secure-systems-lab / securesystemslib

Cryptographic and general-purpose routines for Secure Systems Lab projects at NYU
MIT License

gpg tests fail if a yubikey is connected #787

Open jku opened 5 months ago

jku commented 5 months ago

The GPG tests that try to use "default key" fail for me locally.

EDIT: this happens when a yubikey happens to be connected: gpg sees two options (yubikey and the test key) and since the test does not actually set a default key, gpg does not know what to do...

We should either stop testing "default key" or actually set the default in the tests.

$ tox -e test
test: install_deps> pip install -r /home/jkukkonen/src/securesystemslib/requirements-pinned.txt -r /home/jkukkonen/src/securesystemslib/requirements-test.txt
test: commands[0]> python -m tests.check_gpg_available
.
----------------------------------------------------------------------
Ran 1 test in 0.002s

OK
test: commands[1]> coverage run tests/aggregate_tests.py
.................EE........E.................ss..............................
======================================================================
ERROR: test_gpg_sign_and_verify_object_with_default_key (tests.test_gpg.TestGPGDSA.test_gpg_sign_and_verify_object_with_default_key)
Create a signature using the default key on the keyring
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/jkukkonen/src/securesystemslib/tests/test_gpg.py", line 826, in test_gpg_sign_and_verify_object_with_default_key
    signature = create_signature(test_data, homedir=self.gnupg_home)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jkukkonen/src/securesystemslib/securesystemslib/gpg/functions.py", line 137, in create_signature
    raise CommandError(
securesystemslib.gpg.exceptions.CommandError: Command '['gpg', '--detach-sign', '--digest-algo', 'SHA256', '--homedir', 'dsa']' returned non-zero exit status '2', stderr was:
gpg: WARNING: unsafe permissions on homedir '/tmp/tmp5ffatewa/dsa'
gpg: no default secret key: No public key
gpg: signing failed: No public key
.

======================================================================
ERROR: test_gpg_sign_and_verify_object_with_default_key (tests.test_gpg.TestGPGEdDSA.test_gpg_sign_and_verify_object_with_default_key)
Create a signature using the default key on the keyring
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/jkukkonen/src/securesystemslib/tests/test_gpg.py", line 883, in test_gpg_sign_and_verify_object_with_default_key
    signature = create_signature(test_data, homedir=self.gnupg_home)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jkukkonen/src/securesystemslib/securesystemslib/gpg/functions.py", line 137, in create_signature
    raise CommandError(
securesystemslib.gpg.exceptions.CommandError: Command '['gpg', '--detach-sign', '--digest-algo', 'SHA256', '--homedir', 'dsa']' returned non-zero exit status '2', stderr was:
gpg: WARNING: unsafe permissions on homedir '/tmp/tmpama_mynb/dsa'
gpg: no default secret key: No public key
gpg: signing failed: No public key
.

======================================================================
ERROR: test_gpg_sign_and_verify_object_with_default_key (tests.test_gpg.TestGPGRSA.test_gpg_sign_and_verify_object_with_default_key)
Create a signature using the default key on the keyring
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/jkukkonen/src/securesystemslib/tests/test_gpg.py", line 667, in test_gpg_sign_and_verify_object_with_default_key
    signature = create_signature(test_data, homedir=self.gnupg_home)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jkukkonen/src/securesystemslib/securesystemslib/gpg/functions.py", line 137, in create_signature
    raise CommandError(
securesystemslib.gpg.exceptions.CommandError: Command '['gpg', '--detach-sign', '--digest-algo', 'SHA256', '--homedir', 'rsa']' returned non-zero exit status '2', stderr was:
gpg: WARNING: unsafe permissions on homedir '/tmp/tmpvxwlk8ze/rsa'
gpg: no default secret key: No public key
gpg: signing failed: No public key
.

----------------------------------------------------------------------
Ran 77 tests in 2.810s

FAILED (errors=3, skipped=2)
test: exit 1 (2.99 seconds) /home/jkukkonen/src/securesystemslib> coverage run tests/aggregate_tests.py pid=1703498
  test: FAIL code 1 (4.94=setup[1.92]+cmd[0.04,2.99] seconds)
  evaluation failed :( (4.98 seconds)

jku commented 5 months ago

$ gpg --version
gpg (GnuPG) 2.2.40
libgcrypt 1.10.3
...

lukpueh commented 5 months ago

Odd. Seems to work on ubuntu CI. Unfortunately, we don't log the gpg version in the tests (anymore?). It also works for me locally on my mac:

gpg --version
gpg (GnuPG) 2.4.5
libgcrypt 1.10.3

jku commented 5 months ago

Tests started succeeding again after I disconnected my yubikey.

So this is no longer that urgent... but gpg sees two potential private keys (test key and yubikey) during the test and the default key selection fails because the test never configures a default key. I think the test should either not test "default key" or should actually configure gpg so that there is a default key.
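
One way to do the second option raised in this thread (configure gpg so that there is a default key), as an added example that is not securesystemslib's own test code: it reads the test keyring with `--with-colons` and writes an explicit `default-key` line into the throwaway homedir's `gpg.conf`. The function names are hypothetical, and it assumes each test homedir holds exactly one secret key.

```python
import os
import subprocess
from pathlib import Path


def primary_secret_fingerprints(colon_listing: str) -> list[str]:
    """Return fingerprints of primary secret keys from --with-colons output."""
    fingerprints = []
    expect_fpr = False
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "sec":
            expect_fpr = True   # the next fpr record belongs to this primary key
        elif fields[0] == "ssb":
            expect_fpr = False  # ignore fingerprints of subkeys
        elif fields[0] == "fpr" and expect_fpr and len(fields) > 9:
            fingerprints.append(fields[9])  # field 10 holds the fingerprint
            expect_fpr = False
    return fingerprints


def pin_default_key(homedir: str, fingerprint: str) -> Path:
    """Write an explicit default-key into the homedir's gpg.conf."""
    home = Path(homedir)
    os.chmod(home, 0o700)  # gpg warns about homedirs open to group/others
    conf = home / "gpg.conf"
    existing = conf.read_text().splitlines() if conf.exists() else []
    # Drop any earlier default-key line so exactly one remains.
    kept = [ln for ln in existing if ln.split()[:1] != ["default-key"]]
    conf.write_text("\n".join(kept + [f"default-key {fingerprint}"]) + "\n")
    return conf


def configure_test_homedir(homedir: str) -> str:
    """Find the single secret key in a test keyring and pin it as default."""
    listing = subprocess.run(
        ["gpg", "--homedir", homedir, "--batch", "--with-colons",
         "--list-secret-keys"],
        check=True, capture_output=True, text=True,
    ).stdout
    fingerprints = primary_secret_fingerprints(listing)
    if len(fingerprints) != 1:  # assumption: one key per test homedir
        raise RuntimeError(f"expected one test key, found {len(fingerprints)}")
    pin_default_key(homedir, fingerprints[0])
    return fingerprints[0]
```

Calling `configure_test_homedir(self.gnupg_home)` in a test's setup would make the key choice independent of what else gpg can see on the machine; failing hard when the keyring does not contain exactly one key keeps the fixture from silently signing with something unexpected.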