Comments (8)
This looks like it is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852019
from jenkins-debian-glue.
I could debug this so far, as I am now able to validate properly by hand in a shell.
The issue seems to be the keyring file in use, which somewhere seems to be set to:
~/.gnupg/trustedkeys.kbx
but then, when validating, gpgv uses the key file:
~/.gnupg/pubkeys.kbx
by default.
So by generating a key with --keyring /var/lib/jenkins/.gnupg/trustedkeys.kbx set,
then exporting and importing it (without the --keyring option) into pubkeys.kbx, we can properly use gpgv *.dsc
in the job's -source workspace.
I just could not figure out how to copy and import the key into the cowbuilder image so it can be used there for proper validation.
Reading through the Debian bug, which I also found while googling (I just wasn't sure whether it was applicable), I came up with the question of whether to use gpg2 for j-d-g as well?
from jenkins-debian-glue.
Thanks for sharing your finding regarding the keyring, I'm wondering whether we should document this somewhere, like in j-d-g's FAQ?
Regarding usage in the cowbuilder image: you need to do this inside /var/cache/pbuilder/base*.cow
to make sure it's persistent; once gpg *.dsc
works there when checked manually, it should™ also work in automated/build mode.
Unless I'm mistaken usage of gpg2 should just-work and be a transparent replacement from j-d-g's PoV.
from jenkins-debian-glue.
How would I do that in /var/cache/pbuilder/base*.cow
? As far as I understood, it is being generated when jobs run, so I thought about putting the following commands somewhere to be used during generation.
Putting this as a shell command to be run before building does not work, so I'm looking for a place to put this so it is executed at the right moment.
# write the gpg batch parameters as user jenkins (with "sudo -u jenkins cat >foo" the
# redirection would be done by the calling shell, not by jenkins, so use tee instead)
sudo -u jenkins tee /var/lib/jenkins/foo >/dev/null <<EOF
%echo Generating a basic OpenPGP key
# Debian wants stronger RSA keys that are at least 4096 bits and preferring SHA2.
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: Jenkins Debian Glue
#Name-Comment: automated key for signing # Debian recommends to let comment field empty
Name-Email: jenkins@$HOSTNAME
Expire-Date: 0
#Passphrase: ${jenkinspass}
%no-protection
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
EOF
# generate gpg key for user jenkins
sudo -u jenkins gpg --no-default-keyring --keyring /var/lib/jenkins/.gnupg/trustedkeys.kbx --batch --generate-key /var/lib/jenkins/foo
# export key as user jenkins for user root, import key as user root
# (.private.key holds the unprotected secret key: restrict its permissions and remove it once imported)
sudo -u jenkins gpg --no-default-keyring --keyring /var/lib/jenkins/.gnupg/trustedkeys.kbx --export-secret-keys > /var/lib/jenkins/.gnupg/.private.key
gpg --no-default-keyring --keyring /root/.gnupg/trustedkeys.kbx --import /var/lib/jenkins/.gnupg/.private.key
# import gpg key also into default pubring.kbx for user jenkins and root
sudo -u jenkins gpg --import /var/lib/jenkins/.gnupg/.private.key
gpg --import /var/lib/jenkins/.gnupg/.private.key
from jenkins-debian-glue.
I'm also fighting with that problem ATM...
The trustedkeys.kbx
file is the default file searched by gpgv,
but when it is run through dpkg-source
(which is done during the build process for source package extraction), the keyring is explicitly set to something like:
$VAR1 = [
          'gpgv',
          '--keyring',
          '/var/lib/jenkins/.gnupg/trustedkeys.gpg',
          '--keyring',
          '/usr/share/keyrings/debian-keyring.gpg',
          '--keyring',
          '/usr/share/keyrings/debian-maintainers.gpg',
          '../nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc'
        ];
See /usr/share/perl5/Dpkg/Source/Package.pm:
...
sub check_signature {
    my $self = shift;
    my $dsc = $self->get_filename();
    my @exec;
    if (find_command('gpgv2')) {
        push @exec, 'gpgv2';
    } elsif (find_command('gpgv')) {
        push @exec, 'gpgv';
    } elsif (find_command('gpg2')) {
        push @exec, 'gpg2', '--no-default-keyring', '-q', '--verify';
    } elsif (find_command('gpg')) {
        push @exec, 'gpg', '--no-default-keyring', '-q', '--verify';
    }
    if (scalar(@exec)) {
        if (length $ENV{HOME} and -r "$ENV{HOME}/.gnupg/trustedkeys.gpg") {
            push @exec, '--keyring', "$ENV{HOME}/.gnupg/trustedkeys.gpg";
        }
        foreach my $vendor_keyring (run_vendor_hook('package-keyrings')) {
            if (-r $vendor_keyring) {
                push @exec, '--keyring', $vendor_keyring;
            }
        }
        push @exec, $dsc;
        # Added by me for debugging
        use Data::Dumper;
        print Dumper(\@exec);
...
The first keyring is the one in $HOME/.gnupg
. So, because cowbuilder is run through sudo
, I've changed my /etc/sudoers.d/jenkins
conffile to include the HOME
environment variable as follows:
## Deployed via jenkins_debian_glue.pp
# Make sure DEB_* options reach cowbuilder, like e.g.:
# export DEB_BUILD_OPTIONS="parallel=8" /usr/bin/build-and-provide-package
Defaults env_keep+="HOME DEB_* DIST ARCH ADT"
# for *-binaries job
jenkins ALL=NOPASSWD: /usr/sbin/cowbuilder, /usr/sbin/chroot
# for *-piuparts job
jenkins ALL=NOPASSWD: /usr/sbin/piuparts, /usr/sbin/debootstrap, /usr/bin/piuparts_wrapper
This is to be sure that the keyring will be searched for in the $HOME
of my jenkins
user and not the root
user...
gpgv
is really confusing us because even if the keyring is set to something other than the default, and if that keyring doesn't exist, the confusing error message will be logged:
jenkins@jenkins:~$ sudo DEB_DIST_ID=debian DIST=stretch ARCH=amd64 ADT=skip cowbuilder --login --basepath /var/cache/pbuilder/base-stretch-amd64.cow --configfile=/etc/jenkins/pbuilderrc
I: Copying COW directory
I: forking: rm -rf /var/cache/pbuilder/build/cow.20163
I: forking: cp -al /var/cache/pbuilder/base-stretch-amd64.cow /var/cache/pbuilder/build/cow.20163
I: removed stale ilistfile /var/cache/pbuilder/build/cow.20163/.ilist
I: Invoking pbuilder
I: forking: pbuilder login --configfile /etc/jenkins/pbuilderrc --buildplace /var/cache/pbuilder/build/cow.20163 --mirror http://deb.debian.org/debian --distribution stretch --no-targz --internal-chrootexec 'chroot /var/cache/pbuilder/build/cow.20163 cow-shell'
W: /var/lib/jenkins/.pbuilderrc does not exist
Distribution set to stretch
Mirror set to http://deb.debian.org/debian
Components set to main contrib non-free
Build dependencies resolver set to /usr/lib/pbuilder/pbuilder-satisfydepends-apt
I: Running in no-targz mode
I: copying local configuration
W: --override-config is not set; not updating apt.conf Read the manpage for details.
I: mounting /proc filesystem
I: mounting /sys filesystem
I: creating /{dev,run}/shm
I: mounting /dev/pts filesystem
I: redirecting /dev/ptmx to /dev/pts/ptmx
I: mounting /dev/pts/0 over /dev/console
I: Mounting /var/lib/jenkins
I: policy-rc.d already exists
I: using eatmydata during job
I: Obtaining the cached apt archive contents
I: entering the shell
root@jenkins:/# cd /var/lib/jenkins/.gnupg/
root@jenkins:~/.gnupg# rm -rf ./tmp && dpkg-source --require-valid-signature -x ../nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc /var/lib/jenkins/.gnupg/tmp
dpkg-source: info: extracting openssl1.0 in /var/lib/jenkins/.gnupg/tmp
dpkg-source: info: unpacking openssl1.0_1.0.2p.orig.tar.gz
dpkg-source: info: unpacking openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.debian.tar.xz
dpkg-source: info: applying config-hurd.patch
dpkg-source: info: applying debian-targets.patch
dpkg-source: info: applying engines-path.patch
dpkg-source: info: applying man-dir.patch
dpkg-source: info: applying man-section.patch
dpkg-source: info: applying no-rpath.patch
dpkg-source: info: applying no-symbolic.patch
dpkg-source: info: applying pic.patch
dpkg-source: info: applying valgrind.patch
dpkg-source: info: applying shared-lib-ext.patch
dpkg-source: info: applying stddef.patch
dpkg-source: info: applying version-script.patch
dpkg-source: info: applying c_rehash-compat.patch
dpkg-source: info: applying block_diginotar.patch
dpkg-source: info: applying block_digicert_malaysia.patch
dpkg-source: info: applying disable_freelist.patch
dpkg-source: info: applying soname.patch
dpkg-source: info: applying disable_sslv3_test.patch
dpkg-source: info: applying Mark-3DES-and-RC4-ciphers-as-weak.patch
root@jenkins:~/.gnupg# mv trustedkeys.gpg trustedkeys.gpg-
root@jenkins:~/.gnupg# rm -rf ./tmp && dpkg-source --require-valid-signature -x ../nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc /var/lib/jenkins/.gnupg/tmp
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/var/lib/jenkins/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made Fri Nov 9 09:51:34 2018 UTC
gpgv: using RSA key 8D1AB58E0F4B31E7B27B3C361548CEA469A0BDC9
gpgv: Can't check signature: No public key
dpkg-source: error: failed to verify signature on ../nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc
root@jenkins:~/.gnupg# logout
I: Copying back the cached apt archive contents
I: unmounting /var/lib/jenkins filesystem
I: unmounting dev/console filesystem
I: unmounting dev/ptmx filesystem
I: unmounting dev/pts filesystem
I: unmounting dev/shm filesystem
I: unmounting proc filesystem
I: unmounting sys filesystem
I: Cleaning COW directory
I: forking: rm -rf /var/cache/pbuilder/build/cow.20163
jenkins@jenkins:~$
As you can see above, I can verify the source package when logging in to the pbuilder environment manually (through cowbuilder) if the trustedkeys.gpg
file exists (that's the file in which I've added my key, as expected by dpkg-source)... However, once I delete that file, I receive the confusing error about the trustedkeys.kbx
file.
To summarize: right now I'm able to log in manually to the pbuilder environment through cowbuilder, mount my jenkins
user's $HOME
into the chroot, and then verify the source package as expected through dpkg-source
when extracting it. However, when I do the same thing via j-d-g, I receive the confusing error message, even if my jenkins
user's $HOME
gets mounted as expected... I'm still investigating.
Regarding my pbuilderrc
conffile, it looks as follows:
root@jenkins:/etc/jenkins# cat pbuilderrc
# pbuilder configuration file automatically passed-in by j-d-g
# See https://manpages.debian.org/stretch/pbuilder/pbuilderrc.5.en.html

# Only for cowbuilder (update process)
# cowbuilder doesn't care about the DIST variable and falls back to 'sid' if no
# --distribution is passed in...
DISTRIBUTION=$DIST
echo "Distribution set to ${DISTRIBUTION}"

# We care only about error messages from pbuilder
#LOGLEVEL=E

# Set mirror and components to use, according to distributor ID
if [ "$DEB_DIST_ID" = "debian" ]; then
    MIRRORSITE="http://deb.debian.org/debian"
    COMPONENTS="main contrib non-free"
else
    MIRRORSITE="http://fr.archive.ubuntu.com/ubuntu"
    COMPONENTS="main restricted universe multiverse"
fi
echo "Mirror set to ${MIRRORSITE}"
echo "Components set to ${COMPONENTS}"

# Set up the dependency resolver according to distribution codename and architecture
# - aptitude resolver doesn't work with qemu-user-static
# - apt resolver is not provided by jessie, trusty and xenial
case "$DISTRIBUTION" in
    jessie|trusty|xenial)
        case "$ARCH" in
            i386|amd64) PBUILDERSATISFYDEPENDSCMD="/usr/lib/pbuilder/pbuilder-satisfydepends-aptitude" ;;
            *) PBUILDERSATISFYDEPENDSCMD="/usr/lib/pbuilder/pbuilder-satisfydepends-classic" ;;
        esac ;;
    *) PBUILDERSATISFYDEPENDSCMD="/usr/lib/pbuilder/pbuilder-satisfydepends-apt" ;;
esac
echo "Build dependencies resolver set to ${PBUILDERSATISFYDEPENDSCMD}"

BINDMOUNTS="/var/lib/jenkins"
Unless I'm mistaken usage of gpg2 should just-work and be a transparent replacement from j-d-g's PoV.
From my point of view, this has nothing to do with j-d-g... the dpkg-source call is part of the cowbuilder / pbuilder build process... and gpgv
gets called as second choice by the underlying /usr/share/perl5/Dpkg/Source/Package.pm
Perl package... (see above for the workflow).
Making the changes persistent is not a good solution because you have to do that for all variants (all your cows)... What we want here is to make our GPG key available for the verification of the source package during the build process, when it gets extracted. The right solution from my point of view is to make sure that the key is added to the trustedkeys.gpg
file of the jenkins
user, then make sure that $HOME
points to the jenkins
user's home (as explained above), and then mount the jenkins
user's $HOME
inside the chroot at runtime through the --bindmounts
option or the BINDMOUNTS environment variable.
Now, if you want to persist with the @mika solution, you can make your changes persistent by copying your files into the unmounted cow(s), which you can find in the /var/cache/pbuilder directory. For instance: /var/cache/pbuilder/base-stretch-amd64.cow/
from jenkins-debian-glue.
I think I figured it out...
So, by default, dpkg-source is run as the self-created pbuilder
user and of course that user cannot access the /var/lib/jenkins/.gnupg
directory:
jenkins@jenkins:~$ LANG=C sudo DEB_DIST_ID=debian DIST=stretch ARCH=amd64 ADT=skip GNUPGHOME=/var/lib/jenkins/.gnupg cowbuilder --buildresult /var/lib/jenkins/nuxwin-testing/workspace/binaries --build /var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc --basepath /var/cache/pbuilder/base-stretch-amd64.cow --bindmounts "/var/lib/jenkins" --configfile=/etc/jenkins/pbuilderrc
I: Copying COW directory
I: forking: rm -rf /var/cache/pbuilder/build/cow.10920
I: forking: cp -al /var/cache/pbuilder/base-stretch-amd64.cow /var/cache/pbuilder/build/cow.10920
I: removed stale ilistfile /var/cache/pbuilder/build/cow.10920/.ilist
I: forking: chroot /var/cache/pbuilder/build/cow.10920 cowdancer-ilistcreate /.ilist 'find . -xdev -path ./home -prune -o \( \( -type l -o -type f \) -a -links +1 -print0 \) | xargs -0 stat --format '%d %i ''
I: Invoking pbuilder
I: forking: pbuilder build --bindmounts /var/lib/jenkins --configfile /etc/jenkins/pbuilderrc --buildplace /var/cache/pbuilder/build/cow.10920 --buildresult /var/lib/jenkins/nuxwin-testing/workspace/binaries --mirror http://deb.debian.org/debian --architecture amd64 --distribution stretch --extrapackages 'eatmydata ' --no-targz --internal-chrootexec 'chroot /var/cache/pbuilder/build/cow.10920 cow-shell' /var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc
W: /var/lib/jenkins/.pbuilderrc does not exist
Distribution set to stretch
Mirror set to http://deb.debian.org/debian
Components set to main contrib non-free
Build dependencies resolver set to /usr/lib/pbuilder/pbuilder-satisfydepends-apt
I: Running in no-targz mode
I: pbuilder: network access will be disabled during build
I: Current time: Fri Nov 9 21:16:21 CET 2018
I: pbuilder-time-stamp: 1541794581
I: copying local configuration
W: --override-config is not set; not updating apt.conf Read the manpage for details.
I: mounting /proc filesystem
I: mounting /sys filesystem
I: creating /{dev,run}/shm
I: mounting /dev/pts filesystem
I: redirecting /dev/ptmx to /dev/pts/ptmx
I: Mounting /var/lib/jenkins
I: policy-rc.d already exists
I: using eatmydata during job
I: Obtaining the cached apt archive contents
I: Copying source file
I: copying [/var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc]
I: copying [/var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p.orig.tar.gz]
I: copying [/var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.debian.tar.xz]
I: Extracting source
/var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc
openssl1.0-1.0.2p
Unshare : unshare -n -- /usr/lib/pbuilder/pbuilder-unshare-wrapper
Chrootexec: chroot /var/cache/pbuilder/build/cow.10920 cow-shell eatmydata
Sutouser : LD_PRELOAD= LOGNAME=pbuilder USER=pbuilder /sbin/start-stop-daemon --start --pidfile /dev/null --chuid pbuilder --startas /bin/sh
$VAR1 = {
'PBUILDER_PKGLIBDIR' => '/usr/lib/pbuilder',
'SUDO_COMMAND' => '/usr/sbin/cowbuilder --buildresult /var/lib/jenkins/nuxwin-testing/workspace/binaries --build /var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc --basepath /var/cache/pbuilder/base-stretch-amd64.cow --bindmounts /var/lib/jenkins --configfile=/etc/jenkins/pbuilderrc',
'SUDO_GID' => '112',
'USERNAME' => 'root',
'_' => '/usr/bin/unshare',
'GNUPGHOME' => '/var/lib/jenkins/.gnupg',
'USER' => 'pbuilder',
'SUDO_USER' => 'jenkins',
'PATH' => '/usr/sbin:/usr/bin:/sbin:/bin',
'LD_LIBRARY_PATH' => '/usr/lib/libeatmydata',
'MAIL' => '/var/mail/root',
'SUDO_UID' => '108',
'ARCH' => 'amd64',
'LD_PRELOAD' => '',
'DEBIAN_FRONTEND' => 'noninteractive',
'DEB_DIST_ID' => 'debian',
'PBUILDER_OPERATION' => 'build',
'SHELL' => '/bin/bash',
'COWDANCER_ILISTFILE' => '/.ilist',
'HOME' => '/var/lib/jenkins',
'LC_ALL' => 'C',
'LS_COLORS' => 'rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:',
'OLDPWD' => '/',
'ADT' => 'skip',
'PBUILDER_SYSCONFDIR' => '/etc',
'LOGNAME' => 'pbuilder',
'PBCURRENTCOMMANDLINEOPERATION' => 'build',
'COWDANCER_REUSE' => 'yes',
'PWD' => '/build',
'TERM' => 'xterm-256color',
'SHLVL' => '2',
'LANG' => 'C',
'PBUILDER_PKGDATADIR' => '/usr/share/pbuilder',
'DIST' => 'stretch'
};
ls: cannot open directory '/var/lib/jenkins/.gnupg': Permission denied
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/var/lib/jenkins/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made Fri Nov 9 09:51:34 2018 UTC
gpgv: using RSA key 8D1AB58E0F4B31E7B27B3C361548CEA469A0BDC9
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc
dpkg-source: info: extracting openssl1.0 in openssl1.0-1.0.2p
dpkg-source: info: unpacking openssl1.0_1.0.2p.orig.tar.gz
dpkg-source: info: unpacking openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.debian.tar.xz
dpkg-source: info: applying config-hurd.patch
dpkg-source: info: applying debian-targets.patch
dpkg-source: info: applying engines-path.patch
dpkg-source: info: applying man-dir.patch
dpkg-source: info: applying man-section.patch
dpkg-source: info: applying no-rpath.patch
dpkg-source: info: applying no-symbolic.patch
dpkg-source: info: applying pic.patch
dpkg-source: info: applying valgrind.patch
dpkg-source: info: applying shared-lib-ext.patch
dpkg-source: info: applying stddef.patch
dpkg-source: info: applying version-script.patch
dpkg-source: info: applying c_rehash-compat.patch
dpkg-source: info: applying block_diginotar.patch
dpkg-source: info: applying block_digicert_malaysia.patch
dpkg-source: info: applying disable_freelist.patch
dpkg-source: info: applying soname.patch
dpkg-source: info: applying disable_sslv3_test.patch
dpkg-source: info: applying Mark-3DES-and-RC4-ciphers-as-weak.patch
I: unmounting /var/lib/jenkins filesystem
I: unmounting dev/ptmx filesystem
I: unmounting dev/pts filesystem
I: unmounting dev/shm filesystem
I: unmounting proc filesystem
I: unmounting sys filesystem
I: Cleaning COW directory
I: forking: rm -rf /var/cache/pbuilder/build/cow.10920
I'll post the solution in few minutes.
from jenkins-debian-glue.
Solution
Assuming that your GPG key is owned by the jenkins
user.
1. Create the pbuilder
user:
jenkins@jenkins:~$ su -c "useradd -c 'Pbuilder build user' -m -U -s /bin/bash pbuilder"
Note that this user is only created to avoid building packages as the root
user. The purpose of that user is to make the keyring available for the source package signature verification during the build process.
2. Export the GPG key into the trustedkeys.gpg
keyring and copy that keyring into the pbuilder
user's ~/.gnupg
directory:
jenkins@jenkins:~$ gpg --export <KEY_ID> | gpg --no-default-keyring --keyring ~/trustedkeys.gpg --import -
jenkins@jenkins:~$ su
root@jenkins:/var/lib/jenkins# su -c 'gpg -k && cp -a /var/lib/jenkins/trustedkeys.gpg ~/.gnupg/trustedkeys.gpg' pbuilder
root@jenkins:/var/lib/jenkins# exit
jenkins@jenkins:~$ rm trustedkeys.gpg*
Note regarding the trustedkeys.gpg
keyring
If you export your GPG key with a GPG version >= 2.1, the trustedkeys.gpg
keyring will be in the new format (keybox). Therefore, older GPG versions will not be able to read it, leading to signature verification failure when building for older distributions. The best is to export the key in the older format to make it readable by all GPG versions. That is really an important point, as GPG versions >= 2.1 aren't available in older distributions (Debian <= 9.0, Ubuntu < 17.10). Basically, you need to:
- Export the key in ASCII-armored format and import it into the trustedkeys.gpg keyring using an older GPG (< 2.1) version
- Copy the trustedkeys.gpg keyring, which will then be readable by all GPG versions.
3. In your /etc/jenkins/pbuilderrc
file, add:
BUILDUSERNAME=pbuilder
BUILDUSERID=$(getent passwd pbuilder | awk -F ':' '{print $3}')
HOME=$(getent passwd pbuilder | awk -F ':' '{print $6}')
BINDMOUNTS=$HOME
Then, you're done.
Result
jenkins@jenkins:~$ LANG=C sudo DEB_DIST_ID=ubuntu DIST=trusty ARCH=amd64 ADT=skip cowbuilder build --buildresult /var/lib/jenkins/nuxwin-testing/workspace/binaries --build /var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc --basepath /var/cache/pbuilder/base-trusty-amd64.cow --configfile=/etc/jenkins/pbuilderrc
I: Copying COW directory
I: forking: rm -rf /var/cache/pbuilder/build/cow.27728
I: forking: cp -al /var/cache/pbuilder/base-trusty-amd64.cow /var/cache/pbuilder/build/cow.27728
I: removed stale ilistfile /var/cache/pbuilder/build/cow.27728/.ilist
I: forking: chroot /var/cache/pbuilder/build/cow.27728 cowdancer-ilistcreate /.ilist 'find . -xdev -path ./home -prune -o \( \( -type l -o -type f \) -a -links +1 -print0 \) | xargs -0 stat --format '%d %i ''
I: Invoking pbuilder
I: forking: pbuilder build --configfile /etc/jenkins/pbuilderrc --buildplace /var/cache/pbuilder/build/cow.27728 --buildresult /var/lib/jenkins/nuxwin-testing/workspace/binaries --mirror http://fr.archive.ubuntu.com/ubuntu --architecture amd64 --distribution trusty --no-targz --internal-chrootexec 'chroot /var/cache/pbuilder/build/cow.27728 cow-shell' /var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc
W: /root/.pbuilderrc does not exist
Distribution set to trusty
Mirror set to http://fr.archive.ubuntu.com/ubuntu
Components set to main restricted universe multiverse
Build dependencies resolver set to /usr/lib/pbuilder/pbuilder-satisfydepends-aptitude
I: Running in no-targz mode
I: pbuilder: network access will be disabled during build
I: Current time: Sun Nov 11 20:01:19 CET 2018
I: pbuilder-time-stamp: 1541962879
I: copying local configuration
W: --override-config is not set; not updating apt.conf Read the manpage for details.
I: mounting /proc filesystem
I: mounting /sys filesystem
I: creating /{dev,run}/shm
I: mounting /dev/pts filesystem
I: redirecting /dev/ptmx to /dev/pts/ptmx
I: Mounting /home/pbuilder
I: policy-rc.d already exists
I: Obtaining the cached apt archive contents
I: Copying source file
I: copying [/var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.dsc]
I: copying [/var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p.orig.tar.gz]
I: copying [/var/lib/jenkins/nuxwin-testing/openssl-git/openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.debian.tar.xz]
I: Extracting source
dpkg-source: info: extracting openssl1.0 in openssl1.0-1.0.2p
dpkg-source: info: unpacking openssl1.0_1.0.2p.orig.tar.gz
dpkg-source: info: unpacking openssl1.0_1.0.2p-2+0~20181109095126.150+stretch~1.gbp767715.debian.tar.xz
dpkg-source: info: applying config-hurd.patch
dpkg-source: info: applying debian-targets.patch
dpkg-source: info: applying engines-path.patch
dpkg-source: info: applying man-dir.patch
dpkg-source: info: applying man-section.patch
dpkg-source: info: applying no-rpath.patch
dpkg-source: info: applying no-symbolic.patch
dpkg-source: info: applying pic.patch
dpkg-source: info: applying valgrind.patch
dpkg-source: info: applying shared-lib-ext.patch
dpkg-source: info: applying stddef.patch
dpkg-source: info: applying version-script.patch
dpkg-source: info: applying c_rehash-compat.patch
dpkg-source: info: applying block_diginotar.patch
dpkg-source: info: applying block_digicert_malaysia.patch
dpkg-source: info: applying disable_freelist.patch
dpkg-source: info: applying soname.patch
dpkg-source: info: applying disable_sslv3_test.patch
dpkg-source: info: applying Mark-3DES-and-RC4-ciphers-as-weak.patch
...
I: unmounting /home/pbuilder filesystem
I: unmounting dev/ptmx filesystem
I: unmounting dev/pts filesystem
I: unmounting dev/shm filesystem
I: unmounting proc filesystem
I: unmounting sys filesystem
I: Cleaning COW directory
I: forking: rm -rf /var/cache/pbuilder/build/cow.27728
jenkins@jenkins:~$
from jenkins-debian-glue.
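The keyring selection that the Package.pm excerpt above walks through, together with the keyring-versus-keybox format caveat from the solution, as an added diagnostic script. This is not code from jenkins-debian-glue, dpkg or any of the commenters: it reimplements check_signature's argument construction in POSIX sh so you can see which keyrings gpgv will actually be handed for a given HOME (the build user's HOME inside the chroot) before running a build, and it inspects each keyring's leading bytes to tell a legacy OpenPGP keyring from a GnuPG >= 2.1 keybox. The Debian vendor keyring paths are the two from the Dumper output above; the sample files the demo writes under mktemp are constructed, and the format warning is this script's own addition, not something dpkg does.

```sh
#!/bin/sh
# Added diagnostic: rebuild the gpgv command line that
# Dpkg::Source::Package::check_signature will run for a given HOME and check
# that every keyring is in a format the chroot's gpgv can read.
# Not part of jenkins-debian-glue or dpkg; the sample files below are constructed.
set -eu

# Same preference order as Package.pm: gpgv2, gpgv, then gpg2/gpg --verify.
find_verifier() {
    for c in gpgv2 gpgv; do
        if command -v "$c" >/dev/null 2>&1; then echo "$c"; return 0; fi
    done
    for c in gpg2 gpg; do
        if command -v "$c" >/dev/null 2>&1; then
            echo "$c --no-default-keyring -q --verify"; return 0
        fi
    done
    return 1
}

# gpgv_keyring_args HOME [VENDOR_KEYRING...]
# Prints one "--keyring PATH" per line in the order dpkg-source passes them:
# $HOME/.gnupg/trustedkeys.gpg if readable, then each readable vendor keyring
# (on Debian the vendor hook returns /usr/share/keyrings/debian-keyring.gpg
# and /usr/share/keyrings/debian-maintainers.gpg, as in the Dumper output).
gpgv_keyring_args() {
    home=$1; shift
    if [ -n "$home" ] && [ -r "$home/.gnupg/trustedkeys.gpg" ]; then
        printf '%s %s\n' --keyring "$home/.gnupg/trustedkeys.gpg"
    fi
    for k in "$@"; do
        if [ -r "$k" ]; then printf '%s %s\n' --keyring "$k"; fi
    done
}

# count_keyrings HOME [VENDOR_KEYRING...]
# 0 means gpgv is guaranteed to end with "Can't check signature: No public key",
# which is what the pbuilder user got when it could not read /var/lib/jenkins/.gnupg.
count_keyrings() {
    gpgv_keyring_args "$@" | grep -c '^--keyring ' || true
}

# keyring_format FILE -> keyring | keybox | unknown
# A GnuPG >= 2.1 keybox starts with a header blob carrying the magic "KBXf" at
# offset 8; a legacy keyring starts directly with an OpenPGP public-key packet
# (tag byte 0x98/0x99/0x9a in old-format framing, 0xc6 in new-format framing).
# gpgv < 2.1, as found in jessie/trusty/xenial chroots, only reads the legacy format.
keyring_format() {
    f=$1
    if [ "$(dd if="$f" bs=1 skip=8 count=4 2>/dev/null)" = "KBXf" ]; then
        echo keybox; return 0
    fi
    case "$(od -An -tx1 -N1 "$f" | tr -d ' \n')" in
        98|99|9a|c6) echo keyring ;;
        *) echo unknown; return 1 ;;
    esac
}

# verify_dsc HOME DSC [VENDOR_KEYRING...]
# Run the real verifier with exactly the keyrings dpkg-source would use, after
# diagnosing the two silent failure modes seen in this issue.
verify_dsc() {
    home=$1; dsc=$2; shift 2
    if [ "$(count_keyrings "$home" "$@")" -eq 0 ]; then
        echo "no readable keyring for HOME=$home: is it bind-mounted and readable by the build user?" >&2
        return 2
    fi
    gpgv_keyring_args "$home" "$@" | while read -r _ path; do
        fmt=$(keyring_format "$path") || true
        [ "$fmt" = keyring ] || echo "warning: $path is a $fmt; gpgv < 2.1 cannot read it" >&2
    done
    verifier=$(find_verifier) || { echo "no gpgv/gpg installed" >&2; return 3; }
    # word splitting is intended here (keyring paths contain no spaces)
    $verifier $(gpgv_keyring_args "$home" "$@") "$dsc"
}

# Demo on constructed files: the build user's HOME without and with a legacy
# trustedkeys.gpg, plus a keybox that was merely renamed to .gpg.
demo() {
    t=$(mktemp -d); mkdir -p "$t/.gnupg"
    echo "HOME=$t without trustedkeys.gpg: $(count_keyrings "$t" /usr/share/keyrings/debian-keyring.gpg) keyring(s)"
    printf '\231\000\003' > "$t/.gnupg/trustedkeys.gpg"             # legacy keyring header bytes (constructed)
    echo "with trustedkeys.gpg:"; gpgv_keyring_args "$t" /usr/share/keyrings/debian-keyring.gpg
    printf '\000\000\000\040\001\001\000\000KBXf' > "$t/renamed.gpg" # keybox header bytes (constructed)
    echo "$t/renamed.gpg is a $(keyring_format "$t/renamed.gpg")"
    rm -rf "$t"
}
demo
```

Run it inside the chroot as the build user (for example via `cowbuilder --login` followed by `su pbuilder`) with `verify_dsc "$HOME" ../package.dsc /usr/share/keyrings/debian-keyring.gpg /usr/share/keyrings/debian-maintainers.gpg`: a count of 0 means the bind mount or permissions are wrong, and a "keybox" warning means the file was written by a newer gpg and must be re-created as described in the note above.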
gpgv supports ~/.gnupg/trustedkeys.kbx but dpkg-source apparently only supports ~/.gnupg/trustedkeys.gpg.
from jenkins-debian-glue.