
An implicit key store path breaks tdnf signature validation in scenarios including CI/CD #2812

Open
bureado opened this issue Apr 20, 2022 · 2 comments

Comments

@bureado

bureado commented Apr 20, 2022

An install trigger in tdnf imports the packages.microsoft.com public PGP keys using rpm --import.

Separately, a post-transaction scriptlet from mariner-repos imports said keys to root's default GPG homedir.

It appears that tdnf (more specifically the repogpgcheck plugin by virtue of gpgme) uses the keys in GPG's homedir path (e.g., derived from HOME) instead of the ones targeted by rpm --import (e.g., /etc/pki/rpm-gpg/...) as one would expect transitively from checkSig().

Critically, this means that operations that fail a gpg --verify also fail tdnf's repogpgcheck. One salient example of this is setting HOME to anything other than the implicit path established in the mariner-repos scriptlet (namely, /root/.gnupg by virtue of the gpg --import) which is not an uncommon pattern in CI/CD scenarios. This particular one breaks tdnf operations in GitHub Actions both with 1.0 and 2.0 container images.

(If you're here because you can't tdnf install in a GitHub Action or similar containerized build environment you might want to set GNUPGHOME to /root/.gnupg)

Short of refactoring repogpgcheck to use RPM bindings, another solution that comes to mind is to force-set GNUPGHOME for CBL-Mariner container images. This sounds drastic, but might be a consequence of the decision of using gpg --import in the mariner-repos scriptlet. That operation implies /root/.gnupg, which is then no longer referenced. Encoding it as an environment variable in container images would be one way to make that explicit. (So are other approaches: set it for the image itself, set it just for tdnf executions, or set it in the gpgme_* invocations.)

Also see #2752

@bureado
Author

bureado commented Apr 20, 2022

Here's a quick patch to tdnf to set home_dir before verify as an example. It would need proper get_engine on the context to populate e.g., the executable path. It can be made more sophisticated by trying a list of known keyring paths, etc.
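The following is an added illustration of the lookup problem described in the issue and of the "try a list of known keyring paths" idea from this comment; it is example code written for this page, not tdnf's code and not the patch referred to above. It assumes gpg's documented precedence (GNUPGHOME when set, otherwise $HOME/.gnupg), which is also what gpgme falls back to when no home_dir is configured. The function names, the `KNOWN_GPG_HOMES` fallback list and the fake filesystem are constructed for the example.

```python
import os
from typing import Callable, Dict, List, Optional

# Directories a verifier could fall back to when gpg's default home holds no
# keys. Constructed for this example from the path named in the issue; it is
# not tdnf's own list.
KNOWN_GPG_HOMES: List[str] = ["/root/.gnupg"]

# Keyring file names GnuPG writes: pubring.kbx (2.1 and later) or pubring.gpg.
KEYRING_FILES = ("pubring.kbx", "pubring.gpg")


def resolve_gpg_home(env: Dict[str, str]) -> str:
    """Directory gpg (and gpgme with no explicit home_dir) will use:
    GNUPGHOME if set, otherwise $HOME/.gnupg."""
    gnupghome = env.get("GNUPGHOME")
    if gnupghome:
        return gnupghome
    return os.path.join(env.get("HOME", "/"), ".gnupg")


def has_keyring(home: str, exists: Callable[[str], bool] = os.path.exists) -> bool:
    """True when a public keyring file is present under home."""
    return any(exists(os.path.join(home, name)) for name in KEYRING_FILES)


def default_home_is_empty(env: Dict[str, str],
                          exists: Callable[[str], bool] = os.path.exists) -> bool:
    """The failure mode in the issue: the home gpg would pick carries no
    keyring, so gpg --verify (and hence repogpgcheck) is bound to fail."""
    return not has_keyring(resolve_gpg_home(env), exists)


def pick_gpg_home(env: Dict[str, str],
                  candidates: List[str] = KNOWN_GPG_HOMES,
                  exists: Callable[[str], bool] = os.path.exists) -> Optional[str]:
    """First directory that actually holds a keyring: gpg's default, then the
    known fallbacks. Returns None when nothing usable is found."""
    for home in [resolve_gpg_home(env), *candidates]:
        if has_keyring(home, exists):
            return home
    return None


def suggested_env(env: Dict[str, str],
                  candidates: List[str] = KNOWN_GPG_HOMES,
                  exists: Callable[[str], bool] = os.path.exists) -> Dict[str, str]:
    """Environment a CI job could export so gpg sees the imported keys:
    unchanged when the default already works, otherwise GNUPGHOME pointed at
    the first usable fallback (the workaround the issue suggests)."""
    if not default_home_is_empty(env, exists):
        return dict(env)
    fixed = dict(env)
    fallback = pick_gpg_home(env, candidates, exists)
    if fallback is not None:
        fixed["GNUPGHOME"] = fallback
    return fixed


if __name__ == "__main__":
    # Constructed container layout: the scriptlet imported keys into
    # /root/.gnupg only, as the issue describes.
    fake_fs = {"/root/.gnupg/pubring.kbx"}

    def present(path: str) -> bool:
        return path in fake_fs

    for env in ({"HOME": "/root"},
                {"HOME": "/tmp"},
                {"HOME": "/tmp", "GNUPGHOME": "/root/.gnupg"}):
        print(env, "->", resolve_gpg_home(env),
              "(empty)" if default_home_is_empty(env, present) else "(has keys)",
              "| suggested:", suggested_env(env, exists=present))
```

Run it against the real filesystem by dropping the `exists` argument: on a CBL-Mariner container with HOME set to /tmp, `default_home_is_empty(os.environ)` reports the condition that makes `tdnf install` fail, and `suggested_env(os.environ)` shows the GNUPGHOME setting that restores verification.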

@wasker

wasker commented May 2, 2022

Our team doesn't use GH Actions, but we ran into the same issue when we were migrating off Alpine to Mariner. We were explicitly setting HOME to /tmp for the container, which was breaking tdnf as this bug describes.


2 participants