Hi,

Quoting John Paul Adrian Glaubitz (2016-06-14 23:42:45)
> I recently accidentally upgraded gnupg in my experimental chroots to
> version 2.x. This upgrade rendered the chroots unusable with sbuild,
> attempting to build a package will fail with the following error:
>
> gpg: /«BUILDDIR»/resolver-X436Nh/gpg/trustdb.gpg: trustdb created
> gpg: Warning: not using 'Sbuild Signer' as default key: No secret key
> gpg: all values passed to '--default-key' ignored
> gpg: no default secret key: No secret key
> gpg: signing failed: No secret key
> Failed to sign dummy archive Release file.
>
> Downgrading gnupg to 1.4.x resolves the problem again.
thanks a lot for reporting this! I can now reproduce this outside of sbuild in the following way.

In a Debian unstable chroot with gnupg 1.4.20-6 I set up a new keypair and $GNUPGHOME by issuing the following commands:

    $ export GNUPGHOME=/tmp/gpg
    $ mkdir /tmp/apt_archive
    $ mkdir --mode=0700 /tmp/gpg
    $ cat > /tmp/gpgbatch <<EOF
    > Key-Type: RSA
    > Key-Length: 1024
    > Name-Real: Sbuild Signer
    > Name-Comment: Sbuild Build Dependency Archive Key
    > Name-Email: buildd-tools-de...@lists.alioth.debian.org
    > Expire-Date: 0
    > %secring /tmp/apt_archive/sbuild-key.sec
    > %pubring /tmp/apt_archive/sbuild-key.pub
    > %commit
    > EOF
    $ gpg --no-options --no-default-keyring --batch --gen-key /tmp/gpgbatch

I then copy /tmp/gpg and /tmp/apt_archive to a Debian unstable chroot with experimental enabled and the gnupg package upgraded to version 2.1.12-1. I create a dummy Release file in /tmp/apt_archive/Release and then run:

    $ gpg --yes --no-default-keyring --homedir /tmp/gpg \
        --secret-keyring /tmp/apt_archive/sbuild-key.sec \
        --keyring /tmp/apt_archive/sbuild-key.pub \
        --default-key 'Sbuild Signer' -abs --digest-algo SHA512 \
        -o /tmp/apt_archive/Release.gpg /tmp/apt_archive/Release

This results in:

    gpg: starting migration from earlier GnuPG versions
    gpg: porting secret keys from '/tmp/gpg/secring.gpg' to gpg-agent
    gpg: migration succeeded
    gpg: /tmp/gpg/trustdb.gpg: trustdb created
    gpg: Warning: not using 'Sbuild Signer' as default key: No secret key
    gpg: all values passed to '--default-key' ignored
    gpg: no default secret key: No secret key
    gpg: signing failed: No secret key

Thanks to Daniel Kahn Gillmor in #debian-gnupg, a solution that would solve this problem and at the same time that keys generated with gnupg 2.1.12-1 outside the chroot are not compatible with 1.4.20-6 (or earlier) inside the chroot would be to always use gpg --export, gpg --export-secret-keys, and gpg --import.
I'll work on a fix which lets sbuild-update generate plain keys using the above method and store it in /var/lib/sbuild/apt-keys under a different file name. Then sbuild can do the right thing depending on which keys it finds in that directory while still being compatible with the old keys.

Thanks!

cheers, josch
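The export/import approach from the mail above, as an added shell example (not code from the mail, from sbuild, or from Daniel Kahn Gillmor): the archive key is generated once and kept only as ASCII-armored export files, and every signing run imports them into a fresh, empty GNUPGHOME, so neither the secring.gpg of GnuPG 1.4 nor the gpg-agent key store of GnuPG 2.1 is ever shared across versions. Assumptions: $WORK stands in for /var/lib/sbuild, the e-mail address is a placeholder, the Release file is a constructed dummy, and the gpg in $PATH is 2.1 or newer (the %no-protection batch keyword is a 2.1 addition; gpg 1.4 leaves a key unprotected when no Passphrase line is given).

```shell
#!/bin/sh
# Added example (not from the original mail or from sbuild): keep the signing
# key only as --export / --export-secret-keys output and --import it into a
# fresh home before signing, so the same key works under gnupg 1.4 and 2.1.
# $WORK, the key file names and the e-mail address are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEYDIR="$WORK/apt-keys"            # plays the role of /var/lib/sbuild/apt-keys
PUB="$KEYDIR/sbuild-key.asc"       # exported public key (portable format)
SEC="$KEYDIR/sbuild-key.sec.asc"   # exported secret key, unprotected like sbuild's

# Generate the key in a throwaway home and persist only the armored exports.
gen_key() {
    home="$WORK/gen-home"
    mkdir -p "$KEYDIR"
    mkdir -m 0700 -p "$home"
    cat > "$home/batch" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Sbuild Signer
Name-Comment: Sbuild Build Dependency Archive Key
Name-Email: sbuild-signer@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --homedir "$home" --batch --quiet --gen-key "$home/batch"
    gpg --homedir "$home" --batch --armor --export 'Sbuild Signer' > "$PUB"
    gpg --homedir "$home" --batch --armor --export-secret-keys 'Sbuild Signer' > "$SEC"
    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
}

# Sign a Release file from a fresh home populated only from the export files;
# this is the step that failed in the mail when secring.gpg was reused.
sign_release() {
    release="$1"
    home="$WORK/sign-home"
    rm -rf "$home"
    mkdir -m 0700 -p "$home"
    gpg --homedir "$home" --batch --quiet --import "$PUB" "$SEC"
    gpg --homedir "$home" --batch --yes --default-key 'Sbuild Signer' \
        --digest-algo SHA512 -abs -o "$release.gpg" "$release"
    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
}

# Verify with only the public export, as apt inside the chroot would.
verify_release() {
    release="$1"
    home="$WORK/verify-home"
    rm -rf "$home"
    mkdir -m 0700 -p "$home"
    gpg --homedir "$home" --batch --quiet --import "$PUB"
    gpg --homedir "$home" --batch --verify "$release.gpg" "$release"
}

demo() {
    gen_key
    mkdir -p "$WORK/apt_archive"
    # Constructed dummy Release file, standing in for the one from the mail.
    printf 'Origin: Sbuild\nLabel: Sbuild Build Dependency Archive\n' \
        > "$WORK/apt_archive/Release"
    sign_release "$WORK/apt_archive/Release"
    verify_release "$WORK/apt_archive/Release"
    echo "signed and verified $WORK/apt_archive/Release using keys in $KEYDIR"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh portable-sign.sh demo`. The point of the design is that the files under $KEYDIR are the only persistent state: a chroot running gpg 1.4 and a host running gpg 2.1 both import them into their own private home, so no version-specific key store (secring.gpg or the agent's private-keys-v1.d) is ever handed from one gnupg generation to the other.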