use keyrings in this directory?

I built (master) and installed by RPM: ostree-2015.6.82.gad3a47d-3.fc21.x86_64

Here are some additional information:

$ cat config
[core]
repo_version=1
mode=archive-z2

[remote "jeff"]
url=file:///opt/content/ostree/el7
gpg-verify=true
tls-permissive=true

$ ll
total 28
-rw-r--r--   1 apache apache  126 May 27 11:12 config
-rw-r--r--   1 apache apache 2223 May 27 11:21 jeff.trustedkeys.gpg
drwxr-sr-x 258 apache apache 4096 Mar  3 15:14 objects
drwxr-sr-x   4 apache apache 4096 Mar  3 15:14 refs
drwxr-sr-x   2 apache apache 4096 Mar  3 15:15 state
drwxr-sr-x   3 apache apache 4096 May 27 11:21 tmp
drwxr-sr-x   2 apache apache 4096 Mar  3 15:14 uncompressed-objects-cache

$ sudo -u apache ostree --repo=content remote gpg-import jeff -k /tmp/j.asc
Imported 1 GPG key to remote "jeff"

$ sudo -u apache ostree --repo=content pull jeff rhel-atomic-host/7/x86_64/standard

error: Reading keyring directory '/usr/share/ostree/trusted.gpg.d' No such file or directory
Comment 1 Matthew Barnes 2015-05-28 20:28:18 UTC 
Created attachment 304201 [details] [review]
Proposed patch

Untested, but pretty sure this should fix it.
Comment 2 Colin Walters 2015-06-04 21:53:14 UTC 
It would make sense indeed to skip adding the global trusted keyring if a remote-specific keyring exists.

This patch looks fine to me, although I'll note that if you're using the Fedora RPM package, that directory should always exist:

%{_datadir}/ostree/trusted.gpg.d

If it doesn't, I'm assuming you installed via "sudo make install" or similar?
Comment 3 Colin Walters 2015-06-04 21:55:56 UTC 
Comment on attachment 304201 [details] [review]
Proposed patch

I've pushed this, but let's keep the bug open for skipping the global keyring if a remote has a keyring.
Comment 4 Matthew Barnes 2015-06-04 22:31:51 UTC 
Roger.  I need a break from the other stuff anyway.  :)
Comment 5 Matthew Barnes 2015-06-05 17:03:44 UTC 
Created attachment 304661 [details] [review]
Followup patch

Changes the policy on when to use the global keyring.
Comment 6 Matthew Barnes 2015-06-05 19:16:17 UTC 
Created attachment 304670 [details] [review]
Followup patch

Didn't get that quite right; forgot to actually check for a remote-specific keyring file.
Comment 7 Colin Walters 2015-06-09 22:15:48 UTC 
Review of attachment 304670 [details] [review]:

I don't understand the relationship between:

 - A remote not having a keyring
 - remote_name == NULL

in this code.  I'm not saying it's wrong, just that I don't
understand =)  Can you explain?

So for example, let's pretend that OS vendor ExampleOS had
been doing keys in /usr/share.  Their system config has set up
their OS by default to have a remote with gpg-verify=true,
but no remote-specific keyring.

AFAICS, scan_commit_object() will call _ostree_repo_verify_commit_internal()
with a non-NULL pull_data->remote_name.

So wouldn't that break?

I'd have expected to see some call inside ostree-repo.c like
remote_keyring = remote_get_keyring()
if (remote_keyring != NULL) {
  verify_with(remote_keyring)
} else {
  verify_with(global_keyring)
Comment 8 Colin Walters 2015-06-09 22:18:19 UTC 
Review of attachment 304670 [details] [review]:

Ah, you even said that, yet I somehow managed to read the wrong patch!

The second patch makes more sense to me.  Minor, but might as well skip calling _add_keyring if the file doesn't exist.  Otherwise looks reasonable to me.
Comment 9 Matthew Barnes 2015-06-09 22:52:00 UTC 
Sorry for the confusion.  I forgot to mark the first patch as obsolete when I submitted the second patch, and then Bugzilla wouldn't let me do it afterward.

(Aside: would you be willing to add Giuseppe and I as ostree developers in Bugzilla, if only for stupid crap like that?)


> The second patch makes more sense to me.  Minor, but might as well skip
> calling _add_keyring if the file doesn't exist.  Otherwise looks reasonable
> to me.

Makes sense, will fix.
Comment 10 Colin Walters 2015-06-10 01:54:17 UTC 
(In reply to Matthew Barnes from comment #9)
> Sorry for the confusion.  I forgot to mark the first patch as obsolete when
> I submitted the second patch, and then Bugzilla wouldn't let me do it
> afterward.
> 
> (Aside: would you be willing to add Giuseppe and I as ostree developers in
> Bugzilla, if only for stupid crap like that?)

Done.
Comment 11 Matthew Barnes 2015-06-10 16:34:02 UTC 
(In reply to Colin Walters from comment #10)
> Done.

Thanks!

Pushed with the suggested change:
https://git.gnome.org/browse/ostree/commit/?id=9f1b50d41c2704653f78735bc678f80bbe192a63