QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Builder fails to verify Qubes Manager because it can't find the signing key #8845

Open ben-grande opened 8 months ago

ben-grande commented 8 months ago

Qubes OS release

R4.2

Brief summary

Try to build R4.2 Dom0.

Steps to reproduce

HEAD is 7c37bb7bd65ad3a183790ad07344729504bc0930.

builder.yml:

include:
  - example-configs/qubes-os-r4.2.yml
  - example-configs/qubes-os-r4.2-maintainers.yml
#  - example-configs/github.yml
#  - example-configs/github-maintainers.yml

git:
  baseurl: https://github.com
  prefix: QubesOS/qubes-
  branch: main

backend-vmm: xen
debug: true
verbose: true
qubes-release: r4.2
timeout: 3600

skip-git-fetch: false
fetch-versions-only: true

distributions:
  - host-fc37

+components:
  - release-configs:
      packages: false

executor:
  type: qubes
  options:
    dispvm: "dvm-qubes-builder"

stages:
  - fetch
  - pre:
      executor:
        type: local
  - prep
  - build
  - post:
      executor:
        type: local
  - verify
  - sign:
      executor:
        type: local
  - publish:
      executor:
        type: local
  - upload:
      executor:
        type: local

gpg-client: qubes-gpg-client-wrapper

sign-key:
  rpm: 77EEEF6D0386962AEA8CF84A9B8273F80AC219E6

repository-publish:
  components: current-testing

#repository-upload-remote-host:
#  rpm: user@yum.qubes-os.org:/some/path
#  deb: user@deb.qubes-os.org:/another/path

Run:

./qb package fetch

Log:

21:05:32,290 [executor:qubes:disp6299] Executing '/usr/bin/qvm-run-vm -- disp6299 env -- VERBOSE=1 DEBUG=1 BACKEND_VMM=xen bash -c 'cd /builder && /builder/plugins/fetch/scripts/get-and-verify-source.py https://github.com/QubesOS/qubes-manager.git /builder/manager /builder/keyring /builder/plugins/fetch/keys --git-branch main --minimum-distinct-maintainers 1 --maintainer 7D22413EF3DB07612CF738087D779BFA6C806F69 --fetch-versions-only''.
21:05:43,534 [executor:qubes:disp6299] output: --> Verifying tags...
21:05:43,534 [executor:qubes:disp6299] output: args: (2, ['gpg', '--import', PosixPath('/builder/plugins/fetch/keys/7D22413EF3DB07612CF738087D779BFA6C806F69.asc')])
21:05:43,534 [executor:qubes:disp6299] output: stdout: b''
21:05:43,534 [executor:qubes:disp6299] output: stderr: b"gpg: can't open '/builder/plugins/fetch/keys/7D22413EF3DB07612CF738087D779BFA6C806F69.asc': No such file or directory\ngpg: Total number processed: 0\n"
Error: Failed to run '/usr/bin/qvm-run-vm -- disp6299 env -- VERBOSE=1 DEBUG=1 BACKEND_VMM=xen bash -c 'cd /builder && /builder/plugins/fetch/scripts/get-and-verify-source.py https://github.com/QubesOS/qubes-manager.git /builder/manager /builder/keyring /builder/plugins/fetch/keys --git-branch main --minimum-distinct-maintainers 1 --maintainer 7D22413EF3DB07612CF738087D779BFA6C806F69 --fetch-versions-only'' (status=1).

Longer log:

21:03:04,597 [executor:qubes:disp1818] Executing '/usr/bin/qvm-run-vm -- disp1818 env -- VERBOSE=1 DEBUG=1 BACKEND_VMM=xen bash -c 'cd /builder && /builder/plugins/fetch/scripts/get-and-verify-source.py https://github.com/QubesOS/qubes-infrastructure.git /builder/infrastructure /builder/keyring /builder/plugins/fetch/keys --git-branch main --minimum-distinct-maintainers 1 --fetch-versions-only''.
21:03:06,569 [executor:qubes:disp1818] output: --> Verifying tags...
21:03:06,569 [executor:qubes:disp1818] output: ---> Good tag 8c9109e4b794e74d956950ab18b001b6b049c753.
21:03:06,571 [executor:qubes:disp1818] output: Enough distinct tag signatures. Found 1, mandatory minimum is 1.
21:03:06,571 [executor:qubes:disp1818] output: --> Merging...
21:03:06,571 [executor:qubes:disp1818] output: --> Updating submodules
21:03:13,168 [fetch] ['rm -f -- /builder/infrastructure/hash /builder/infrastructure/vtags', 'cd -- /builder', "git -C /builder/infrastructure rev-parse 'HEAD^{}' >> /builder/infrastructure/hash", "git -C /builder/infrastructure tag --points-at HEAD --list 'v*' >> /builder/infrastructure/vtags"]
21:03:36,693 [executor:qubes:disp5291] Executing '/usr/bin/qvm-run-vm -- disp5291 env -- VERBOSE=1 DEBUG=1 BACKEND_VMM=xen bash -c 'rm -f -- /builder/infrastructure/hash /builder/infrastructure/vtags && cd -- /builder && git -C /builder/infrastructure rev-parse '"'"'HEAD^{}'"'"' >> /builder/infrastructure/hash && git -C /builder/infrastructure tag --points-at HEAD --list '"'"'v*'"'"' >> /builder/infrastructure/vtags''.
21:03:45,484 [fetch] repo-templates: source already fetched. Updating.
21:04:12,508 [executor:qubes:disp5535] Executing '/usr/bin/qvm-run-vm -- disp5535 env -- VERBOSE=1 DEBUG=1 BACKEND_VMM=xen bash -c 'cd /builder && /builder/plugins/fetch/scripts/get-and-verify-source.py https://github.com/QubesOS/qubes-repo-templates.git /builder/repo-templates /builder/keyring /builder/plugins/fetch/keys --git-branch main --minimum-distinct-maintainers 1 --fetch-versions-only''.
21:04:19,644 [executor:qubes:disp5535] output: --> Verifying tags...
21:04:19,645 [executor:qubes:disp5535] output: ---> Good tag 14cfd4a7e72dc841d8a905b6e2241e9c4fabb5cb.
21:04:19,645 [executor:qubes:disp5535] output: ---> Good tag c056fcbe28cd6a9e81db491adfd4bea2a577f366.
21:04:19,645 [executor:qubes:disp5535] output: Enough distinct tag signatures. Found 1, mandatory minimum is 1.
21:04:19,645 [executor:qubes:disp5535] output: --> Merging...
21:04:30,615 [fetch] meta-packages: source already fetched. Updating.
21:04:57,183 [executor:qubes:disp9837] Executing '/usr/bin/qvm-run-vm -- disp9837 env -- VERBOSE=1 DEBUG=1 BACKEND_VMM=xen bash -c 'cd /builder && /builder/plugins/fetch/scripts/get-and-verify-source.py https://github.com/QubesOS/qubes-meta-packages.git /builder/meta-packages /builder/keyring /builder/plugins/fetch/keys --git-branch main --minimum-distinct-maintainers 1 --fetch-versions-only''.
21:04:59,230 [executor:qubes:disp9837] output: No version tag.
21:05:32,290 [executor:qubes:disp6299] Executing '/usr/bin/qvm-run-vm -- disp6299 env -- VERBOSE=1 DEBUG=1 BACKEND_VMM=xen bash -c 'cd /builder && /builder/plugins/fetch/scripts/get-and-verify-source.py https://github.com/QubesOS/qubes-manager.git /builder/manager /builder/keyring /builder/plugins/fetch/keys --git-branch main --minimum-distinct-maintainers 1 --maintainer 7D22413EF3DB07612CF738087D779BFA6C806F69 --fetch-versions-only''.
21:05:43,534 [executor:qubes:disp6299] output: --> Verifying tags...
21:05:43,534 [executor:qubes:disp6299] output: args: (2, ['gpg', '--import', PosixPath('/builder/plugins/fetch/keys/7D22413EF3DB07612CF738087D779BFA6C806F69.asc')])
21:05:43,534 [executor:qubes:disp6299] output: stdout: b''
21:05:43,534 [executor:qubes:disp6299] output: stderr: b"gpg: can't open '/builder/plugins/fetch/keys/7D22413EF3DB07612CF738087D779BFA6C806F69.asc': No such file or directory\ngpg: Total number processed: 0\n"
Error: Failed to run '/usr/bin/qvm-run-vm -- disp6299 env -- VERBOSE=1 DEBUG=1 BACKEND_VMM=xen bash -c 'cd /builder && /builder/plugins/fetch/scripts/get-and-verify-source.py https://github.com/QubesOS/qubes-manager.git /builder/manager /builder/keyring /builder/plugins/fetch/keys --git-branch main --minimum-distinct-maintainers 1 --maintainer 7D22413EF3DB07612CF738087D779BFA6C806F69 --fetch-versions-only'' (status=1).
Traceback (most recent call last):
  File "/home/user/src/qubes-builderv2/qubesbuilder/cli/cli_base.py", line 65, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/click/core.py", line 1688, in invoke
    rv.append(sub_ctx.command.invoke(sub_ctx))
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/click/decorators.py", line 38, in new_func
    return f(get_current_context().obj, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/src/qubes-builderv2/qubesbuilder/cli/cli_package.py", line 62, in fetch
    _component_stage(
  File "/home/user/src/qubes-builderv2/qubesbuilder/cli/cli_package.py", line 40, in _component_stage
    p.run(stage=stage_name)
  File "/home/user/src/qubes-builderv2/qubesbuilder/plugins/fetch/__init__.py", line 168, in run
    executor.run(cmd, copy_in, copy_out, environment=self.environment)
  File "/home/user/src/qubes-builderv2/qubesbuilder/executors/qubes.py", line 306, in run
    raise ExecutorError(
qubesbuilder.executors.ExecutorError: Failed to run '/usr/bin/qvm-run-vm -- disp6299 env -- VERBOSE=1 DEBUG=1 BACKEND_VMM=xen bash -c 'cd /builder && /builder/plugins/fetch/scripts/get-and-verify-source.py https://github.com/QubesOS/qubes-manager.git /builder/manager /builder/keyring /builder/plugins/fetch/keys --git-branch main --minimum-distinct-maintainers 1 --maintainer 7D22413EF3DB07612CF738087D779BFA6C806F69 --fetch-versions-only'' (status=1).

Expected behavior

Verifies the qubes-manager repository.

Actual behavior

Fails to verify qubes-manager repository.

fepitre commented 8 months ago

It's not a bug; it's an example configuration file which is not used at all. The referenced key is not put into the directory where keys are used for verifying tags. The bug here is to include this file into an example configuration file.

fepitre commented 8 months ago

The correct configuration file to use is: https://github.com/QubesOS/qubes-builderv2/blob/main/example-configs/qubes-os-r4.2.yml

ben-grande commented 8 months ago

Would a PR to remove the file example-configs/qubes-os-r4.2-dom0.yml be the fix?

fepitre commented 8 months ago

No, we just need to add some comments inside configuration files.
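The failure in the log above comes down to a `--maintainer` fingerprint with no matching `<fingerprint>.asc` file in the keys directory passed to `get-and-verify-source.py`. The following pre-flight check is an added example, not part of the thread and not qubes-builderv2 code; the positional argument order is inferred from the logged command, and the helper names are hypothetical.

```python
import argparse
import re
import shlex
import tempfile
from pathlib import Path

FPR_RE = re.compile(r"[0-9A-F]{40}")

# Inner command copied from the failing log line on this page.
LOGGED_CMD = (
    "cd /builder && /builder/plugins/fetch/scripts/get-and-verify-source.py "
    "https://github.com/QubesOS/qubes-manager.git /builder/manager "
    "/builder/keyring /builder/plugins/fetch/keys --git-branch main "
    "--minimum-distinct-maintainers 1 "
    "--maintainer 7D22413EF3DB07612CF738087D779BFA6C806F69 --fetch-versions-only"
)

def parse_fetch_args(command):
    """Parse a logged get-and-verify-source.py call (argument order inferred from the log)."""
    argv = shlex.split(command)
    start = next(i for i, a in enumerate(argv) if a.endswith("get-and-verify-source.py"))
    p = argparse.ArgumentParser(add_help=False, allow_abbrev=False)
    for name in ("url", "dest", "keyring", "keys_dir"):
        p.add_argument(name)
    p.add_argument("--git-branch")
    p.add_argument("--minimum-distinct-maintainers", type=int, default=1)
    p.add_argument("--maintainer", action="append", default=[])
    args, _unknown = p.parse_known_args(argv[start + 1:])  # other flags are ignored
    return args

def missing_maintainer_keys(command, keys_dir=None):
    """Return maintainer fingerprints that have no <FPR>.asc file in keys_dir."""
    args = parse_fetch_args(command)
    keys_dir = Path(keys_dir if keys_dir is not None else args.keys_dir)
    missing = []
    for fpr in args.maintainer:
        if not FPR_RE.fullmatch(fpr):
            raise ValueError(f"expected a full 40-hex fingerprint, got {fpr!r}")
        if not (keys_dir / f"{fpr}.asc").is_file():
            missing.append(fpr)
    return missing

def demo():
    """Check a constructed empty keys directory, then the same directory populated."""
    with tempfile.TemporaryDirectory() as tmp:
        before = missing_maintainer_keys(LOGGED_CMD, tmp)
        # Constructed placeholder file, not a real key; only file presence is checked.
        (Path(tmp) / f"{before[0]}.asc").write_text("placeholder, not a real key\n")
        after = missing_maintainer_keys(LOGGED_CMD, tmp)
    return before, after

if __name__ == "__main__":
    print(demo())
```

Running this against the builder's own key directory before `./qb package fetch` would surface the missing file without waiting for a disposable VM to start and fail.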