amazonlinux / amazon-linux-2023

Amazon Linux 2023
https://aws.amazon.com/linux/amazon-linux-2023/

[Bug] - cannot execute gpgv2 - dangling symlink #414

Open danie-dejager opened 1 year ago

danie-dejager commented 1 year ago

Describe the bug

I want to build some RPM files from source packages. These want to do gpg verification using gpgv2 but it fails. Interestingly I do have the file on disk but I cannot access it at all.

To Reproduce

  1. I'm running the latest Docker image 2023.1.20230725.0
  2. I verified that gpgv2 is provided by gnupg2-minimal-2.3.7-1.amzn2023.0.4.x86_64 and is installed
  3. Listing the file from /usr/bin:
    # ll gpgv*
    lrwxrwxrwx 1 root root 4 Jun  5 12:46 gpgv2 -> gpgv

    No matter from where I run it I will get: bash: gpgv2: command not found

Expected behavior

I should be able to execute gpgv2 to verify source gpg signed files. The binary is not installed though as I show in the screenshot below.

Screenshots image

danie-dejager commented 1 year ago

I had to install gnupg2:

yum install gnupg2.x86_64 --allowerasing


ozbenh commented 1 year ago

The right command is actually:

sudo dnf swap gnupg2-minimal gnupg2

That said, we should probably not have a dangling symlink, so I'll mark this as a bug for us to track
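
A build-environment preflight for the failure reported in this issue, as an added example that is not part of the original thread or of Amazon Linux tooling: it distinguishes a tool that is truly absent from one that exists on `PATH` only as a symlink with a missing target. The function names `find_dangling`, `check_tool` and `preflight` are hypothetical.

```bash
# Added example. The shell reports "command not found" for a dangling symlink
# because the link's target does not exist, so the PATH entry is not executable.

# Print the first PATH entry named $1 that is a symlink with a missing target.
find_dangling() {
    local name="$1" dir entry
    local IFS=:
    for dir in $PATH; do
        entry="${dir:-.}/$name"        # an empty PATH element means the current directory
        # -L: entry is a symlink; -e follows the link, so it fails when the target is gone
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            printf '%s\n' "$entry"
            return 0
        fi
    done
    return 1
}

# Classify one tool as "ok", "dangling:<link> -> <target>" or "missing".
check_tool() {
    local name="$1" link
    if command -v "$name" >/dev/null 2>&1; then
        echo "ok"
    elif link=$(find_dangling "$name"); then
        echo "dangling:$link -> $(readlink "$link")"
    else
        echo "missing"
    fi
}

# Report every tool given as an argument; return non-zero if any is unusable.
# On RPM-based systems, also print the package that owns a dangling link.
preflight() {
    local tool status rc=0
    for tool in "$@"; do
        status=$(check_tool "$tool")
        echo "$tool: $status"
        case $status in
            dangling:*)
                rc=1
                if command -v rpm >/dev/null 2>&1; then
                    rpm -qf "$(find_dangling "$tool")" 2>/dev/null || true
                fi ;;
            missing) rc=1 ;;
        esac
    done
    return $rc
}
# Usage (tool names are the ones from this issue): preflight gpgv gpgv2
```
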

danie-dejager commented 1 year ago

Thanks for that. Is gpgv2 supposed to be a part of the minimal package?

ozbenh commented 1 year ago

gpgv2 is just a link to gpgv which isn't currently part of our minimal package. The question is whether it should be, I'll let @stewartsmith chime in on that one

stewartsmith commented 1 year ago

Yeah, we also just hit this on an internal thing too, so I'll now very much look at that thing which is a bug that's entirely my fault :)

I think the right correction here is to remove the symlink from the gnupg2-minimal package, and then everything should "just work" when it needs gpgv.

ozbenh commented 1 year ago

Shouldn't we have gpgv in minimal though? I would think we probably should...

stewartsmith commented 1 year ago

We might want to look at the disk space usage of doing that, as gpg itself is ~1MB, and gpgv is an additional ~500k. Arguably I wish we could move everything doing signature verification over to gpgv rather than gpg, as that significantly reduces the footprint needed to verify signatures.

Unfortunately, our main use cases for it are:

  1. gpg signature verification of source tarballs when we build RPMs
  2. RPM signature verification

For (1), it's probably going to nearly "just work" if we go and replace all the BuildRequires: gnupg2 in the spec files, although this should probably be first done in Fedora.

For (2), it's probably difficult to do in existing RPM given gpgme et al., and perhaps not worth it considering newer RPM moves to rpm-sequoia instead.