libguestfs / guestfs-tools

Tools for accessing and modifying guest disk images
https://libguestfs.org
GNU General Public License v2.0

virt-builder-repository not signing with gpg #13

Closed aberends closed 1 year ago

aberends commented 1 year ago

First download the Fedora 38 image to cache:

$ virt-builder fedora-38 --arch x86_64 --format raw --hostname f38t01.tux.lan --network --output f38 --root-password password:secret123
[   1.1] Downloading: http://builder.libguestfs.org/fedora-38.xz
[   2.1] Planning how to build this image
[   2.1] Uncompressing
[   7.8] Opening the new disk
[  13.4] Setting a random seed
[  13.4] Setting the hostname: f38t01.tux.lan
[  13.5] Setting passwords
[  14.5] SELinux relabelling
[  26.9] Finishing off
                   Output file: f38
                   Output size: 6.0G
                 Output format: raw
            Total usable space: 5.9G
                    Free space: 4.6G (77%)

$ ls -l ~/.cache/virt-builder/fedora-38.x86_64.1
-rw-r--r--. 1 allard allard 687953248 Jul 10 17:44 /home/allard/.cache/virt-builder/fedora-38.x86_64.1

Copy and decompress the image:

$ mkdir ~/images

$ cd ~/images

$ cp ~/.cache/virt-builder/fedora-38.x86_64.1 .
$ mv fedora-38.x86_64.1 fedora-38.xz
$ unxz fedora-38.xz

$ ls -l fedora-38
-rw-r--r--. 1 allard allard 6442450944 Jul 10 19:48 fedora-38

$ cat << '_EOF_' > index
[fedora-38]
name=Fedora 38 Server
osinfo=fedora38
arch=x86_64
file=fedora-38
_EOF_

Create gpg2 keypairs:

nuc1$ cat << '_EOF_' > /tmp/gpg_specs
%echo Generating a basic OpenPGP key
%no-protection
Key-Type: edDSA
Key-Curve: Ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: Curve25519
Subkey-Usage: encrypt
Name-Real: Allard Berends
Name-Comment: Image signing
Name-Email: allard.berends@somewhere.nl
Expire-Date: 10y
# Note, an empty passphrase does not help if one wants to
# export the private key.
#Passphrase: ""
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
_EOF_

nuc1$ gpg --yes --batch --generate-key /tmp/gpg_specs
gpg: Generating a basic OpenPGP key
gpg: revocation certificate stored as '/home/allard/.gnupg/openpgp-revocs.d/0192986E6195FF558E7C963B4F23196D81E1609D.rev'
gpg: done

Get the fingerprint of the secret key:

nuc1$ gpg --list-secret-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2033-07-07
/home/allard/.gnupg/pubring.kbx
-------------------------------
sec   ed25519 2023-07-10 [SC] [expires: 2033-07-07]
      0192986E6195FF558E7C963B4F23196D81E1609D
uid           [ultimate] Allard Berends (Image signing) <allard.berends@somewhere.nl>
ssb   cv25519 2023-07-10 [E] [expires: 2033-07-07]

Now run the command to create the local repository with a
signed index:

$ virt-builder-repository ~/images --gpg-key 0192986E6195FF558E7C963B4F23196D81E1609D --no-compression --gpg '/usr/bin/gpg'
virt-builder-repository: Found new images: fedora-38
[   9.5] Preparing fedora-38
[  19.1] Extracting data from the image...
[  22.7] Signing index with the GPG key 0192986E6195FF558E7C963B4F23196D81E1609D
sh: line 1: /usr/bin/gpg/index.gpg: Not a directory
virt-builder-repository: error: failed to export the GPG key
0192986E6195FF558E7C963B4F23196D81E1609D

If reporting bugs, run virt-builder-repository with debugging enabled and
include the complete output:

  virt-builder-repository -v -x [...]

The problem seems to be that the OCaml code does not pick up
the right gpg binary, which is /usr/bin/gpg (the same binary
as /usr/bin/gpg2).

Even when I run the command with the option "--gpg
'/usr/bin/gpg'" I get the same result. Unfortunately I don't
understand OCaml, so I am unable to fix the code. Or maybe I
fail to recognize how I should really run the
virt-builder-repository command.
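
The report above walks through the intended flow: generate a signing key from a batch spec, sign the repository index, and export the public key so consumers can check it. As an added example (not the project's code, and not how virt-builder-repository is implemented internally), the script below does that flow by hand with plain gpg and then adds the consumer side: importing only the exported public key into an empty keyring and verifying the clear-signed index, including the check that a modified index is rejected. Assumptions: `gpg` and `gpgconf` are on PATH (or `GPG` points at the binary, as with the `--gpg` option in the report), the key spec and the `index` contents mirror the ones in the report, and the signer identity is a constructed placeholder.

```shell
#!/bin/sh
# Added example: manual signing and verification of a virt-builder style
# index. Not the code of virt-builder-repository; the file names
# (index.asc, pubkey.asc) and the signer identity are assumptions.

GPG="${GPG:-gpg}"   # the gpg binary to use (assumption: on PATH)

# Sign the index file $1 with an ephemeral key kept in $2 (a fresh, private
# GNUPGHOME). Writes "$1.asc" (clear-signed index) and "$2/pubkey.asc"
# (the exported public key) and prints the key fingerprint.
sign_index() {
    index="$1"; home="$2"
    cat > "$home/keyspec" <<'_EOF_'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Repo Signer
Name-Email: signer@example.invalid
Expire-Date: 1y
%commit
_EOF_
    GNUPGHOME="$home" "$GPG" --batch --quiet --generate-key "$home/keyspec" 2>/dev/null || return 1
    # --with-colons: "fpr" records carry the fingerprint in field 10
    fpr=$(GNUPGHOME="$home" "$GPG" --batch --with-colons --list-secret-keys 2>/dev/null \
          | awk -F: '$1=="fpr"{print $10; exit}')
    [ -n "$fpr" ] || return 1
    GNUPGHOME="$home" "$GPG" --batch --yes --local-user "$fpr" \
        --clearsign --output "$index.asc" "$index" 2>/dev/null || return 1
    GNUPGHOME="$home" "$GPG" --batch --yes --armor \
        --output "$home/pubkey.asc" --export "$fpr" 2>/dev/null || return 1
    printf '%s\n' "$fpr"
}

# Consumer side: import only the exported public key $2 into the empty
# keyring $3 and verify the clear-signed index $1. Returns 0 on a good
# signature, non-zero on a bad or missing one.
verify_index() {
    signed="$1"; pubkey="$2"; home="$3"
    GNUPGHOME="$home" "$GPG" --batch --quiet --import "$pubkey" 2>/dev/null || return 1
    GNUPGHOME="$home" "$GPG" --batch --verify "$signed" 2>/dev/null
}

# End-to-end check: the intact index verifies and a tampered copy does not.
# Returns 0 when both hold, 2 when gpg is not installed, 1 otherwise.
demo() {
    command -v "$GPG" >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    mkdir -m 0700 "$work/signer" "$work/consumer" || return 1
    # Constructed index, same layout as the one in the report.
    cat > "$work/index" <<'_EOF_'
[fedora-38]
name=Fedora 38 Server
osinfo=fedora38
arch=x86_64
file=fedora-38
_EOF_
    rc=1
    if sign_index "$work/index" "$work/signer" >/dev/null \
       && verify_index "$work/index.asc" "$work/signer/pubkey.asc" "$work/consumer"; then
        # Change the signed body (point the entry at a different file):
        # the clear-signature must no longer verify.
        sed 's/file=fedora-38/file=other-image/' "$work/index.asc" > "$work/tampered.asc"
        if ! verify_index "$work/tampered.asc" "$work/signer/pubkey.asc" "$work/consumer"; then
            rc=0
        fi
    fi
    GNUPGHOME="$work/signer" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$work/consumer" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return $rc
}

demo
```

Each gpg invocation passes the binary path and the output file as separate arguments rather than joining them into one string, which is the distinction behind the `/usr/bin/gpg/index.gpg: Not a directory` error in the report: the shell was handed a single path instead of a command followed by its arguments. On the consumer side the empty keyring holds nothing but the exported key, so a good result means exactly that the index was signed by that key and not modified afterwards.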
aberends commented 1 year ago

I know I have to run the command with -x -v, but that exceeds the comment limit of 65536 by far. As far as I can see what is going on the command tries to run "gpg/index.gpg" instead of /usr/bin/gpg.

rwmjones commented 1 year ago

Which version of guestfs tools and where did you get it from?

aberends commented 1 year ago
Fedora 35:

# cat /etc/redhat-release
Fedora release 35 (Thirty Five)

# rpm -q guestfs-tools
guestfs-tools-1.48.2-1.fc35.x86_64

# virt-builder-repository --version
virt-builder-repository 1.48.2
.. from the RPM above

Fedora 38:

# cat /etc/redhat-release
Fedora release 38 (Thirty Eight)

# rpm -q guestfs-tools
guestfs-tools-1.50.1-1.fc38.x86_64

# virt-builder-repository --version
virt-builder-repository 1.50.1
.. from the RPM above ..
anshulmgupta commented 1 year ago

@rwmjones I have been trying to build guestfs-tools using the libguestfs I already built, but I keep getting build errors. I wanted to check if you have any documentation on building guestfs-tools, which provides commands like virt-filesystems. Currently the libguestfs build provides the tools below:


-rwxr-xr-x 1 ubuntu ubuntu 3002048 Aug 25 06:15 guestfish
-rwxr-xr-x 1 ubuntu ubuntu     935 Aug 25 06:15 virt-tar-out
-rwxr-xr-x 1 ubuntu ubuntu     933 Aug 25 06:15 virt-tar-in
-rwxr-xr-x 1 ubuntu ubuntu     937 Aug 25 06:15 virt-copy-out
-rwxr-xr-x 1 ubuntu ubuntu     935 Aug 25 06:15 virt-copy-in
-rwxr-xr-x 1 ubuntu ubuntu  231248 Aug 25 06:15 virt-rescue
-rwxr-xr-x 1 ubuntu ubuntu  179664 Aug 25 06:15 guestmount
-rwxr-xr-x 1 ubuntu ubuntu   40888 Aug 25 06:15 guestunmount
Thank you.
rwmjones commented 1 year ago

> I know I have to run the command with -x -v, but that exceeds the comment limit of 65536 by far. As far as I can see what is going on the command tries to run "gpg/index.gpg" instead of /usr/bin/gpg.

Yes, looking at the code I can see this could never work:

https://github.com/rwmjones/guestfs-tools/blob/09506a379aaba38771b0d4c837e4c451be8cd56e/builder/repository_main.ml#L554

I will push a fix shortly.

rwmjones commented 1 year ago

> @rwmjones I have been trying to build the guestfs-tools using the libguestfs I already build but I keep getting the build errors. I wanted to check if you have any documentation to build the guestfs-tools which provides virt-filesystems like command. Currently the libguestfs build provides below tools

Does this have something to do with this bug? If not please open a new bug.