Signing on CentOS 7 doesn't work

[jaxxstorm]

I'm trying to use tito to build an RPM, and it exits with 1 because it looks for the presence of Wrote: when building the RPM:

ERROR: Unable to locate 'Wrote: ' lines in rpmbuild output: '+ umask 022

However, it did create the file:

ls /tmp/tito/sensu-plugins-1.87-1.git.4.5ed0271.el7.centos.src.rpm
/tmp/tito/sensu-plugins-1.87-1.git.4.5ed0271.el7.centos.src.rpm

[dgoodwin]

Could you paste (or link) full output of a run with --debug

[jaxxstorm]

https://gist.github.com/jaxxstorm/bc2b32899a312e6e5274

[jmrodri]

I see a Wrote: in that output for the tarball but not the SRPM. What builder/tagger are you using?

[jmrodri]

https://gist.github.com/jaxxstorm/bc2b32899a312e6e5274#file-outout-sh-L297-L298 looks like it prompt for a pass phrase during the build. @dgoodwin I wonder if that affects the rpmbuild output.

[jaxxstorm]

Yeah it does prompt for a password, but it's blank and continues. Works fine on CentOS 6, but not CentOS 7..

[dgoodwin]

That pw prompt worries me as well, it looks like it's right before the problem occurs too.

Kinda feels like line 299 and 300 are what we're after but they're missing a prefix we expect. Does rpmbuild on CentOS 7 no longer show Wrote? And what's up with the dangling ":" at the end...

@jaxxstorm could we get another gist with the centos output with --debug?

You could also try adding --no-cleanup and then running the rpmbuild command itself similar to line 140 in your gist and see what that outputs.

[jaxxstorm]

So it is the password prompt that's the problem. I removed --rpmbuild-options="--sign from the script and it works as expected.

Obviously I can't just stop signing my packages, so what options do I have here? As mentioned before, this seems to work fine on CentOS 6..

[dgoodwin]

Can rpms be signed after creation? (not something I've ever done)

[domcleal]

Sure, rpmsign --addsign *.rpm.

[jaxxstorm]

Yeah you can do it with rpm --resign but I'm not sure how that'll work with releasers.conf

I do wonder if this can be fixed though, I'll add do some more digging

[dgoodwin]

Ok and fwiw it feels like a good feature for tito if you wanted to add some kind of option to supply a passphrase and automatically add the --sign option. Likely an env var so you don't have to put it into any tito config files.

i.e. RPM_SIGN_PASSPHRASE="blah" tito release mytarget.

Presence of the env var could trigger the behavior, or add an explicit builder option for it.

(all of this assumes rpmbuild allows you to specify the passphrase somehow, actually just using that might work if it exists)

[jaxxstorm]

Yes that'd be a great feature :+1:

It'd be especially useful as an env var, because then we could set the vars using things like travis secret variables and such like. Currently I have to provide a blank passphrase.

[jaxxstorm]

So I figured out the difference between CentOS 6 and 7 with rpmbuild.

In CentOS 6, it passes the request to sign the RPM right at the beginning of the build:

$ source /home/gitlab-runner/buildscripts/build_environment.sh
$ /usr/bin/tito build --rpmbuild-options="--sign" --rpm --test
Building package [techops-sensu-plugins-1.87-1]
Wrote: /tmp/tito/sensu-plugins-git-12.6819e52.tar.gz
Enter pass phrase: Pass phrase is good.

Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.vFfdPV

Where as with CentOS 7, it makes that request much late, right before running the rpmbuild:

+ rm -rf /tmp/tito/rpmbuild-sensu-pluginsJMFz05/BUILDROOT/sensu-plugins-1.87-1.git.12.6819e52.el7.centos.x86_64
+ exit 0
+ umask 022
+ cd /tmp/tito/rpmbuild-sensu-pluginsJMFz05/BUILD
+ rm -rf sensu-plugins-git-12.6819e52
+ exit 0
Enter pass phrase: Pass phrase is good.
/tmp/tito/sensu-plugins-1.87-1.git.12.6819e52.el7.centos.src.rpm:
/tmp/tito/x86_64/sensu-plugins-1.87-1.git.12.6819e52.el7.centos.x86_64.rpm:

It looks like as a result of the passphrase request, it chews everything from stdout up, and as a result tito can't find the Wrote: blah stuff any more.

This poses a fairly significant problem for me, and perhaps anyone else using tito with signed RPMs.

[shawnxue]

I got this error when I use tito on centos 7.1

[root@localhost tito]# tito init Traceback (most recent call last): File "/usr/bin/tito", line 5, in pkg_resources.run_script('tito==0.6.6', 'tito') File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 540, in run_script self.require(requires)[0].run_script(script_name, ns) File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 1462, in runscript exec(script_code, namespace, namespace) File "/usr/lib/python2.7/site-packages/pkgresources.py", line 41, in exec exec("""exec code in globs, locs""") File "", line 1, in File "/usr/lib/python2.7/site-packages/tito-0.6.6-py2.7.egg/EGG-INFO/scripts/tito", line 19, in

File "build/bdist.linux-x86_64/egg/tito/cli.py", line 22, in File "build/bdist.linux-x86_64/egg/tito/common.py", line 31, in ImportError: No module named blessings

[dgoodwin]

Is this installed via rpm? Did you do anything unusual to install it?

python-blessings should be an rpm dependency and installed for you.

[gonzalo-bulnes]

Hi @FrostyX,

I can confirm a few aspects of this issue in tito 0.6.16 on Fedora 32 with this package of mine:

• tito build --rpm --offline succeeds and produces the expected package.

• tito build --rpm --rpmbuild-options="--sign" --offline fails with ERROR: Unable to locate 'Wrote: ' lines in rpmbuild output.

  • The package is produced as expected.
  • No detached signature is produced (I expected one, see signature command below).
  • However, the package itself is signed, and the signature is valid:

  rpm -K /tmp/tito/noarch/qubes-mgmt-salt-user-split-ssh-0.1.0-1.fc32.noarch.rpm 
  # /tmp/tito/noarch/qubes-mgmt-salt-user-split-ssh-0.1.0-1.fc32.noarch.rpm: digests signatures OK

More context:

• my GPG key doesn't have a passphrase, and I don't get any passphrase prompt (so the password prompt may not be the cause of the issue, at least not the only one)

• the relevant part of my ~/.rpmmacros file:

  # ...
  
  # Use split-GPG. The options are adjusted below.
  %__gpg /usr/bin/qubes-gpg-client-wrapper
  %_gpg_name Packaging
  
  # Based on the default command defined in /usr/lib/rpm/macros
  # Removed the options: --no-armor --no-verbose --no-secmem-warning because qubes-gpg-client-wrapper doesn't support them
  # Separated the option -o from -sb because qubes-gpg-client-wrapper was getting confused
  %__gpg_sign_cmd                 %{__gpg} \
        gpg \
        %{?_gpg_digest_algo:--digest-algo %{_gpg_digest_algo}} \
        %{?_gpg_sign_cmd_extra_args:%{_gpg_sign_cmd_extra_args}} \
        -u "%{_gpg_name}" -sb -o %{__signature_filename} %{__plaintext_filename}
  # ...

[gonzalo-bulnes]

I see that the Wrote: output is looked up while building the source package (SRPM) (and only there as far as I can see).

Do you know how I could prevent the SRPM from being created when creating the RPM?

I'd like to separate both steps both steps to check if they succeed separately, my test plan would be:

• Create the SRPM without signing it: tito build --srpm --offline
• Create the signed RPM from that source package: tito build --rpm --rpmbuild-options="--sign" --offline + whatever needs to be done to re-use the existing SRPM instead of creating a new one.

This wouldn't be a complete workaround (signing both packages with rpm --resign ... would still be a better option), but it may help narrowing down on the issue? What do you think @FrostyX, would that be helpful?