Closed jokay closed 1 year ago
Let's start by aborting if the gpg key can't be imported
I think there was no change on gpg handling in v33. The only change I can think of is
Hi there,
Get your issue fixed faster by creating a minimal reproduction. This means a repository dedicated to reproducing this issue with the minimal dependencies and config possible.
Before we start working on your issue we need to know exactly what's causing the current behavior. A minimal reproduction helps us with this.
To get started, please read our guide on creating a minimal reproduction.
We may close the issue if you, or someone else, haven't created a minimal reproduction within two weeks. If you need more time, or are stuck, please ask for help or more time in a comment.
Good luck,
The Renovate team
@jokay can you please confirm this is a regression?
You can do that by rolling back to the version that worked for you, "32.241.10", and trying to run again.
We basically changed nothing that could've caused that error. In fact, I was reading https://cumulusconstructor.com/when-gpg-import-doesnt-work/ and your issue seems like a common issue unrelated to Renovate.
I upgraded from `32.241.10` to `33.2.0` (only change is the tag of the `renovate/renovate` docker image) and got the same errors.
After downgrading to `32.241.11` everything is working again. For me, it seems to be some kind of regression. Maybe just some dependency within the `renovate/renovate` image was updated, too?
Edit: Not sure if it helps, but below is my current K8s configuration for this bot:
```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: renovate
data:
  config.json: |-
    {
      "platform": "gitlab",
      "endpoint": "https://example.org/api/v4",
      "autodiscover": true,
      "dryRun": null,
      "gitAuthor": "Renovate Bot <renovate-bot@example.org>",
      "onboardingConfig": {
        "$schema" : "https://docs.renovatebot.com/renovate-schema.json",
        "extends" : [
          "local>example/renovate//presets/default"
        ]
      }
    }
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: renovate
spec:
  schedule: '7,13,23,31,42,55 * * * *'
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: renovate
              image: renovate/renovate:33.2.0
              env:
                - name: RENOVATE_CONFIG_FILE
                  value: /opt/renovate-config/config.json
              envFrom:
                - secretRef:
                    name: renovate
              volumeMounts:
                - name: config-volume
                  mountPath: /opt/renovate-config
                  readOnly: true
          restartPolicy: Never
          volumes:
            - name: config-volume
              configMap:
                name: renovate
---
apiVersion: v1
kind: Secret
metadata:
  name: renovate
  namespace: renovate
  labels:
    app: renovate
  annotations:
    gitrepo: https://example.org/example/renovate
    owner: admin@example.org
type: Opaque
stringData:
  GITHUB_COM_TOKEN: 'some_github_token'
  RENOVATE_GIT_PRIVATE_KEY: '-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nline1\nline2\nline3\nline4\nline5\nline6\nline7\n-----END PGP PRIVATE KEY BLOCK-----'
  RENOVATE_SECRETS: |-
    {
      "DOCKER_HUB_PASSWORD": "some_docker_hub_password",
      "DOCKER_HUB_USERNAME": "some_docker_hub_username",
      "NEXUS_PASSWORD": "some_nexus_password"
    }
  RENOVATE_TOKEN: 'some_renovate_token'
```
I'm not able to reproduce this error. This is what I did:
config.js
Result:
```
DEBUG: Executing command (repository=renovate-tests/nvm20)
       "command": "gpg --import /var/folders/q_/8zp8yd4169nbwftw00ywxdlw0000gr/T/git-private.key"
DEBUG: exec completed (repository=renovate-tests/nvm20)
       "cmd": "gpg --import /var/folders/q_/8zp8yd4169nbwftw00ywxdlw0000gr/T/git-private.key",
       "durationMs": 31,
       "stdout": "",
       "stderr": "gpg: key 692BE958B9A018CC: public key \"Rhys Arkins <rhys@arkins.net>\" imported\ngpg: Total number processed: 1\ngpg: imported: 1\n"
DEBUG: Private key import result (repository=renovate-tests/nvm20)
       "stdout": "",
       "stderr": "gpg: key 692BE958B9A018CC: public key \"Rhys Arkins <rhys@arkins.net>\" imported\ngpg: Total number processed: 1\ngpg: imported: 1\n"
```
Please make sure to post DEBUG logs in case that helps
Hi there,
We have found that there's a problem with the logs. Depending on which situation applies follow one, some or all of these instructions.
If you haven't posted any log yet, we need you to find and copy/paste the log into the issue template.
This is for `renovate/renovate:34.1.0-slim` which fails.
The used OpenPGP key is ECC (not RSA), not sure if this changes anything? 🤷🏼‍♂️
This is for `renovate/renovate:32.241.10-slim` which works.
From 32.241.10:
```
$ gpg --version
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/ubuntu/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
```
Same from 34.1.0:
```
$ gpg --version
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/ubuntu/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
```
So doesn't seem to be caused by any difference to gpg
I have been able to reproduce. The key needed to be supplied in env with `\n`. This `\n` was not being coerced into real newlines. Fix is in #18563
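
The failure mode described in the comment above, as an added example that is not part of the thread, not Renovate's code and not the change in #18563: a key passed through an environment variable with literal `\n` sequences collapses the ASCII armor onto one line, which is why `gpg --import` reports `no valid OpenPGP data found`. The function names are hypothetical and the key body is a constructed placeholder, not real key material.

```javascript
// Added example; function names are hypothetical, not Renovate's API.
// Constructed placeholder value shaped like the Secret in this thread: a
// single-quoted YAML string, so each "\n" is a backslash plus the letter n.
const SAMPLE_ENV_VALUE =
  '-----BEGIN PGP PRIVATE KEY BLOCK-----\\n\\nY29uc3RydWN0ZWQ=\\n' +
  'cGxhY2Vob2xkZXI=\\n-----END PGP PRIVATE KEY BLOCK-----';

// Turn literal "\n" / "\r" escape sequences and CRLF into real LF newlines.
function normalizeArmoredKey(raw) {
  return raw
    .replace(/\\r/g, '')
    .replace(/\\n/g, '\n')
    .replace(/\r\n/g, '\n')
    .trim() + '\n';
}

// Check the ASCII-armor layout: header line, optional "Name: value" headers,
// one blank line, base64 body (optional "=XXXX" checksum), matching tail line.
function checkArmor(text) {
  const lines = text.replace(/\n+$/, '').split('\n');
  const begin = /^-----BEGIN PGP (PRIVATE|PUBLIC) KEY BLOCK-----$/.exec(lines[0]);
  if (!begin) return { ok: false, reason: 'armor header is not on a line of its own' };
  if (lines[lines.length - 1] !== `-----END PGP ${begin[1]} KEY BLOCK-----`) {
    return { ok: false, reason: 'armor tail is missing or does not match' };
  }
  const blank = lines.indexOf('');
  if (blank === -1) return { ok: false, reason: 'no blank line before the armored data' };
  if (!lines.slice(1, blank).every((l) => /^[A-Za-z]+: /.test(l))) {
    return { ok: false, reason: 'unexpected text in the armor headers' };
  }
  const body = lines.slice(blank + 1, -1);
  const isData = (l) => /^[A-Za-z0-9+/]+={0,2}$/.test(l) || /^=[A-Za-z0-9+/]{4}$/.test(l);
  if (body.length === 0 || !body.every(isData)) {
    return { ok: false, reason: 'armored data is empty or not base64' };
  }
  return { ok: true, reason: 'armor layout is valid' };
}

// Fail closed: refuse to continue (and never log the key) if the layout is wrong.
function prepareGitPrivateKey(raw) {
  const text = normalizeArmoredKey(raw);
  const result = checkArmor(text);
  if (!result.ok) throw new Error(`gitPrivateKey rejected: ${result.reason}`);
  return text;
}
```

Running the layout check before handing the file to `gpg --import` turns a silent signing failure into an explicit abort, and the error message carries only the reason, never the key text.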
Thx a lot for your effort 💪🏼
Thanks for reporting, and sorry for the disruption it caused
:tada: This issue has been resolved in version 34.1.3 :tada:
The release is available on:
34.1.3
Your semantic-release bot :package::rocket:
How are you running Renovate?
Self-hosted
If you're self-hosting Renovate, tell us what version of Renovate you run.
33.1.0
If you're self-hosting Renovate, select which platform you are using.
GitLab self-hosted
If you're self-hosting Renovate, tell us what version of the platform you run.
GitLab CE 15.5
Was this something which used to work for you, and then stopped?
It used to work, and then stopped
Describe the bug
It was working using renovate 32.241.10 (and GitLab 15.4).
Started to fail with 33.0.2 and auto-closed PRs due to this problem.
Relevant debug logs
Logs
```
WARN: gitPrivateKey: error importing (repository=demo/sample-repo, branch=renovate/docker-io-postgres-14-5-alpine)
       "err": {
         "name": "ExecError",
         "cmd": "/bin/sh -c gpg --import /tmp/git-private.key",
         "stderr": "gpg: directory '/home/ubuntu/.gnupg' created\ngpg: keybox '/home/ubuntu/.gnupg/pubring.kbx' created\ngpg: no valid OpenPGP data found.\ngpg: Total number processed: 0\n",
         "stdout": "",
         "options": {
           "cwd": "/builds/x/renovate/renovate/repos/gitlab/demo/sample-repo",
           "encoding": "utf-8",
           "env": {
             "HOME": "/home/ubuntu",
             "PATH": "/home/ubuntu/bin:/home/ubuntu/.npm-global/bin:/home/ubuntu/bin:/home/ubuntu/.npm-global/bin:/home/ubuntu/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
             "LC_ALL": "C.UTF-8",
             "LANG": "C.UTF-8",
             "BUILDPACK_CACHE_DIR": "/builds/x/renovate/renovate/cache/containerbase",
             "CONTAINERBASE_CACHE_DIR": "/builds/x/renovate/renovate/cache/containerbase"
           },
           "maxBuffer": 10485760,
           "timeout": 900000
         },
         "exitCode": 2,
         "message": "Command failed: gpg --import /tmp/git-private.key\ngpg: directory '/home/ubuntu/.gnupg' created\ngpg: keybox '/home/ubuntu/.gnupg/pubring.kbx' created\ngpg: no valid OpenPGP data found.\ngpg: Total number processed: 0\n",
         "stack": "ExecError: Command failed: gpg --import /tmp/git-private.key\ngpg: directory '/home/ubuntu/.gnupg' created\ngpg: keybox '/home/ubuntu/.gnupg/pubring.kbx' created\ngpg: no valid OpenPGP data found.\ngpg: Total number processed: 0\n\n at ChildProcess.
```
Have you created a minimal reproduction repository?
No reproduction repository