Revert gpg version bump and unify key to card code to properly create bug upstream #1677
Conversation
It's going to take more time than I thought, since this is the first full development cycle over nix and calling qemu targets requires qemu-img tools and other stuff that are not available under nix as of the current v0.1.6/latest docker image. Building the whole qemu-full requires rebuilding python and a lot of other stuff, just like when I tried to build diffoscope and stopped in the middle of it, since we rebuild qemu to have canokey enabled. For diffoscope, no clue why the image was so big, so I'll try the diffoscopeMinimal derivative here. That will probably be continued tomorrow once the image is ready to jump in; the building will take at least an hour if not more. Rebuilding docker image 0.1.7 with qemu-full instead of qemu and qemu_kvm, as I thought would be needed but didn't want to bake the docker image too big, but it is needed, otherwise the docker image is not self-contained.
Lines 71 to 80 in c91731c
I will use qemu to troubleshoot this because testing this sort of thing on real hardware is really messy, whereas qemu over two consoles is ideal, and I will use this pull request and issue to detail how to resolve such things where debug traces are available, useful and easy to share properly. Bonus: troubleshooting those OpenPGP card and dev cycles requires testing that the gpg toolstack will be able to use canokey under qemu, which I will use because doing those over qemu on top of qubesos is really a pain, with usb device pass-through not being totally exclusive and host and qemu competing for exclusive access.
Updating flake.lock pkg pinned with
Don't try to use this yet, no updated docker image was created successfully yet. This is what I'm trying to do: push the docker image, then switch the circleci config to use it and, if successful, push the docker image to docker hub with the latest tag when successful and the docker image is fully usable to do proper dev cycles. I won't use my debian-11, debian-12 dev environments from now on and I want to have a working dev env for everyone to test in qemu/kvm, including myself first.
Build successful. Creating docker image and pushing. Nix team considering having canokey support by default under qemu_full (Discussion at https://matrix.to/#/!pAlHOfxQNPXOgFGTmo:matrix.org/$jWIgolUhkWfkvKxZPXLn_humw1qkesaqkZl5oX2Uufs?via=matrix.org&via=nitro.chat&via=fairydust.space)
ec9a3cb to a2f9bb2
Good. We have a reproducible environment. I use whiptail for testing/debugging and just saw discrepancies that fell out of my checks because of that, between fbwhiptail HEIGHT 0 being respected by whiptail (dynamic) vs fbwhiptail. Outside of that fact
The real error is
Have to context switch, will come back to it in a bit
Issues are to track details of issues and PRs are where fixes are developed until merged to fix the issue.
Originally posted by @tlaurion in #1674 (comment)
haaaa .gnupg/configs get wiped and the error is known with pinentry
Well it will take more work to understand and probably do a bug report upstream. Point is that the past used gpg toolstack worked for both p256 and RSA keys, so the strategy here is to revert unneeded changes for our use case for now and check that this doesn't break anything.
…rd on master (Opt: Authenticated Heads)
- Revert gnupg toolstack version bump to prior of linuxboot#1661 merge (2.4.2 -> 2.4.0). Version bump not needed for reproducibility.
- Investigation and upstream discussions will take their time resolving the invalid time issue introduced between 2.4.0 and latest gnupg; fix regression first under master
- oem-factory-reset
  - Adding DO_WITH_DEBUG to oem-factory-reset for all its gpg calls. If failing in debug mode, /tmp/debug.txt contains calls and errors
  - Wipe keyrings only (*.gpg, *.kbx), not conf files under gpg homedir (keep initrd/.gnupg/*.conf)
- flake.nix
  - switch build derivative from qemu and qemu_kvm to qemu_full to have the qemu-img tool, which was missing to run qemu boards (v0.1.8 docker)
  - add gnupg so that qemu boards can call inject_gpg to inject public key in absence of flashrom+pflash support for internal flashing
- flake.lock: Updated nix pinned package list under flake.lock with 'nix flake update' so qemu_full builds
- README.md: have consistent docker testing + release (push) notes
- .circleci/config.yml: depend on docker v0.1.8 (qemu_full built with canokey-qemu lib support, diffoscopeMinimal and gnupg for proper qemu testing)

TODO:
- some fd2 instead of fd1?!
- oem-factory-reset has whiptail_or_die which sets whiptail box to HEIGHT 0. This doesn't show a scrolling window on gpg errors, which is problematic with fbwhiptail, not whiptail

Signed-off-by: Thierry Laurion <[email protected]>
Looks fine to me, thanks for the fixes. We discussed a few things separately:
- docker image for build env is ~1.4 GB, that's fine right now
- The removed steps relating to marking a new key as ultimately trusted were redundant, the steps removed only apply to in-mem generated RSA keys, a common path handles everything and covers those as well
- The change from
  rm -rf /.gnupg/*
  to
  rm -rf /.gnupg/*.kbx /.gnupg/*.gpg
  is because the former was deleting a GPG config file we create at startup telling it where to find the GPG agent; this functionally reverts that change from 2c55338
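The keyring-only wipe discussed in the review above, written out as an added shell example (not code from the Heads repository or the PR): it deletes only the keyring material (*.kbx, *.gpg, which includes trustdb.gpg) from a GnuPG home directory and leaves *.conf files such as gpg.conf and gpg-agent.conf in place. The directory layout is constructed in a temp dir for the demo; the real change operates on /.gnupg in the initrd, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PR: mirror the change from
#   rm -rf /.gnupg/*
# to
#   rm -rf /.gnupg/*.kbx /.gnupg/*.gpg
# so that config files created at startup (e.g. the one pointing gpg at
# its agent) survive a keyring reset.

# wipe_keyrings <gnupg_home>: remove keyring/trustdb files, keep *.conf.
wipe_keyrings() {
    dir="$1"
    [ -d "$dir" ] || return 1
    # -f makes unmatched globs harmless when a keyring type is absent.
    rm -f "$dir"/*.kbx "$dir"/*.gpg
    return 0
}

# count_conf <dir>: number of *.conf files still present (assumed helper).
count_conf() {
    find "$1" -maxdepth 1 -name '*.conf' | wc -l | tr -d ' '
}

# count_keyrings <dir>: number of *.kbx / *.gpg files present (assumed helper).
count_keyrings() {
    find "$1" -maxdepth 1 \( -name '*.kbx' -o -name '*.gpg' \) | wc -l | tr -d ' '
}

# make_demo_home: build a constructed gnupg homedir with two config files
# and two keyring files, and print its path.
make_demo_home() {
    d=$(mktemp -d)
    : > "$d/gpg.conf"
    : > "$d/gpg-agent.conf"
    : > "$d/pubring.kbx"
    : > "$d/trustdb.gpg"
    printf '%s\n' "$d"
}

# Stand-alone demo: before the wipe both counts are 2, after it only the
# config files remain.
home=$(make_demo_home)
echo "before: keyrings=$(count_keyrings "$home") conf=$(count_conf "$home")"
wipe_keyrings "$home"
echo "after:  keyrings=$(count_keyrings "$home") conf=$(count_conf "$home")"
rm -rf "$home"
```

The old `rm -rf /.gnupg/*` would have removed gpg.conf and gpg-agent.conf along with the keyrings, which is exactly the pinentry/agent lookup failure noted earlier in the thread; restricting the glob to keyring extensions keeps the reset limited to key material.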
There is a spotted regression with gpg toolstack 2.4.2+ as merged per #1661. This reverts the gpg tool stack (gnupg and deps) back to what it was before #1661, and adds proper calls for future debugging (enabled by default under qemu boards with the canokey virtual smartcard usable and provisioned at the make run call).
This is a BUGFIX and should be merged fast. (The gnupg toolstack version bump 2.4.0 -> 2.4.2 broke the key-to-card ops required to enable the Authenticated Heads optional feature on re-ownership.)